IPsec VXLAN point to point with path diversity

Author: journeyman (joined 2011/03/15)
Posted 2018/10/04 17:43:38, FortiOS 5.4

What's the best way to configure a VXLAN tunnel between two sites utilising path diversity?
 
In the attached sketch, we already establish a single IPsec tunnel on each WAN interface to various endpoints within our "cloud", and OSPF is used for failover. We have a need for a VXLAN tunnel to join an interface at each site on layer 2, and the expectation is that it will take advantage of the existing path diversity. Obviously, to do so the VXLAN tunnel cannot terminate on any WAN interface. The path will traverse multiple FGTs within our network (not shown).
 
Would it be best to:
- build the tunnel to a loopback interface on each FGT? (sounds easy)
- use a vdom in each FGT and build the tunnel on the virtual-link? (sounds harder)
- something else?
 
Other than MTU (which is controllable and likely not an issue), I assume there is no issue with running the VXLAN tunnel within the existing tunnels?
 
We run 5.4 in production, any advantage in moving to 5.6 for this?


Reply by journeyman, 2018/10/11 23:04:45:
So far in bench testing we have built the VXLAN tunnel to a loopback interface on each FGT, with the FGTs back-to-back on wan1.
The tunnel is working fine, which essentially answers the question above. We will now add the real-world paths and diversity, but that shouldn't change anything.
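An added example (not the poster's configuration) of the loopback-terminated VXLAN the reply describes, in FortiOS CLI syntax: the loopback is the VXLAN source, the peer's loopback is the remote endpoint, and because the loopbacks are reachable only through the existing IPsec tunnels and OSPF, the encapsulated traffic follows whichever path OSPF currently prefers. Interface names, VNI and addresses are constructed; site B gets the mirror-image configuration.

```text
# Site A FortiGate (site B mirrors this with the addresses swapped).
# Addresses, interface names and the VNI are constructed for illustration.

# 1. Loopback that terminates the VXLAN tunnel. It is not tied to any
#    WAN interface, so it stays reachable over whichever IPsec path
#    OSPF currently prefers.
config system interface
    edit "lo-vxlan"
        set vdom "root"
        set type loopback
        set ip 10.255.0.1 255.255.255.255
        set allowaccess ping
    next
end

# 2. Advertise the loopback in the OSPF process already used for
#    failover, so the peer learns it via every diverse path.
config router ospf
    config network
        edit 10
            set prefix 10.255.0.1 255.255.255.255
            set area 0.0.0.0
        next
    end
end

# 3. VXLAN endpoint sourced from the loopback; remote-ip is site B's
#    loopback (10.255.0.2 here, constructed).
config system vxlan
    edit "vx-siteb"
        set interface "lo-vxlan"
        set vni 1000
        set remote-ip 10.255.0.2
    next
end

# 4. Bridge the VXLAN interface with the local LAN port at layer 2.
config system switch-interface
    edit "l2-bridge"
        set vdom "root"
        set member "port3" "vx-siteb"
    next
end

# 5. Still required, not shown: firewall policies permitting UDP/4789
#    between the two loopbacks on every IPsec tunnel interface the
#    traffic may arrive on (tunnel interface -> "lo-vxlan" and back),
#    and a lower MTU/MSS on the bridged segment to absorb the 50 bytes
#    of VXLAN encapsulation plus the ESP overhead of the outer tunnel.
```

Restricting those policies to the two loopback /32s and UDP/4789 keeps the VXLAN endpoint from being reachable from anything other than the peer FortiGate across the IPsec mesh.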