IPsec VXLAN point to point with path diversity
What's the best way to configure a vxlan tunnel between two sites utilising path diversity?
In the attached sketch, we have already established a single ipsec tunnel on each wan interface to various endpoints within our "cloud", and ospf is used for failover. We have a need for a vxlan tunnel to join an interface at each site on layer 2, and the expectation is that it will take advantage of the existing path diversity. Obviously, to do so the vxlan tunnel cannot terminate on any wan interface. The path will traverse multiple FGTs within our network (not shown).
Would it be best to:
- build the tunnel to a loopback interface on each FGT? (sounds easy)
- use a vdom in each FGT and build the tunnel on the virtual-link? (sounds harder)
- something else?
Other than MTU (which is controllable and likely not an issue) I assume there is no issue with running the vxlan tunnel within the existing tunnels?
We run 5.4 in production; is there any advantage in moving to 5.6 for this?