achowdhury
Staff
Created on ‎08-29-2019 04:59 AM Edited on ‎06-09-2022 09:14 PM By Anonymous
Article Id
192730
Description
This article describes how to configure a VXLAN over IPsec tunnel between two FortiGates (HQ1 and HQ2). The addresses and the pre-shared key value `sample` used in the listings below are lab placeholders.

Solution
HQ1:
# config firewall address
edit "local-address"
set subnet 192.168.100.0 255.255.255.0
next
end
# config system interface
edit "port1"
set vdom "root"
set ip 10.109.52.68 255.255.255.0
set allowaccess ping https ssh http
set type physical
set snmp-index 1
next
end
# config router static
edit 3
set gateway 10.109.63.254
set device "port1"
next
end
# config vpn ipsec phase1-interface
edit "to_HQ2"
set interface "port1"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set encapsulation vxlan
set encapsulation-address ipv4
set encap-local-gw4 10.109.52.68
set encap-remote-gw4 10.109.48.100
set remote-gw 10.109.48.100
set psksecret sample
next
end
# config vpn ipsec phase2-interface
edit "to_HQ2"
set phase1name "to_HQ2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
# config firewall policy
edit 1
set srcintf "port2"
set dstintf "to_HQ2"
set srcaddr "local-address"
set dstaddr "local-address"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set srcintf "to_HQ2"
set dstintf "port2"
set srcaddr "local-address"
set dstaddr "local-address"
set action accept
set schedule "always"
set service "ALL"
next
end
# config system switch-interface
edit "VXLAN-HQ1"
set vdom "root"
set intra-switch-policy explicit <---------- required so that the member interfaces can be added
set member "port2" "to_HQ2"
next
end
# config system interface
edit "VXLAN-HQ1"
set vdom "root"
set ip 192.168.1.1 255.255.255.0
set allowaccess ping https ssh http
set type switch
set snmp-index 13
next
end
HQ2:
# config firewall address
edit "local-address"
set subnet 192.168.100.0 255.255.255.0
next
end
# config system interface
edit "port1"
set vdom "root"
set ip 10.109.48.100 255.255.255.0
set allowaccess ping https ssh http
set type physical
set snmp-index 1
next
end
# config router static
edit 3
set gateway 10.109.63.254
set device "port1"
next
end
# config vpn ipsec phase1-interface
edit "to_HQ1"
set interface "wan1"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set encapsulation vxlan
set encapsulation-address ipv4
set encap-local-gw4 10.109.48.100
set encap-remote-gw4 10.109.52.68
set remote-gw 10.109.52.68
set psksecret sample
next
end
# config vpn ipsec phase2-interface
edit "to_HQ2"
set phase1name "to_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
# config firewall policy
edit 1
set srcintf "internal1"
set dstintf "to_HQ1"
set srcaddr "local-address"
set dstaddr "local-address"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set srcintf "to_HQ1"
set dstintf "internal1"
set srcaddr "local-address"
set dstaddr "local-address"
set action accept
set schedule "always"
set service "ALL"
next
end
# config system switch-interface
edit "VXLAN-HQ1"
set vdom "root"
set intra-switch-policy explicit <---------- required so that the member interfaces can be added
set member "internal1" "to_HQ1"
next
end
# config system interface
edit "VXLAN-HQ1"
set vdom "root"
set ip 192.168.1.254 255.255.255.0
set allowaccess ping https ssh http
set type switch
set snmp-index 13
next
end
Results:
# diagnose sniffer packet any "host 192.168.1.1" 4 0 a
interfaces=[any]
filters=[host 192.168.1.1]
2019-08-22 13:36:13.355609 to_HQ2 in 192.168.1.254 -> 192.168.1.1: icmp: echo request
2019-08-22 13:36:13.355681 VXLAN-HQ1 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:13.355685 to_HQ2 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:14.365391 to_HQ2 in 192.168.1.254 -> 192.168.1.1: icmp: echo request
2019-08-22 13:36:14.365450 VXLAN-HQ1 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:14.365454 to_HQ2 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:15.375443 to_HQ2 in 192.168.1.254 -> 192.168.1.1: icmp: echo request
2019-08-22 13:36:15.375505 VXLAN-HQ1 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:15.375511 to_HQ2 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:16.385458 to_HQ2 in 192.168.1.254 -> 192.168.1.1: icmp: echo request
2019-08-22 13:36:16.385517 VXLAN-HQ1 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:16.385522 to_HQ2 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
name=to_HQ1 ver=1 serial=4 10.109.48.100:0->10.109.52.68:0 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=VXLAN/514 options[0202]=frag-rfc run_state=0 accept_traffic=1
encap-addr: 10.109.48.100->10.109.52.68
proxyid_num=1 child_num=0 refcnt=10 ilast=2 olast=2 ad=/0
stat: rxp=21 txp=24 rxb=3944 txb=2056
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=41556/0B replaywin=1024
seqno=19 esn=0 replaywin_lastseq=00000016 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=eec7eeed esp=aes key=16 81d4cb62f6dc20ce000675f6ddbdeefc
ah=sha1 key=20 9c78e1bfc143d1bebaca3a111e31548663a7067f
enc: spi=ba648fca esp=aes key=16 9ad5b103781041a9acff38f0bc5c7bdb
ah=sha1 key=20 9f631c45f475e7e560946605f929ca4334e675b6
dec:pkts/bytes=21/2590, enc:pkts/bytes=22/4128
npu_flag=00 npu_rgwy=10.109.52.68 npu_lgwy=10.109.48.100 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=1