VXLAN over an IPsec problem with switch-interface
Goal: Set up VxLAN over IPSEC to stretch LAN over Internet to another location
Device: FG-60F v7.2.6
Configuration: factory default, wan1 set as Internet interface, internal VLAN Switch as LAN interface with members internal1-5
Problem: adding existing LAN interface internal1 to soft switch interface causes an error:
entry not found in datasource
Steps taken:
IPSEC tunnel is already configured
Set up the VXLAN peer based on the IPsec tunnel interface
config system vxlan
    edit "VxLAN-Interface"
        set interface "VPN-DR-IPSEC-VxLAN"
        set vni 11
        set remote-ip "10.10.11.2"
    next
end
Create a switch interface to bridge the local LAN interface with the newly created VXLAN interface
config system switch-interface
    edit "VxLAN-Switch"
        set vdom "root"
        set member "internal1" "VxLAN-Interface"
        ---> entry not found in datasource
Labels: FortiGate
Make sure internal 1 is not being used in any of the interfaces.
Created on 09-04-2024 05:37 AM, edited on 09-04-2024 05:38 AM
Hi, thanks for the reply. If I understood correctly, we are creating a switch interface to bridge the local LAN interface with the newly created VXLAN interface, as stated in the documentation: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-setup-a-VXLAN-over-IPsec-deployment...
Also, on the document picture and config, existing port3 connected to LAN is added as the member of new switch-interface
set member "port3" "vxlanInterface"
Greetings!
Remove all the references for interface "internal1".
References such as firewall policies, routes, DHCP server, and the IP address on interface "internal"; and interface "internal1" should not be part of any other software or hardware switch.
Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
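The replies above point at the usual cause of "entry not found in datasource" here: on a factory-default FG-60F, internal1 is still a member of the built-in hardware switch (the "internal" LAN interface), so it is not available to a software switch. The following is an added example of the complete sequence, not configuration from the original post or from Fortinet documentation; it assumes the hardware switch object is named "internal" and that the diagnose check reports no remaining references to internal1 (tunnel name, VNI and remote IP are those from the original post).

```fortios
# Added example (assumptions: hardware switch object "internal", references to internal1 already removed)
# 1. List what still references internal1; it must come back empty before the port can join a soft switch
diagnose sys checkused system.interface.name internal1

# 2. Detach internal1 from the hardware switch so it becomes a free physical port
config system virtual-switch
    edit "internal"
        config port
            delete "internal1"
        end
    next
end

# 3. VXLAN endpoint riding on the IPsec tunnel interface
config system vxlan
    edit "VxLAN-Interface"
        set interface "VPN-DR-IPSEC-VxLAN"
        set vni 11
        set remote-ip "10.10.11.2"
    next
end

# 4. Software switch bridging the freed LAN port with the VXLAN interface
config system switch-interface
    edit "VxLAN-Switch"
        set vdom "root"
        set member "internal1" "VxLAN-Interface"
    next
end
```

Re-run the diagnose command after step 2 if the switch-interface edit still fails; any policy, route, DHCP server or address left on internal1 will block the member assignment.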
Hi, thanks for the reply. In the documentation, the active LAN interface is added to the new switch-interface.
DF is required for VXLAN. PMTUD doesn’t necessarily work with an L2 tunnel either. You may be able to configure the firewall to ignore the DF bit on IPsec encap/decap, but performance will likely suffer. You really need vxlan-routing instead of bridging for this to work with VXLAN, since that way you can crank down the MTU on the SVI (allows PMTUD to actually work) or adjust tcp-mss to help with making things work more efficiently.
Hi, thanks for the reply. Any info on how to configure vxlan-routing? The goal is to stretch the LAN through the IPsec tunnel.
