Support Forum
New Contributor

VxLAN over IPSEC drives me crazy!


there is this scenario:

HQ with FGT100E: the firewall itself should be the BO remote network's default gateway (it has a lot of networks configured; other networks can reach it through firewall routing).

BO with FGT30E, LAN network is


I'd like to set up VxLAN over IPSec between the two sites. I can do it, but I can't manage the default gateway on the 100E without using a physical port, and I don't want to use ports because I have several BOs to connect in this way.

I need a L2 link between the BO net and the default gateway in the HQ firewall.

How can I manage this?


Best regards

Contributor III

I have set up something similar, where the device on the remote site was required to exit its local subnet, and could only achieve it by connecting another physical port and doing the software switch w/ it, reaching the GW that was on another port and then being routed out.


thanks funkylicious,

the configuration of the BO firewall is quite clear, there is a software switch with the LAN port and the IPSEC interface with the VxLAN encapsulation.

I'm not sure about the HQ firewall configuration..


It should be similar on the FGT, w/ a soft-sw between the phase-1 intf and a port connected to a switch in access mode; this way you can reach the GW which is in that VLAN on another port/sub-intf.


The network of the BO isn't in the HQ firewall; I only need to set up the default gateway without bridging this network to the others.

Can I do that?


I'm a little confused.

One of the purposes of VxLAN is to extend an existing L2 network to another location over an L3 network.


Anyway, if it doesn't exist in HQ, then you would need to create it at the VLAN/L2 level, on a different one from the existing ones to separate them, then create the GW on the FW w/ that IP.


Should I create a software switch in the HQ firewall too? I've tried to create a software switch with only the VxLAN over IPSec interface; I see the BO network devices at L2 (in device inventory) but I can't ping anything!


Ok, let's take the following diagram.

I want to extend the subnet /24 which is behind the HUB to another location over the Internet; at the same time, I want to be able to access Lo0 via the existing GW of the network, which works just fine locally in the HUB/HQ.

I have port2 which is the GW for devices in that subnet /24.

I've configured VxLAN over IPsec between the devices, where I created (leaving aside the actual IPsec config):

- on Spoke-1 a software switch with the phase1 intf and port2 as members (ignore port3 on Spoke-1)

- on HUB a software switch with the phase1 intf and port3 as members

- port3 is connected to the switch on a port which is in mode access in the corresponding VLAN with the other devices

- from VPC6 ( /24 ) I can reach the devices in the same network

- from VPC6 I can reach the GW

- I can exit the network via the GW


This is what I've done and works as intended.


My scenario is a bit different: you have the same network in both sites.

In my HQ there is another network, but I want the L2 BO default gateway in that firewall! Only the gateway IP should be in the HQ firewall so I can manage traffic of the BO through the HQ firewall policies.


Just configure an IP on that software switch you created and define it as the GW, then control it with FW rules.
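As an added illustration of the HQ-side setup described in this thread (not the configuration of either poster), the FortiOS CLI below builds the VxLAN-encapsulated phase1 interface, puts it alone in a software switch, gives that switch the BO gateway IP, and adds one policy so BO traffic is inspected by HQ rules. Interface names, the peer address, the subnet 192.168.50.0/24 and the PSK are constructed placeholders.

```fortios
# HQ side: VXLAN-over-IPsec tunnel whose IKE endpoints double as VXLAN endpoints
config vpn ipsec phase1-interface
    edit "bo1-p1"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set encapsulation vxlan
        set encapsulation-address ike
        set remote-gw 203.0.113.10
        set psksecret PLACEHOLDER_PSK
    next
end
config vpn ipsec phase2-interface
    edit "bo1-p2"
        set phase1name "bo1-p1"
        set proposal aes256-sha256
    next
end
# Software switch with only the tunnel as member: no physical port is consumed
config system switch-interface
    edit "bo1-sw"
        set vdom "root"
        set member "bo1-p1"
    next
end
# The switch IP is the default gateway the BO hosts point at
config system interface
    edit "bo1-sw"
        set ip 192.168.50.1 255.255.255.0
        set allowaccess ping
    next
end
# Traffic from the BO subnet now hits HQ policies like any other local segment
config firewall policy
    edit 0
        set name "bo1-to-internet"
        set srcintf "bo1-sw"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The BO side mirrors the phase1/phase2 blocks (with remote-gw pointing at HQ) and adds its LAN port to the software switch together with the tunnel, with no IP on that switch.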