Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
InnovatumIT
New Contributor

Created on ‎08-24-2023 11:40 PM

FortiGate VXLAN with virtual wire pair only works one way?

I have been trying to establish a VXLAN link to evaluate connecting two buildings with the same L2 VLANs over the internet.

 

The physical setup:

Site 1

 Laptop 1 to untagged VLAN8 port on HPE Aruba 2530
 Port on HPE Aruba 2530 with VLAN5 and VLAN8 tagged (nothing untagged) to "port15" on primary of Fortigate 200F (7.2.4) HA cluster


Site 2

Laptop 2 to untagged VLAN8 port on HPE Aruba 2530
Port on HPE Aruba 2530 with VLAN5 and VLAN8 tagged (nothing untagged) to "internal5" on Fortigate 60F (7.2.5)

 

Site 1 and 2 connected via Internet.


The problem I'm having is that only some of the traffic seems to get through the tunnel.
On site2, running a sniffer on 60F internal5 with no filter, I see a lot of UDP broadcast and ARP originating from
Site 1 as well as DHCP discovery from Laptop2. The laptop gets no DHCP offer but running wireshark I can see the same UDP broadcasts from site 1. Using a fixed IP and pinging resources on site1 also fails.
Running diagnose sys vxlan fdb list <vxlan> i get a list of mac addresses from site 1, on both VLANs, with remote_ip set to site1 of the tunnel.

Doing the same on Site 1 returns only a 00:00:00:00:00:00 mac pointing to site2 tunnel ip.
There I can't detect the traffic from site2. It seems that the tunnel only works one way? Are there any additional requirements on the switches besides handeling VLAN tagging?

I have been following "VLAN over IPsec tunnel with virtual wire pair" from the FortiOS 7.2.4 admin guide
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/821119/vxlan-over-ipsec-tunn...

Any help I can get is much appreciated!

 

Configurations from both sites:

 

Site1:

config system vxlan
    edit "vxlan-thn-wi"
        set interface "Thn-Wi"
        set vni 10
        set remote-ip "10.199.10.2"
    next
end

config system virtual-wire-pair
    edit "vwp-thn-wi"
        set member "port15" "vxlan-thn-wi"
        set wildcard-vlan enable
    next
end

config system interface
    edit "Thn-Wi"
        set vdom "root"
        set ip 10.199.10.1 255.255.255.255
        set type tunnel
        set remote-ip 10.199.10.2 255.255.255.252
        set snmp-index 18
        set interface "EXTNet"
    next
end

config system interface
    edit "vxlan-thn-wi"
        set vdom "root"
        set type vxlan
        set snmp-index 46
        set interface "Thn-Wi"
    next
end

config vpn ipsec phase1-interface
    edit "Thn-Wi"
        set interface "EXTNet"
        set peertype any
        set net-device disable
        set proposal aes256-sha1
        set remote-gw 11.22.33.44
        set psksecret ENC xxxxxxxxxxxxxxxxxxxxxxxx
    next
end

config vpn ipsec phase2-interface
    edit "Thn-Wi"
        set phase1name "Thn-Wi"
        set proposal aes256-sha1
        set auto-negotiate enable
    next
end

config firewall policy
    edit 68
        set name "VWP-Thn-Wi"
        set uuid 1f7b01d8-41a5-51ee-8fbd-d4220e557bdf
        set srcintf "port15" "vxlan-thn-wi"
        set dstintf "port15" "vxlan-thn-wi"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 

Site 2

config system vxlan
    edit "vxlan-thn-wi"
        set interface "Thn-Wi"
        set vni 10
        set remote-ip "10.199.10.1"
    next
end

config system virtual-wire-pair
    edit "vwp-thn-wi"
        set member "internal5" "vxlan-thn-wi"
        set wildcard-vlan enable
    next
end

config system interface
    edit "Thn-Wi"
        set vdom "root"
        set ip 10.199.10.2 255.255.255.255
        set type tunnel
        set remote-ip 10.199.10.1 255.255.255.252
        set snmp-index 17
        set interface "wan1"
    next
end

config system interface
    edit "vxlan-thn-wi"
        set vdom "root"
        set type vxlan
        set snmp-index 18
        set interface "Thn-Wi"
    next
end

config vpn ipsec phase1-interface
    edit "Thn-Wi"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha1
        set remote-gw 55.66.77.88
        set psksecret ENC xxxxxxxxxxxxxxxxxxxxxxxxx
    next
end

config vpn ipsec phase2-interface
    edit "Thn-Wi"
        set phase1name "Thn-Wi"
        set proposal aes256-sha1
        set auto-negotiate enable
    next
end

config firewall policy
    edit 2
        set name "VWP-Thn-Wi"
        set uuid 6e274f4c-41ac-51ee-477a-d68e4bac6cee
        set srcintf "vxlan-thn-wi" "internal5"
        set dstintf "vxlan-thn-wi" "internal5"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

 

Labels:
1610
0 Kudos
10 REPLIES 10
oheigl
Contributor II
In response to InnovatumIT

Created on ‎01-15-2024 05:30 AM

Did you ever get this setup working?

133
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.