FortiGate
iskandar_lie
Staff
Article Id 249427
Description

 

This article describes how to implement a virtual wire pair over VXLAN for an internal VDOM that has no direct outside access.

 

Scope

 

FortiGate.

 

Solution

 

Diagram: topology.PNG (image not reproduced here)

 

Consider this scenario:

1) An IPsec tunnel is set up between the internal VDOM of 'Spoke_FGT1' and the internal VDOM of the HUB.

2) Neither internal VDOM has direct outside access; each reaches the outside only via the root_vdom of its own FortiGate.

3) The plan is to integrate two different locations that use the same IP subnet.

 

Here is the step-by-step configuration:

 

Under the global VDOM:

1) Create a vdom-link with type ethernet; with any other type this setup will not work:

 

Spoke_FGT1 (global) # show system vdom-link
config system vdom-link
    edit "int_root"
        set type ethernet
    next
end

 

2) Assign the two ends of this vdom-link to the root VDOM and the internal VDOM, and give each interface an IP address:

 

Spoke_FGT1 (global) # show system interface
config system interface
    edit "int_root0"
        set vdom "root"
        set ip 192.168.30.1 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type vdom-link
        set description "int_root_root"
        set snmp-index 19
        set macaddr 4a:25:c3:2c:00:16
    next
    edit "int_root1"
        set vdom "int_spokeA"
        set ip 192.168.30.2 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type vdom-link
        set description "int_root_spoke"
        set snmp-index 20
        set macaddr 72:3d:d0:b3:00:17
    next
end

 

Under the root VDOM:

 

3) Create a VIP in the root_vdom of each FortiGate so that the outer connection can reach the internal VDOM:

 

Spoke_FGT1 (root) # show firewall vip
config firewall vip
    edit "IPsec_VIP"
        set uuid d0974d60-50a5-51ed-7f91-dff793ef5f65
        set extip 192.168.13.2
        set mappedip "192.168.30.2"          
        set extintf "port6"
    next
end

 

Spoke_FGT1 (root) # show firewall policy 2
config firewall policy
    edit 2
        set name "vip_ipsec"
        set uuid ec232d9c-50a5-51ed-9aa5-a5419a61fad6
        set srcintf "port6" <----- Outer interface that connects to the other FortiGate.
        set dstintf "int_root0" <----- vdom-link that connects to the internal VDOM.
        set action accept
        set srcaddr "all"
        set dstaddr "IPsec_VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
    next
end

 

4) Create a firewall policy in the root_vdom to allow outbound access from the internal VDOM:

 

Spoke_FGT1 (root) # show firewall policy 3
config firewall policy
    edit 3
        set name "to_hub"
        set uuid b9641b0e-50a6-51ed-fa03-372304c46055
        set srcintf "int_root0"
        set dstintf "port6"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
        set nat enable
    next
end

 

Under the internal VDOM:

 

5) Create the IPsec tunnel between the internal VDOMs of both FortiGates:

 

This step follows the same procedure as a normal IPsec tunnel setup.

 

Refer to the articles below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Static-route-defined-over-IPsec-VPN-tunnel...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Static-route-for-IPsec-VPN-shows-gateway/t...

 

6) Assign an IP address to the tunnel interface:

 

Spoke_FGT1 (int_spokeA) # show system interface to_HUB_int
config system interface
    edit "to_HUB_int"
        set vdom "int_spokeA"
        set ip 10.200.0.2 255.255.255.255
        set allowaccess ping https ssh snmp http fgfm
        set type tunnel
        set remote-ip 10.200.0.1 255.255.255.252
        set snmp-index 21
        set interface "int_root1"
    next
end

  

7) Create the VXLAN system interface:

 

Spoke_FGT1 (int_spokeA) # show system interface vxlan
config system interface
    edit "vxlan"
        set vdom "int_spokeA"
        set type vxlan
        set snmp-index 15
        set interface "to_HUB_int"
    next
end

 

8) Create the system VXLAN entry:

 

Spoke_FGT1 (int_spokeA) # show system vxlan
config system vxlan
    edit "vxlan"
        set interface "to_HUB_int"
        set vni 10 <----- Assign the same VNI on the partner.
        set remote-ip "10.200.0.1" <----- Partner tunnel IP address.
    next
end

 

9) Create a system virtual-wire-pair between the VXLAN interface and port3 (the port connected to the user machine):

 

Spoke_FGT1 (int_spokeA) # show system virtual-wire-pair
config system virtual-wire-pair
    edit "vwp"
        set member "port3" "vxlan"
    next
end

 

10) Create a firewall policy for the virtual-wire-pair interfaces, to allow communication within the virtual-wire-pair:

 

Spoke_FGT1 (int_spokeA) # show firewall policy 4
config firewall policy
    edit 4
        set name "vwp_pol"
        set uuid 5fae7a82-50ab-51ed-dacd-7ab849d83506
        set srcintf "port3" "vxlan"
        set dstintf "port3" "vxlan"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

 

Tunnel status of each internal VDOM: Tunnel HUB.PNG, Tunnel Spoke.PNG (screenshots not reproduced here)

 

Ping is now successful from User A to User B and vice versa: User A.PNG, User B.PNG (screenshots not reproduced here)

 

Note:

The complete config of both sides is attached.

 

Related documents:

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/22733/virtual-wire-pair-with...

https://community.fortinet.com/t5/FortiGate/Technical-Note-Virtual-Extensible-LAN-VXLAN-configuratio...