Laserline-Sys-team
New Contributor

VXLAN over an IPsec problem with switch-interface

Goal: Set up VXLAN over IPsec to stretch the LAN over the Internet to another location

Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-setup-a-VXLAN-over-IPsec-deployment...

Device: FG-60F v7.2.6

Configuration: factory default, wan1 set as Internet interface, internal VLAN Switch as LAN interface with members internal1-5

Problem: adding the existing LAN interface internal1 to a soft switch interface causes an error:

entry not found in datasource

Steps taken:

IPsec tunnel is already configured.

Set up the VXLAN peer based on the IPsec tunnel interface:

config system vxlan
    edit "VxLAN-Interface"
        set interface "VPN-DR-IPSEC-VxLAN"
        set vni 11
        set remote-ip "10.10.11.2"
    next
end

Create a switch interface to bridge the local LAN interface with the newly created VXLAN interface:

config system switch-interface
    edit "VxLAN-Switch"
        set vdom "root"
        set member "internal1" "VxLAN-Interface"

---> entry not found in datasource

 

spoojary
Staff

Make sure internal1 is not being used in any of the interfaces.

Siddhanth Poojary
Laserline-Sys-team

Hi, thanks for the reply. If I understood correctly, we are creating a switch interface to bridge the local LAN interface with the newly created VXLAN interface, as stated in the documentation: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-setup-a-VXLAN-over-IPsec-deployment...

Also, in the document's picture and config, the existing port3 connected to the LAN is added as a member of the new switch-interface:

set member "port3" "vxlanInterface"

Dhruvin_patel

Greetings!

Remove all the references to interface "internal1".

Remove references such as firewall policies, routes, DHCP servers, and IP addresses on interface "internal" and interface "internal1"; internal1 should not be part of any other software or hardware switch.

Regards!

If you have found a solution, please like and accept it to make it easily accessible for others.

Dhruvin Patel
Laserline-Sys-team

Hi, thanks for the reply. In the documentation, the active LAN interface is added to the new switch-interface.

gianuh2
New Contributor

DF is required for VXLAN. PMTUD doesn't necessarily work with an L2 tunnel either. You may be able to configure the firewall to ignore the DF bit on IPsec encap/decap, but performance will likely suffer. You really need VXLAN routing instead of bridging for this to work with VXLAN, since that way you can crank down the MTU on the SVI (allows PMTUD to actually work) or adjust tcp-mss to help with making things work more efficiently.

Laserline-Sys-team

Hi, thanks for the reply. Any info on how to configure vxlan-routing? The goal is to stretch the LAN through the IPsec tunnel.
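One way to put the replies above into practice, added here as an example and not part of the thread or of Fortinet's documentation: it assumes the LAN ports sit in a hardware switch named "internal" configured under `config system virtual-switch` (the FG-60F layout described in the question; exact syntax varies by model), and that the IPsec interface "VPN-DR-IPSEC-VxLAN" already exists.

```fortios
# Added example, not from the thread. Assumes hardware switch "internal" holding
# internal1-5 and an existing IPsec interface "VPN-DR-IPSEC-VxLAN".

# 1. "entry not found in datasource" is raised because internal1 is still a member
#    of the "internal" hardware switch. Release it first. Hosts on internal1 will
#    then be on a separate L2 segment from internal2-5 until the bridge is up.
config system virtual-switch
    edit "internal"
        config port
            delete "internal1"
        end
    next
end

# 2. internal1 is now a free physical port; make sure nothing else references it
#    (no IP, no policy, no DHCP server, no route) before bridging it.
config system interface
    edit "internal1"
        unset ip
    next
end

# 3. VXLAN peer over the IPsec tunnel, as in the original post.
config system vxlan
    edit "VxLAN-Interface"
        set interface "VPN-DR-IPSEC-VxLAN"
        set vni 11
        set remote-ip "10.10.11.2"
    next
end

# 4. Software switch bridging the freed port with the VXLAN interface.
config system switch-interface
    edit "VxLAN-Switch"
        set vdom "root"
        set member "internal1" "VxLAN-Interface"
    next
end

# 5. Verify: internal1 must appear only under VxLAN-Switch, not under "internal".
show system virtual-switch
show system switch-interface
```

Address the firewall policies and DHCP server that previously pointed at the "internal" switch to "VxLAN-Switch" (or a VLAN on it) so LAN traffic is still allowed once the bridge carries it.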
