Yngve0
New Contributor II

Layer 2 VPN between x FGT60D 6.0.5

I am trying to create a Layer 2 VPN between 2 sites. Both sites have FGT60D version 6.0.5. Both sites have dynamic public IPs, but site 2 is behind a NAT device.


I used this wizard: https://kb.fortinet.com/kb/viewContent.do?externalId=FD40170&sliceId=1

Tunnel is up and running, but it seems like the packet is not bridged; I am not able to ping IP 10.228.191.251 from site 1.


"diag deb sniffer packet any 'host 10.228.191.251' 4" on site 1 shows "arp who-has 10.228.191.251 tell...." on VxLan-interface but the request is not shown on site 2.


Any advice about where to start digging is welcome...

Site 1:

config system switch-interface
    edit "switch2891"
        set vdom "vd_site1"
        set member "int2.2891" "VxLan-IPsec"
        set intra-switch-policy explicit
    next
end
config system interface
    edit "VxLan-IPsec"
        set vdom "vd_site1"
        set vlanforward enable
        set type tunnel
        set snmp-index 18
        set interface "int2.3997"
    next
    edit "int2.2891"
        set vdom "vd_site1"
        set vlanforward enable
        set alias "2891 VxLAN"
        set device-identification enable
        set role lan
        set snmp-index 20
        set interface "internal2"
        set vlanid 2891
    next
    edit "switch2891"
        set vdom "vd_site1"
        set ip 10.228.191.2 255.255.255.0
        set allowaccess ping https ssh
        set type switch
        set snmp-index 21
    next
end
config vpn ipsec phase1-interface
    edit "VxLan-IPsec"
        set type ddns
        set interface "int2.3997"
        set peertype any
        set proposal aes128-sha1
        set encapsulation vxlan
        set remotegw-ddns "site2.mydomain.net"
        set psksecret ENC VerySecret
    next
end
config vpn ipsec phase2-interface
    edit "VxLan-IPsec"
        set phase1name "VxLan-IPsec"
        set proposal aes128-sha1
    next
end


Site 2:
config system switch-interface
    edit "switch2891"
        set vdom "vd_site2"
        set member "int1.2891" "VxLan-2891"
        set intra-switch-policy explicit
    next
end
config system interface
    edit "int1.2891"
        set vdom "vd_site2"
        set vlanforward enable
        set device-identification enable
        set role lan
        set snmp-index 33
        set interface "internal1"
        set vlanid 2891
    next
    edit "switch2891"
        set vdom "vd_site2"
        set ip 10.228.191.251 255.255.255.0
        set allowaccess ping
        set type switch
        set snmp-index 34
    next
    edit "VxLan-2891"
        set vdom "vd_site2"
        set vlanforward enable
        set type tunnel
        set snmp-index 31
        set interface "wan2"
    next
end

config vpn ipsec phase1-interface
    edit "VxLan-2891"
        set type ddns
        set interface "wan2"
        set peertype any
        set proposal aes128-sha1
        set encapsulation vxlan
        set remotegw-ddns "site1.mydomain.net"
        set psksecret ENC VerySecret
    next
end
config vpn ipsec phase2-interface
    edit "ph2_VxLan-2891"
        set phase1name "VxLan-2891"
        set proposal aes128-sha1
    next
end

Jirka1
Contributor III

Hi, 


I think the problem is that you have set the VLAN ID on the "int2.2891" interface (I suppose it's a VLAN interface). For proper operation, only a physical interface, not a VLAN, should be a member of the switch.

At least it works for me. 

Jirka
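One way to apply this check mechanically to a pasted config, together with the tunnel-side cross-checks (phase1 bound to the VXLAN tunnel member, encapsulation vxlan set, a phase2 referencing it), is to parse the FortiOS config/edit/set/next/end syntax and walk the switch members. This is an added example, not code from the thread or from Fortinet; the config string is a constructed, trimmed copy of the Site 2 post above.

```python
import shlex
from collections import defaultdict

def parse_fortios(text):
    """Flat FortiOS config/edit/set/next/end -> {section: {entry: {key: [values]}}}."""
    cfg, section, entry = defaultdict(dict), None, None
    for line in text.splitlines():
        tok = shlex.split(line)          # handles quoted names like "int1.2891"
        if not tok:
            continue
        if tok[0] == "config":
            section = " ".join(tok[1:])
        elif tok[0] == "edit":
            entry = tok[1]
            cfg[section].setdefault(entry, {})
        elif tok[0] == "set" and entry:
            cfg[section][entry][tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
    return cfg

def check_l2_vpn(cfg):
    """Findings for a switch-interface that bridges a VLAN onto a VXLAN-over-IPsec tunnel."""
    out, ifaces = [], cfg["system interface"]
    p2_targets = {v.get("phase1name", [""])[0] for v in cfg["vpn ipsec phase2-interface"].values()}
    for sw, s in cfg["system switch-interface"].items():
        for m in s.get("member", []):
            i = ifaces.get(m, {})
            if "vlanid" in i:            # the point raised in the reply above
                out.append(f"{sw}: member {m} is VLAN {i['vlanid'][0]}, not a physical port")
            if i.get("type") == ["tunnel"]:
                p1 = cfg["vpn ipsec phase1-interface"].get(m)
                if p1 is None:
                    out.append(f"{sw}: tunnel member {m} has no phase1-interface")
                elif p1.get("encapsulation") != ["vxlan"]:
                    out.append(f"{sw}: phase1 {m} lacks 'set encapsulation vxlan'")
                if m not in p2_targets:
                    out.append(f"{sw}: no phase2-interface references phase1 {m}")
    return out

SITE2 = "\n".join([                      # constructed, trimmed from the Site 2 config above
    'config system switch-interface', 'edit "switch2891"', 'set member "int1.2891" "VxLan-2891"', 'next', 'end',
    'config system interface', 'edit "int1.2891"', 'set interface "internal1"', 'set vlanid 2891', 'next',
    'edit "VxLan-2891"', 'set type tunnel', 'set interface "wan2"', 'next', 'end',
    'config vpn ipsec phase1-interface', 'edit "VxLan-2891"', 'set interface "wan2"', 'set encapsulation vxlan', 'next', 'end',
    'config vpn ipsec phase2-interface', 'edit "ph2_VxLan-2891"', 'set phase1name "VxLan-2891"', 'next', 'end',
])

if __name__ == "__main__":
    print("\n".join(check_l2_vpn(parse_fortios(SITE2))))
```

Run against the Site 2 config it reports only the VLAN-member finding; the same functions take the Site 1 block unchanged.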

emnoc
Esteemed Contributor III

How's the fwpolicy and what does "diag debug flow" show? I would also run the "diag vpn tunnel" commands to ensure two-way ipsec-SA connectivity. And show arp commands to confirm ARP resolutions?


Outside of that, the cfg looks good.


Ken Felix

PCNSE 

NSE 

StrongSwan  
