Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: VXLAN over IPSEC
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VXLAN over IPSEC
Hi!
I was wondering if any of you could helpo me out making this work,
I"m runnning 2 VM64 Fortigate on a ESXi server, through 2 VyOS router to emulate.
Version 5.6.3
The tunnel is up, but somehow, ARP requests are not getting through:
FortiGate-VM64 # diag netlink brctl name host VXLAN-INTERFACE show bridge control interface VXLAN-INTERFACE host. fdb: size=2048, used=3, num=3, depth=1 Bridge VXLAN-INTERFACE host table port no device devname mac addr ttl attributes 1 6 port4 00:0c:29:d6:62:ab 51 Hit(51) 2 17 VXLAN 5e:9f:e8:0f:21:a6 0 Local Static 1 6 port4 00:0c:29:0f:47:91 0 Local Static
interfaces=[any] filters=[host 10.0.11.100 and arp] 15.470412 port4 in arp who-has 10.0.11.101 tell 10.0.11.100 15.470449 VXLAN out arp who-has 10.0.11.101 tell 10.0.11.100 16.487104 port4 in arp who-has 10.0.11.101 tell 10.0.11.100 16.487121 VXLAN out arp who-has 10.0.11.101 tell 10.0.11.100 17.511047 port4 in arp who-has 10.0.11.101 tell 10.0.11.100 17.511059 VXLAN out arp who-has 10.0.11.101 tell 10.0.11.100 18.535167 port4 in arp who-has 10.0.11.101 tell 10.0.11.100 18.535191 VXLAN out arp who-has 10.0.11.101 tell 10.0.11.100
here's my config:
edit "port2" set vdom "root" set ip 84.84.85.2 255.255.255.0 set allowaccess ping set type physical set alias "WAN1" set role wan set snmp-index 2 next
edit "VXLAN" set vdom "root" set type tunnel set snmp-index 12 set interface "port2" next
config vpn ipsec phase1-interface edit "VXLAN" set interface "port2" set peertype any set proposal des-md5 set encapsulation vxlan set encapsulation-address ipv4 set encap-local-gw4 84.84.85.2 set encap-remote-gw4 84.84.86.2 set remote-gw 84.84.86.2 set psksecret ENC OWif8UtnjVfxFQDRN8ajAv/Ten/+O8xoWmIRA1fylLgeGljO1jb+irdNGhDpwlOJD5SJzW4uycM4fDZ2ISwWZUzCCeGKS2q2Df8PQ+qz4Q3pKS4FRd1/IpIYC1dcnnpsEixK5NuYyThTKHc9AoCZF0FT3akcZjevsHKb9m+CV/6VNE9ZY6mDy9bwcDrc7mSiie+mIg== next end
config vpn ipsec phase2-interface edit "VXLAN_ph2" set phase1name "VXLAN" set proposal des-md5 next end
config system switch-interface edit "VXLAN-INTERFACE" set vdom "root" set member "port4" "VXLAN" set intra-switch-policy explicit next end
config firewall policy edit 1 set name "VXLAN-INCOMING" set uuid 1d96cbcc-3d91-51e8-585d-00de8ce55269 set srcintf "VXLAN" set dstintf "port4" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next edit 2 set name "VXLAN-OUTGOING" set uuid 2c5fe85a-3d91-51e8-7c00-653d11fab724 set srcintf "port4" set dstintf "VXLAN" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next end
Thanks for the help!
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So your closer to your identification of the problems(s)
Have you ran the diag debug flow and validate the configurations are correct?
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everybody,
I think it is not necessary to create a new thread so I will kindly join this one. I try to setup VXLAN over IPSEC according to these guides:
http://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD40170
https://travelingpacket.com/2017/09/28/fortigate-vxlan-encapsulation/
My goal is to build a L2 VPN between two FortiGates using VxLAN over IPsec. Or simply put: interconnect a detached branch to HQ according this scenario:
CISCO switchport --- (trunk)----HQ_Fortigate ----Internet(IPSEC)----Branch_ Fortigate---(trunk)---Cisco switchport
I hope I am close to be successfull however I am still fighting (probably) with MTU/MSS settings. The maximum ICMP packet size between clients on HQ and Branch side (incl. header) is 1390 Bytes regardless to "Don't Fragment Flag is set or not. Larger packet does not pass. That of course causes many problems with http/https traffic and other "usual" network services.
Could anyone advise how to handle with MTU/MSS settings on Fortigate? Firmware is v5.6.4. I can provide all the necessary output form debug.
Thank you in addition
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jan,
There is no fix, only a workaround for the MTU issue:
The workaround is to stop honoring the DF bit:
config system global
set honor-df disable
end
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice,
60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail
100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B,
11C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Thank you for your feedback and very inspirational topic. I've done some investigation and here is my temporary conclusion.
set honor-df disable possibly can do certain job in case I want to forward untagged traffic (switchport in access mode). However this setting does not affect tagged traffic (switchport in trunk mode). I've noticed that it is better to use separate VDOM for software switch and corresponding interfaces because of arp request. That may help to the founder of this topic. Untaged traffic would be let say good enough but I wanted more.
Here is my solution:
1)I've created an usual IPSEC tunnel with loopback interfaces. Notice, there in no "set encapsulation vxlan"
config vpn ipsec phase1-interface edit "vxlan_ph1" set interface "wan1" set ike-version 2 set peertype any set proposal aes256-sha512 set nattraversal disable set remote-gw remote_IP_address set psksecret ENC mysecredpassword next end config vpn ipsec phase2-interface edit "vxlan_ph2" set phase1name "vxlan_ph1" set proposal aes256-sha512 set auto-negotiate enable set src-subnet 172.30.31.0 255.255.255.0 //IP address of local loobpack inteface. (Of cource, there could be /32 prefix :) ) set dst-subnet 172.30.30.0 255.255.255.0 //IP address of remote loobpack inteface. next end
2) Next step is to configure "native" vxlan according this reference: http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-whats-new/Top-Network-vxlan.htm
config system vxlan edit "vxlan1" set interface "loop1" //local loopback interface set vni 1 set remote-ip "172.30.30.1" //remote loopback int. IP address next end
This configuration makes the "vxlan1" interface:
edit "vxlan1"
set vdom "root" set type vxlan set snmp-index 9 set interface "loop1"
3) The last step is to put the physical port "internal4" and vxlan interface "vxlan1" into the soft switch:
config system switch-interface edit "sw_switch" set vdom "root" set member "internal4" "vxlan1" // next end
After that I am able to transfer tagged traffic from HQ switchport to the branch switchport without packet loss and MTU is no problem any more. Unfortunatelly, I have to break next investigation / debug because I had to return the borrowed device. Anyway, I hope that my approach could help.
*English is not my mother tongue, please excuse any errors on my part.
Jan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I didn't find an issue with vlans going across VxLan but the https/printer traffic. IP Telephony, Access Points works just fine - all receive tagged traffic in its vlans. Funny but Access Points connected to Wireless Controller works with https traffic. The only workaround I found for https traffic is to send native vlan for PCs to allow https traffic to go through tunnel without fragmentation. MTU is a problem and I couldn't find a solution for that. I've tested that on various FortiOS versions. 6.0.5 was the recent. If anyone found a solution for https through vxlan over ipsec please let me know.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that is 6.2.x in my opinion. it did clear up issues like this for me.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If anyone else is deploying this in labs or on ESXi, you need to have the vSwitch Security configured to Accept all three (Promiscuous, MAC address changes, and Forged trandsmits).
Was getting Destination host unreachable, and Timed out when testing - enabled those after finding someone who mentioned it offhand in a lab guide, and suddenly everything sprang to life.
Hope it helps
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Problem with VPN autoconnect 68 Views
- IPSec + Forticlient VPN + SAML? 63 Views
- Ask - Use Fortigate - Web... 41 Views
- Site to Site IPSEC between to... 109 Views
- VXLAN discussion/design questions? 55 Views
Labels
-
FortiGate
8,522 -
FortiClient
1,724 -
5.2
801 -
FortiManager
716 -
5.4
639 -
FortiAnalyzer
548 -
FortiSwitch
463 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
225 -
FortiWeb
201 -
5.0
196 -
IPsec
191 -
FortiNAC
181 -
FortiGuard
136 -
6.4
128 -
SD-WAN
112 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
85 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
74 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
48 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
41 -
DNS
41 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
34 -
Authentication
33 -
SSO
31 -
Interface
31 -
NAT
31 -
RADIUS
30 -
FortiConnect
28 -
FortiLink
27 -
FortiWAN
26 -
Web profile
26 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
FortiPAM
22 -
Virtual IP
22 -
SSL SSH inspection
21 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
Intrusion prevention
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1665 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.