VXLAN over IPsec using a VXLAN tunnel endpoint

This example describes how to implement VXLAN over IPsec VPN using a VXLAN tunnel endpoint (VTEP).

This example shows a specific configuration that uses a hub-and-spoke topology. However, the same logic can be applied to a static VPN with or without XAuth. In this hub-and-spoke topology, dialup VPN is convenient because it uses a single phase 1 dialup definition on the hub FortiGate. Additional spoke tunnels are added without any changes to the hub, other than adding a user account for each additional spoke. Spoke-to-spoke communication is established through the hub. This example assumes the authentication users and user groups have already been created.

IPsec tunnel interfaces are used to support VXLAN tunnel termination. An IP address is set for each tunnel interface. Ping access is allowed for troubleshooting purposes.

VTEPs are created on the hub and on each spoke to forward VXLAN traffic through the IPsec tunnels. VXLAN encapsulates layer 2 Ethernet frames in UDP/IP packets (UDP port 4789, the service permitted in the policy below), so layer 2 segments can be stretched across a layer 3 network. You will need to either combine the internal port and the VXLAN interface into a soft switch, or create a virtual wire pair, so that devices behind port1 have direct layer 2 access to remote peers over the VXLAN tunnel. This example uses a switch interface on the hub and a virtual wire pair on the spokes to demonstrate both methods.

Finally, for an IPsec VPN interface to be used as the underlying interface of a VXLAN interface, net-device must be disabled in the IPsec VPN phase 1 settings. All VXLAN interfaces in this example share the same VXLAN network ID (vni).

To configure the hub FortiGate:
  1. Configure the phase 1 and phase 2 interfaces:
    config vpn ipsec phase1-interface
       edit "SPOKES"
          set type dynamic
          set interface "port2"
          set mode aggressive
          set peertype one
          set net-device disable
          set proposal aes256-sha256
          set xauthtype auto
          set authusrgrp "SPOKES"
          set peerid "SPOKES"
          set psksecret <secret>
       next
    end
    config vpn ipsec phase2-interface
       edit "SPOKES"
          set phase1name "SPOKES"
          set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
       next
    end
  2. Configure the IPsec VPN policy that allows VXLAN traffic between spokes:
    config firewall policy
       edit 1
          set name "VXLAN_SPOKE_to_SPOKE"
          set srcintf "SPOKES"
          set dstintf "SPOKES"
          set srcaddr "NET_192.168.255.0"
          set dstaddr "NET_192.168.255.0"
          set action accept
          set schedule "always"
          set service "UDP_4789"
          set logtraffic all
          set fsso disable
       next
    end
  3. Configure the IPsec tunnel interfaces (the remote IP address is not used, but it is necessary for this configuration):
    config system interface
       edit "SPOKES"
          set vdom "root"
          set ip 192.168.255.1 255.255.255.255
          set allowaccess ping
          set type tunnel
          set remote-ip 192.168.255.254 255.255.255.0
          set snmp-index 12
          set interface "port2"
       next
    end
  4. Configure the VXLAN interface (the remote IPs are the tunnel interface IPs of the spokes):
    config system vxlan
       edit "SPOKES_VXLAN"
          set interface "SPOKES"
          set vni 1
          set remote-ip "192.168.255.2" "192.168.255.3"
       next
    end
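As an added check that is not part of the Fortinet example, the following Python script parses a FortiOS CLI fragment like the ones above and verifies the constraints the text states: the VXLAN interface's underlying interface is an IPsec phase1-interface with net-device disabled, its VTEP remote IPs fall inside the tunnel interface's remote-ip subnet, and (on the hub) a policy accepts traffic from the tunnel interface back to itself. The parser is a minimal one written for this example; it understands only config/edit/set/next/end and is not a general FortiOS configuration parser.

```python
import ipaddress
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI text into {"config path": {"edit name": {key: [values]}}}."""
    tree, path, edits = {}, [], []
    for tok in (shlex.split(line) for line in text.splitlines()):
        if not tok:
            continue
        if tok[0] == "config":  # keywords are case-insensitive, so normalise the path
            path.append(" ".join(tok[1:]).lower())
            edits.append(None)
            tree.setdefault(" ".join(path), {})
        elif tok[0] == "edit":
            edits[-1] = tok[1]
            tree[" ".join(path)].setdefault(tok[1], {})
        elif tok[0] == "set":
            tree[" ".join(path)][edits[-1]][tok[1]] = tok[2:]
        elif tok[0] == "end":
            path.pop()
            edits.pop()
    return tree

def audit_vxlan_over_ipsec(tree, hub=True):
    """Return findings for the VXLAN-over-IPsec rules the text states; [] means clean."""
    findings = []
    phase1 = tree.get("vpn ipsec phase1-interface", {})
    ifaces = tree.get("system interface", {})
    policies = tree.get("firewall policy", {}).values()
    for name, vx in tree.get("system vxlan", {}).items():
        tun = vx.get("interface", [""])[0]
        p1 = phase1.get(tun)
        if p1 is None:
            findings.append(f"{name}: interface {tun!r} is not an IPsec phase1-interface")
            continue
        if p1.get("net-device") != ["disable"]:  # require it explicitly; defaults vary by release
            findings.append(f"{name}: phase1 {tun!r} lacks 'set net-device disable'")
        rip = ifaces.get(tun, {}).get("remote-ip", [])
        if len(rip) == 2:  # VTEP peers must lie in the tunnel interface's remote-ip subnet
            net = ipaddress.ip_network(f"{rip[0]}/{rip[1]}", strict=False)
            for peer in vx.get("remote-ip", []):
                if ipaddress.ip_address(peer) not in net:
                    findings.append(f"{name}: VTEP peer {peer} is outside tunnel subnet {net}")
        if hub and not any(p.get("srcintf") == [tun] == p.get("dstintf")
                           and p.get("action") == ["accept"] for p in policies):
            findings.append(f"{name}: hub has no accept policy from {tun!r} to {tun!r} (UDP/4789)")
    return findings
if __name__ == "__main__":  # usage: pipe the output of 'show' into this script
    import sys
    print("\n".join(audit_vxlan_over_ipsec(parse_fortios(sys.stdin.read()))) or "no findings")
```

Run it on a spoke with hub=False, since spokes carry no tunnel-to-tunnel policy.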
To configure the spoke FortiGates:
  1. Configure the phase 1 and phase 2 interfaces:
    config vpn ipsec phase1-interface
       edit "HUB"
          set interface "port2"
          set mode aggressive
          set peertype any
          set net-device disable
          set proposal aes256-sha256
          set localid "SPOKES"
          set xauthtype client
          set authusr "SPOKE1"
          set authpasswd <secret>
          set remote-gw <hub public IP>
          set psksecret <secret>
       next
    end
    config vpn ipsec phase2-interface
       edit "HUB"
          set phase1name "HUB"