I allow myself to write this post because I have a lot of difficulty in configuring vxlan over ipsec, the operation is not guaranteed (at least from my experience)
from the FortiOS version 5.6.2 vxlan can be used natively
considered that the
[ul]
I decided to make a configuration using IPSEC with loopback interface and use the native vxlan with the loopback interfaces.
With this configuration, traffic with the native vxlan is encrypted with the IPSEC
attached the configuration adopted between fortigate 80E and Fortigate 90E
######################### FTG80E ###############
##creation of subnet address
config firewall address
edit "LoopBackLocal172.30.31.0"
set subnet 172.30.31.0 255.255.255.0
next
edit "LoopBackRemote172.30.30.0"
set subnet 172.30.30.0 255.255.255.0
next
end
########## loopback interface creation ##########
config system interface
edit "Loopback"
set vdom "root"
set ip 172.30.31.1 255.255.255.0
set allowaccess ping https ssh http
set type loopback
next
end
########## phase 1 configuration #########
config vpn ipsec phase1-interface
edit "VXlanSuIpsec"
set interface "wan1"
set keylife 28800
set peertype any
set proposal aes128-sha1 aes256-sha256 aes128-sha256 aes256-sha1
set dhgrp 14 2
set remote-gw #remote ip public
set psksecret 123456789
next
end
########## phase 2 configuration ##########
config vpn ipsec phase2-interface
edit "VXlanIpsecPh2"
set phase1name "VXlanSuIpsec"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm
set dhgrp 14 2
set keepalive enable
set src-addr-type name
set dst-addr-type name
set keylifeseconds 3600
set src-name "LoopBackLocal172.30.31.0"
set dst-name "LoopBackRemote172.30.30.0"
next
end
######### native vxlan configuration using vpn ipsec with loopback interface ########
config system vxlan
edit "vxlan"
set interface "Loopback"
set vni 1
set remote-ip "172.30.30.1"
next
end
config system interface
edit "vxlan"
set vdom "root"
set type vxlan
set interface "Loopback"
next
end
######## Virtual Switch Configuration for bridge between native vxlan and port 7. #########
######## port 7 firewall must be configured in trunk on switch port ##########
config system switch-interface
edit "Switch-Vxlan"
set vdom "root"
set member "port7" "vxlan"
next
end
######## Policy configuration ######
config firewall policy
edit 1
set name "Loopback TO ipsecVPN"
set srcintf "Loopback"
set dstintf "VXlanSuIpsec"
set srcaddr "LoopBackLocal172.30.31.0"
set dstaddr "LoopBackRemote172.30.30.0"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "ipsecVPN TO Loopback"
set srcintf "VXlanSuIpsec"
set dstintf "Loopback"
set srcaddr "LoopBackRemote172.30.30.0"
set dstaddr "LoopBackLocal172.30.31.0"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
############# static route configuration ##########
########## remember to add the default gateway associated with wan1 ############
config router static
edit 2
set dst 172.30.30.0 255.255.255.0
set distance 1
set device "VXlanSuIpsec"
next
end
########################### FTG90E ###############
##creation of subnet address
config firewall address
edit "LoopBackLocal172.30.30.0"
set subnet 172.30.30.0 255.255.255.0
next
edit "LoopBackRemote172.30.31.0"
set subnet 172.30.31.0 255.255.255.0
next
end
########## loopback interface creation ##########
config system interface
edit "Loopback"
set vdom "root"
set ip 172.30.30.1 255.255.255.0
set allowaccess ping https ssh http
set type loopback
next
end
########## phase 1 configuration #########
config vpn ipsec phase1-interface
edit "VXlanSuIpsec"
set interface "wan1"
set keylife 28800
set peertype any
set proposal aes128-sha1 aes256-sha256 aes128-sha256 aes256-sha1
set dhgrp 14 2
set remote-gw #remote ip public
set psksecret 123456789
next
end
########## phase 2 configuration ##########
config vpn ipsec phase2-interface
edit "VXlanIpsecPh2"
set phase1name "VXlanSuIpsec"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm
set dhgrp 14 2
set keepalive enable
set src-addr-type name
set dst-addr-type name
set keylifeseconds 3600
set src-name "LoopBackLocal172.30.30.0"
set dst-name "LoopBackRemote172.30.31.0"
next
end
######### native vxlan configuration using vpn ipsec with loopback interface ########
config system vxlan
edit "vxlan"
set interface "Loopback"
set vni 1
set remote-ip "172.30.31.1"
next
end
config system interface
edit "vxlan"
set vdom "root"
set type vxlan
set interface "Loopback"
next
end
######## Virtual Switch Configuration for bridge between native vxlan and port 7. #########
######## port 7 firewall must be configured in trunk on switch port ##########
config system switch-interface
edit "Switch-Vxlan"
set vdom "root"
set member "internal7" "vxlan"
next
end
######## Policy configuration ######
config firewall policy
edit 1
set name "Loopback TO ipsecVPN"
set srcintf "Loopback"
set dstintf "VXlanSuIpsec"
set srcaddr "LoopBackLocal172.30.30.0"
set dstaddr "LoopBackRemote172.30.31.0"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "ipsecVPN TO Loopback"
set srcintf "VXlanSuIpsec"
set dstintf "Loopback"
set srcaddr "LoopBackRemote172.30.31.0"
set dstaddr "LoopBackLocal172.30.30.0"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
########## loopback interface creation ##########
########## remember to add the default gateway associated with wan1 ############
config router static
edit 2
set dst 172.30.31.0 255.255.255.0
set distance 1
set device "VXlanSuIpsec"
next
end
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
"so are you able to get HTTPS working with native vxlan with 802.1q ?"
yes
Hi,
I am struggling a while with the same thing. Fortigate E30 - firmware 5.6.4
I was able to configure the vxlan with the following procedure:
https://travelingpacket.com/2017/09/28/fortigate-vxlan-encapsulation/
I also use 802.1q, LAN port isa trunk on the switch
I am able to ping trough the vxlan ipsec tunnel to the devices at the other site so my vxlan configuration works.
But when i try fileservices, webapplications it's not possible.
It has something to do with MTU size but I can 't figure it out. When i lower my MTU size on my laptop everything goes fine. So I would like to set the MTU size of my vxlan-switch higher but thats not allowed.
I get the message 'MTU size is not valid, should be in range of 68 - 1500'
Did you also suffer from this? Any solutions?
Thx,
Tom
I've had similar problems try using a laptop with linux and see if you have the same web access problems. with linux laptop I had behaviors different from laptop windows, I did not understand the reason. if you use the trunk on the primary and secondary site switches, on the secondary site try to access the interface with the same pvid of the source trunk however vxlan on ipsec does not support 802.1q. So you can not pass more vlan even if it seems that at the IP or icmp level there is availability or reachability.
Try to use my configuration and let me know if it works I have tested it thoroughly without problems.
Hi Macarleo,
802.1q support with VXLAN over IPSec. I tested in my lab and i can see the Firewall passing the tags across the Ipsec tunnel.
However NATIVE VXLAN isnt working for me , Also I see you have configured the vxlan remote ip as local loopback IP,
i believe it should be the remote loopback ip
Hello from my tests in the laboratory it seems to me that apparently the vlan pass correctly on IPSEC, in fact at ICMP level I did not detect problems but when I used the HTTPS protocols I detected problems. however, the conversation with the fortinet support is attached. vxlan on ipsec does not support 802.1q.
I did not understand what you mean by: "Also I see you have configured the vxlan remote ip as local loopback IP, i believe it should be the remote loopback ip"
Best Regards
Mariano
so are you able to get HTTPS working with native vxlan with 802.1q ?
I have exactly the same question, ICMP also works for me, but other protocols http, fileservices not.
So actually it doesn 't work because we cannot use it if only ICMP works.
What do they mean with 802.1q is not supported with VXLAN over IPSEC?
When I lower MTU on my laptop everything works fine, (I configured my both swich ports as trunks).
At the switch at the other side of the tunnel I am able to put AccessPoints, Client PC's, Printers in differrent vlans and when I lower MTU everything works. But lowering MTUI of every device is not solution so I would like to change MTU setting on vxlan. But I have no idea what and where i should configure it.
I opened a case and keep you posted. Let me know if you guys find anything....
"so are you able to get HTTPS working with native vxlan with 802.1q ?"
yes
Hi,
I configured our fortigates (both 30E) according to your info and it works like a charm.
I tested https, fileservices, email, skype...everything went smooth.
Next week I will test more thoroughly or let users use it and see if they are satisfied.
Thank you very much !!!!
Kind Regards,
Tom
Excellent guide
thank you
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.