Question, I set up a VXLAN over IPSEC with a soft switch to extend a network to a remote site. It works, however, I have multiple ISPs and want to have a backup path for the VXLAN over IPSEC. I was able to get it work by adding the additional "ports" to the software switch.
Is it possible to control which one is the "primary" tunnel for the VXLAN extended network? One has lower latency then the other and right now it is hit and miss which one it uses.
Thank you in advance for any assistance.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I haven't done it myself. But based on the concept the VXLAN works and the fact that FGT doesn't do STP/RSTP, I don't think you can control which L2 path to take when redundancy exists between two switches on the FGT side. It would be decided by the switches('bridges') and you might or might not be able to control in case the hops are the same. But I believe at least FGTs pass BPDUs over VXLAN (I tested only over physical link though) by default without additional config.
However, I can think of a way to get the same outcome at L3 level with a FGT pair on both ends with link-monitor.
First you set a lower number of priority or distance on the primary static route over the primary VPN, then set opposite on the backup route. Then you need to configure a set of tunnel interface IPs on both ends at least on the primary VPN (it's probably not in the VXLAN over IPsec config doc), you should be able to ping the IP on the opposite end to detect the primary IPsec down with a link-monitor. In the link-monitor, you can remove the static route on the primary side to use the backup VPN when the tunnel goes down.
If you decide to adopt this idea, please let me know if it worked or not. I don't see any reason not to work though.
Is it possible to connect to 2 different vpns at the same time? Need to access 2 different programs through 2 different vpns at the same time
First, my suggestion never disconnect VPNs. Just control the routes. Both VPNs are up all the time.
Besides, if applications use two VPNs independently, that's NOT VXLAN. Or outside of VXLAN. If a VXLAN shares one subnet, say 192.168.1.0/24, between two locations, while 172.x.y.z/16s exists at both locations for the applications, those applications wouldn't be affected by VXLAN. They are two different/independent things each other.
Actually I just pointed out my original idea's flaw myself. There is no routes to control for VXLAN traffic by link-monitor. Sorry.
You really need to do it with spanning-tree protocol on the switch side.
yeah I was going to say the same thing.
BAck to OP issues, are BPDUs being sent over ipsec-tunnels ?
diag sniffer packet any "not ip" 4
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1519 | |
1019 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.