Hello,
Is it possible to send layer 2 VXLAN and other layer 3 traffic over the same IPSec VPN? I have tested VXLAN over IPSec in the lab, but I didn't test whether I can use the same IPSec VPN carrying the VXLAN to send layer 3 traffic from one site to another.
At the moment we have two sites connected with an IPSec VPN carrying layer 3 traffic. We would like to implement a layer 2 VXLAN between these two sites for a particular VLAN. Is it possible for me to add VXLAN over the same IPSec VPN? I am assuming there should be a way, since we cannot create two IPSec VPNs between the same endpoints. Can someone please confirm whether VXLAN and layer 3 traffic can be sent over the same IPSec VPN?
Thank you.
You can always use a loop0 interface and set that as the src-address. You will need a rule to SNAT the address and ensure NAT-T is used. I would also define a peerid (string, FQDN or email ... just pick one).
Ken Felix
PCNSE
NSE
StrongSwan
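As an added example (not from Ken's post or from Fortinet documentation), the following FortiOS CLI sketch shows the shape of what he describes on one site: a loopback interface used as the IKE local address so that a second phase1 to the same remote gateway can coexist with the existing layer 3 tunnel, that second tunnel set to VXLAN encapsulation with a peer ID, NAT-T forced, and the resulting tunnel interface bridged to the LAN port that carries the VLAN. All interface names, addresses, IDs and the PSK placeholder are assumptions; the SNAT rule Ken mentions for the loopback address is not shown.

```fortios
# Added example, not from the post or Fortinet docs. Site A side only.
# Assumptions: wan1 is the public interface, the peer's public IP is
# 203.0.113.1, the existing L3 tunnel to the peer stays as it is, the
# VLAN to be stretched sits on port5, and lo-vxlan is a new loopback.
config system interface
    edit "lo-vxlan"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
    next
end

# Second phase1 to the same remote-gw, bound to the loopback address.
# The distinct local-gw is what lets this IKE SA coexist with the
# existing L3 tunnel that uses the wan1 address.
config vpn ipsec phase1-interface
    edit "site-b-vxlan"
        set type static
        set interface "wan1"
        set ike-version 2
        set local-gw 10.255.255.1
        set remote-gw 203.0.113.1
        set peertype one
        set localid "siteA-vxlan"
        set peerid "siteB-vxlan"
        set nattraversal forced
        set encapsulation vxlan
        set encapsulation-address ike
        set proposal aes256gcm-prfsha384
        set dhgrp 20
        set psksecret <psk>
    next
end

config vpn ipsec phase2-interface
    edit "site-b-vxlan-p2"
        set phase1name "site-b-vxlan"
        set proposal aes256gcm
        set dhgrp 20
        set pfs enable
    next
end

# Bridge the VXLAN tunnel interface with the LAN port so Ethernet frames
# from that VLAN are switched across the tunnel instead of routed.
config system switch-interface
    edit "sw-vxlan"
        set vdom "root"
        set member "site-b-vxlan" "port5"
    next
end
```

The peer side mirrors this with the IDs swapped. Because the VXLAN tunnel is its own phase1, the existing layer 3 tunnel and its routes and policies are untouched; what changes is that the peer now sees two IKE sessions from the same public address, one of them NAT-T encapsulated from the translated loopback, distinguished by local-gw and peer ID.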
emnoc wrote:
You can always use a loop0 interface and set that as the src-address. You will need a rule to SNAT the address and ensure NAT-T is used. I would also define a peerid (string, FQDN or email ... just pick one).
Ken Felix

Hello Ken,
Is there a configuration example I can follow to set up the VPN using a loopback interface? Would it work if I use a loopback interface at both ends?
I would say no, not possible, because VXLAN over IPSec uses IPsec encapsulation in phase1 config, unlike "native" VXLAN with VLANs. So far I don't see a way to carry VLAN tags over VXLAN over IPsec either.
Maybe in 6.6?
Toshi
toshiesumi wrote:
I would say no, not possible, because VXLAN over IPSec uses IPsec encapsulation in phase1 config, unlike "native" VXLAN with VLANs. So far I don't see a way to carry VLAN tags over VXLAN over IPsec either.
Maybe in 6.6?
Toshi

Thanks Toshi. According to FortiGate it is possible to send multiple VLANs over a virtual wire pair, please see the link below. However, when I last tested this it did not work for some reason.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47557
That KB is missing details in the IPsec config, fwiw.
Ken Felix
PCNSE
NSE
StrongSwan
Copyright 2024 Fortinet, Inc. All Rights Reserved.