Created on 03-17-2023 06:23 AM Edited on 02-05-2024 09:09 AM By Stephen_G
Description
This article describes how to implement a VXLAN over IPsec virtual wire pair between internal VDOMs that have no direct outside access and reach the outside only through the root VDOM of their FortiGate.
Scope
FortiGate.
Solution
Diagram:
Consider this scenario:
1) An IPsec tunnel is set up between the internal VDOM of 'Spoke_FGT1' and the internal VDOM of the HUB.
2) Neither internal VDOM has direct outside access; each reaches the outside only through the root VDOM of its own FortiGate.
3) The goal is to bridge two locations that use the same IP subnet. Because the subnet is identical on both sides, the traffic cannot simply be routed over the tunnel; it is carried at layer 2 with VXLAN and a virtual wire pair instead.
Here is the step-by-step:
Under global VDOM
1) Create the vdom-link with type ethernet. The default type (ppp) does not work for this setup:
Spoke_FGT1 (global) # show system vdom-link
config system vdom-link
edit "int_root"
set type ethernet
next
end
2) Assign one end of the vdom-link to the root VDOM and the other end to the internal VDOM, and give each end an IP address from a shared /30:
Spoke_FGT1 (global) # show system interface
config system interface
edit "int_root0"
set vdom "root"
set ip 192.168.30.1 255.255.255.252
set allowaccess ping https ssh http fgfm
set type vdom-link
set description "int_root_root"
set snmp-index 19
set macaddr 4a:25:c3:2c:00:16
next
edit "int_root1"
set vdom "int_spokeA"
set ip 192.168.30.2 255.255.255.252
set allowaccess ping https ssh http fgfm
set type vdom-link
set description "int_root_spoke"
set snmp-index 20
set macaddr 72:3d:d0:b3:00:17
next
end
Under root VDOM:
3) Create a VIP in the root VDOM of each FortiGate so that the peer's IKE and ESP traffic arriving on the outside interface is forwarded to the vdom-link address of the internal VDOM. The VIP has no port forwarding, so it is a 1:1 static NAT and both IKE (UDP 500/4500) and ESP (IP protocol 50) are translated:
Spoke_FGT1 (root) # show firewall vip
config firewall vip
edit "IPsec_VIP"
set uuid d0974d60-50a5-51ed-7f91-dff793ef5f65
set extip 192.168.13.2
set mappedip "192.168.30.2"
set extintf "port6"
next
end
Spoke_FGT1 (root) # show firewall policy 2
config firewall policy
edit 2
set name "vip_ipsec"
set uuid ec232d9c-50a5-51ed-9aa5-a5419a61fad6
set srcintf "port6" <----- Outer interface that connects to other FortiGate.
set dstintf "int_root0" <----- vdom_link that connects to internal VDOM.
set action accept
set srcaddr "all"
set dstaddr "IPsec_VIP"
set schedule "always"
set service "ALL"
set logtraffic all
set logtraffic-start enable
next
end
4) Firewall policy in the root VDOM to allow outbound access from the internal VDOM. NAT is enabled so that the internal VDOM's IKE traffic leaves with the outside interface address (192.168.13.2), the same address the VIP answers on. Both root VDOM policies use service ALL here; in production, restrict them to the predefined IKE and ESP services:
Spoke_FGT1 (root) # show firewall policy 3
config firewall policy
edit 3
set name "to_hub"
set uuid b9641b0e-50a6-51ed-fa03-372304c46055
set srcintf "int_root0"
set dstintf "port6"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set logtraffic-start enable
set nat enable
next
end
Under internal VDOM:
5) Create the IPsec tunnel between the internal VDOMs of both FortiGates:
This step follows the normal IPsec tunnel setup, with two points specific to this design: the phase1-interface is bound to the internal VDOM's end of the vdom-link (int_root1), and the remote gateway is the peer's VIP external address. The internal VDOM also needs a route to that remote gateway via int_root1 (next hop 192.168.30.1, the root VDOM end of the vdom-link), because it has no other path to the outside.
6) Assign IP address to the tunnel interface:
Spoke_FGT1 (int_spokeA) # show system interface to_HUB_int
config system interface
edit "to_HUB_int"
set vdom "int_spokeA"
set ip 10.200.0.2 255.255.255.255
set allowaccess ping https ssh snmp http fgfm
set type tunnel
set remote-ip 10.200.0.1 255.255.255.252
set snmp-index 21
set interface "int_root1"
next
end
7) The VXLAN interface. It is created automatically when the system vxlan object in the next step is configured and is bound to the tunnel interface, so the VXLAN packets travel inside the IPsec tunnel:
Spoke_FGT1 (int_spokeA) # show system interface vxlan
config system interface
edit "vxlan"
set vdom "int_spokeA"
set type vxlan
set snmp-index 15
set interface "to_HUB_int"
next
end
8) Create the system VXLAN object. The VNI must be identical on both sides and remote-ip is the peer's tunnel interface address:
Spoke_FGT1 (int_spokeA) # show system vxlan
config system vxlan
edit "vxlan"
set interface "to_HUB_int"
set vni 10 <----- Assign the same vni at the other partner.
set remote-ip "10.200.0.1"<----- Partner tunnel IP address.
next
end
9) Create a virtual wire pair between the VXLAN interface and port3 (the port connected to the user machine), so that frames entering port3 are bridged into the VXLAN unchanged:
Spoke_FGT1 (int_spokeA) # show system virtual-wire-pair
config system virtual-wire-pair
edit "vwp"
set member "port3" "vxlan"
next
end
10) Create a firewall policy for the virtual wire pair to allow traffic between its two members. This policy bridges everything on port3 to the remote site; apply security profiles or narrow srcaddr, dstaddr and service here if the two sites should not be fully open to each other:
Spoke_FGT1 (int_spokeA) # show firewall policy 4
config firewall policy
edit 4
set name "vwp_pol"
set uuid 5fae7a82-50ab-51ed-dacd-7ab849d83506
set srcintf "port3" "vxlan"
set dstintf "port3" "vxlan"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end
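The HUB side is the mirror image of the spoke configuration above. The following is an added example and not the attached configuration or Fortinet's own text: the global part (vdom-link of type ethernet, int_root0 in root, int_root1 in the internal VDOM with the same 192.168.30.0/30 addressing) is identical to steps 1 and 2 and is omitted. The HUB's outside interface port1 at 192.168.13.1, the internal VDOM name int_hub, LAN port port3, the tunnel name to_SPOKE_int and the pre-shared key placeholder are assumptions; 192.168.13.2 (the spoke's VIP address), 10.200.0.0/30 and VNI 10 are the article's values and must match the spoke. Lines starting with # are annotations, not CLI.

```fortios
# Added example, not from the article: HUB side mirroring Spoke_FGT1.
# Assumed (not in the article): outside interface port1 at 192.168.13.1,
# internal VDOM "int_hub", LAN port3, tunnel "to_SPOKE_int", PSK placeholder.
# 192.168.30.0/30, 10.200.0.0/30, VNI 10 and the spoke address 192.168.13.2
# are the article's values and must match the spoke side.
config vdom
    edit root
        # 1:1 VIP: the outside address is mapped to int_root1 inside int_hub
        config firewall vip
            edit "IPsec_VIP"
                set extip 192.168.13.1
                set mappedip "192.168.30.2"
                set extintf "port1"
            next
        end
        # Only IKE (UDP 500/4500) and ESP are allowed, tighter than ALL
        config firewall policy
            edit 2
                set srcintf "port1"
                set dstintf "int_root0"
                set action accept
                set srcaddr "all"
                set dstaddr "IPsec_VIP"
                set schedule "always"
                set service "IKE" "ESP"
            next
            edit 3
                set srcintf "int_root0"
                set dstintf "port1"
                set action accept
                set srcaddr "all"
                set dstaddr "all"
                set schedule "always"
                set service "IKE" "ESP"
                set nat enable
            next
        end
    next
    edit int_hub
        # int_root0 (192.168.30.1) is the internal VDOM's only path outside
        config router static
            edit 1
                set gateway 192.168.30.1
                set device "int_root1"
            next
        end
        # Phase 1 bound to the vdom-link; remote gateway is the spoke's VIP
        config vpn ipsec phase1-interface
            edit "to_SPOKE_int"
                set interface "int_root1"
                set ike-version 2
                set proposal aes256-sha256
                set remote-gw 192.168.13.2
                set psksecret ReplaceWithStrongPSK
            next
        end
        config vpn ipsec phase2-interface
            edit "to_SPOKE_int"
                set phase1name "to_SPOKE_int"
            next
        end
        config system interface
            edit "to_SPOKE_int"
                set ip 10.200.0.1 255.255.255.255
                set remote-ip 10.200.0.2 255.255.255.252
            next
        end
        # VXLAN rides inside the tunnel; VNI and remote-ip mirror the spoke
        config system vxlan
            edit "vxlan"
                set interface "to_SPOKE_int"
                set vni 10
                set remote-ip "10.200.0.2"
            next
        end
        config system virtual-wire-pair
            edit "vwp"
                set member "port3" "vxlan"
            next
        end
        config firewall policy
            edit 4
                set srcintf "port3" "vxlan"
                set dstintf "port3" "vxlan"
                set action accept
                set srcaddr "all"
                set dstaddr "all"
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

Because both internal VDOMs sit behind a NAT (the VIP inbound, source NAT outbound), IKE will detect NAT traversal and move to UDP 4500, which the IKE service object covers. VXLAN adds 50 bytes of outer headers (Ethernet, IP, UDP, VXLAN) on top of the ESP overhead, so if pings succeed but larger transfers stall, check for fragmentation on the tunnel path.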
Tunnel status of each internal VDOM:
Ping is now successful from User A to B and vice versa:
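The following checks, added here and not part of the original article, verify each layer on Spoke_FGT1 from the bottom up: the VIP translation in the root VDOM, the default route and IKE/IPsec state in the internal VDOM, and finally the VXLAN frames inside the tunnel while User A pings User B. All interface, VDOM and address names are the article's. Lines starting with # are annotations, not CLI.

```fortios
# Added example, not from the article: verification on Spoke_FGT1.
config vdom
    edit root
        # IKE from the peer must arrive on port6 and leave on int_root0 towards 192.168.30.2
        diagnose sniffer packet any 'udp port 500 or udp port 4500' 4 10
    next
    edit int_spokeA
        # Default route must point at int_root1 with next hop 192.168.30.1
        get router info routing-table all
        # Phase 1 and phase 2 state of the tunnel to the HUB
        diagnose vpn ike gateway list
        diagnose vpn tunnel list
        # Tunnel reachability to the HUB's tunnel address
        execute ping 10.200.0.1
        # VXLAN (UDP 4789) must be visible inside the tunnel during the User A to B ping
        diagnose sniffer packet to_HUB_int 'udp port 4789' 4 10
        # ARP and ICMP from the user side, bridged through the virtual wire pair
        diagnose sniffer packet port3 'arp or icmp' 4 10
    next
end
```

If the IKE gateway list shows no entry, the problem is in the root VDOM (VIP, policy or route); if the gateway is up but no UDP 4789 packets appear on to_HUB_int, check the VNI and remote-ip of the system vxlan object and the virtual wire pair policy.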
Note:
The complete config of both sides is attached.