Hi,
there is this scenario:
HQ with FGT100E; the firewall itself should be the BO remote network default gateway (192.168.113.254/24). It has a lot of networks configured; other networks can reach 192.168.113.0/24 through firewall routing.
BO with FGT30E; the LAN network is 192.168.113.0/24.
I'd like to set up a VxLAN over IPsec between the two sites. I did it, but I can't manage the default gateway on the 100E without using a physical port. And I don't want to use ports, because I have several BOs to connect in this way.
I need an L2 link between the BO network and the default gateway on the HQ firewall.
How can I manage this?
Best regards
I've created a software virtual switch as in the image; I see devices in the device inventory, but I can't ping anything in the remote BO network.
Also, the IPsec interface needs to be added.
This is only the IPsec interface!
Created on 03-22-2023 09:46 AM Edited on 03-22-2023 09:46 AM
Ok, let's start with the basics.
Here's the template that I used to create the VxLAN over IPsec.
Things in CAPITALS, <> and other names/interfaces would need to be adapted to our needs; the same goes for both ends, with the proper changes, like firewall rules.
Play around with it and see if you can make it work based on your needs and the diagram above.
config vpn ipsec phase1-interface
    edit "p1"
        set interface WAN_INTF
        set peertype any
        set proposal aes128-sha1 aes128-sha256
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 LOCAL_WAN
        set encap-remote-gw4 REM_WAN
        set remote-gw REM_WAN
        set psksecret PSK
    next
end
config vpn ipsec phase2-interface
    edit "p2"
        set phase1name "p1"
        set proposal aes128-sha1 aes128-sha256
    next
end
config system switch-interface
    edit "VXLAN-SW"
        set vdom root
        set member PORT p1
    next
end
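As an added example (not the template author's code and not Fortinet's), the following script turns the template above into per-branch HQ-side configuration for the many-BO case raised in the question: the software switch gets only the IPsec tunnel as a member (no physical port) and carries the gateway address. It also checks two things that silently break the "HQ routes every branch LAN" design: a gateway that is not inside the LAN it serves, and overlapping branch LANs. All names, public addresses and the `<PSK>` marker are constructed placeholders.

```python
import ipaddress
from typing import NamedTuple

Branch = NamedTuple("Branch", [("name", str), ("hq_wan", str), ("bo_wan", str),
                               ("lan", str), ("gateway", str)])

def validate(branches):
    """Problems found (empty = OK): LANs must not overlap, gateway must be in its LAN."""
    problems, nets = [], []
    for b in branches:
        net = ipaddress.ip_network(b.lan)
        if ipaddress.ip_address(b.gateway) not in net:
            problems.append(f"{b.name}: gateway {b.gateway} not in {b.lan}")
        if any(net.overlaps(o) for o in nets):
            problems.append(f"{b.name}: LAN {b.lan} overlaps another branch")
        nets.append(net)
    return problems

def render_hq(b, wan_intf="wan1", psk="<PSK>"):
    """HQ CLI: VXLAN IPsec tunnel, software switch (tunnel only member) holding the gateway IP."""
    p1, sw, mask = f"p1-{b.name}", f"vx-{b.name}", ipaddress.ip_network(b.lan).netmask
    return f"""config vpn ipsec phase1-interface
    edit "{p1}"
        set interface {wan_intf}
        set peertype any
        set proposal aes128-sha256
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 {b.hq_wan}
        set encap-remote-gw4 {b.bo_wan}
        set remote-gw {b.bo_wan}
        set psksecret {psk}
    next
end
config vpn ipsec phase2-interface
    edit "p2-{b.name}"
        set phase1name "{p1}"
    next
end
config system switch-interface
    edit "{sw}"
        set vdom root
        set member {p1}
    next
end
config system interface
    edit "{sw}"
        set ip {b.gateway} {mask}
    next
end"""
```

Run `validate()` over all branches before pushing any of the rendered blocks; the BO side still needs the mirrored phase1/phase2 and its own software switch, plus the firewall policies the template author mentions.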
Yes, I did it. Phase 1 is like this:
set encapsulation vxlan
set type ddns
set remotegw-ddns "vpn1.remote.it"
set interface "wan1"
set ike-version 2
set keylife 28800
set peertype any
set net-device enable
set proposal aes256-sha256
set dpd on-idle
set dhgrp 14
In the switch interface I only set the IPsec interface, without a port.
Is a port mandatory? I don't need a physical port, because the HQ firewall is the BO network default gateway and I only use the software switch to give an IP to the IPsec interface.
I don't think so, it should work without it.
I required it because the remote devices needed to communicate with the local devices.
It's not working with the IPsec interface only: I see the BO L2 network MAC addresses, but routing won't work.
Devices in the BO must communicate only with the firewall as default gateway, and other traffic will be managed by the routing in the HQ firewall.
I'm not understanding this!
Without some debugs and a diagram of what you are trying to achieve, people can only guess where the issue is.
Here is a quick diagram