Description
This article describes how to configure VXLAN over IPsec for multiple VLANs.
Scope
FortiGate.
Solution
Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud computing deployments. It encapsulates OSI layer 2 Ethernet frames within layer 3 IP packets, using the standard UDP destination port 4789.
This configuration shows how to configure two or more VLANs that can be used with VXLAN to extend Layer 2 connectivity across two different locations.
- WAN interface configuration.
- Make sure that connectivity between both FortiGates is working to bring the IPsec tunnel up.
- Configuring IPsec VPN tunnel:
Note:
The 'set encapsulation vxlan' option in the IPsec tunnel configuration has been deprecated.
FGT1:
Phase1 config:
config vpn ipsec phase1-interface
edit "ipsec"
set interface "wan1"
set peertype any
set net-device disable
set proposal aes256-sha1
set remote-gw 1.1.1.2
set psksecret xx
next
end
Phase2 config:
config vpn ipsec phase2-interface
edit "ipsec"
set phase1name "ipsec"
set proposal aes256-sha1
set auto-negotiate enable
next
end
Tunnel interface config:
config system interface
edit "ipsec"
set vdom "root"
set ip 2.2.2.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 2.2.2.1 255.255.255.252
set snmp-index 20
set interface "wan1"
next
end

FGT2:
Phase1 config:
config vpn ipsec phase1-interface
edit "ipsec"
set interface "wan1"
set peertype any
set net-device disable
set proposal aes256-sha1
set remote-gw 1.1.1.1
set psksecret xx
next
end
Phase2 config:
config vpn ipsec phase2-interface
edit "ipsec"
set phase1name "ipsec"
set proposal aes256-sha1
set auto-negotiate enable
next
end
Tunnel interface config:
config system interface
edit "ipsec"
set vdom "root"
set ip 2.2.2.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 2.2.2.2 255.255.255.252
set snmp-index 20
set interface "wan1"
next
end
- This configuration will bring the IPsec tunnel up. Verify that the tunnel is up.
It may be necessary to create a firewall policy from the interface 'ipsec' to 'ipsec' so that the tunnel can come up (tested in FortiOS v7.0.11).
config firewall policy
edit 0
set name "IPSECTUNNELPolicy"
set srcintf "ipsec"
set dstintf "ipsec"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end
- Configure VLAN interfaces.
- Configure VXLAN interfaces for both VLANs.
- Configure the software switch interface:
- Test the connectivity by pinging from the client connected to VLAN50 on 'SW1' to the client connected to VLAN50 on 'SW2'. Also test the connectivity in the other direction, from the client connected to VLAN50 on 'SW2' to the client connected to VLAN50 on 'SW1'.
- Repeat the same test for the client in VLAN60.
- In this setup, no firewall policies are required. The reason is the option 'set intra-switch-policy implicit' configured under 'config system switch-interface' for both VLANs. Note that intra-switch-policy implicit comes with some limitations; more information can be found in the related article 'Software switch and intra-switch-policy'.
- If there is a requirement to use firewall policies, this option needs to be changed.
- Do not configure VLAN1 on the FortiGate. This is not recommended because the FortiGate uses VLAN1 for internal communication between FortiGate and FortiSwitch.
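The steps above (VLAN interfaces, VXLAN interfaces and software switches) as an added, illustrative FortiOS CLI example for the FGT1 side; this is not the article's own configuration. It assumes 'port2' as the LAN port and 'sw50'/'sw60' as software switch names, and reuses the 'ipsec' tunnel interface and the 2.2.2.x tunnel addresses from the configuration above. FGT2 mirrors it with 'set remote-ip "2.2.2.2"'.

```text
# VLAN interfaces on the LAN port ("port2" is an assumed port name).
# They carry no IP address, as required before adding them to a software switch.
config system interface
    edit "vlan50"
        set vdom "root"
        set type vlan
        set interface "port2"
        set vlanid 50
    next
    edit "vlan60"
        set vdom "root"
        set type vlan
        set interface "port2"
        set vlanid 60
    next
end
# One VXLAN interface per VLAN, carried inside the IPsec tunnel interface "ipsec".
# remote-ip is the peer's tunnel-interface address (FGT2 in this example).
config system vxlan
    edit "vxlan50"
        set interface "ipsec"
        set vni 50
        set remote-ip "2.2.2.1"
    next
    edit "vxlan60"
        set interface "ipsec"
        set vni 60
        set remote-ip "2.2.2.1"
    next
end
# One software switch per VLAN bridging the local VLAN with its VXLAN
# ("sw50"/"sw60" are assumed names). Keeping the two VLANs in separate switches
# keeps their broadcast domains separate; intra-switch-policy implicit forwards
# traffic between members without requiring firewall policies.
config system switch-interface
    edit "sw50"
        set vdom "root"
        set member "vlan50" "vxlan50"
        set intra-switch-policy implicit
    next
    edit "sw60"
        set vdom "root"
        set member "vlan60" "vxlan60"
        set intra-switch-policy implicit
    next
end
```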
Note:
If both FortiGates are in HA pairs, change the HA group-id on one of the clusters. FortiGates in a cluster use virtual MAC addresses, so the switch interfaces on both sides can end up with the same virtual MAC address, which results in connectivity issues.
Note:
To be added to the software switch, the VLAN interface must be free of references and must not have an IP address.
Related articles:
Technical Tip: Software switch policy.
Technical Tip: Verifying physical and HA virtual MAC addresses of FortiGate interfaces.
Technical Tip: Reserved VLAN ID 1 (Technical-Tip-Reserved-VLAN-ID-1/ta-p/270111).