By Manny Fernandez
January 18, 2020
VX-LAN over IPSec using Fortigate Firewalls
VXLAN is a tunneling protocol that encapsulates layer 2 frames into layer 3 UDP packets. VXLANs allow you to create logical/virtual layer 2 networks that span physical layer 3 networks. A use case for this is a customer that is looking to move their DC but cannot do it all inside a single maintenance window. Since changing IP addresses for either the moved subnet or the subnet that “stayed behind” is not an option in my example, we can virtually extend the layer 2 segment, which allows the same network to live on both sides of the VXLAN over IPSec devices. See below.

In my environment, I am using 10.243.1.0/24 as the network I want to extend.
Challenge: be able to ping across the two Fortigate firewalls configured for VXLAN while two separate devices, one connected to each firewall, sit in the same layer 3 subnet.
Let's get started.
Computer Testing Environment Setup
MacBook Pro Connected to SecPrimate-01 firewall

Windows 10 Machine Connected to SecPrimate-02 firewall
SecPrimate-01
You will want to configure your WAN IP addresses and default gateway as needed. Do NOT assign an IP address to the LAN-side interface where the extended network will live.
Phase I Configuration
Next, we will configure the Phase I portion of the IPSec VPN.
config vpn ipsec phase1-interface
edit "VPN-to-Sec2"
set interface "wan1"
set peertype any
set proposal aes256-sha256
set encapsulation vxlan
set encapsulation-address ipv4
set encap-local-gw4 12.1.1.1
set encap-remote-gw4 12.1.1.2
set remote-gw 12.1.1.2
set psksecret Fortinet2020!
next
end
In this Phase I configuration, you can see we gave it a descriptive name, chose the proper egress interface, hard-coded the proposal we want to use, set the encapsulation for this VPN to vxlan, gave it local and remote encapsulation gateway IPs, and finally set a PSK.
Phase II Configuration
Phase II is really not needed because by default, it will use all 0’s which is essentially what we have here. Since I wanted to force a single proposal, I configured it.
config vpn ipsec phase2-interface
edit "Phase2-to-Sec2"
set phase1name "VPN-to-Sec2"
set proposal aes256-sha256
next
end
Creating Soft-Switch
You need to make sure you do this in the proper order. I had an issue where I could NOT add the VPN name to the soft-switch.
config system switch-interface
edit "VXLAN-SS"
set vdom "root"
set intra-switch-policy explicit
set member "VPN-to-Sec2" "port6"
next
end
The issue is that while intra-switch-policy is left at its default of implicit, the VPN interface cannot be added as a member. Set intra-switch-policy explicit first; THEN you can add the members. See below.
“Without”

As you can see in the screenshot, you cannot see any VPN interface.
“With”

With the command in place, you can now see my VPN-to-Sec1 interface, and it can be added to the soft-switch.
Firewall Address Objects
We will create a firewall address object to be used in the IPv4 policies.
config firewall address
edit "Extended-LAN"
set color 18
set subnet 10.243.1.0 255.255.255.0
next
end
NOTE: Color is optional, but I like it 🙂
Firewall Policies
We will now create the firewall policies needed to pass the traffic.
config firewall policy
edit 1
set name "VXLAN to SEC2"
set srcintf "port6"
set dstintf "VPN-to-Sec2"
set srcaddr "Extended-LAN"
set dstaddr "Extended-LAN"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
next
edit 2
set name "SEC2 to VXLAN"
set srcintf "VPN-to-Sec2"
set dstintf "port6"
set srcaddr "Extended-LAN"
set dstaddr "Extended-LAN"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
next
end
SecPrimate-02
Phase I Configuration
config vpn ipsec phase1-interface
edit "VPN-to-Sec1"
set interface "wan1"
set peertype any
set proposal aes256-sha256
set encapsulation vxlan
set encapsulation-address ipv4
set encap-local-gw4 12.1.1.2
set encap-remote-gw4 12.1.1.1
set remote-gw 12.1.1.1
set psksecret Fortinet2020!
next
end
Phase II Configuration
Phase II is really not needed because by default, it will use all 0’s which is essentially what we have here. Since I wanted to force a single proposal, I configured it.
config vpn ipsec phase2-interface
edit "Phase2-to-Sec1"
set phase1name "VPN-to-Sec1"
set proposal aes256-sha256
next
end
Creating Soft-Switch
You need to make sure you do this in the proper order. I had an issue where I could NOT add the VPN name to the soft-switch.
config system switch-interface
edit "VXLAN-SS"
set vdom "root"
set intra-switch-policy explicit
set member "VPN-to-Sec1" "port6"
next
end
NOTE: See the note on command order above.
Firewall Address Objects
We will create a firewall address object to be used in the IPv4 policies.
config firewall address
edit "Extended-LAN"
set color 18
set subnet 10.243.1.0 255.255.255.0
next
end
Firewall Policies
We will now create the firewall policies needed to pass the traffic.
config firewall policy
edit 1
set name "VXLAN to SEC1"
set srcintf "port6"
set dstintf "VPN-to-Sec1"
set srcaddr "Extended-LAN"
set dstaddr "Extended-LAN"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
next
edit 2
set name "SEC1 to VXLAN"
set srcintf "VPN-to-Sec1"
set dstintf "port6"
set srcaddr "Extended-LAN"
set dstaddr "Extended-LAN"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
next
end
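Mirroring this configuration across two firewalls invites copy-paste slips (a phase2 or soft-switch that names the peer's tunnel instead of the local one, or encap gateways that do not line up). The following is an added example, not code from the post or from Fortinet: it parses flat FortiOS CLI blocks like the ones above and checks that each soft-switch actually names a tunnel defined on that box and that the encap gateways mirror each other. The sample configs are constructed; tunnel names and addresses are reused from the post.

```python
import shlex

# Added example, not from the original post: parse flat FortiOS CLI blocks and
# cross-check the two peers of a VXLAN-over-IPsec pair (nested blocks not handled).
def parse_fortios(text):
    """Return {section: {edit_name: {key: [values]}}}; 'next' and 'end' are ignored."""
    tree, sec, cur = {}, None, None
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0] == "config":
            sec = tree.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "edit":
            cur = sec.setdefault(tok[1], {})
        elif tok and tok[0] == "set":
            cur[tok[1]] = tok[2:]
    return tree

def check_vxlan_pair(a_text, b_text):
    """List soft-switches with no tunnel member and un-mirrored encap gateways."""
    problems, vx = [], {}
    for side, cfg in (("A", parse_fortios(a_text)), ("B", parse_fortios(b_text))):
        p1 = cfg.get("vpn ipsec phase1-interface", {})
        vx[side] = [p for p in p1.values() if p.get("encapsulation") == ["vxlan"]]
        for name, sw in cfg.get("system switch-interface", {}).items():
            if not set(sw.get("member", [])) & set(p1):
                problems.append(f"{side}: soft-switch {name} has no IPsec/VXLAN member")
    if vx["A"] and vx["B"]:  # each side's local encap gateway must be the other's remote
        a, b = vx["A"][0], vx["B"][0]
        if [a.get("encap-local-gw4"), b.get("encap-local-gw4")] != [
                b.get("encap-remote-gw4"), a.get("encap-remote-gw4")]:
            problems.append("encap-local-gw4/encap-remote-gw4 are not mirrored between peers")
    return problems

# Constructed sample: addresses mirror correctly, but side B's soft-switch lists
# the tunnel name that only exists on side A (a typical copy-paste slip).
TEMPLATE = """config vpn ipsec phase1-interface
edit "{me}"
set encapsulation vxlan
set encap-local-gw4 {local}
set encap-remote-gw4 {remote}
next
end
config system switch-interface
edit "VXLAN-SS"
set intra-switch-policy explicit
set member "{member}" "port6"
next
end"""
SIDE_A = TEMPLATE.format(me="VPN-to-Sec2", local="12.1.1.1", remote="12.1.1.2", member="VPN-to-Sec2")
SIDE_B = TEMPLATE.format(me="VPN-to-Sec1", local="12.1.1.2", remote="12.1.1.1", member="VPN-to-Sec2")
```

Run `check_vxlan_pair(SIDE_A, SIDE_B)` against a `show` dump from each firewall before bringing the tunnel up; an empty list means the name references and gateway pairing are consistent.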
Results

Above, we can see the MacBook Pro pinging 10.243.1.50, which is the Windows 10 machine connected to SecPrimate-02, across the VXLAN connection.

Here we see the reverse traffic from the Windows 10 machine to the MacBook Pro.
UPDATE
After posting this article, I got a response from someone saying that they had experienced some MTU issues when sending non-ping packets due to packet size. I went ahead and ran some additional tests to see if I could reproduce it.
First test after the initial pings was making an RDP connection to the Windows 10 box from my MacBook Pro.

Above, you can see the macOS screen and the RDP session to the Windows 10 box. No issues. RDP packets are not large at all, so this was barely a “stress test” on the connection.
Next, I tested by mounting a CIFS connection from my MacBook Pro to the Windows 10 box using a share. I transferred a series of files totaling over 32GB.


There were multiple files being copied at the same time. Again, over 32GB in total size. I did not see any issues.
I will however configure my FortiTester and run some serious traffic through the VXLAN configuration and report back.
NOTE: You MAY need to lower the MTU if you DO experience issues, since the VXLAN encapsulation adds overhead to every packet on top of the IPSec overhead.
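To put a number on that overhead, here is an added example (not from the post) that sizes one inner packet as it is wrapped in Ethernet, VXLAN/UDP/IP toward the encap gateways, then ESP toward the remote gateway, and finds the largest inner MTU that still fits a 1500-byte WAN MTU. It assumes tunnel-mode ESP with AES-CBC (16-byte IV) and HMAC-SHA-256 truncated to a 16-byte ICV, matching the aes256-sha256 proposal above, and no NAT-T UDP header.

```python
# Added example (not from the original post): size a frame carried as VXLAN
# inside an ESP tunnel and find the largest inner MTU that still fits a
# 1500-byte WAN MTU. Assumes AES-CBC (16-byte IV), HMAC-SHA-256 with the
# usual 16-byte truncated ICV, tunnel-mode ESP and no NAT-T UDP header.

ETH_HDR, IPV4_HDR, UDP_HDR, VXLAN_HDR = 14, 20, 8, 8
ESP_HDR, ESP_IV, ESP_ICV, ESP_TRAILER, AES_BLOCK = 8, 16, 16, 2, 16

def esp_padded(plaintext_len):
    """ESP plaintext plus pad-length/next-header bytes, rounded up to a whole AES block."""
    return -(-(plaintext_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK

def layers(inner_ip_len):
    """Per-layer byte counts, innermost first, for one inner IP packet of this length."""
    vxlan_pkt = inner_ip_len + ETH_HDR + VXLAN_HDR + UDP_HDR + IPV4_HDR
    return {
        "inner IP packet": inner_ip_len,
        "inner Ethernet header": ETH_HDR,
        "VXLAN + UDP + IP (encap-local/remote-gw4)": VXLAN_HDR + UDP_HDR + IPV4_HDR,
        "ESP padding + trailer": esp_padded(vxlan_pkt) - vxlan_pkt,
        "ESP header + IV + ICV": ESP_HDR + ESP_IV + ESP_ICV,
        "outer IP (remote-gw)": IPV4_HDR,
    }

def wire_size(inner_ip_len):
    """Total bytes sent on the WAN interface for one inner IP packet."""
    return sum(layers(inner_ip_len).values())

def max_inner_mtu(wan_mtu=1500):
    """Largest inner IP packet that leaves the WAN without fragmentation."""
    size = wan_mtu
    while wire_size(size) > wan_mtu:
        size -= 1
    return size

if __name__ == "__main__":
    for name, size in layers(1500).items():
        print(f"{size:5d}  {name}")
    print(f"{wire_size(1500)} bytes on the wire for a 1500-byte inner packet")
    print(f"inner MTU of {max_inner_mtu()} fits a 1500-byte WAN MTU")
```

A 1500-byte inner packet becomes 1612 bytes on the WAN under these assumptions, so clamping the inner MTU (or the TCP MSS, 40 bytes less) is what avoids fragmentation; real numbers shift with AES-GCM, NAT-T or a different WAN MTU.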
Hope this helps.