Hi,
there is this scenario:
HQ with an FGT100E; the firewall itself should be the BO remote network's default gateway (192.168.113.254/24). It has a lot of networks configured, and the other networks can reach 192.168.113.0/24 through firewall routing.
BO with an FGT30E; the LAN network is 192.168.113.0/24.
I'd like to set up VXLAN over IPsec between the two sites. I did it, but I can't manage the default gateway on the 100E without using a physical port, and I don't want to use ports because I have several BOs to connect in this way.
I need an L2 link between the BO network and the default gateway on the HQ firewall.
How can I manage this?
Best regards
I'm noticing a very strange thing: no policy is matched when I try to ping the remote network from the internal LAN... but the policy exists.
I am pretty sure that you have a physical interface in that software switch instead of the IPsec tunnel interface, because of the icon, which is the reason it is not working.
There isn't any interface with that name, and I don't have any other icon choice!
Hi, I confirm @funkylicious's reply; the icon could be this one in my capture.
The icon is a physical interface. You perhaps have a reference item in your IPsec interface, and you cannot add it to the software switch for that reason.
Best regards,
Ok, back to the basics.
Please provide a sanitized config of what's in place now, alongside the FW rules regarding this IPsec.
There is no physical interface with that name. The only reference with that name is the IPsec VPN with VXLAN encapsulation.
Strange, what is your version? If I can, I'll try your topology in the lab next week.
Thanks! The HQ firewall is a cluster of two 100E with FortiOS 6.0.16, the BO firewall is a single 30E with 6.0.16.
Let me know if you find something!
Hi,
I just did my lab with two FortiGates on 6.0.16.
I have no problem with the layer 2 tunnel.
DHCP is OK for the remote site, and Internet access too.
I have the switch with an implicit policy.
My configuration is below:
config vpn ipsec phase1-interface
    edit "to_sec"
        set interface "port4"
        set peertype any
        set proposal des-md5 des-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 1.1.1.1
        set encap-remote-gw4 2.2.2.2
        set remote-gw 2.2.2.2
        set psksecret sharekey
    next
end
config vpn ipsec phase2-interface
    edit "ph2"
        set phase1name "to_sec"
        set proposal des-sha256
        set auto-negotiate enable
    next
end
config system switch-interface
    edit "sw-vpn"
        set vdom "root"
        set member "port1" "to_sec"
    next
end
config system interface
    edit "sw-vpn"
        set vdom "root"
        set ip 192.168.113.254 255.255.255.0
        set allowaccess ping http
        set type switch
        set snmp-index 6
    next
    edit "to_sec"
        set vdom "root"
        set type tunnel
        set snmp-index 7
        set interface "port4"
    next
end
config firewall policy
    edit 1
        set name "sw--internet"
        set uuid 72e072dc-ce31-51ed-e1f1-1967c858200d
        set srcintf "sw-vpn"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set fsso disable
        set nat enable
    next
end
On the remote side, I have the same (IP modified in phase1 and another IP for the switch interface).
Best regards,
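An added check, not part of this thread and not Fortinet tooling: the Python below parses a FortiOS CLI dump into nested dicts and audits a software switch the way this thread debugs one. It reports the interface type of every switch member (so a member that is really a physical port rather than the IPsec tunnel shows up at once, and an IPsec member is checked for `set encapsulation vxlan`, since a plain L3 tunnel cannot be bridged), flags firewall policies that name a switch member instead of the switch (a member is absorbed into the switch, so such a policy never matches, which is the "no policy matched" symptom reported above), and flags DES/MD5/SHA1 proposals such as the ones in the lab config above. The embedded config is a constructed excerpt modelled on that lab config, with a second policy added to show the failure mode; it is not the HQ or BO configuration from the thread.

```python
"""Audit a FortiOS software switch that bridges a LAN port to a VXLAN-over-IPsec tunnel."""
import shlex

# Constructed sample, modelled on the lab config posted in this thread (not a real device dump).
# Policy 2 is deliberately wrong: it names the switch member "to_sec" instead of "sw-vpn".
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "to_sec"
        set proposal des-md5 des-sha1
        set encapsulation vxlan
    next
end
config vpn ipsec phase2-interface
    edit "ph2"
        set phase1name "to_sec"
        set proposal des-sha256
    next
end
config system switch-interface
    edit "sw-vpn"
        set member "port1" "to_sec"
    next
end
config system interface
    edit "port1"
        set type physical
    next
    edit "sw-vpn"
        set ip 192.168.113.254 255.255.255.0
        set type switch
    next
    edit "to_sec"
        set type tunnel
    next
end
config firewall policy
    edit 1
        set srcintf "sw-vpn"
        set dstintf "port3"
    next
    edit 2
        set srcintf "to_sec"
        set dstintf "port3"
    next
end
"""
WEAK_ALGS = {"des", "3des", "md5", "sha1"}


def parse_fortios(text):
    """Turn config/edit/set/next/end blocks into nested dicts; 'set' values become token lists."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return stack[0]


def audit_switch(cfg, switch):
    """Report member interface types and misconfigurations for one software switch."""
    ifaces = cfg.get("system interface", {})
    phase1 = cfg.get("vpn ipsec phase1-interface", {})
    sw = cfg.get("system switch-interface", {}).get(switch)
    if sw is None:
        return {"members": {}, "findings": [f"{switch}: no system switch-interface entry"]}
    findings, members = [], {}
    for m in sw.get("member", []):
        members[m] = ifaces.get(m, {}).get("type", ["unknown"])[0]
        if m in phase1 and phase1[m].get("encapsulation", ["none"])[0] != "vxlan":
            findings.append(f"{m}: IPsec member without 'set encapsulation vxlan'; a plain L3 tunnel cannot be bridged")
    # A member is absorbed into the switch: policies must name the switch, not the member.
    for pid, pol in cfg.get("firewall policy", {}).items():
        for key in ("srcintf", "dstintf"):
            for name in pol.get(key, []):
                if name in members:
                    findings.append(f"policy {pid}: {key} {name} is a member of {switch}; policies must reference {switch}")
    for section in ("vpn ipsec phase1-interface", "vpn ipsec phase2-interface"):
        for name, entry in cfg.get(section, {}).items():
            weak = sorted({a for prop in entry.get("proposal", []) for a in prop.split("-") if a in WEAK_ALGS})
            if weak:
                findings.append(f"{section} {name}: weak proposal algorithms {', '.join(weak)}")
    return {"members": members, "findings": findings}


if __name__ == "__main__":
    report = audit_switch(parse_fortios(SAMPLE_CONFIG), "sw-vpn")
    print(report["members"])
    for f in report["findings"]:
        print("finding:", f)
```

Run it against a real `show full-configuration` dump by replacing SAMPLE_CONFIG with the file contents; a switch whose only member is the tunnel, as the original poster wants, should list exactly one member of type `tunnel` and no policy findings.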
Thanks Jiulien,
in your test there isn't a software switch with only an IPsec interface.
Can you test it with only the IPsec interface in the software switch?
Best regards