Small problem with VxLAN over IPsec

Author: amaroth (New Member, joined 2018/08/13)
2018/10/24 02:06:38

Hi,
 
Here is my setup:
 
HQ has FG-501E with FortiOS 5.6.5
Branch has FG-61E with FortiOS 5.6.6
 
So I have two sites, HQ and Branch. I wanted to extend one of the HQ VLANs (VLAN 892) to Branch; it works more or less, but there is a problem in the branch office. In the branch office I have a cluster of two FG-61Es (active-standby HA) and the VXLAN bridge is attached to port internal6. So from both FG-61Es, port internal6 goes to a Cisco C3560X-48T-S switch (SW1 in the picture), and both cables go to access ports.
 
Here is the config of one of them:
interface GigabitEthernet0/42
  switchport access vlan 892
  switchport mode access
  spanning-tree portfast
 
On other ports with the same settings I can plug in a computer, ping 172.16.92.1 and even get an IP assigned via DHCP, which means Layer 2 works.
 
However, if I also want to "share" VLAN 892 to the next switch in the branch (SW2, also a Cisco C3560X-48T-S), with a trunk between SW1 and SW2 that includes VLAN 892 and an access port configured with VLAN 892 there, then when I plug a computer into such a port I can't reach 172.16.92.1 from it.
 
In general I have noticed that if I have ANY trunk between the two FortiGates then VxLAN doesn't work anymore! Obviously in HQ the FortiGate is not connected to the ISP directly but goes via a switch (and I needed to have access ports there as well, connected to the FG-501E).
 
Why does a trunk on the path break the tunnel and VxLAN?
 
Any ideas?
post edited by amaroth - 2018/10/24 02:11:33
#1


    HA (Gold Member, Luxembourg, joined 2010/09/19)
    Re: Small problem with VxLAN over IPsec 2018/10/24 02:25:46
    Hi,
     
    Once in trunk mode, did you activate vlanforward?
    set vlanforward enable
     
    Here's my config:
    config system interface
    edit "wan2"
    set vlanforward enable
    set broadcast-forward enable
    set l2forward enable
    set stpforward enable
    set netbios-forward enable
    next
    edit "VxLan-IPsec"
    set vlanforward enable
    set broadcast-forward enable
    set l2forward enable
    set stpforward enable
    set netbios-forward enable
    next
    end
     
    Another tip with VXLAN and Dot1q...
    It seems that large packets coming from the trunk interface to the FortiGate with the DF bit set cannot be "handled" by the FGT.
    What I mean by "handled" is that the FortiGate cannot reset this flag.
    So sessions like ssh work (small packets) but https sessions don't (large packets)...
     
    Regards,
     
    HA 
    #2
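The DF-bit symptom HA describes above (small ssh packets pass, full-size https segments fail) comes down to encapsulation overhead: a 1500-byte inner packet plus 802.1Q, VXLAN, UDP, IP and ESP headers no longer fits a 1500-byte underlay. The following is an added example, not code from the thread or from Fortinet, that works out that overhead and the TCP MSS clamp that avoids it; the ESP IV/ICV/block sizes and the assumption that the 802.1Q tag rides inside the VXLAN payload are my own.

```python
# Added example (not from the forum thread): header arithmetic for a frame that
# enters a FortiGate VXLAN interface from an 802.1Q trunk and leaves inside an
# IPsec tunnel. Header sizes are standard; ESP IV/ICV/block lengths are
# assumptions (AES-CBC + HMAC-SHA1-96) and should match the real proposal.

ETHERNET_HDR = 14   # dst MAC, src MAC, ethertype
DOT1Q_TAG = 4       # 802.1Q tag, assumed to be carried inside the VXLAN payload
VXLAN_HDR = 8
UDP_HDR = 8
IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8         # SPI + sequence number
ESP_IV = 16         # AES-CBC IV (assumption)
ESP_TRAILER = 2     # pad length + next header
ESP_ICV = 12        # HMAC-SHA1-96 (assumption)
CIPHER_BLOCK = 16   # AES block size (assumption)

def esp_padding(plaintext_len):
    """Padding ESP adds so that plaintext + trailer is a multiple of the block size."""
    return (-(plaintext_len + ESP_TRAILER)) % CIPHER_BLOCK

def outer_packet_size(inner_ip_len, tagged=True):
    """Bytes on the wire for one inner IP packet after VXLAN, then ESP tunnel mode."""
    inner_frame = ETHERNET_HDR + (DOT1Q_TAG if tagged else 0) + inner_ip_len
    vxlan_pkt = IPV4_HDR + UDP_HDR + VXLAN_HDR + inner_frame  # what ESP encrypts
    encrypted = vxlan_pkt + esp_padding(vxlan_pkt) + ESP_TRAILER + ESP_ICV
    return IPV4_HDR + ESP_HDR + ESP_IV + encrypted

def verdict(inner_ip_len, df_set, underlay_mtu=1500, tagged=True):
    """Fate of the packet when the endpoint honours DF and cannot enlarge the underlay MTU."""
    if outer_packet_size(inner_ip_len, tagged) <= underlay_mtu:
        return "forward"
    return "drop" if df_set else "fragment"   # dropped packets rely on PMTUD to recover

def max_inner_ip_len(underlay_mtu=1500, tagged=True):
    """Largest inner IP packet that fits unfragmented; searched because padding is non-linear."""
    size = underlay_mtu
    while size > 0 and outer_packet_size(size, tagged) > underlay_mtu:
        size -= 1
    return size

def tcp_mss_clamp(underlay_mtu=1500, tagged=True):
    """TCP MSS to clamp on the VXLAN interface so full-size segments never exceed the underlay."""
    return max_inner_ip_len(underlay_mtu, tagged) - IPV4_HDR - TCP_HDR

if __name__ == "__main__":
    print(verdict(100, df_set=True), verdict(1500, df_set=True), tcp_mss_clamp())
```

Swap in the IV, ICV and block sizes of the tunnel's actual phase 2 proposal (an AEAD such as AES-GCM has a different layout) before relying on the clamp value.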
    amaroth (New Member, joined 2018/08/13)
    Re: Small problem with VxLAN over IPsec 2018/10/24 04:30:14
    Thanks I will try to do that.
     
    Question aside, can the vxlan-interface bridge have an IP assigned?
     
    Because currently, for computers on that VLAN, the HQ (172.16.92.1) is the default gateway, and I would rather have them go through my wan1. So I was thinking of giving the vxlan-int soft switch an IP and making it the gateway for computers in Branch (for Internet).
    #3