FortiGate
Article Id 192730

Description
This article describes how to build a VXLAN-encapsulated IPsec tunnel between two FortiGates (HQ1 and HQ2) and bridge a local port into it with a software switch, with the CLI for both sides and the resulting sniffer and tunnel output. The values shown — the pre-shared key `sample`, `peertype any`, the `*-sha1` proposals and `http` in `allowaccess` on the tunnel-facing and switch interfaces — are lab settings and should be hardened before production use.


Solution
HQ1 (port1 10.109.52.68 is the IKE/VXLAN endpoint; port2 is the local LAN bridged into the VXLAN switch):

# config firewall address
    # Address object used on both sides of the switch policies below.
    # NOTE(review): the software switch interface itself is 192.168.1.0/24;
    # this object only matches 192.168.100.0/24 — confirm that is the subnet
    # of the hosts behind port2, otherwise the policies never match.
    edit "local-address"
        set subnet 192.168.100.0 255.255.255.0
    next
end
# config system interface
    # port1 is the underlay interface; its address is the IKE endpoint and
    # the VXLAN encap-local-gw4 used in the phase1 below.
    edit "port1"
        set vdom "root"
        set ip 10.109.52.68 255.255.255.0
        # Security: this interface faces the peer network. 'http' is plaintext
        # admin access; in production remove it and limit https/ssh to trusted
        # hosts (trusthost on the admin accounts) or drop them here entirely.
        set allowaccess ping https ssh http
        set type physical
        set snmp-index 1
    next
end

# config router static

    # Route toward the underlay gateway (no dst given, so presumably the
    # default route) used to reach the HQ2 endpoint 10.109.48.100.
    # NOTE(review): 10.109.63.254 is outside 10.109.52.0/24 as port1 is
    # configured above; the lab underlay is presumably a larger prefix —
    # verify the port1 mask, otherwise this gateway is not directly reachable.
    edit 3
        set gateway 10.109.63.254
        set device "port1"
    next
end
# config vpn ipsec phase1-interface
    # IKE phase1 toward HQ2; the tunnel interface created here (to_HQ2) is
    # later added as a member of the VXLAN-HQ1 software switch.
    edit "to_HQ2"
        set interface "port1"
        # Security: 'peertype any' does not check the peer's identity. With a
        # static remote-gw this is common for site-to-site, but prefer a peer
        # ID or certificate-based authentication in production.
        set peertype any
        # Security: keep the sha256 proposals and drop the *-sha1 ones in
        # production; both peers must still share at least one proposal.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        # VXLAN is carried inside the IPsec tunnel; the encap gateways are the
        # same addresses as the IKE endpoints (port1 IPs on both sides).
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 10.109.52.68
        set encap-remote-gw4 10.109.48.100    
        set remote-gw 10.109.48.100
        # Security: 'sample' is a lab placeholder. Use a long, random PSK that
        # is identical on HQ2 and not reused by any other tunnel.
        set psksecret sample
        next
end
# config vpn ipsec phase2-interface
    edit "to_HQ2"
        set phase1name "to_HQ2"
        # No selectors are set, so the SA covers 0.0.0.0/0 on both sides
        # (see src/dst in the 'diagnose vpn tunnel list' output below).
        # Security: the AEAD suites (aes*gcm, chacha20poly1305) are preferable;
        # the *-sha1 entries should be removed in production.
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
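# config firewall policy
    # Policies between the two members of the VXLAN-HQ1 software switch
    # (port2 <-> to_HQ2). NOTE(review): with 'intra-switch-policy explicit'
    # on the switch, inter-member traffic is presumably subject to these
    # policies, so they are what actually controls what crosses the VXLAN.
    # Security: both policies are any-service; narrow 'service' to what the
    # sites need and consider a security profile rather than bare 'accept'.
    edit 1
        set srcintf "port2"
        set dstintf "to_HQ2"
        set srcaddr "local-address"
        set dstaddr "local-address"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "to_HQ2"
        set dstintf "port2"
        set srcaddr "local-address"
        set dstaddr "local-address"
        # Fixed: the original read 'accep', which is not a valid action value
        # and would leave the return-direction policy unusable.
        set action accept
        set schedule "always"
        set service "ALL"
    next
end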
# config system switch-interface
    # Software switch that bridges the LAN port (port2) with the IPsec/VXLAN
    # tunnel interface (to_HQ2).
    edit "VXLAN-HQ1"
        set vdom "root"
        # Per the original note, 'explicit' is what allows the tunnel
        # interface to be added as a member; it also means traffic between
        # members is handled by firewall policy (the two policies above)
        # rather than being bridged implicitly.
        set intra-switch-policy explicit   <---------- use this to be able to get the member
        set member "port2" "to_HQ2"
    next
end
# config system interface
    # Address of the software switch itself (192.168.1.1 on HQ1, 192.168.1.254
    # on HQ2); the ICMP exchange in the results below is between these two.
    edit "VXLAN-HQ1"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        # Security: this exposes management on the bridged segment, including
        # plaintext 'http'. Remove 'http' and keep only what is required.
        set allowaccess ping https ssh http
        set type switch
        set snmp-index 13
    next
end


HQ2 (port1 10.109.48.100 is the IKE/VXLAN endpoint; internal1 is the local LAN bridged into the VXLAN switch):

# config firewall address
    # Same LAN address object as on HQ1; both sides bridge 192.168.100.0/24.
    # NOTE(review): confirm this is the subnet of the hosts behind internal1
    # (the switch interface itself is 192.168.1.0/24).
    edit "local-address"
        set subnet 192.168.100.0 255.255.255.0
    next
end

# config system interface
    # port1 carries the HQ2 endpoint address used as remote-gw by HQ1 and as
    # encap-local-gw4 in the phase1 below.
    edit "port1"
        set vdom "root"
        set ip 10.109.48.100 255.255.255.0
        # Security: tunnel-facing interface; remove plaintext 'http' and
        # restrict https/ssh to trusted hosts in production.
        set allowaccess ping https ssh http
        set type physical
        set snmp-index 1
    next
end
# config router static
    # Route toward the underlay gateway used to reach HQ1's 10.109.52.68.
    # NOTE(review): as on HQ1, 10.109.63.254 is outside 10.109.48.0/24 as
    # port1 is configured above — verify the mask or the gateway is not
    # directly reachable.
    edit 3
        set gateway 10.109.63.254
        set device "port1"
    next
end
# config vpn ipsec phase1-interface

    # IKE phase1 toward HQ1; mirror image of HQ1's 'to_HQ2'.
    edit "to_HQ1"
        # NOTE(review): the endpoint address 10.109.48.100 is configured on
        # port1 above, yet the phase1 is bound to "wan1". Unless wan1 is the
        # interface actually holding that address on this unit, this should
        # read "port1" to match the rest of the HQ2 configuration.
        set interface "wan1"
        # Security: no peer identity check; see the HQ1 side — prefer peer ID
        # or certificate authentication in production.
        set peertype any
        # Security: drop the *-sha1 proposals in production (on both peers).
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 10.109.48.100
        set encap-remote-gw4 10.109.52.68  
        set remote-gw 10.109.52.68
        # Security: lab placeholder — must equal HQ1's PSK; use a long random
        # value in production.
        set psksecret sample
    next
end
# config vpn ipsec phase2-interface
    # NOTE(review): this phase2 is named "to_HQ2" although it belongs to
    # phase1 "to_HQ1" on HQ2. It works (the tunnel list below shows
    # proxyid=to_HQ2 under name=to_HQ1), but naming it after the local phase1
    # avoids confusion when troubleshooting.
    edit "to_HQ2"
        set phase1name "to_HQ1"
        # No selectors, so the SA covers 0.0.0.0/0 both ways; prefer the AEAD
        # suites and remove the *-sha1 entries in production.
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
# config firewall policy
    # Policies between the two switch members on HQ2 (internal1 <-> to_HQ1);
    # presumably required because the switch uses intra-switch-policy explicit.
    # Security: both are any-service between the single LAN object; narrow
    # 'service' to what the sites actually need.
    edit 1
        set srcintf "internal1"
        set dstintf "to_HQ1"
        set srcaddr "local-address"
        set dstaddr "local-address"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "to_HQ1"
        set dstintf "internal1"
        set srcaddr "local-address"
        set dstaddr "local-address"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# config system switch-interface

    # Software switch bridging the HQ2 LAN port (internal1) with the tunnel
    # interface (to_HQ1). The name "VXLAN-HQ1" is reused from HQ1; it is only
    # local to this unit.
    edit "VXLAN-HQ1"
        set vdom "root"
        # Per the original note, 'explicit' is needed to add the tunnel
        # interface as a member; inter-member traffic is then handled by the
        # firewall policies above.
        set intra-switch-policy explicit   <---------- use this to be able to get the member
        set member "internal1" "to_HQ1"
    next
end

# config system interface
    # Address of the HQ2 software switch; paired with 192.168.1.1 on HQ1 and
    # used as the source of the ICMP echo requests in the results below.
    edit "VXLAN-HQ1"
        set vdom "root"
        set ip 192.168.1.254 255.255.255.0
        # Security: management on the bridged segment — remove 'http' and keep
        # only what is required.
        set allowaccess ping https ssh http
        set type switch
        set snmp-index 13
    next
end

Results (the sniffer capture below is taken on HQ1 — it sees the tunnel as `to_HQ2` — while the `diagnose vpn tunnel list` output is from HQ2; note that the tunnel list prints the live ESP encryption and authentication keys, so redact the `dec:`/`enc:` key lines before sharing such output):

# diagnose sniffer packet any "host 192.168.1.1" 4 0 a

interfaces=[any]
filters=[host 192.168.1.1]
2019-08-22 13:36:13.355609 to_HQ2 in 192.168.1.254 -> 192.168.1.1: icmp: echo request
2019-08-22 13:36:13.355681 VXLAN-HQ1 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:13.355685 to_HQ2 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:14.365391 to_HQ2 in 192.168.1.254 -> 192.168.1.1: icmp: echo request
2019-08-22 13:36:14.365450 VXLAN-HQ1 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:14.365454 to_HQ2 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:15.375443 to_HQ2 in 192.168.1.254 -> 192.168.1.1: icmp: echo request
2019-08-22 13:36:15.375505 VXLAN-HQ1 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:15.375511 to_HQ2 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:16.385458 to_HQ2 in 192.168.1.254 -> 192.168.1.1: icmp: echo request
2019-08-22 13:36:16.385517 VXLAN-HQ1 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply
2019-08-22 13:36:16.385522 to_HQ2 out 192.168.1.1 -> 192.168.1.254: icmp: echo reply

# diagnose vpn tunnel list

list all ipsec tunnel in vd 0
name=to_HQ1 ver=1 serial=4 10.109.48.100:0->10.109.52.68:0 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=VXLAN/514 options[0202]=frag-rfc  run_state=0 accept_traffic=1
encap-addr: 10.109.48.100->10.109.52.68
proxyid_num=1 child_num=0 refcnt=10 ilast=2 olast=2 ad=/0
stat: rxp=21 txp=24 rxb=3944 txb=2056
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1390 expire=41556/0B replaywin=1024
       seqno=19 esn=0 replaywin_lastseq=00000016 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42903/43200
  dec: spi=eec7eeed esp=aes key=16 81d4cb62f6dc20ce000675f6ddbdeefc
       ah=sha1 key=20 9c78e1bfc143d1bebaca3a111e31548663a7067f
  enc: spi=ba648fca esp=aes key=16 9ad5b103781041a9acff38f0bc5c7bdb
       ah=sha1 key=20 9f631c45f475e7e560946605f929ca4334e675b6
  dec:pkts/bytes=21/2590, enc:pkts/bytes=22/4128
  npu_flag=00 npu_rgwy=10.109.52.68 npu_lgwy=10.109.48.100 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=1

 
