Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
amaroth
New Contributor

Created on ‎10-24-2018 02:06 AM

Small problem with VxLAN over IPsec

Hi,

 

Here is my setup

 

 

 

HQ has FG-501E with FortiOS 5.6.5

Branch has FG-61E with FortiOS 5.6.6

 

So I have two sites, HQ and Branch, I wanted to extend one of the HQ VLANs (vlan 892) to Branch, actually it works more or less, but there is a problem in branch office. In branch office I have a cluster of two FG-61E (active-stadby HA) and the vxlan bridge is attached to port internal6. So from both FG-61E port internal6 goes to Cisco C3560X-48T-S switch (SW1 on the picture) and both cables go to access ports.

 

Here is config of one of them:

interface GigabitEthernet0/42   switchport access vlan 892   switchport mode access   spanning-tree portfast

 

And on other ports which has that port settings I can plug computer and I can ping the 172.16.92.1 and I even get IP assigned via DHCP, which means Layer 2 works.

 

However if I want to also "share" vlan 892 to next switch in the branch (SW2) , it is also Cisco C3560X-48T-S and I have a trunk between SW1 and SW2 where vlan 892 is included and configuring access port with vlan 892 there, when I plug to such a port computer, then I can't reach 172.16.92.1 from there.

 

In general I have noticed that if I have ANY trunk between both of FortiGate's then VxLAN doesn't work anymore ! Because obviously in HQ the FortiGate is not connected to ISP directly but it goes via switch (and I needed to have a access ports there as well ! connected to FG-501E). 

 

Why trunk on the path is breaking usability of the tunnel and VxLAN ??

 

Any ideas ?

Labels:
4762
0 Kudos
2 REPLIES 2
HA
Contributor

Created on ‎10-24-2018 02:25 AM

Hi,

 

Once in trunk mode, do you active vlanforward ??

set vlanforward enable

 

Here's my config

edit "wan2" set vlanforward enable set broadcast-foward enable set l2forward enable set stpforward enable set netbios-forward enable next edit "VxLan-IPsec" set vlanforward enable set broadcast-foward enable set l2forward enable set stpforward enable set netbios-forward enable next

 

Another tips with VXLAN and Dot1q...

It seems that large packet coming from the trunk interface to the Fortigate with DF bit set cannot be "handled" by the FGT.

What I mean by "handled" is that the Fortigate cannot be reset this flag.

So session like ssh works (small packets) but https session not (large packet)...

 

Regards,

 

HA 

1676
0 Kudos
amaroth
New Contributor
In response to HA

Created on ‎10-24-2018 04:30 AM

Thanks I will try to do that.

 

Question aside, can the vxlan-interface bridge has IP assigned ?

 

Because currently for computers on that VLAN the HQ (172.16.92.1) is default gateway, and I would rather want them go through my wan1. So I was thinking to give the vxlan-int soft switch IP and make it a gateway for computers in Branch (for Internet).

1676
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.