Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

IPsec VXLAN point to point with path diversity

What's the best way to configure a vlxan tunnel between two sites utilising path diversity?


In the attached sketch, we already establish a single ipsec tunnel on each wan interface to various endpoints within our "cloud" and ospf is used for failover. We have a need for a vxlan tunnel to join an interface at each site on layer 2 and the expectation is that it will take advantage of the existing path diversity. Obviously to do so the vxlan tunnel cannot terminate on any wan interface. The path will traverse multiple FGTs within our network (not shown).


Would it be best to:

- build the tunnel to a loopback interface on each FGT? (sounds easy)

- use a vdom in each FGT and build the tunnel on the virtual-link? (sounds harder)

- something else?


Other than MTU (which is controllable and likely not an issue) I assume there is no issue with running the vxlan tunnel within the existing tunnels?


We run 5.4 in production, any advantage in moving to 5.6 for this?


So far in bench testing we have built the vxlan tunnel to a loopback interface on each FGT, with the FGTs back to back on wan1.

The tunnel is working fine which essentially answers the question above. We will now add the real world paths and diversity but that shouldn't change anything.

Top Kudoed Authors