Native Vxlan over IPSEC and loopback interface. advanced configuration

Author
macarleo
New Member
  • Total Posts : 5
  • Scores: 4
  • Reward points: 0
  • Joined: 2018/11/13 08:15:35
  • Status: offline
2018/11/13 09:01:51


I am writing this post because I had a lot of difficulty configuring VXLAN over IPsec; its operation is not guaranteed (at least in my experience).

From FortiOS version 5.6.2, VXLAN can be used natively.
Considering that:
  • VXLAN over IPsec does not support 802.1q (but the Internet traffic is encrypted)
  • native VXLAN supports 802.1q (but the Internet traffic is not encrypted)

I decided to build a configuration using IPsec with a loopback interface and to run native VXLAN between the loopback interfaces.
With this configuration, the native VXLAN traffic is encrypted by IPsec.

Attached is the configuration adopted between a FortiGate 80E and a FortiGate 90E.
 
######################### FTG80E ###############

########## address objects for the local and remote loopback subnets ##########
config firewall address
    edit "LoopBackLocal172.30.31.0"
        set subnet 172.30.31.0 255.255.255.0
    next
    edit "LoopBackRemote172.30.30.0"
        set subnet 172.30.30.0 255.255.255.0
    next
end

########## loopback interface creation ##########
## the loopback IP is this side's VXLAN tunnel endpoint, reachable only through the IPsec tunnel
## (ping is enough for testing; http/https/ssh also expose management to the remote loopback subnet)
config system interface
    edit "Loopback"
        set vdom "root"
        set ip 172.30.31.1 255.255.255.0
        set allowaccess ping https ssh http
        set type loopback
    next
end

########## phase 1 configuration #########
config vpn ipsec phase1-interface
    edit "VXlanSuIpsec"
        set interface "wan1"
        set keylife 28800
        set peertype any
        ## sha1 and dhgrp 2 (1024-bit MODP) are here only for peer compatibility; sha256 with group 14 is the stronger pair
        set proposal aes128-sha1 aes256-sha256 aes128-sha256 aes256-sha1
        set dhgrp 14 2
        ## replace with the peer's public IP
        set remote-gw <remote public IP>
        ## example value only: use a long random pre-shared key
        set psksecret 123456789
    next
end

########## phase 2 configuration ##########
## the selectors are the two loopback subnets, so only loopback-to-loopback (VXLAN) traffic enters the SA
config vpn ipsec phase2-interface
    edit "VXlanIpsecPh2"
        set phase1name "VXlanSuIpsec"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm
        set dhgrp 14 2
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 3600
        set src-name "LoopBackLocal172.30.31.0"
        set dst-name "LoopBackRemote172.30.30.0"
    next
end

######### native vxlan configuration using vpn ipsec with loopback interface ########
## VNI must match the peer; remote-ip is the peer's loopback address (the remote VTEP)
config system vxlan
    edit "vxlan"
        set interface "Loopback"
        set vni 1
        set remote-ip "172.30.30.1"
    next
end
config system interface
    edit "vxlan"
        set vdom "root"
        set type vxlan
        set interface "Loopback"
    next
end

######## Virtual Switch Configuration for bridge between native vxlan and port 7. #########
######## port 7 firewall must be configured in trunk on switch port ##########
config system switch-interface
    edit "Switch-Vxlan"
        set vdom "root"
        set member "port7" "vxlan"
    next
end

######## Policy configuration ######
## these two policies let the VXLAN packets (UDP 4789) flow between the loopbacks through the tunnel;
## service "ALL" could be narrowed to a custom UDP/4789 service
config firewall policy
    edit 1
        set name "Loopback TO ipsecVPN"
        set srcintf "Loopback"
        set dstintf "VXlanSuIpsec"
        set srcaddr "LoopBackLocal172.30.31.0"
        set dstaddr "LoopBackRemote172.30.30.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "ipsecVPN TO Loopback"
        set srcintf "VXlanSuIpsec"
        set dstintf "Loopback"
        set srcaddr "LoopBackRemote172.30.30.0"
        set dstaddr "LoopBackLocal172.30.31.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

############# static route configuration ##########
########## remember to add the default gateway associated with wan1 ############
## the remote loopback subnet is reached only through the tunnel interface
config router static
    edit 2
        set dst 172.30.30.0 255.255.255.0
        set distance 1
        set device "VXlanSuIpsec"
    next
end
 
 
########################### FTG90E ###############

########## address objects for the local and remote loopback subnets ##########
config firewall address
    edit "LoopBackLocal172.30.30.0"
        set subnet 172.30.30.0 255.255.255.0
    next
    edit "LoopBackRemote172.30.31.0"
        set subnet 172.30.31.0 255.255.255.0
    next
end

########## loopback interface creation ##########
## mirror of the 80E: this loopback is the 90E's VXLAN tunnel endpoint
config system interface
    edit "Loopback"
        set vdom "root"
        set ip 172.30.30.1 255.255.255.0
        set allowaccess ping https ssh http
        set type loopback
    next
end

########## phase 1 configuration #########
## proposals, DH groups and pre-shared key must match the 80E side
config vpn ipsec phase1-interface
    edit "VXlanSuIpsec"
        set interface "wan1"
        set keylife 28800
        set peertype any
        set proposal aes128-sha1 aes256-sha256 aes128-sha256 aes256-sha1
        set dhgrp 14 2
        ## replace with the 80E's public IP
        set remote-gw <remote public IP>
        ## example value only: use the same long random pre-shared key as the 80E
        set psksecret 123456789
    next
end

########## phase 2 configuration ##########
## selectors are swapped relative to the 80E: local 172.30.30.0/24, remote 172.30.31.0/24
config vpn ipsec phase2-interface
    edit "VXlanIpsecPh2"
        set phase1name "VXlanSuIpsec"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm
        set dhgrp 14 2
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 3600
        set src-name "LoopBackLocal172.30.30.0"
        set dst-name "LoopBackRemote172.30.31.0"
    next
end

######### native vxlan configuration using vpn ipsec with loopback interface ########
## same VNI as the 80E; remote-ip is the 80E's loopback address
config system vxlan
    edit "vxlan"
        set interface "Loopback"
        set vni 1
        set remote-ip "172.30.31.1"
    next
end
config system interface
    edit "vxlan"
        set vdom "root"
        set type vxlan
        set interface "Loopback"
    next
end

######## Virtual Switch Configuration for bridge between native vxlan and port 7. #########
######## port 7 firewall must be configured in trunk on switch port ##########
config system switch-interface
    edit "Switch-Vxlan"
        set vdom "root"
        set member "internal7" "vxlan"
    next
end

######## Policy configuration ######
## same policy pair as the 80E with local and remote subnets swapped
config firewall policy
    edit 1
        set name "Loopback TO ipsecVPN"
        set srcintf "Loopback"
        set dstintf "VXlanSuIpsec"
        set srcaddr "LoopBackLocal172.30.30.0"
        set dstaddr "LoopBackRemote172.30.31.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "ipsecVPN TO Loopback"
        set srcintf "VXlanSuIpsec"
        set dstintf "Loopback"
        set srcaddr "LoopBackRemote172.30.31.0"
        set dstaddr "LoopBackLocal172.30.30.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

############# static route configuration ##########
########## remember to add the default gateway associated with wan1 ############
config router static
    edit 2
        set dst 172.30.31.0 255.255.255.0
        set distance 1
        set device "VXlanSuIpsec"
    next
end
 
 
 

Attached Image(s)

#1
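The following Python is added here as an illustration; it is not code from the original post, nor from Fortinet. It builds the kind of packet the two loopback VTEPs exchange under the configuration above (VNI 1, 172.30.31.1 to 172.30.30.1, UDP port 4789) with an 802.1q-tagged inner Ethernet frame, then parses it back. The inner MAC addresses, the VLAN ID 10 and the 40-byte payload are constructed values. The point it makes is where the VLAN tag sits: inside the VXLAN payload, so it travels in the outer IPv4/UDP packet that the IPsec tunnel encrypts, and nothing the transport does with tags touches it.

```python
"""VXLAN encapsulation as the two loopback VTEPs in the post would exchange it.

Added example (not FortiOS code, not from the original post). The outer addresses
and VNI come from the posted configuration; the inner MACs, VLAN ID and payload
are constructed for the demo.
"""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789          # IANA port for VXLAN (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" bit in the VXLAN flags byte
ETHERTYPE_VLAN = 0x8100        # 802.1q tag
ETHERTYPE_IPV4 = 0x0800


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ipv4_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet_frame(dst_mac, src_mac, payload, vlan_id=None):
    """Inner Ethernet frame; vlan_id (1-4094) inserts an 802.1q tag with PCP 0."""
    frame = _mac(dst_mac) + _mac(src_mac)
    if vlan_id is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vxlan_encap(vni, src_ip, dst_ip, inner_frame, src_port=49152):
    """Wrap an Ethernet frame in VXLAN/UDP/IPv4 the way a VTEP sends it."""
    # VXLAN header: flags (I bit set), 24 reserved bits, 24-bit VNI, 8 reserved bits
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    # UDP checksum 0 is permitted for VXLAN over IPv4
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    total_len = 20 + udp_len
    # DF set: VTEPs avoid fragmenting the outer packet, which is why the inner MTU matters
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + vxlan + inner_frame


def vxlan_decap(packet):
    """Parse an IPv4/UDP/VXLAN packet: outer addresses, VNI, inner VLAN and inner frame."""
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != 17:
        raise ValueError("not UDP")
    src_ip = str(ipaddress.IPv4Address(packet[12:16]))
    dst_ip = str(ipaddress.IPv4Address(packet[16:20]))
    _, dport, _, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN")
    flags, vni_field = struct.unpack("!B3xI", packet[ihl + 8:ihl + 16])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI not marked valid")
    inner = packet[ihl + 16:]
    vlan_id = None
    if struct.unpack("!H", inner[12:14])[0] == ETHERTYPE_VLAN:
        vlan_id = struct.unpack("!H", inner[14:16])[0] & 0x0FFF   # VID is the low 12 bits of the TCI
    return {"src_ip": src_ip, "dst_ip": dst_ip, "vni": vni_field >> 8,
            "vlan_id": vlan_id, "inner": inner}


def demo():
    """FTG80E -> FTG90E: VNI 1 between the posted loopback addresses, tagged inner frame."""
    inner = ethernet_frame("02:00:00:00:90:01", "02:00:00:00:80:01",      # constructed MACs
                           b"\x45" + b"\x00" * 39, vlan_id=10)           # constructed 40-byte payload, VLAN 10
    packet = vxlan_encap(1, "172.30.31.1", "172.30.30.1", inner)
    parsed = vxlan_decap(packet)
    # bytes added by IPv4/UDP/VXLAN on top of the inner frame (the outer Ethernet header adds 14 more on a wire)
    parsed["overhead"] = len(packet) - len(inner)
    return parsed


if __name__ == "__main__":
    result = demo()
    print("VNI", result["vni"], "inner VLAN", result["vlan_id"], "overhead", result["overhead"])
```

On the FortiGate itself the same packets can be watched entering the tunnel with `diagnose sniffer packet VXlanSuIpsec 'udp port 4789' 4`; if nothing appears there, the policy pair and the static route for the remote loopback subnet are the first things to check, before the VXLAN settings.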
Tom Wuyts
Re: Native Vxlan over IPSEC and loopback interface. advanced configuration 2018/11/14 03:41:41
Hi,

I have been struggling for a while with the same thing. FortiGate 30E - firmware 5.6.4
I was able to configure the VXLAN with the following procedure:
https://travelingpacket.com/2017/09/28/fortigate-vxlan-encapsulation/
I also use 802.1q; the LAN port is a trunk on the switch.

I am able to ping through the VXLAN IPsec tunnel to the devices at the other site, so my VXLAN configuration works.
But when I try file services or web applications, it's not possible.
It has something to do with the MTU size, but I can't figure it out. When I lower the MTU size on my laptop everything goes fine. So I would like to set the MTU size of my vxlan-switch higher, but that's not allowed.
I get the message 'MTU size is not valid, should be in range of 68 - 1500'.

Did you also suffer from this? Any solutions?

Thx,
Tom
 
 
#2
macarleo
Re: Native Vxlan over IPSEC and loopback interface. advanced configuration 2018/11/14 05:30:46
I've had similar problems.

Try using a laptop with Linux and see if you have the same web access problems.
With a Linux laptop I had different behaviour from a Windows laptop; I did not understand the reason.

If you use trunks on the primary and secondary site switches, on the secondary site try to access the interface with the same PVID as the source trunk.

However, VXLAN over IPsec does not support 802.1q.
So you cannot pass multiple VLANs, even if it seems that at the IP or ICMP level there is availability or reachability.

Try my configuration and let me know if it works.

I have tested it thoroughly without problems.
 
 
#3
gangadar1234
Re: Native Vxlan over IPSEC and loopback interface. advanced configuration 2018/11/15 20:03:26
Hi Macarleo,

802.1q is supported with VXLAN over IPsec. I tested in my lab and I can see the firewall passing the tags across the IPsec tunnel.

However, native VXLAN isn't working for me. Also, I see you have configured the VXLAN remote IP as the local loopback IP;
I believe it should be the remote loopback IP.
#4
macarleo
Re: Native Vxlan over IPSEC and loopback interface. advanced configuration 2018/11/16 00:24:22
Hello,
from my tests in the laboratory it seemed that the VLANs pass correctly over IPsec; in fact at the ICMP level I did not detect problems, but when I used the HTTPS protocol I detected problems.

However, the conversation with Fortinet support is attached.

VXLAN over IPsec does not support 802.1q.


I did not understand what you mean by: "Also I see you have configured the vxlan remote ip as local loopback IP,
i believe it should be the remote loopback ip"

Best Regards
Mariano

Attached Image(s)

#5
gangadar1234
Re: Native Vxlan over IPSEC and loopback interface. advanced configuration 2018/11/16 00:30:07
So are you able to get HTTPS working with native VXLAN with 802.1q?
#6
Tom Wuyts
Re: Native Vxlan over IPSEC and loopback interface. advanced configuration 2018/11/16 00:51:48
I have exactly the same question: ICMP also works for me, but other protocols (HTTP, file services) do not.
So actually it doesn't work, because we cannot use it if only ICMP works.

What do they mean by "802.1q is not supported with VXLAN over IPsec"?

When I lower the MTU on my laptop everything works fine (I configured both my switch ports as trunks).
At the switch on the other side of the tunnel I am able to put access points, client PCs and printers in different VLANs, and when I lower the MTU everything works. But lowering the MTU of every device is not a solution, so I would like to change the MTU setting on the VXLAN. But I have no idea what and where I should configure it.
I opened a case and will keep you posted. Let me know if you guys find anything...
#7
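The symptom Tom describes (ICMP works, HTTPS and file services stall, lowering the laptop MTU fixes it) is the classic signature of a path MTU problem, and with native VXLAN carried inside ESP the byte budget is tight. The Python below is an added example, not code from the thread or from FortiOS: it computes the largest IP packet a LAN host can send before the encapsulated packet exceeds the 1500-byte MTU of wan1, for each phase 2 proposal used in the posted configuration. The header sizes are protocol constants (RFC 7348 for VXLAN, RFC 4303 and RFC 4106 for ESP); a 16-byte GCM ICV and no NAT-T by default are assumptions.

```python
"""Inner MTU budget for native VXLAN carried inside an ESP tunnel-mode SA.

Added example (not FortiOS code, not from the thread). Overhead figures are the
protocol constants of RFC 7348 (VXLAN) and RFC 4303 / RFC 4106 (ESP); the
proposal names are the ones in the posted phase 2. Assumed: 16-byte GCM ICV.
"""
ETH_HDR, VLAN_TAG, IPV4_HDR, UDP_HDR, VXLAN_HDR = 14, 4, 20, 8, 8
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header

# Per-proposal ESP parameters: IV bytes, alignment the padded payload must satisfy, ICV bytes.
ESP_PROPOSALS = {
    "aes128-sha1":   {"iv": 16, "align": 16, "icv": 12},   # AES-CBC, HMAC-SHA1-96
    "aes256-sha1":   {"iv": 16, "align": 16, "icv": 12},
    "aes128-sha256": {"iv": 16, "align": 16, "icv": 16},   # AES-CBC, HMAC-SHA-256-128
    "aes256-sha256": {"iv": 16, "align": 16, "icv": 16},
    "aes128gcm":     {"iv": 8,  "align": 4,  "icv": 16},   # AES-GCM: 8-byte IV, 4-byte alignment only
    "aes256gcm":     {"iv": 8,  "align": 4,  "icv": 16},
}


def vxlan_packet_len(host_ip_len, tagged=False):
    """Size of the IPv4/UDP/VXLAN packet the loopback VTEP emits for one host IP packet."""
    return IPV4_HDR + UDP_HDR + VXLAN_HDR + ETH_HDR + (VLAN_TAG if tagged else 0) + host_ip_len


def esp_packet_len(inner_len, proposal, nat_t=False):
    """Size on wan1 after ESP tunnel-mode encapsulation of an inner_len-byte packet."""
    p = ESP_PROPOSALS[proposal]
    padded = -(-(inner_len + ESP_TRAILER) // p["align"]) * p["align"]   # round up to the alignment
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + p["iv"] + padded + p["icv"]


def max_host_mtu(wan_mtu=1500, proposal="aes128-sha1", tagged=False, nat_t=False):
    """Largest IP packet a LAN host can send that still leaves wan1 without fragmentation."""
    for host_mtu in range(wan_mtu, 0, -1):
        if esp_packet_len(vxlan_packet_len(host_mtu, tagged), proposal, nat_t) <= wan_mtu:
            return host_mtu
    raise ValueError("wan MTU too small for any inner packet")


def mtu_table(wan_mtu=1500, nat_t=False):
    """(host MTU, IPv4 TCP MSS) per proposal, untagged and 802.1q-tagged inner frames."""
    rows = {}
    for proposal in ESP_PROPOSALS:
        for tagged in (False, True):
            mtu = max_host_mtu(wan_mtu, proposal, tagged, nat_t)
            rows[(proposal, tagged)] = (mtu, mtu - IPV4_HDR - 20)   # MSS = MTU - IP - TCP header
    return rows


if __name__ == "__main__":
    for (proposal, tagged), (mtu, mss) in mtu_table().items():
        print("%-14s %-8s host MTU %4d  TCP MSS %4d" % (proposal, "tagged" if tagged else "untagged", mtu, mss))
```

For aes128-sha1 with an untagged inner frame the answer is 1388 bytes (TCP MSS 1348), 4 bytes less for a tagged inner frame and 16 bytes less again behind NAT-T; pings fit comfortably while full-size TCP segments with DF set do not, which is exactly the ICMP-works, HTTPS-fails pattern. Since the vxlan interface MTU cannot be raised above 1500, the practical options are to hand hosts a lower MTU (for example via a DHCP interface-MTU option) or to clamp TCP MSS on whatever firewall policy the traffic crosses (`tcp-mss-sender` / `tcp-mss-receiver`) rather than touching every device.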
macarleo
Re: Native Vxlan over IPSEC and loopback interface. advanced configuration 2018/11/16 01:34:32
"so are you able to get HTTPS working with  native vxlan with 802.1q ?"
 
yes
#8
Tom Wuyts
Re: Native Vxlan over IPSEC and loopback interface. advanced configuration 2018/11/16 06:15:13
Hi,

I configured our FortiGates (both 30E) according to your info and it works like a charm.
I tested HTTPS, file services, email, Skype... everything went smoothly.
Next week I will test more thoroughly or let users use it and see if they are satisfied.

Thank you very much!!!!

Kind Regards,
Tom
 
#9
PincoP
Re: Native Vxlan over IPSEC and loopback interface. advanced configuration 2018/11/20 01:07:49
Excellent guide
thank you
#10