Hi,
there is this scenario:
HQ with FGT100E and the firewall itself should be the BO remote network default gateway (192.168.113.254/24). It has a lot of networks configured, other networks can reach the 192.168.113.0/24 through firewall routing.
BO with FGT30E, LAN network is 192.168.113.0/24.
I'd like to setup a VxLAN over IPSec between two sites, I do it but I can't manage the default gateway in the 100E without using a physical port. And I don't want to use ports because I have several BO to connect in this way.
I need a L2 link between the BO net and the default gateway in the HQ firewall.
How can I manage this?
Best regards
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I have set something similar, where the device on the remote site was required to exit it's local subnet, and could only achieve it by connecting another physical port and doing the software switch w/ it and reaching the GW that was on another port then being routed out.
thanks funkylicious,
the configuration of the BO firewall is quite clear, there is a software switch with the LAN port and the IPSEC interface with the VxLAN encapsulation.
I'm not sure about the HQ firewall configuration..
it should be similar on the FGT, w/ soft-sw between the phase-1 intf and a port, connected to a switch in mode access, this way you can reach the GW which is in that vlan on another port/sub intf.
The network of the BO 192.168.113.0/24 there isn't in the HQ firewall, I need only to set up the default gateway 192.168.113.254 without bridging this network to others.
Can I do that?
I'm a little confused.
One of purposes of VxLAN is to extend an existing L2 network to another location over a L3 network.
Anyways, if it doesnt exist in HQ, then u would need to create it, at VLAN/L2 level on a different one of the existing ones to separate them, then create the GW on the FW w/ that IP.
Should I create a software switch too in the HQ fwl? I've tried to create a software switch with only the VxLAN over IPSec interface, I see the BO network devices in L2 (in device inventory) but I can't ping nothing!
Created on 03-22-2023 09:01 AM Edited on 03-22-2023 09:05 AM
Ok, let's take the following diagram.
I want to extend the subnet 192.168.20.0 /24 which in behind HUB to another location, over the Internet in the same time, I want to be able to access Lo0 8.8.8.8 via the existing GW of network, which works just fine locally in the HUB/HQ .
I have port2 which is the GW for devices in that subnet 192.168.20.1 /24.
I've configured VxLAN over IPsec between the devices, where I created ( leaving aside the actual ipsec config ) :
- on Spoke-1 a software switch of phase1 intf and port2 as members; ( ignore port3 on Spoke-1 )
- on HUB a software switch of phase1 intf and port3 as members;
- port3 is connected to the switch on a port which is in mode access in the corresponding VLAN with the other devices
- from VPC6 ( 192.168.20.200 /24 ) i can reach the devices in the same network
- from VPC6 I can reach the GW
- I can exist the network via the GW
This is what I've done and works as intended.
My scenario is bit different, you have the same network in both sites.
In my HQ there is another network, but I want the L2 BO default gateway in that firewall! Only the gateway IP should be in the HQ firewall so I can manage traffic of the BO throught the HQ firewall policies.
Just configure an IP on that software switch you create and define it as the GW, then control with fw rules.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.