Goal: Set up VxLAN over IPSEC to stretch LAN over Internet to another location
Device: FG-60F v7.2.6
Configuration: factory default, wan1 set as Internet interface, internal VLAN Switch as LAN interface with members internal1-5
Problem: adding existing LAN interface internal1 to soft switch interface causes an error:
entry not found in datasource
Steps taken:
IPSEC tunnel is already configured
Set up the VXLAN peer based on the IPsec tunnel interface
config system vxlan
edit "VxLAN-Interface"
set interface "VPN-DR-IPSEC-VxLAN"
set vni 11
set remote-ip "10.10.11.2"
Create a switch interface to bridge the local LAN interface with the newly created VXLAN interface
config system switch-interface
edit "VxLAN-Switch"
set vdom "root"
set member "internal1" "VxLAN-Interface"
---> entry not found in datasource
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Make sure internal 1 is not being used in any of the interfaces.
Created on 09-04-2024 05:37 AM Edited on 09-04-2024 05:38 AM
Hi, thanks for the reply. If I understood correctly, we are creating a switch interface to bridge the local LAN interface with the newly created VXLAN interface, as stated in the documentation: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-setup-a-VXLAN-over-IPsec-deployment...
Also, on the document picture and config, existing port3 connected to LAN is added as the member of new switch-interface
set member "port3" "vxlanInterface"
Greetings!
Remove all the references for interface "internal1".
References like firewall policies, route, DHCP server, and IP address on interface "internal " and interface "internal1" should not be part of any other software or hardware switch.
Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
Hi, thanks for the reply. In documentation, active LAN interface is added to new switch-interface.
DF is required for vxlan. Pmtud doesn’t necessarily work with a L2 tunnel either. You may be able to configure the firewall to ignore DF bit on ipsec encap/decap, but performance will likely suffer. You really need vxlan-routing instead of bridging for this to work with vxlan, since that way you can crank down the MTU on the SVI (allows pmtud to actually work) or adjust tcp-mss to help with making things work more efficiently https://tutuapp.uno/ .
Hi, thanks for the reply. Any info how to configure vxlan-routing? Goal is to stretch LAN trough IPSEC tunnel.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.