Created on 08-29-2019 04:59 AM Edited on 06-09-2022 09:14 PM By Anonymous
Description
This article describes how to configure a VXLAN over IPsec tunnel between two FortiGates (HQ1 and HQ2) and how to verify it.
Solution
HQ1:
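# HQ1 side of the VXLAN over IPsec tunnel. The IKE/ESP underlay runs on port1;
# the VXLAN overlay is exposed as the software switch "VXLAN-HQ1".
# config firewall address
edit "local-address"
# NOTE(review): 192.168.100.0/24 is not the 192.168.1.0/24 subnet seen on the
# VXLAN switch in the results section - confirm which subnet the hosts behind
# port2 actually use before reusing this object.
set subnet 192.168.100.0 255.255.255.0
next
end
# config system interface
edit "port1"
set vdom "root"
# port1 is the IPsec/VXLAN underlay endpoint (same address as encap-local-gw4).
set ip 10.109.52.68 255.255.255.0
# Administrative access on the underlay-facing interface; keep only what is
# needed (http serves the GUI without encryption).
set allowaccess ping https ssh http
set type physical
set snmp-index 1
next
end
# config router static
edit 3
# Static route towards the peer via port1 (no dst is set in this listing).
set gateway 10.109.63.254
set device "port1"
next
end
# config vpn ipsec phase1-interface
edit "to_HQ2"
set interface "port1"
# peertype any: no peer-ID check; the tunnel is pinned to one remote address
# by remote-gw below.
set peertype any
# The sha1 entries are kept for compatibility; prefer the sha256 ones when
# both peers support them.
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
# Carry VXLAN inside the IPsec tunnel; the VXLAN endpoints are the same
# addresses as the IKE gateways.
set encapsulation vxlan
set encapsulation-address ipv4
set encap-local-gw4 10.109.52.68
set encap-remote-gw4 10.109.48.100
set remote-gw 10.109.48.100
# "sample" is a placeholder - use a strong pre-shared key, identical on HQ2.
set psksecret sample
next
end
# config vpn ipsec phase2-interface
edit "to_HQ2"
set phase1name "to_HQ2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
# config firewall policy
# Policy 1: port2 -> tunnel; policy 2: tunnel -> port2. Both allow service ALL
# between local-address in either direction - narrow the service set if only
# specific traffic is expected across the overlay.
edit 1
set srcintf "port2"
set dstintf "to_HQ2"
set srcaddr "local-address"
set dstaddr "local-address"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set srcintf "to_HQ2"
set dstintf "port2"
set srcaddr "local-address"
set dstaddr "local-address"
# 'accept' (the original listing had the truncated 'accep').
set action accept
set schedule "always"
set service "ALL"
next
end
# config system switch-interface
edit "VXLAN-HQ1"
set vdom "root"
# explicit: traffic between switch members is subject to firewall policy
# (policies 1 and 2 above) instead of being switched freely.
set intra-switch-policy explicit <---------- required so that the tunnel "to_HQ2" can be added as a member
set member "port2" "to_HQ2"
next
end
# config system interface
edit "VXLAN-HQ1"
set vdom "root"
# Overlay address of HQ1 on the VXLAN switch.
set ip 192.168.1.1 255.255.255.0
# Same caveat as port1: restrict administrative access to what is required.
set allowaccess ping https ssh http
set type switch
set snmp-index 13
next
end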
HQ2:
# HQ2 side of the VXLAN over IPsec tunnel; mirrors the HQ1 configuration with
# the local and remote gateway addresses swapped.
# config firewall address
edit "local-address"
# NOTE(review): 192.168.100.0/24 is not the 192.168.1.0/24 subnet seen on the
# VXLAN switch in the results section - confirm which subnet the hosts behind
# internal1 actually use before reusing this object.
set subnet 192.168.100.0 255.255.255.0
next
end
# config system interface
edit "port1"
set vdom "root"
# Same address as encap-local-gw4 below.
set ip 10.109.48.100 255.255.255.0
# Administrative access on the underlay-facing interface; keep only what is
# needed (http serves the GUI without encryption).
set allowaccess ping https ssh http
set type physical
set snmp-index 1
next
end
# config router static
edit 3
# Static route towards the peer via port1 (no dst is set in this listing).
set gateway 10.109.63.254
set device "port1"
next
end
# config vpn ipsec phase1-interface
edit "to_HQ1"
# NOTE(review): phase1 is bound to wan1 while 10.109.48.100 is configured on
# port1 above - confirm which interface is the intended underlay on HQ2.
set interface "wan1"
# peertype any: no peer-ID check; the tunnel is pinned to one remote address
# by remote-gw below.
set peertype any
# The sha1 entries are kept for compatibility; prefer the sha256 ones when
# both peers support them.
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
# Carry VXLAN inside the IPsec tunnel; the VXLAN endpoints are the same
# addresses as the IKE gateways.
set encapsulation vxlan
set encapsulation-address ipv4
set encap-local-gw4 10.109.48.100
set encap-remote-gw4 10.109.52.68
set remote-gw 10.109.52.68
# "sample" is a placeholder - use a strong pre-shared key, identical on HQ1.
set psksecret sample
next
end
# config vpn ipsec phase2-interface
# The phase2 name ("to_HQ2") differs from the phase1 name; it is tied to
# phase1 by phase1name, and the tunnel list in the results shows
# proxyid=to_HQ2 accordingly.
edit "to_HQ2"
set phase1name "to_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
# config firewall policy
# Policy 1: internal1 -> tunnel; policy 2: tunnel -> internal1. Both allow
# service ALL between local-address in either direction - narrow the service
# set if only specific traffic is expected across the overlay.
edit 1
set srcintf "internal1"
set dstintf "to_HQ1"
set srcaddr "local-address"
set dstaddr "local-address"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set srcintf "to_HQ1"
set dstintf "internal1"
set srcaddr "local-address"
set dstaddr "local-address"
set action accept
set schedule "always"
set service "ALL"
next
end
# config system switch-interface
# The switch is named "VXLAN-HQ1" on HQ2 as well; the name is local to each
# unit and does not need to match the peer.
edit "VXLAN-HQ1"
set vdom "root"
# explicit: traffic between switch members is subject to firewall policy
# (policies 1 and 2 above) instead of being switched freely.
set intra-switch-policy explicit <---------- required so that the tunnel "to_HQ1" can be added as a member
set member "internal1" "to_HQ1"
next
end
# config system interface
edit "VXLAN-HQ1"
set vdom "root"
# Overlay address of HQ2 on the VXLAN switch.
set ip 192.168.1.254 255.255.255.0
# Same caveat as port1: restrict administrative access to what is required.
set allowaccess ping https ssh http
set type switch
set snmp-index 13
next
end
Results (the packet sniffer below is taken on HQ1, the tunnel list on HQ2; note that the tunnel list output includes the live ESP key material, which should be redacted before sharing):
# diagnose sniffer packet any "host 192.168.1.1" 4 0 a
interfaces=[any]
filters=[host 192.168.1.1]
2019-08-22 13:36:13.355609 to_HQ2 in 192.168.1.254 -> 192.168.1.1: icmp: echo request
2019-08-22 13:36:13.355681 VXLAN-HQ1 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:13.355685 to_HQ2 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:14.365391 to_HQ2 in 192.168.1.254 -> 192.168.1.1: icmp: echo request
2019-08-22 13:36:14.365450 VXLAN-HQ1 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:14.365454 to_HQ2 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:15.375443 to_HQ2 in 192.168.1.254 -> 192.168.1.1: icmp: echo request
2019-08-22 13:36:15.375505 VXLAN-HQ1 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:15.375511 to_HQ2 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:16.385458 to_HQ2 in 192.168.1.254 -> 192.168.1.1: icmp: echo request
2019-08-22 13:36:16.385517 VXLAN-HQ1 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:16.385522 to_HQ2 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
name=to_HQ1 ver=1 serial=4 10.109.48.100:0->10.109.52.68:0 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=VXLAN/514 options[0202]=frag-rfc run_state=0 accept_traffic=1
encap-addr: 10.109.48.100->10.109.52.68
proxyid_num=1 child_num=0 refcnt=10 ilast=2 olast=2 ad=/0
stat: rxp=21 txp=24 rxb=3944 txb=2056
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=41556/0B replaywin=1024
seqno=19 esn=0 replaywin_lastseq=00000016 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=eec7eeed esp=aes key=16 81d4cb62f6dc20ce000675f6ddbdeefc
ah=sha1 key=20 9c78e1bfc143d1bebaca3a111e31548663a7067f
enc: spi=ba648fca esp=aes key=16 9ad5b103781041a9acff38f0bc5c7bdb
ah=sha1 key=20 9f631c45f475e7e560946605f929ca4334e675b6
dec:pkts/bytes=21/2590, enc:pkts/bytes=22/4128
npu_flag=00 npu_rgwy=10.109.52.68 npu_lgwy=10.109.48.100 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=1