Support Forum
shivani_sharma
New Contributor

Multiple VXLANs over IPSec using virtual wire pair

Hello,

 

Has anyone been able to implement multiple VXLANs over a virtual wire pair as described in the FortiGate link below? I have tried this in the lab; the IPsec tunnel does not come up and it does not work. Has anyone made this work?

 

 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD47557

 

I set this up in the lab and when I debug IKE I get the policy errors below. But I am not sure what policy I should be adding, since it is not clear what the interface other than ipsec should be in the policy.

 

ike 0:ipsec: ignoring request to establish IPsec SA, no policy configured
ike 0:ipsec:ipsec: IPsec SA connect 3 10.10.10.1->10.10.10.2:0
ike 0:ipsec: ignoring request to establish IPsec SA, no policy configured
ike 0:ipsec:ipsec: IPsec SA connect 3 10.10.10.1->10.10.10.2:0

 

Following is my configuration

-------------------------------

 

FGT-1 --------

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set snmp-index 1
    next
end

config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "port1"
        set peertype any
        set proposal des-sha1
        set remote-gw 10.10.10.2
        set psksecret Vxlantest
    next
end

config vpn ipsec phase2-interface
    edit "ipsec"
        set phase1name "ipsec"
        set proposal des-sha1
        set auto-negotiate enable
    next
end

config system vxlan
    edit "vxlan"
        set interface "ipsec"
        set vni 100
        set remote-ip "10.10.10.2"
    next
end

config system virtual-wire-pair
    edit "vwp"
        set member "port3" "vxlan"
        set wildcard-vlan enable
    next
end

config firewall policy
    edit 5
        set name "vwp-pol"
        set srcintf "port3" "vxlan"
        set dstintf "port3" "vxlan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 

FGT-2 --------

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.10.10.2 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set snmp-index 1
    next
end

config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "port1"
        set peertype any
        set proposal des-sha1
        set remote-gw 10.10.10.1
        set psksecret Vxlantest
    next
end

config vpn ipsec phase2-interface
    edit "ipsec"
        set phase1name "ipsec"
        set proposal des-sha1
        set auto-negotiate enable
    next
end

config system vxlan
    edit "vxlan"
        set interface "ipsec"
        set vni 100
        set remote-ip "10.10.10.1"
    next
end

config system virtual-wire-pair
    edit "vwp"
        set member "port2" "vxlan"
        set wildcard-vlan enable
    next
end

config firewall policy
    edit 5
        set name "vwp-pol"
        set srcintf "port2" "vxlan"
        set dstintf "port2" "vxlan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 

1 Solution
emnoc
Esteemed Contributor III

First off, the IPsec does not look like VXLAN-over-IPsec. It's missing at minimum "set encapsulation vxlan".

 

The error in the debug is stating that you have no policy defined for the defined ipsec-interface. So IKE and IPsec will never fully establish.

 

You need at least one policy for ipsec to work.

 

 

e.g.

config firewall policy
    edit 0
        set name "ipsec-pol1"
        set srcintf ipsec
        set dstintf any
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    /* optional */
    edit 0
        set name "ipsec-pol2"
        set srcintf any
        set dstintf ipsec
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end


I would do the above and then validate that you have an IPsec phase1/phase2 before going any farther. As for the virtual-wire-pair, what are you trying to accomplish?


Ken Felix

PCNSE NSE StrongSwan
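A small checker for the condition Ken diagnoses, as an added example that is not FortiGate code or anything from the KB article: it parses a pasted FortiOS CLI dump, in either the run-together form the original post used or normal one-command-per-line form, and reports any phase1-interface that no firewall policy lists as srcintf or dstintf, which is exactly what the IKE debug line "no policy configured" is pointing at. The sample config is a constructed copy of the FGT-1 side with the PSK replaced by a placeholder; the parser, the TOP_LEVEL_ROOTS heuristic for unterminated blocks and all function names are my own assumptions.

```python
"""Added example: lint a FortiOS CLI dump for an IPsec phase1-interface that no
firewall policy references, the condition behind the IKE debug line
"ignoring request to establish IPsec SA, no policy configured".
Not FortiGate code; parser and heuristics are my own."""
import shlex

KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}
# First word of a top-level table (assumption). A 'config' starting with one of these
# while an entry is still open means the previous block was pasted without next/end.
TOP_LEVEL_ROOTS = {"system", "vpn", "firewall", "router", "user", "log"}


def _statements(tokens):
    """Group a flat token stream into CLI statements, each starting with a keyword.
    Assumes no attribute value is itself a bare keyword (true for this config)."""
    stmt = []
    for tok in tokens:
        if tok in KEYWORDS and stmt:
            yield stmt
            stmt = []
        stmt.append(tok)
    if stmt:
        yield stmt


def parse_fortios(text):
    """Return {table: {entry: {attribute: [values]}}} for top-level tables only.
    Works on run-together pastes as well as one-command-per-line output.
    'edit 0' (FortiOS: allocate the next free id) gets a synthetic key."""
    tables = {}
    stack = []  # [] | [table] | [table, entry] | deeper for nested blocks (ignored)
    for stmt in _statements(shlex.split(text)):
        kw, args = stmt[0], stmt[1:]
        if kw == "config":
            if stack and args and args[0] in TOP_LEVEL_ROOTS:
                stack = []  # implicitly close an unterminated block
            if not stack:
                stack = [" ".join(args)]
                tables.setdefault(stack[0], {})
            else:
                stack.append("nested:" + " ".join(args))
        elif kw == "edit":
            name = args[0]
            if len(stack) == 1:
                if name == "0":
                    name = "auto%d" % (len(tables[stack[0]]) + 1)
                tables[stack[0]].setdefault(name, {})
            stack.append(name)
        elif kw in ("next", "end"):
            if stack:
                stack.pop()
        elif kw == "set" and len(stack) == 2 and not stack[1].startswith("nested:"):
            tables[stack[0]][stack[1]][args[0]] = args[1:]
    return tables


def find_unreferenced_tunnels(tables):
    """phase1-interface names that no firewall policy lists as srcintf or dstintf
    ('any' counts as a reference). Such a tunnel can never pass traffic."""
    tunnels = list(tables.get("vpn ipsec phase1-interface", {}))
    referenced = set()
    for policy in tables.get("firewall policy", {}).values():
        ifaces = set(policy.get("srcintf", [])) | set(policy.get("dstintf", []))
        referenced.update(t for t in tunnels if t in ifaces or "any" in ifaces)
    return [t for t in tunnels if t not in referenced]


def lint(text):
    """Human-readable findings for a pasted config."""
    return ["phase1-interface '%s' is not used by any firewall policy; IKE will log "
            "'ignoring request to establish IPsec SA, no policy configured'" % t
            for t in find_unreferenced_tunnels(parse_fortios(text))]


# Constructed sample: the FGT-1 side as pasted in the thread, PSK replaced.
FGT1_AS_POSTED = """\
config system interface edit "port1" set vdom "root" set ip 10.10.10.1 255.255.255.0 set allowaccess ping https ssh http set type physical set snmp-index 1
config vpn ipsec phase1-interface edit "ipsec" set interface "port1" set peertype any set proposal des-sha1 set remote-gw 10.10.10.2 set psksecret LAB-PSK-PLACEHOLDER next end
config vpn ipsec phase2-interface edit "ipsec" set phase1name "ipsec" set proposal des-sha1 set auto-negotiate enable next end
config system vxlan edit "vxlan" set interface "ipsec" set vni 100 set remote-ip "10.10.10.2" next end
config system virtual-wire-pair edit "vwp" set member "port3" "vxlan" set wildcard-vlan enable next end
config firewall policy edit 5 set name "vwp-pol" set srcintf "port3" "vxlan" set dstintf "port3" "vxlan" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next end
"""

# Same config plus the tunnel policy from the accepted answer, in normal CLI layout.
FGT1_WITH_TUNNEL_POLICY = FGT1_AS_POSTED + """\
config firewall policy
    edit 0
        set name "ipsec-pol1"
        set srcintf ipsec
        set dstintf any
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", FGT1_AS_POSTED), ("with tunnel policy", FGT1_WITH_TUNNEL_POLICY)):
        print(label + ":", lint(cfg) or ["no findings"])
```

Run as posted it reports the single missing policy for "ipsec"; with Ken's ipsec-pol1 appended it reports nothing. The check deliberately counts "any" as a reference, since that is what his policy uses on the other side.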
shivani_sharma


Hello Ken,

 

Thank you. After adding the policy you suggested, the IPsec came up. However, I cannot ping end to end over the VXLAN. According to the Fortinet KB link I shared in my original post, this configuration should create a virtual wire pair over the IPsec tunnel and we should be able to extend VLANs over IPsec. But it does not seem to work. Do you know what I am missing? Is there another way to extend multiple VLANs between two sites over IPsec? I know we can do a single VLAN using VXLAN over IPsec, but if I would like to extend multiple VLANs, then how do I do it?

boneyard

I'm sure the "set encapsulation vxlan" is not needed; that is one way of doing VXLAN over IPsec, but you can do it without it also.

 

The scenario from the KB shivani shares looks very much like what we have running, but instead of the virtual wire pair we use the virtual switch for this.

 

This still shows some info on this:

https://forum.fortinet.com/tm.aspx?m=168761

 

It does support multiple VLANs over VXLAN.

 

But when I search for it now, I believe Fortinet is removing older information on this, so the virtual wire pair path might be the best way forward. If you have a support contract you can open a ticket for this: you are just building something from the cookbook and it doesn't work. To me that feels within their scope.

 

If you don't: you say you can't ping across; what are you trying to ping, and from where?

 

When you sniff the VPN interface, do you see VXLAN traffic?
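To make boneyard's last question concrete, here is an added example (my own code, not FortiOS or KB material) that decodes the UDP payload of a captured VXLAN datagram as seen on the decrypted side of the tunnel: it checks the VNI against the one configured (100 in this thread) and reports the inner 802.1Q VLAN ID, which is what a virtual wire pair with wildcard-vlan is expected to carry end to end. The frames are constructed inside the block; the function names and the sample MAC addresses are my own.

```python
"""Added example: decode VXLAN datagrams (the UDP/4789 payload) from a capture on
the tunnel side and report VNI plus the inner 802.1Q VLAN tag.
Constructed frames, my own code; not FortiOS or KB material."""
import struct

VXLAN_HDR_LEN = 8
VXLAN_FLAG_I = 0x08      # "VNI valid" flag, the only flag RFC 7348 defines
ETH_HDR_LEN = 14
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_vxlan(vni, dst_mac, src_mac, vlan_id=None, ethertype=ETHERTYPE_IPV4, payload=b""):
    """Build the UDP payload: 8-byte VXLAN header followed by the inner Ethernet frame."""
    header = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)   # flags, reserved, VNI, reserved
    eth = dst_mac + src_mac
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)  # TPID, TCI with PCP=0/DEI=0
    eth += struct.pack("!H", ethertype) + payload
    return header + eth


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def decode_vxlan(datagram):
    """Parse one VXLAN datagram; raises ValueError for non-VXLAN or truncated input."""
    if len(datagram) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        raise ValueError("truncated: %d bytes" % len(datagram))
    flags_word, vni_word = struct.unpack("!II", datagram[:VXLAN_HDR_LEN])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag not set; not a VXLAN header")
    inner = datagram[VXLAN_HDR_LEN:]
    ethertype, = struct.unpack("!H", inner[12:14])
    vlan_id, offset = None, ETH_HDR_LEN
    if ethertype == ETHERTYPE_8021Q:
        if len(inner) < ETH_HDR_LEN + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", inner[14:18])
        vlan_id, offset = tci & 0x0FFF, ETH_HDR_LEN + 4
    return {
        "vni": vni_word >> 8,
        "dst_mac": _mac(inner[:6]),
        "src_mac": _mac(inner[6:12]),
        "vlan_id": vlan_id,
        "ethertype": ethertype,
        "payload_len": len(inner) - offset,
    }


def summarize(datagrams, expected_vni):
    """What a capture actually carries: VLAN ids seen, untagged count, frames on a
    VNI other than the configured one, and anything that is not VXLAN at all."""
    vlans, untagged, wrong_vni, bad = set(), 0, [], 0
    for d in datagrams:
        try:
            f = decode_vxlan(d)
        except ValueError:
            bad += 1
            continue
        if f["vni"] != expected_vni:
            wrong_vni.append(f["vni"])
            continue
        if f["vlan_id"] is None:
            untagged += 1
        else:
            vlans.add(f["vlan_id"])
    return {"vlans": sorted(vlans), "untagged": untagged, "wrong_vni": wrong_vni, "undecodable": bad}


# Constructed capture: two tagged frames and one untagged on VNI 100, one stray on VNI 200.
HOST_A = bytes.fromhex("020000000a01")   # constructed locally administered MACs
HOST_B = bytes.fromhex("020000000b01")
CAPTURE = [
    build_vxlan(100, HOST_B, HOST_A, vlan_id=10, payload=b"\x45" + b"\x00" * 19),
    build_vxlan(100, HOST_A, HOST_B, vlan_id=20, payload=b"\x45" + b"\x00" * 19),
    build_vxlan(100, HOST_B, HOST_A, payload=b"\x45" + b"\x00" * 19),
    build_vxlan(200, HOST_B, HOST_A, vlan_id=10),
]

if __name__ == "__main__":
    for d in CAPTURE:
        print(decode_vxlan(d))
    print(summarize(CAPTURE, expected_vni=100))
```

If a capture on the tunnel side shows the expected VNI but no 802.1Q tags, the VLANs are being stripped before encapsulation; if it shows nothing at all, the problem is upstream of VXLAN and the policy or the virtual wire pair membership is the place to look.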
