Administration Guide

VXLAN over IPsec tunnel with virtual wire pair

VXLAN can be used to encapsulate VLAN traffic over a Layer 3 network. Using IPsec VPN tunnels to secure a connection between two sites, VXLAN can encapsulate VLAN traffic over the VPN tunnel to extend the VLANs between the two sites.

In this example, a site-to-site VPN tunnel is formed between two FortiGates. A VXLAN is configured over the IPsec interface. Multiple VLANs are connected to a switch behind each FortiGate. Host1 and Host2 are connected to VLAN10 on the switches on each site, and Host21 and Host22 are connected to VLAN20. Using virtual wire pairs, the internal interface (port1) will be paired with the VXLAN interface (vxlan) to allow VLAN traffic to pass through in either direction.

To configure FGT-A:
  1. Configure the WAN interface:

    config system interface
        edit "wan1"
            set vdom "root"
            set ip 11.11.11.11 255.255.255.0
            set allowaccess ping https ssh http fgfm
            set type physical
            set role wan
            set snmp-index 1
        next
    end
  2. Configure a static route to send all traffic out the WAN interface:

    config router static
        edit 1
            set gateway 11.11.11.1
            set device "wan1"
        next
    end
  3. Configure the IPsec tunnel:

    config vpn ipsec phase1-interface
        edit "ipsec"
            set interface "wan1"
            set peertype any
            set proposal aes256-sha1
            set remote-gw 22.22.22.22
            set psksecret **********
        next
    end
    config vpn ipsec phase2-interface
        edit "ipsec"
            set phase1name "ipsec"
            set proposal aes256-sha1
            set auto-negotiate enable
        next
    end
  4. Configure local and remote IP addresses for the IPsec interface:

    config system interface
        edit "ipsec"
            set ip 10.200.0.1 255.255.255.255
            set remote-ip 10.200.0.2 255.255.255.252
        next
    end
  5. Configure the VXLAN interface and bind it to the IPsec interface:

    config system vxlan
        edit "vxlan"
            set interface "ipsec"
            set vni 10
            set remote-ip "10.200.0.2"
        next
    end

    The remote IP address (10.200.0.2) is the tunnel address of the remote IPsec peer, that is, the remote-ip configured on the IPsec interface in step 4.

  6. Configure a virtual wire pair with the port1 and vxlan interfaces as members:

    config system virtual-wire-pair
        edit "vwp"
            set member "port1" "vxlan"
            set wildcard-vlan enable
        next
    end

    The interfaces added to the virtual wire pair cannot be part of a switch, such as the default internal interface.

    By enabling wildcard VLANs on the virtual wire pair, all VLAN tagged traffic that is allowed by the virtual wire pair firewall policies passes through the pair.

  7. Configure a virtual wire pair firewall policy to allow traffic between the port1 and vxlan interfaces:

    config firewall policy
        edit 4
            set name "vwp-pol"
            set srcintf "port1" "vxlan"
            set dstintf "port1" "vxlan"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end

To configure FGT-B:
  1. Configure the WAN interface:

    config system interface
        edit "wan1"
            set vdom "root"
            set ip 22.22.22.22 255.255.255.0
            set allowaccess ping https ssh http fgfm
            set type physical
            set role wan
            set snmp-index 1
        next
    end
  2. Configure a static route to send all traffic out the WAN interface:

    config router static
        edit 1
            set gateway 22.22.22.2
            set device "wan1"
        next
    end
  3. Configure the IPsec tunnel:

    config vpn ipsec phase1-interface
        edit "ipsec"
            set interface "wan1"
            set peertype any
            set proposal aes256-sha1
            set remote-gw 11.11.11.11
            set psksecret **********
        next
    end
    config vpn ipsec phase2-interface
        edit "ipsec"
            set phase1name "ipsec"
            set proposal aes256-sha1
            set auto-negotiate enable
        next
    end
  4. Configure local and remote IP addresses for the IPsec interface:

    config system interface
        edit "ipsec"
            set ip 10.200.0.2 255.255.255.255
            set remote-ip 10.200.0.1 255.255.255.252
        next
    end
  5. Configure the VXLAN interface and bind it to the IPsec interface:

    config system vxlan
        edit "vxlan"
            set interface "ipsec"
            set vni 10
            set remote-ip "10.200.0.1"
        next
    end

    The remote IP address (10.200.0.1) is the tunnel address of the remote IPsec peer, that is, the remote-ip configured on the IPsec interface in step 4.

  6. Configure a virtual wire pair with the port1 and vxlan interfaces as members:

    config system virtual-wire-pair
        edit "vwp"
            set member "port1" "vxlan"
            set wildcard-vlan enable
        next
    end
  7. Configure a virtual wire pair firewall policy to allow traffic between the port1 and vxlan interfaces:

    config firewall policy
        edit 4
            set name "vwp-pol"
            set srcintf "port1" "vxlan"
            set dstintf "port1" "vxlan"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
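
The two sites only work if each side's tunnel addressing mirrors the other's: the VXLAN remote-ip must be the peer's IPsec interface address and both ends must use the same VNI. The script below is an added example, not Fortinet code or part of this guide; it reads the flat `config`/`edit`/`set` blocks from steps 4 and 5 (the template and `site()` helper are constructed from the page's addresses) and reports any asymmetry before the tunnel is brought up.

```python
# Added example, not Fortinet code: a flat reader for the FortiOS CLI blocks on this
# page, plus a check that the two sites' tunnel and VXLAN settings mirror each other.
def parse_fortios(text):
    entries, section, cur = {}, None, None  # {(section, entry): {key: [values]}}
    for line in text.splitlines():
        words = [w.strip('"') for w in line.split()]
        if words[:1] == ["config"]:
            section = " ".join(words[1:])
        elif words[:1] == ["edit"]:
            cur = entries.setdefault((section, words[1]), {})
        elif words[:1] == ["set"]:
            cur[words[1]] = words[2:]
    return entries

TEMPLATE = """config system interface
    edit "ipsec"
        set ip {tun} 255.255.255.255
        set remote-ip {peer_tun} 255.255.255.252
    next
end
config system vxlan
    edit "vxlan"
        set interface "ipsec"
        set vni {vni}
        set remote-ip "{peer_tun}"
    next
end
"""

# Each local (section, entry, key) must equal the peer's (section, entry, key).
MIRROR = [
    (("system interface", "ipsec", "remote-ip"), ("system interface", "ipsec", "ip")),
    (("system vxlan", "vxlan", "remote-ip"), ("system interface", "ipsec", "ip")),
    (("system vxlan", "vxlan", "vni"), ("system vxlan", "vxlan", "vni")),
]

def check_pair(a, b):
    """Return mismatches; an empty list means the two sites point at each other."""
    errs = []
    for me, peer, tag in ((a, b, "FGT-A"), (b, a, "FGT-B")):
        for (sec, ent, key), (psec, pent, pkey) in MIRROR:
            want = peer[(psec, pent)][pkey][0]
            if me[(sec, ent)][key][0] != want:
                errs.append(f"{tag}: {sec} '{ent}' {key} must be {want}")
    return errs

def site(tun, peer_tun, vni="10"):  # tunnel addresses and VNI from the page's example
    return parse_fortios(TEMPLATE.format(tun=tun, peer_tun=peer_tun, vni=vni))
FGT_A = site("10.200.0.1", "10.200.0.2")
FGT_B = site("10.200.0.2", "10.200.0.1")
```

`check_pair(FGT_A, FGT_B)` returns an empty list for the configuration above; a mismatched VNI or a vxlan remote-ip that is not the peer's tunnel address is reported per site.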

Test the configuration

To test the configuration, ping Host2 (VLAN10: 192.168.10.2/24) from Host1 (VLAN10: 192.168.10.1/24):
C:\>ping 192.168.10.2

Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.10.2: bytes=32 time=8ms TTL=56
Reply from 192.168.10.2: bytes=32 time=8ms TTL=56
Reply from 192.168.10.2: bytes=32 time=8ms TTL=56
Reply from 192.168.10.2: bytes=32 time=11ms TTL=56

Ping statistics for 192.168.10.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 11ms, Average = 8ms

Host21 should also be able to ping Host22.