Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
journeyman
Contributor

How to diagnose a VXLAN IPsec tunnel within another IPsec tunnel?

A VXLAN-encapsulated IPsec tunnel runs inside an outer IPsec tunnel which also carries OSPF. The outer tunnel is working fine. The VXLAN tunnel reports it is up but traffic does not pass. Firmware is 5.6.7. Looking for comments and tips on how to diagnose this.


Before adding the complexity of the outer tunnel, we created a basic back-to-back VXLAN tunnel, which also worked fine.


FGT1 and FGT2 are connected with an outer IPsec tunnel. The tunnel uses NAT to traverse an unroutable network, and once it is established we then run OSPF. That is all working fine.


A VXLAN tunnel was created from FGT1 to FGT2 within the outer tunnel. The VXLAN config roughly follows KB FD38614 but with no intra-switch-policy (yet). The VXLAN tunnel endpoints are a loopback interface on each FGT.


The VXLAN tunnel reports it is up. It does not pass traffic from the linked physical ports. Interestingly, each end has a different MTU, 1280 and 1310. So far we don't care about MTU; our packets will be small.


The relevant sanitised configuration is attached as a text file and the steps are summarised for each end as follows:

- create the outer IPsec tunnel
- configure the outer tunnel interface
- create a loopback interface for the VXLAN tunnel
- add policies so the outer tunnel comes up
- create a static route to the remote-gw
- distribute the loopback IP; accept the remote IP using a prefix-list
- add the outer tunnel to the OSPF configuration # working fine up to here
- create the VXLAN tunnel # tunnel shows it is up
- create a virtual switch to join a physical interface to the tunnel. Note that intra-switch-policy is implicit, so no policies are required

At this point, with the VXLAN tunnel shown as up, I expect to see traffic, but nothing passes.
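One thing worth checking when a VXLAN tunnel shows "up" but carries nothing is what actually arrives at the inner tunnel interface on UDP 4789: whether the outer endpoints are the configured loopbacks, whether the VNI matches both ends, and whether the encapsulated packet fits the tunnel MTU. The following decoder is an added example for this thread, not code from the original post or from Fortinet; it parses a raw IPv4/UDP/VXLAN packet (the kind a packet sniffer on the tunnel interface would show) and compares the observed values with what the configuration expects. The loopback addresses, the VNI of 100 and the inner ARP frame are all constructed sample values, and the `build_vxlan_packet` helper only exists to produce that sample offline.

```python
import struct
from ipaddress import IPv4Address

VXLAN_PORT = 4789        # IANA-assigned VXLAN UDP port
VXLAN_FLAG_VNI = 0x08    # "I" flag: the VNI field is valid
IPPROTO_UDP = 17


def build_vxlan_packet(src_ip, dst_ip, vni, inner_frame):
    """Construct IPv4/UDP/VXLAN bytes around an inner Ethernet frame.

    Test input only: IP and UDP checksums are left at zero.
    """
    vxlan_hdr = struct.pack("!B3sI", VXLAN_FLAG_VNI, b"\x00\x00\x00", vni << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000,
                         64, IPPROTO_UDP, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def parse_vxlan(packet):
    """Decode outer IPv4 -> UDP -> VXLAN -> inner Ethernet; raise ValueError on anything malformed."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IPPROTO_UDP:
        raise ValueError(f"not UDP (IP protocol {proto})")
    if len(packet) < ihl + 16:
        raise ValueError("truncated UDP or VXLAN header")
    _, dport, _, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_PORT:
        raise ValueError(f"UDP destination port {dport} is not VXLAN")
    vx = packet[ihl + 8:ihl + 16]
    if not vx[0] & VXLAN_FLAG_VNI:
        raise ValueError("VXLAN I flag not set; VNI field is invalid")
    vni = int.from_bytes(vx[4:7], "big")          # 24-bit VNI, last byte reserved
    inner = packet[ihl + 16:]
    if len(inner) < 14:
        raise ValueError("inner Ethernet frame truncated")
    return {
        "outer_src": str(IPv4Address(src)),
        "outer_dst": str(IPv4Address(dst)),
        "outer_total_len": total_len,
        "vni": vni,
        "inner_dst_mac": inner[:6].hex(":"),
        "inner_src_mac": inner[6:12].hex(":"),
        "inner_ethertype": struct.unpack("!H", inner[12:14])[0],
        "inner_payload_len": len(inner) - 14,
    }


def check_against_config(info, local_ip, remote_ip, vni, mtu):
    """Return a list of mismatches between the decoded packet and the expected tunnel settings."""
    problems = []
    if info["vni"] != vni:
        problems.append(f"VNI {info['vni']} observed, {vni} configured")
    if {info["outer_src"], info["outer_dst"]} != {local_ip, remote_ip}:
        problems.append(f"endpoints {info['outer_src']}->{info['outer_dst']} are not the configured loopbacks")
    if info["outer_total_len"] > mtu:
        problems.append(f"packet length {info['outer_total_len']} exceeds tunnel MTU {mtu}")
    return problems


# Constructed sample: broadcast ARP request from a host behind the virtual switch.
SAMPLE_INNER_FRAME = (
    bytes.fromhex("ffffffffffff")            # inner destination MAC (broadcast)
    + bytes.fromhex("001122334455")          # inner source MAC (made up)
    + b"\x08\x06"                            # EtherType ARP
    + b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20)   # minimal ARP body
)
SAMPLE_PACKET = build_vxlan_packet("10.255.0.1", "10.255.0.2", 100, SAMPLE_INNER_FRAME)

if __name__ == "__main__":
    decoded = parse_vxlan(SAMPLE_PACKET)
    print(decoded)
    print(check_against_config(decoded, "10.255.0.1", "10.255.0.2", 100, 1280) or "no mismatches")
```

In practice the bytes would come from a capture taken on the outer tunnel interface at each end; if the decoder sees the packets leaving one loopback but a capture on the far side never shows them, the problem is in the outer path (routing or policy for UDP 4789 between the loopbacks), whereas a VNI or endpoint mismatch points at the VXLAN configuration itself.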

1 reply
journeyman
Contributor

Any comments or suggestions? Really dumb? Just strange? A better way?


BTW, the reason the VXLAN tunnel traverses the outer tunnel is to allow it to be routed for path-redundancy purposes, once we have point-to-point working.
