Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
danielrgrein
New Contributor

Layer 2 VXLAN via VPN tunnels -Multiple VPN Tunnels How to Prioritize

Question, I set up a VXLAN over IPSEC with a soft switch to extend a network to a remote site.  It works, however, I have multiple ISPs and want to have a backup path for the VXLAN over IPSEC.  I was able to get it work by adding the additional "ports" to the software switch.

 

Is it possible to control which one is the "primary" tunnel for the VXLAN extended network?  One has lower latency then the other and right now it is hit and miss which one it uses.

 

Thank you in advance for any assistance.

5 REPLIES 5
Toshi_Esumi
SuperUser
SuperUser

I haven't done it myself. But based on the concept the VXLAN works and the fact that FGT doesn't do STP/RSTP, I don't think you can control which L2 path to take when redundancy exists between two switches on the FGT side. It would be decided by the switches('bridges') and you might or might not be able to control in case the hops are the same. But I believe at least FGTs pass BPDUs over VXLAN (I tested only over physical link though) by default without additional config.

 

However, I can think of a way to get the same outcome at L3 level with a FGT pair on both ends with link-monitor.

First you set a lower number of priority or distance on the primary static route over the primary VPN, then set opposite on the backup route. Then you need to configure a set of tunnel interface IPs on both ends at least on the primary VPN (it's probably not in the VXLAN over IPsec config doc), you should be able to ping the IP on the opposite end to detect the primary IPsec down with a link-monitor. In the link-monitor, you can remove the static route on the primary side to use the backup VPN when the tunnel goes down.

 

If you decide to adopt this idea, please let me know if it worked or not. I don't see any reason not to work though.

andyhilton27

Is it possible to connect to 2 different vpns at the same time? Need to access 2 different programs through 2 different vpns at the same time 

mcdvoice mybkexperience

Toshi_Esumi

First, my suggestion never disconnect VPNs. Just control the routes. Both VPNs are up all the time.

Besides, if applications use two VPNs independently, that's NOT VXLAN. Or outside of VXLAN. If a VXLAN shares one subnet, say 192.168.1.0/24, between two locations, while 172.x.y.z/16s exists at both locations for the applications, those applications wouldn't be affected by VXLAN. They are two different/independent things each other.

Toshi_Esumi

Actually I just pointed out my original idea's flaw myself. There is no routes to control for VXLAN traffic by link-monitor. Sorry.

You really need to do it with spanning-tree protocol on the switch side.

emnoc
Esteemed Contributor III

yeah I was going to say the same thing.

 

BAck to  OP issues, are  BPDUs being sent over ipsec-tunnels ?

 

 

  diag sniffer packet any "not ip" 4  

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors