Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
smartini
New Contributor

VxLAN over IPSEC drives me crazy!

Hi,

There is this scenario:

HQ with an FGT100E; the firewall itself should be the BO remote network's default gateway (192.168.113.254/24). It has a lot of networks configured, and the other networks can reach 192.168.113.0/24 through firewall routing.

BO with FGT30E, LAN network is 192.168.113.0/24.


I'd like to set up VxLAN over IPsec between the two sites. I can do it, but I can't manage the default gateway on the 100E without using a physical port, and I don't want to use ports because I have several BOs to connect in this way.

I need a L2 link between the BO net and the default gateway in the HQ firewall.

How can I manage this?


Best regards

31 REPLIES
smartini

I've created a software virtual switch as in the image; I see devices in the device inventory, but I can't ping anything in the remote BO network.

[Attachment: Schermata 2023-03-22 alle 17.15.44.png]

funkylicious
SuperUser

Also, the IPsec interface needs to be added.

geek
smartini

This is only the IPsec interface!

funkylicious

Ok, let's start with the basics.

Here's the template that I used to create the VxLAN over IPsec.

Things in CAPITALS, <> and other interface names would need to be adapted to your needs; the same goes at both ends with the proper changes, like fw rules.


Play around w/ it and see if you can make it work based on your needs and the diagram above.


config vpn ipsec phase1-interface
    edit "p1"
        set interface WAN_INTF
        set peertype any
        set proposal aes128-sha1 aes128-sha256
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 LOCAL_WAN
        set encap-remote-gw4 REM_WAN
        set remote-gw REM_WAN
        set psksecret PSK
    next
end
config vpn ipsec phase2-interface
    edit "p2"
        set phase1name "p1"
        set proposal aes128-sha1 aes128-sha256
    next
end
config system switch-interface
    edit "VXLAN-SW"
        set vdom root
        set member PORT p1
    next
end


geek
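The HQ side of the template above written out for the scenario in the question (software switch whose only member is the IPsec interface, carrying the 192.168.113.254/24 gateway address), as an added example that was not posted in the thread. The interface names "wan1" and "internal", the addresses 198.51.100.1 and 203.0.113.2 and the PSK are placeholders; whether a switch with no physical member forwards as intended is exactly what the thread is still testing.

```fortios
# Added example (HQ FGT100E). Placeholders: "wan1", "internal", 198.51.100.1, 203.0.113.2, <PSK>.
config vpn ipsec phase1-interface
    edit "p1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 198.51.100.1
        set encap-remote-gw4 203.0.113.2
        set remote-gw 203.0.113.2
        set psksecret <PSK>
    next
end
config vpn ipsec phase2-interface
    edit "p2"
        set phase1name "p1"
        set proposal aes256-sha256
    next
end
# Software switch with the IPsec interface as its only member: no physical
# port on the 100E is consumed, which is what the question asks for.
config system switch-interface
    edit "VXLAN-SW"
        set vdom "root"
        set member "p1"
    next
end
# The gateway address the BO hosts point at lives on the switch interface itself.
config system interface
    edit "VXLAN-SW"
        set ip 192.168.113.254 255.255.255.0
        set allowaccess ping
    next
end
# Policy so the BO segment is routed to the HQ networks; scope it down once the tunnel is verified.
config firewall policy
    edit 0
        set srcintf "VXLAN-SW"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

A matching policy in the HQ-to-BO direction, and the BO-side switch with its LAN port plus the IPsec interface as members, complete the picture.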
smartini

Yes, I did it. Phase 1 is like this:

    set encapsulation vxlan
    set type ddns
    set remotegw-ddns "vpn1.remote.it"
    set interface "wan1"
    set ike-version 2
    set keylife 28800
    set peertype any
    set net-device enable
    set proposal aes256-sha256
    set dpd on-idle
    set dhgrp 14
smartini

In the switch interface I only set the IPsec interface, without a port.

Is the port mandatory? I don't need a physical port because the HQ firewall is the BO network's default gateway, and I only use the software switch to give an IP to the IPsec interface.

funkylicious

I don't think so, it should work without it.

I required it because the remote devices needed to communicate with the local devices.

geek
smartini

It's not working with the IPsec interface only: I see the BO L2 network MAC addresses, but routing won't work.

Devices in the BO must communicate only with the firewall as their default gateway, and the other traffic will be managed by the routing in the HQ firewall.

I'm not understanding this!

funkylicious

Without some debug output and a diagram of what you are trying to achieve, people can only guess where the issue is.

geek
smartini

Here is a quick diagram.

[Attachment: Diagramma senza titolo.png]
