I recently posted a quick note on LinkedIn about a feature of FortiOS 6.2, and it turned out I received many private messages asking for more in-depth information. Hence this article.
Let's dissect a bit how we can leverage this on FortiOS. Using set encapsulation vxlan on an IPsec phase1-interface was created for the simple case of connecting two LANs via IPsec+VXLAN. If our goal is more complex, such as carrying several separate vLANs over VXLAN, then set encapsulation vxlan is not the solution. Instead we should use config system vxlan and bind that VXLAN interface to an IPsec phase1-interface.
Now that we have this in mind, let's detail what we'll need in order to succeed in our original goal of having vLANs inside VXLAN over IPsec.
First things first, we'll need our underlying IPsec layer to be up and running. I've set that up as a simple custom site-to-site connection in this lab.
config vpn ipsec phase1-interface
edit "to_SITE2"
set interface "port10"
set ike-version 2
set peertype any
set net-device disable
set proposal ...
set dhgrp ...
set remote-gw 192.168.166.22
set psksecret ghost
next
end
config vpn ipsec phase2-interface
edit "to_SITE2"
set phase1name "to_SITE2"
set proposal ...
set dhgrp ...
next
end
Of course, we'll need a set of IPsec enabler policies in order to bring our tunnel up.
config firewall policy
edit 50
set name "SITE1-to-SITE2_IPsec_enabler"
set srcintf "to_SITE2"
set dstintf "to_SITE2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL_ICMP"
set logtraffic all
set logtraffic-start enable
next
end
We can now move on to our next configuration tasks: add overlay IPs on our IPsec interface and bind our VXLAN interface to the remote peer's overlay IP (the configuration shown here applies to Site1; the same configuration is needed on both sites).
config system interface
edit "to_SITE2"
set vdom "root"
set ip 10.1.1.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.1.1.2 255.255.255.255
set snmp-index 12
set interface "port10"
next
end
config system vxlan
edit "vxlan"
set interface "to_SITE2"
set vni 1000
set remote-ip "10.1.1.2"
next
end
config system interface
edit "vxlan"
set vdom "root"
set type vxlan
set snmp-index 13
set interface "to_SITE2"
next
end
What do we have now? Our IPsec tunnel, and our VXLAN interface bound to it (pointing at the remote overlay IP on each site). Here is what you should see from the GUI:

Now comes the fun part. What we want is to embed vLANs within VXLAN, so let's set up a few vLAN interfaces that we want to extend at layer 2 over VXLAN. We will create two vLAN interfaces per wanted vLAN: one bound to our local physical interface (vlan444 on port2) and another instance (vxlan444 on vxlan) bound to the VXLAN interface set up previously. The same applies to our next vLAN, vlan555.
config system interface
edit "vlan444"
set vdom "root"
set alias "vlan444"
set device-identification enable
set role lan
set snmp-index 15
set interface "port2"
set vlanid 444
next
edit "vxlan444"
set vdom "root"
set device-identification enable
set role lan
set snmp-index 24
set interface "vxlan"
set vlanid 444
next
edit "vlan555"
set vdom "root"
set alias "vlan555"
set device-identification enable
set role lan
set snmp-index 25
set interface "port2"
set vlanid 555
next
edit "vxlan555"
set vdom "root"
set device-identification enable
set role lan
set snmp-index 26
set interface "vxlan"
set vlanid 555
next
end
Now, in order to bridge these vLANs over VXLAN, we need to leverage software switches, used as pure bridges between the local vLANs and the VXLAN-bound vLANs (vlan444/vxlan444).
config system switch-interface
edit "br-444-s1"
set vdom "root"
set member "vlan444" "vxlan444"
next
edit "br-555-s1"
set vdom "root"
set member "vlan555" "vxlan555"
next
end
config system interface
edit "br-444-s1"
set vdom "root"
set ip 10.10.44.254 255.255.255.0
set allowaccess ping
set type switch
next
edit "br-555-s1"
set vdom "root"
set ip 10.10.55.254 255.255.255.0
set allowaccess ping
set type switch
next
end
In my setup, the bridge interfaces are the local gateways for each vLAN. Here is what my GUI shows with this configuration:
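As an added check, not part of the original post or of any Fortinet tooling, here is a small Python script that parses a constructed, condensed copy of the Site1 configuration above and verifies the two bindings this setup relies on: each VXLAN's remote-ip is the overlay remote-ip of the tunnel interface it is bound to, and each software switch bridges members that exist and carry the same VLAN ID. The parser and the check are my own assumptions, written for the non-nested config blocks used on this page.

```python
# Constructed sample in FortiOS CLI syntax, condensed from the Site1 configuration above.
SITE1 = """config system interface
    edit "to_SITE2"
        set remote-ip 10.1.1.2 255.255.255.255
    next
    edit "vlan444"
        set vlanid 444
    next
    edit "vxlan444"
        set vlanid 444
    next
end
config system vxlan
    edit "vxlan"
        set interface "to_SITE2"
        set remote-ip "10.1.1.2"
    next
end
config system switch-interface
    edit "br-444-s1"
        set member "vlan444" "vxlan444"
    next
end"""

def parse_fortios(text):
    """Flat parser for the non-nested config/edit/set/next/end blocks used on this page."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = raw.replace('"', "").split()  # assumes quoted values contain no spaces
        if tok[:1] == ["config"]:
            section = tree.setdefault(" ".join(tok[1:]), {})
        elif tok[:1] == ["edit"]:
            entry = section.setdefault(tok[1], {})
        elif tok[:1] == ["set"]:
            entry[tok[1]] = tok[2:]  # keep every value, e.g. switch member lists
    return tree

def check_wiring(tree):
    """Findings about the VLAN/VXLAN/IPsec binding; an empty list means consistent."""
    ifaces, out = tree.get("system interface", {}), []
    for name, vx in tree.get("system vxlan", {}).items():
        tun = ifaces.get(vx.get("interface", [""])[0], {})
        if vx.get("remote-ip") != tun.get("remote-ip", [""])[:1]:
            out.append(f"vxlan {name}: remote-ip is not the overlay remote-ip of its tunnel")
    for name, br in tree.get("system switch-interface", {}).items():
        vids = {ifaces.get(m, {}).get("vlanid", ["missing"])[0] for m in br.get("member", [])}
        if len(vids) != 1:
            out.append(f"bridge {name}: members do not share one VLAN ID: {sorted(vids)}")
    return out
```

Run check_wiring(parse_fortios(...)) over a "show full-configuration" export from each site to spot a mistyped overlay address or a bridge pairing the wrong vLAN before traffic tests.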

As usual, I'm using Zones within my firewall policies. I like them because they give me another abstraction layer, meaning that I can change physical properties without changing the firewall policies themselves.
A view of a firewall policy from port1 (where a Kali host, 10.10.111.100, sits on Site1):

And a view from the Kali box reaching the VXLAN-extended vLAN resources over IPsec:

The .253 addresses are my software switch interfaces on Site2, for vLAN444 and vLAN555 respectively.
One of the advantages of such a configuration, to me, is that you can invoke UTM modules (App Control, IPS, etc.) between VXLAN-extended vLANs (for example, vlan444 to vlan555).
Hope you've found this interesting. Do not hesitate to reach out to me by email, available on my profile below.
Kind regards,
Obuno