Support Forum
smartini
New Contributor

VxLAN over IPSEC drives me crazy!

Hi,

there is this scenario:

HQ with FGT100E, and the firewall itself should be the BO remote network's default gateway (192.168.113.254/24). It has a lot of networks configured; other networks can reach 192.168.113.0/24 through firewall routing.

BO with FGT30E, LAN network is 192.168.113.0/24.

I'd like to set up VxLAN over IPsec between the two sites. I did it, but I can't manage the default gateway on the 100E without using a physical port, and I don't want to use ports because I have several BOs to connect in this way.

I need a L2 link between the BO net and the default gateway in the HQ firewall.

How can I manage this?

Best regards

smartini
New Contributor

I'm noticing a very strange thing: no policy is matched when I'm trying to ping the remote network from the internal LAN... but the policy exists.

 


funkylicious

I am pretty sure that you have a physical interface in that software switch instead of the IPsec tunnel interface, because of the icon, which is the reason it is not working.

geek
smartini

There isn't any interface with that name, and I don't have any other icon choice!

Julien87

Hi, I confirm the @funkylicious reply; the icon could be this in my capture.

The icon is a physical interface. You perhaps have a reference item in your IPSEC interface, and you cannot add it to a software switch because of that.

 

Best Regards,

Julien
funkylicious
Contributor III

Ok, back to the basics.

Please provide a sanitized config of what's in place now, alongside fw rules in regards to this IPsec.

geek
smartini
New Contributor

There is no physical interface with that name. The only reference with that name is the VPN IPSec with VxLAN encapsulation.


Julien87

Strange, what is your version? If I can, I will try your topology in the lab next week.

Julien
smartini

Thanks! The HQ firewall is a cluster of two 100E with FortiOS 6.0.16, the BO firewall is a single 30E with 6.0.16.

Let me know if you find something!

Julien87

Hi,

 

I just did my lab with two FortiGates in 6.0.16.

I have no problem with the layer 2 tunnel.

DHCP is OK for the remote site and Internet access too.

I have a switch with an implicit policy.

My configuration below:

 

config vpn ipsec phase1-interface
    edit "to_sec"
        set interface "port4"
        set peertype any
        set proposal des-md5 des-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 1.1.1.1
        set encap-remote-gw4 2.2.2.2
        set remote-gw 2.2.2.2
        set psksecret sharekey
    next
end

config vpn ipsec phase2-interface
    edit "ph2"
        set phase1name "to_sec"
        set proposal des-sha256
        set auto-negotiate enable
    next
end

config system switch-interface
    edit "sw-vpn"
        set vdom "root"
        set member "port1" "to_sec"
    next
end

config system interface
    edit "sw-vpn"
        set vdom "root"
        set ip 192.168.113.254 255.255.255.0
        set allowaccess ping http
        set type switch
        set snmp-index 6
    next
    edit "to_sec"
        set vdom "root"
        set type tunnel
        set snmp-index 7
        set interface "port4"
    next
end

config firewall policy
    edit 1
        set name "sw--internet"
        set uuid 72e072dc-ce31-51ed-e1f1-1967c858200d
        set srcintf "sw-vpn"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set fsso disable
        set nat enable
    next
end

On the remote side, I have the same (IP modified in phase1 and another IP for the switch interface).


Best regards,

 

Julien
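The script below is an added example, not code from this thread or from Fortinet. It is a small parser for flat FortiOS CLI snippets like the one Julien posted, with three checks that map to the questions raised in the thread: what type each software-switch member actually is (physical versus tunnel, the point funkylicious raised about the icon), whether a firewall policy names an interface that does not exist (one reason a policy can never match), and whether a phase1 proposal uses DES or MD5, which the lab config above does and which a production tunnel should not. The sample config is constructed to mirror the thread's snippet; the parser assumes the flat config/edit/set/next/end shape and does not handle config blocks nested inside an edit.

```python
import shlex

# Constructed sample in the shape of the thread's snippets; not a capture from a real FortiGate.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "to_sec"
        set interface "port4"
        set proposal des-md5 des-sha1
        set encapsulation vxlan
    next
end
config system switch-interface
    edit "sw-vpn"
        set member "port1" "to_sec"
    next
end
config system interface
    edit "port1"
        set type physical
    next
    edit "sw-vpn"
        set type switch
    next
    edit "to_sec"
        set type tunnel
    next
end
config firewall policy
    edit 1
        set srcintf "sw-vpn"
        set dstintf "port3"
    next
end
"""

WEAK_ALGS = {"des", "3des", "md5"}


def parse_fortios(text):
    """Parse flat FortiOS CLI (config / edit / set / next / end) into
    {section: {entry: {key: [values]}}}; nested config blocks are not handled."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())  # honours the quoting FortiOS uses
        if not parts:
            continue
        kw = parts[0]
        if kw == "config":
            section = " ".join(parts[1:])
            tree.setdefault(section, {})
        elif kw == "edit":
            entry = parts[1]
            tree[section].setdefault(entry, {})
        elif kw == "set":
            tree[section][entry][parts[1]] = parts[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            section = None
    return tree


def switch_member_types(tree):
    """(switch, member, type) for every software-switch member; the type is
    '<not defined>' when the member has no system interface entry."""
    ifaces = tree.get("system interface", {})
    return [
        (sw, m, ifaces.get(m, {}).get("type", ["<not defined>"])[0])
        for sw, attrs in tree.get("system switch-interface", {}).items()
        for m in attrs.get("member", [])
    ]


def weak_phase1_proposals(tree):
    """(phase1 name, proposal) pairs whose cipher or hash is DES/3DES/MD5."""
    return [
        (name, prop)
        for name, attrs in tree.get("vpn ipsec phase1-interface", {}).items()
        for prop in attrs.get("proposal", [])
        if set(prop.split("-")) & WEAK_ALGS
    ]


def dangling_policy_interfaces(tree):
    """(policy id, field, name) for srcintf/dstintf values naming no system interface."""
    ifaces = tree.get("system interface", {})
    return [
        (pid, key, ref)
        for pid, attrs in tree.get("firewall policy", {}).items()
        for key in ("srcintf", "dstintf")
        for ref in attrs.get(key, [])
        if ref not in ifaces
    ]


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("switch members:", switch_member_types(cfg))
    print("weak phase1 proposals:", weak_phase1_proposals(cfg))
    print("dangling policy interfaces:", dangling_policy_interfaces(cfg))
```

Feed it the output of `show` from each side (or a sanitized copy, as funkylicious asked for) and compare: a member reported as `physical` where you expected `tunnel` is the icon problem described above, and a policy whose srcintf or dstintf is not a defined interface will never match, whatever its address and service settings say.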
smartini

Thanks Julien,

In your test there isn't a software switch with only an IPsec interface.

Can you test it with only the IPsec interface in the software switch?

 

Best regards
