Layer 2 VPN between x FGT60D 6.0.5

Author: Yngve0
2020/01/18 09:32:38

Layer 2 VPN between x FGT60D 6.0.5

I am trying to create a Layer 2 VPN between 2 sites. Both sites have FGT60D version 6.0.5. Both sites have a dynamic public IP, but site 2 is behind a NAT device.
 
I used this wizard: https://kb.fortinet.com/kb/viewContent.do?externalId=FD40170&sliceId=1
The tunnel is up and running, but it seems the packets are not bridged; I am not able to ping IP 10.228.191.251 from site 1.
 
"diag deb sniffer packet any 'host 10.228.191.251' 4" on site 1 shows "arp who-has 10.228.191.251 tell...." on the VxLan interface, but the request is not seen on site 2.
 
Any advice about where to start digging is welcome...

Site 1:

config system switch-interface
    edit "switch2891"
        set vdom "vd_site1"
        set member "int2.2891" "VxLan-IPsec"
        set intra-switch-policy explicit
    next
end
config system interface
    edit "VxLan-IPsec"
        set vdom "vd_site1"
        set vlanforward enable
        set type tunnel
        set snmp-index 18
        set interface "int2.3997"
    next
    edit "int2.2891"
        set vdom "vd_site1"
        set vlanforward enable
        set alias "2891 VxLAN"
        set device-identification enable
        set role lan
        set snmp-index 20
        set interface "internal2"
        set vlanid 2891
    next
    edit "switch2891"
        set vdom "vd_site1"
        set ip 10.228.191.2 255.255.255.0
        set allowaccess ping https ssh
        set type switch
        set snmp-index 21
    next
end
config vpn ipsec phase1-interface
    edit "VxLan-IPsec"
        set type ddns
        set interface "int2.3997"
        set peertype any
        set proposal aes128-sha1
        set encapsulation vxlan
        set remotegw-ddns "site2.mydomain.net"
        set psksecret ENC VerySecret
    next
end
config vpn ipsec phase2-interface
    edit "VxLan-IPsec"
        set phase1name "VxLan-IPsec"
        set proposal aes128-sha1
    next
end
Site 2:
config system switch-interface
    edit "switch2891"
        set vdom "vd_site2"
        set member "int1.2891" "VxLan-2891"
        set intra-switch-policy explicit
    next
end
config system interface
    edit "int1.2891"
        set vdom "vd_site2"
        set vlanforward enable
        set device-identification enable
        set role lan
        set snmp-index 33
        set interface "internal1"
        set vlanid 2891
    next
    edit "switch2891"
        set vdom "vd_site2"
        set ip 10.228.191.251 255.255.255.0
        set allowaccess ping
        set type switch
        set snmp-index 34
    next
    edit "VxLan-2891"
        set vdom "vd_site2"
        set vlanforward enable
        set type tunnel
        set snmp-index 31
        set interface "wan2"
    next
end

config vpn ipsec phase1-interface
    edit "VxLan-2891"
        set type ddns
        set interface "wan2"
        set peertype any
        set proposal aes128-sha1
        set encapsulation vxlan
        set remotegw-ddns "site1.mydomain.net"
        set psksecret ENC VerySecret
    next
end
config vpn ipsec phase2-interface
    edit "ph2_VxLan-2891"
        set phase1name "VxLan-2891"
        set proposal aes128-sha1
    next
end

#1

2 Replies

    Jirka
    Re: Layer 2 VPN between x FGT60D 6.0.5 2020/01/18 10:24:11
    Hi,

    I think the problem is that you have set the VLAN ID on the "int2.2891" interface (I suppose it's a VLAN interface). For proper operation, only a physical interface, not a VLAN, should be a member of the switch.
    At least it works for me.
    Jirka
    #2
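A small config lint for this thread, as an added example (not FortiOS code and not anything the posters ran): it parses a FortiOS CLI dump and flags the point Jirka raises, a VLAN sub-interface used as a software-switch member, plus a tunnel member whose phase1 lacks `set encapsulation vxlan`. SITE1_CFG, parse_fortios and lint_l2_switch are constructed names; the excerpt is modelled on the site 1 config above.

```python
import shlex

# Constructed excerpt modelled on the site 1 config above (not the poster's full dump).
SITE1_CFG = """
config system switch-interface
    edit "switch2891"
        set member "int2.2891" "VxLan-IPsec"
    next
end
config system interface
    edit "int2.2891"
        set interface "internal2"
        set vlanid 2891
    next
end
config vpn ipsec phase1-interface
    edit "VxLan-IPsec"
        set encapsulation vxlan
    next
end
"""

def parse_fortios(text):
    """Flat FortiOS CLI dump -> {section: {entry: {key: [values]}}}."""
    cfg, section, entry = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        word, _, rest = line.partition(" ")
        if word == "config":
            section = cfg.setdefault(rest, {})
        elif word == "edit" and section is not None:
            entry = section.setdefault(rest.strip('"'), {})
        elif word == "set" and entry is not None:
            key, *vals = shlex.split(rest)  # keeps quoted names intact
            entry[key] = vals
        elif word in ("next", "end"):
            entry = None
    return cfg

def lint_l2_switch(cfg):
    """Flag VLAN sub-interfaces used as switch members and tunnel members without VXLAN encapsulation."""
    ifaces, p1 = cfg.get("system interface", {}), cfg.get("vpn ipsec phase1-interface", {})
    findings = []
    for sw, attrs in cfg.get("system switch-interface", {}).items():
        for member in attrs.get("member", []):
            if "vlanid" in ifaces.get(member, {}):
                findings.append(f"{sw}: member {member} is a VLAN sub-interface, not a physical port")
            elif member in p1 and p1[member].get("encapsulation") != ["vxlan"]:
                findings.append(f"{sw}: tunnel member {member} lacks 'set encapsulation vxlan'")
    return findings
```

Run it over a full `show` dump from each side; on the site 1 excerpt it reports only the VLAN member, which is the condition Jirka describes.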
    emnoc
    Re: Layer 2 VPN between x FGT60D 6.0.5 2020/01/19 07:47:16
    How's the fw policy, and what does "diag debug flow" show? I would also run the "diag vpn tunnel" commands to ensure two-way IPsec SA connectivity, and the "show arp" commands to confirm ARP resolution.
     
    Outside of that, the cfg looks good.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #3