Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
macarleo
New Contributor II

Native Vxlan over IPSEC and loopback interface. advanced configuration

I allow myself to write this post because I have a lot of difficulty in configuring vxlan over ipsec, the operation is not guaranteed (at least from my experience)

 

from the FortiOS version 5.6.2 vxlan can be used natively

considered that the

[ul]
  • vxlan over ipsec does not support 802.1q (while internet traffic is encrypted)
  • native vxlan supports 802.1q (instead internet traffic is not encrypted)[/ul]

     

    I decided to make a configuration using IPSEC with loopback interface and use the native vxlan with the loopback interfaces.

    With this configuration, traffic with the native vxlan is encrypted with the IPSEC

     

    attached the configuration adopted between fortigate 80E and Fortigate 90E

     

    ######################### FTG80E ###############

     

    ##creation of subnet address

     

    config firewall address

        edit "LoopBackLocal172.30.31.0"

            set subnet 172.30.31.0 255.255.255.0

        next

        edit "LoopBackRemote172.30.30.0"

            set subnet 172.30.30.0 255.255.255.0

        next

    end

    ########## loopback interface creation ##########

    config system interface

    edit "Loopback"

            set vdom "root"

            set ip 172.30.31.1 255.255.255.0

            set allowaccess ping https ssh http

            set type loopback

        next

    end

    ########## phase 1 configuration #########

    config vpn ipsec phase1-interface

    edit "VXlanSuIpsec"

    set interface "wan1"

    set keylife 28800

    set peertype any

    set proposal aes128-sha1 aes256-sha256 aes128-sha256 aes256-sha1

    set dhgrp 14 2

    set remote-gw #remote ip public

    set psksecret 123456789

    next

    end

    ########## phase 2 configuration ##########

    config vpn ipsec phase2-interface

    edit "VXlanIpsecPh2"

    set phase1name "VXlanSuIpsec"

    set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm

    set dhgrp 14 2

    set keepalive enable

    set src-addr-type name

    set dst-addr-type name

    set keylifeseconds 3600

    set src-name "LoopBackLocal172.30.31.0"

    set dst-name "LoopBackRemote172.30.30.0"

    next

    end

     

    ######### native vxlan configuration using vpn ipsec with loopback interface ########

    config system vxlan

        edit "vxlan"

            set interface "Loopback"

            set vni 1

            set remote-ip "172.30.30.1"

        next

    end

    config system interface

        edit "vxlan"

            set vdom "root"

            set type vxlan

            set interface "Loopback"

        next

    end

    ######## Virtual Switch Configuration for bridge between native vxlan and port 7. #########

    ######## port 7 firewall must be configured in trunk on switch port ##########

     

    config system switch-interface

    edit "Switch-Vxlan"

    set vdom "root"

    set member "port7" "vxlan"

    next

    end

     

    ######## Policy configuration ######

     

    config firewall policy

        edit 1

            set name "Loopback TO ipsecVPN"

            set srcintf "Loopback"

            set dstintf "VXlanSuIpsec"

            set srcaddr "LoopBackLocal172.30.31.0"

            set dstaddr "LoopBackRemote172.30.30.0"

            set action accept

            set schedule "always"

            set service "ALL"

            set logtraffic all

        next

        edit 2

            set name "ipsecVPN TO Loopback"

            set srcintf "VXlanSuIpsec"

            set dstintf "Loopback"

            set srcaddr "LoopBackRemote172.30.30.0"

            set dstaddr "LoopBackLocal172.30.31.0"

            set action accept

            set schedule "always"

            set service "ALL"

            set logtraffic all

        next

    end

     

    ############# static route configuration ##########

    ########## remember to add the default gateway associated with wan1 ############

    config router static

        edit 2

            set dst 172.30.30.0 255.255.255.0

            set distance 1

            set device "VXlanSuIpsec"

        next

    end

     

     

    ########################### FTG90E ###############

     

    ##creation of subnet address

     

    config firewall address

        edit "LoopBackLocal172.30.30.0"

            set subnet 172.30.30.0 255.255.255.0

        next

        edit "LoopBackRemote172.30.31.0"

            set subnet 172.30.31.0 255.255.255.0

        next

    end

     

    ########## loopback interface creation ##########

    config system interface

        edit "Loopback"

            set vdom "root"

            set ip 172.30.30.1 255.255.255.0

            set allowaccess ping https ssh http

            set type loopback

    next

    end

     

    ########## phase 1 configuration #########

    config vpn ipsec phase1-interface

    edit "VXlanSuIpsec"

    set interface "wan1"

    set keylife 28800

    set peertype any

    set proposal aes128-sha1 aes256-sha256 aes128-sha256 aes256-sha1

    set dhgrp 14 2

    set remote-gw #remote ip public

    set psksecret 123456789

    next

    end

    ########## phase 2 configuration ##########

    config vpn ipsec phase2-interface

    edit "VXlanIpsecPh2"

    set phase1name "VXlanSuIpsec"

    set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm

    set dhgrp 14 2

    set keepalive enable

    set src-addr-type name

    set dst-addr-type name

    set keylifeseconds 3600

    set src-name "LoopBackLocal172.30.30.0"

    set dst-name "LoopBackRemote172.30.31.0"

    next

    end

    ######### native vxlan configuration using vpn ipsec with loopback interface ########

    config system vxlan

        edit "vxlan"

            set interface "Loopback"

            set vni 1

            set remote-ip "172.30.31.1"

        next

    end

    config system interface

        edit "vxlan"

            set vdom "root"

            set type vxlan

            set interface "Loopback"

        next

    end

     

    ######## Virtual Switch Configuration for bridge between native vxlan and port 7. #########

    ######## port 7 firewall must be configured in trunk on switch port ##########

     

    config system switch-interface

    edit "Switch-Vxlan"

    set vdom "root"

    set member "internal7" "vxlan"

    next

    end

     

    ######## Policy configuration ######

    config firewall policy

        edit 1

            set name "Loopback TO ipsecVPN"

            set srcintf "Loopback"

            set dstintf "VXlanSuIpsec"

            set srcaddr "LoopBackLocal172.30.30.0"

            set dstaddr "LoopBackRemote172.30.31.0"

            set action accept

            set schedule "always"

            set service "ALL"

            set logtraffic all

        next

        edit 2

            set name "ipsecVPN TO Loopback"

            set srcintf "VXlanSuIpsec"

            set dstintf "Loopback"

            set srcaddr "LoopBackRemote172.30.31.0"

            set dstaddr "LoopBackLocal172.30.30.0"

            set action accept

            set schedule "always"

            set service "ALL"

            set logtraffic all

        next

    end

    ########## loopback interface creation ##########

    ########## remember to add the default gateway associated with wan1 ############

    config router static

        edit 2

            set dst 172.30.31.0 255.255.255.0

            set distance 1

            set device "VXlanSuIpsec"

        next

    end

     

     

     

  • 1 Solution
    macarleo
    New Contributor II

    "so are you able to get HTTPS working with  native vxlan with 802.1q ?"

     

    yes

    View solution in original post

    14 REPLIES 14
    Tom_Wuyts1
    New Contributor

    Hi,

     

    I am struggling a while with the same thing. Fortigate E30 - firmware 5.6.4

    I was able to configure the vxlan with the following procedure: 

    https://travelingpacket.com/2017/09/28/fortigate-vxlan-encapsulation/

    I also use 802.1q, LAN port isa trunk on the switch

     

    I am able to ping trough the vxlan ipsec tunnel to the devices at the other site so my vxlan configuration works.

    But when i try fileservices, webapplications it's not possible.

    It has something to do with MTU size but I can 't figure it out. When i lower my MTU size on my laptop everything goes fine. So I would like to set the MTU size of my vxlan-switch higher but thats not allowed.

    I get the message 'MTU size is not valid, should be in range of 68 - 1500'

     

    Did you also suffer from this? Any solutions?

     

    Thx,

    Tom

     

     

    macarleo
    New Contributor II

    I've had similar problems try using a laptop with linux and see if you have the same web access problems. with linux laptop I had behaviors different from laptop windows, I did not understand the reason. if you use the trunk on the primary and secondary site switches, on the secondary site try to access the interface with the same pvid of the source trunk however vxlan on ipsec does not support 802.1q. So you can not pass more vlan even if it seems that at the IP or icmp level there is availability or reachability.

     

    Try to use my configuration and let me know if it works I have tested it thoroughly without problems.

     

     

    gangadar1234
    New Contributor

    Hi Macarleo,

     

    802.1q support with VXLAN over IPSec. I tested in my lab and i can see the Firewall passing the tags across the Ipsec tunnel.

     

    However NATIVE VXLAN isnt working for me ,  Also I see you have configured the vxlan remote ip as local loopback IP,

    i believe it should be the remote loopback ip

    macarleo

    Hello from my tests in the laboratory it seems to me that apparently the vlan pass correctly on IPSEC, in fact at ICMP level I did not detect problems but when I used the HTTPS protocols I detected problems. however, the conversation with the fortinet support is attached. vxlan on ipsec does not support 802.1q.

     

     

     I did not understand what you mean by: "Also I see you have configured the vxlan remote ip as local loopback IP, i believe it should be the remote loopback ip"

     

    Best Regards

    Mariano

    gangadar1234

    so are you able to get HTTPS working with  native vxlan with 802.1q ?

    Tom_Wuyts1

    I have exactly the same question, ICMP also works for me, but other protocols http, fileservices not.

    So actually it doesn 't work because we cannot use it if only ICMP works.

     

    What do they mean with 802.1q is not supported with VXLAN over IPSEC?

     

    When I lower MTU on my laptop everything works fine, (I configured my both swich ports as trunks).

    At the switch at the other side of the tunnel I am able to put AccessPoints, Client PC's, Printers in differrent vlans and when I lower MTU everything works. But lowering MTUI of every device is not solution so I would like to change MTU setting on vxlan. But I have no idea what and where i should configure it. 

    I opened a case and keep you posted. Let me know if you guys find anything....

    macarleo
    New Contributor II

    "so are you able to get HTTPS working with  native vxlan with 802.1q ?"

     

    yes

    Tom_Wuyts1

    Hi,

     

    I configured our fortigates (both 30E) according to your info and it works like a charm.

    I tested https, fileservices, email, skype...everything went smooth. 

    Next week I will test more thoroughly or let users use it and see if they are satisfied.

     

    Thank you very much !!!!

     

    Kind Regards,

    Tom

     

    PincoP
    New Contributor

    Excellent guide

    thank you

    Labels
    Top Kudoed Authors