vLANs inside VXLAN over IPsec

obuno | | 4 min read
vLANs inside VXLAN over IPsec

I've recently posted a quick post on LinkedIn about a feature from FortiOS 6.2. It turned out I've received many private messages asking for more in-depth information. Hence this article.

Let's dissect a bit how we could leverage this on FortiOS:

Using set encapsulation vxlan on an IPsec phase1 was created for the simple case of connecting two LANs via IPsec+VXLAN.

If our goal is more complicated, such as wanting to separate vLANs over VXLAN then set encapsulation vxlan is not the solution. Instead we should use config system vxlan and bind that interface to an ipsec-phase1 interface.

Now that we have this in mind, let's detail a bit what we'll need in order to succeed in our orginial goal of having vLANs inside VXLAN over IPsec.

1st things 1st we'll need our IPsec underneath layer to be up and running, i've setup that as a simple custom site to site connection in this lab.

config vpn ipsec phase1-interface
    edit "to_SITE2"
        set interface "port10"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal ...
        set dhgrp ...
        set remote-gw 192.168.166.22
        set psksecret ghost
    next
end
config vpn ipsec phase2-interface
    edit "to_SITE2"
        set phase1name "to_SITE2"
        set proposal ...
        set dhgrp ...
    next
end

Of course, we'll need a set of IPsec enabler policies in order to bring our tunnel up.

config firewall policy
    edit 50
        set name "SITE1-to-SITE2_IPsec_enabler"
        set srcintf "to_SITE2"
        set dstintf "to_SITE2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
        set logtraffic all
        set logtraffic-start enable
    next

We can now move on to our next configuration tasks, add IP overlays on our IPsec interface and bind our VXLAN interface on the remote peer overlay IP (representations here applies to "Site1", same config are needed on both sites).

   config system interface
       edit "to_SITE2"
            set vdom "root"
            set ip 10.1.1.1 255.255.255.255
            set allowaccess ping
            set type tunnel
            set remote-ip 10.1.1.2 255.255.255.255
            set snmp-index 12
            set interface "port10"
        next
    config system vxlan
        edit "vxlan"
            set interface "to_SITE2"
            set vni 1000
            set remote-ip "10.1.1.2"
        next
    end
    config system interface
        edit "vxlan"
        set vdom "root"
        set type vxlan
        set snmp-index 13
        set interface "to_SITE2"
    next

What do we have now, our IPsec tunnel, our VXLAN interface bound to it (on the remote overlay IP per site). And here is what you shall see on a GUI perspective:

Now comes the fun part, what we want is to embed vLANs within VXLAN, let's setup a few vLANs interfaces we'll want to L2 extend over VXLAN. We will setup two vLAN interface per wanted vLANs, one bound on our local physical interfaces (vlan444/port2) and another instance (vxlan444/vxlan) bound on our VXLAN interface previously setup. Same applies to our next vlan, vlan555.

config system interface    
    edit "vlan444"
        set vdom "root"
        set alias "vlan444"
        set device-identification enable
        set role lan
        set snmp-index 15
        set interface "port2"
        set vlanid 444
    next
    edit "vxlan444"
        set vdom "root"
        set device-identification enable
        set role lan
        set snmp-index 24
        set interface "vxlan"
        set vlanid 444
    next
    edit "vlan555"
        set vdom "root"
        set alias "vlan555"
        set device-identification enable
        set role lan
        set snmp-index 25
        set interface "port2"
        set vlanid 555
    next
    edit "vxlan555"
        set vdom "root"
        set device-identification enable
        set role lan
        set snmp-index 26
        set interface "vxlan"
        set vlanid 555
    next

Now, in order to bridge these vLANs over VXLAN, we need to leverage the use of software switches, used as pure bridges between local vLANs and VXLAN bound vLANs (vlan444/vxlan444).

config system switch-interface
    edit "br-444-s1"
        set vdom "root"
        set member "vlan444" "vxlan444"
    next
    edit "br-555-s1"
        set vdom "root"
        set member "vlan555" "vxlan555"
    next
end
config system interface    
    edit "br-444-s1"
        set vdom "root"
        set ip 10.10.44.254 255.255.255.0
        set allowaccess ping
        set type switch
    next
    edit "br-555-s1"
        set vdom "root"
        set ip 10.10.55.254 255.255.255.0
        set allowaccess ping
        set type switch
    next

In my setup, the bridge interfaces are the local gateways from each vLANs. Here is what my GUI gives me with this configuration:

As usual, I'm using Zones within my firewall policies, I like them because they give me another abstraction layer meaning that i can change physical properties without changing firewall policies themselves.

A view from a firewall policy from port1 (where a Kali host is sitting, 10.10.111.100, this on site1).

And a view from the Kali box reaching VXLAN extended vLANs resources over IPsec:

.253 are my software switch resources sitting on Site2 respectively for vLAN444 and vLAN555.

One of the advantages of using such configuration to me is that you'll have possibilities to invoke UTM modules (App Control, IPS, ect.) between VXLAN extended vLANs (for example, vlan444 to vlan555 etc).

Hope you've found this interesting. Do not hestitate to reach out to me per email, available on my profile view below.

Kind regards,
Obuno

Share:
Show Comments