Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
smartini
New Contributor

VxLAN over IPSEC drives me crazy!

Hi,

there is this scenario:

HQ with FGT100E, and the firewall itself should be the BO remote network default gateway (192.168.113.254/24). It has a lot of networks configured; other networks can reach 192.168.113.0/24 through firewall routing.

BO with FGT30E, LAN network is 192.168.113.0/24.

 

I'd like to set up a VxLAN over IPSec between the two sites. I did it, but I can't manage the default gateway on the 100E without using a physical port. And I don't want to use ports because I have several BOs to connect in this way.

I need a L2 link between the BO net and the default gateway in the HQ firewall.

How can I manage this?

 

Best regards

funkylicious
Contributor III

I have set up something similar, where the device on the remote site was required to exit its local subnet, and I could only achieve it by connecting another physical port and doing the software switch w/ it and reaching the GW that was on another port, then being routed out.

smartini

thanks funkylicious,

the configuration of the BO firewall is quite clear, there is a software switch with the LAN port and the IPSEC interface with the VxLAN encapsulation.

I'm not sure about the HQ firewall configuration...

funkylicious

It should be similar on the FGT, w/ a soft-sw between the phase-1 intf and a port connected to a switch in mode access; this way you can reach the GW, which is in that VLAN on another port/sub intf.

smartini

The BO network 192.168.113.0/24 isn't in the HQ firewall; I need only to set up the default gateway 192.168.113.254 without bridging this network to others.

Can I do that?

funkylicious

I'm a little confused.

One of purposes of VxLAN is to extend an existing L2 network to another location over a L3 network.

 

Anyways, if it doesn't exist in HQ, then you would need to create it at VLAN/L2 level, on a different one from the existing ones to separate them, then create the GW on the FW w/ that IP.

smartini

Should I create a software switch too in the HQ fwl? I've tried to create a software switch with only the VxLAN over IPSec interface; I see the BO network devices in L2 (in device inventory) but I can't ping anything!

funkylicious

Ok, let's take the following diagram.

I want to extend the subnet 192.168.20.0/24, which is behind the HUB, to another location over the Internet. At the same time, I want to be able to access Lo0 8.8.8.8 via the existing GW of the network, which works just fine locally in the HUB/HQ.

 

[Diagram: HUB and Spoke-1 topology; image not reproduced]

 

I have port2, which is the GW for devices in that subnet (192.168.20.1/24).

I've configured VxLAN over IPsec between the devices, where I created (leaving aside the actual IPsec config):

- on Spoke-1 a software switch with the phase1 intf and port2 as members (ignore port3 on Spoke-1);

- on HUB a software switch of phase1 intf and port3 as members;

- port3 is connected to the switch on a port which is in mode access in the corresponding VLAN with the other devices;

- from VPC6 (192.168.20.200/24) I can reach the devices in the same network;

- from VPC6 I can reach the GW;

- I can exit the network via the GW.

 

This is what I've done and works as intended.

smartini

My scenario is a bit different: you have the same network in both sites.

In my HQ there is another network, but I want the L2 BO default gateway in that firewall! Only the gateway IP should be in the HQ firewall, so I can manage the traffic of the BO through the HQ firewall policies.

funkylicious

Just configure an IP on that software switch you created and define it as the GW, then control it with fw rules.
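Written out as FortiOS CLI, this is the design the thread converges on: VXLAN carried inside the IPsec tunnel on both FortiGates, a software switch on the BO bridging its LAN port with the tunnel, and a software switch on the HQ whose only member is the tunnel and which carries the 192.168.113.254 gateway address, so BO traffic is subject to HQ firewall policies. This is an added example, not configuration from either poster, and it is the configuration the last reply describes rather than a verified fix for the ping failure smartini reported. Tunnel names (vxlan-bo1, vxlan-hq), switch names (sw-bo1, sw-lan), WAN addresses (203.0.113.1, 198.51.100.1), port names (wan1, port1, wan, internal) and the <PSK> placeholder are all assumed.

```text
# Added example (not from either poster). All names and addresses are assumed.
# Replace <PSK> with a strong, per-site pre-shared key.

### HQ (FGT100E) ###
config vpn ipsec phase1-interface
    edit "vxlan-bo1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        # VXLAN is carried inside the tunnel; the VTEPs are the tunnel endpoints
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 203.0.113.1
        set encap-remote-gw4 198.51.100.1
        set remote-gw 198.51.100.1
        set psksecret <PSK>
    next
end
config vpn ipsec phase2-interface
    edit "vxlan-bo1"
        set phase1name "vxlan-bo1"
        set proposal aes256-sha256
        # transport mode: the ESP payload is the VXLAN/UDP packet itself
        set encapsulation transport-mode
    next
end
# Software switch whose only member is the tunnel: no physical port consumed.
config system switch-interface
    edit "sw-bo1"
        set vdom "root"
        set member "vxlan-bo1"
    next
end
# The switch interface carries the BO default gateway address.
config system interface
    edit "sw-bo1"
        set ip 192.168.113.254 255.255.255.0
        set allowaccess ping
    next
end
# BO traffic leaving through the gateway is now matched by HQ policies;
# narrow srcaddr to a 192.168.113.0/24 address object in production.
config firewall policy
    edit 0
        set name "bo1-to-hq-lan"
        set srcintf "sw-bo1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

### BO (FGT30E) ###
config vpn ipsec phase1-interface
    edit "vxlan-hq"
        set interface "wan"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 198.51.100.1
        set encap-remote-gw4 203.0.113.1
        set remote-gw 203.0.113.1
        set psksecret <PSK>
    next
end
config vpn ipsec phase2-interface
    edit "vxlan-hq"
        set phase1name "vxlan-hq"
        set proposal aes256-sha256
        set encapsulation transport-mode
    next
end
# LAN port and tunnel bridged: BO hosts see 192.168.113.254 as an L2 neighbour.
config system switch-interface
    edit "sw-lan"
        set vdom "root"
        set member "internal" "vxlan-hq"
    next
end
```

After both sides are applied, `diagnose vpn tunnel list` should show the tunnel up, and on the HQ `get router info routing-table all` should list 192.168.113.0/24 as a connected route on sw-bo1; a BO host pinging 192.168.113.254 then exercises the whole L2 path. Because `peertype any` accepts any peer presenting the PSK, the fixed `remote-gw` on each side and a distinct PSK per branch are what keep a leaked key from letting another site join this segment.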
