I have been working on a disaster-recovery solution where one of the goals was a stretched layer 2 network. Since we would need a similar firewall with similar rules at the DR location, I have been investigating VXLAN over an IPsec tunnel.
This is the current test config; I will update it once more testing has been completed.
# FIREWALL1: the "HQ" side of the lab pair. Only the hostname is set in this stanza.
config sys global
set hostname FIREWALL1
end
# wan1: physical uplink that terminates the IPsec tunnel (the peer's wan1 is 173.1.1.2).
# allowaccess is limited to ping and fgfm (FortiManager), so no HTTP/HTTPS/SSH is exposed on the WAN side.
# 173.1.1.0/24 is public address space — presumably a lab placeholder; confirm before reuse.
config system interface
edit "wan1"
set vdom "root"
set mode static
set ip 173.1.1.1 255.255.255.0
set allowaccess ping fgfm
set type physical
set role wan
set snmp-index 1
next
end
# IKE phase 1 to FIREWALL2 (remote-gw 173.1.1.2 = peer wan1), generated by the VPN wizard's static site-to-site template.
# peertype any: no peer-ID restriction, so authentication rests entirely on the PSK.
# NOTE(review): "supersecret" is a lab placeholder — use a long random PSK (or certificate auth) before this leaves the lab,
# and keep the real key out of shared/posted configs.
# Proposal: the SHA-256 variants are listed ahead of the SHA-1 ones; the SHA-1 entries can be dropped once both peers
# are confirmed to negotiate SHA-256.
config vpn ipsec phase1-interface
edit "to_HQ2"
set interface "wan1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set wizard-type static-fortigate
set remote-gw 173.1.1.2
set psksecret supersecret
next
end
# IKE phase 2 / IPsec SA. The selectors are the two tunnel /32 addresses (1.1.1.1 <-> 1.1.1.2), which match the
# source/destination the vxlan1 overlay uses, so the VXLAN-encapsulated VLAN 100 frames are what this SA protects.
# Proposal: aes128-sha1 is first in the list; the AEAD entries (aes*gcm, chacha20poly1305) and the SHA-256 ones are
# the ones worth keeping — consider moving the SHA-1 entries to the end or removing them.
config vpn ipsec phase2-interface
edit "to_HQ2"
set phase1name "to_HQ2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: to_HQ2 (Created by VPN wizard)1"
set src-addr-type ip
set dst-addr-type ip
set src-start-ip 1.1.1.1
set dst-start-ip 1.1.1.2
next
end
# VXLAN overlay endpoint: VNI 1000, sourced from the to_HQ2 tunnel interface (1.1.1.1) toward the peer tunnel
# address 1.1.1.2 (a single unicast peer, no multicast group). No dstport is set, so the default VXLAN UDP port applies.
config system vxlan
edit "vxlan1"
set interface "to_HQ2"
set vni 1000
set remote-ip "1.1.1.2"
next
end
config system interface
# to_HQ2: the IPsec tunnel interface, addressed as a point-to-point /32 pair — this is the VXLAN underlay.
# No allowaccess is set on it, so no management service listens on the tunnel.
edit "to_HQ2"
set vdom "root"
set ip 1.1.1.1 255.255.255.255
set type tunnel
set remote-ip 1.1.1.2 255.255.255.255
set snmp-index 8
set interface "wan1"
next
# vlan100: VLAN 100 tagged on the local dmz port (the local half of the stretched segment).
edit vlan100
set vdom root
set vlanid 100
set interface dmz
next
# vxlan100: VLAN 100 tagged inside the vxlan1 overlay (the remote half of the same segment).
edit vxlan100
set type vlan
set vlanid 100
set vdom root
set interface vxlan1
next
end
# Software switch bridging local VLAN 100 (dmz) with the VXLAN-carried VLAN 100: this is the stretched L2 segment.
# Once bridged, the dmz VLAN 100 broadcast domain extends to the DR site, so firewall policies should be written
# against sw1 rather than vlan100/vxlan100 individually — confirm this matches the intended policy model.
config system switch-interface
edit sw1
set vdom root
set member vlan100 vxlan100
next
end
# L3 address on the bridged segment (192.168.4.1 here, 192.168.4.2 on FIREWALL2).
# No allowaccess is configured, so no management service is reachable from the stretched VLAN.
config system interface
edit "sw1"
set vdom "root"
set ip 192.168.4.1 255.255.255.0
set type switch
set snmp-index 12
next
end
# Host route to the peer tunnel address via the IPsec interface; this is what steers the VXLAN traffic
# (1.1.1.1 -> 1.1.1.2) into the tunnel rather than out wan1 in the clear.
config router static
edit 1
set dst 1.1.1.2 255.255.255.255
set device "to_HQ2"
next
end
////////// FIREWALL 2
# FIREWALL2: the DR side of the lab pair. Only the hostname is set in this stanza.
config sys global
set hostname FIREWALL2
end
# wan1: physical uplink that terminates the IPsec tunnel (the peer's wan1 is 173.1.1.1).
# allowaccess is limited to ping and fgfm (FortiManager), so no HTTP/HTTPS/SSH is exposed on the WAN side.
# 173.1.1.0/24 is public address space — presumably a lab placeholder; confirm before reuse.
config system interface
edit "wan1"
set vdom "root"
set mode static
set ip 173.1.1.2 255.255.255.0
set allowaccess ping fgfm
set type physical
set role wan
set snmp-index 1
next
end
# IKE phase 1 to FIREWALL1 (remote-gw 173.1.1.1 = peer wan1), generated by the VPN wizard's static site-to-site template.
# peertype any: no peer-ID restriction, so authentication rests entirely on the PSK.
# NOTE(review): "supersecret" is a lab placeholder — use a long random PSK (or certificate auth) before this leaves the lab,
# and keep the real key out of shared/posted configs.
# Proposal: the SHA-256 variants are listed ahead of the SHA-1 ones; the SHA-1 entries can be dropped once both peers
# are confirmed to negotiate SHA-256.
config vpn ipsec phase1-interface
edit "to_HQ1"
set interface "wan1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set wizard-type static-fortigate
set remote-gw 173.1.1.1
set psksecret supersecret
next
end
# IKE phase 2 / IPsec SA. The selectors are the two tunnel /32 addresses (1.1.1.2 <-> 1.1.1.1), which match the
# source/destination the vxlan1 overlay uses, so the VXLAN-encapsulated VLAN 100 frames are what this SA protects.
# Proposal: aes128-sha1 is first in the list; the AEAD entries (aes*gcm, chacha20poly1305) and the SHA-256 ones are
# the ones worth keeping — consider moving the SHA-1 entries to the end or removing them.
config vpn ipsec phase2-interface
edit "to_HQ1"
set phase1name "to_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set src-addr-type ip
set dst-addr-type ip
set src-start-ip 1.1.1.2
set dst-start-ip 1.1.1.1
next
end
# VXLAN overlay endpoint: VNI 1000, sourced from the to_HQ1 tunnel interface (1.1.1.2) toward the peer tunnel
# address 1.1.1.1 (a single unicast peer, no multicast group). No dstport is set, so the default VXLAN UDP port applies.
config system vxlan
edit "vxlan1"
set interface "to_HQ1"
set vni 1000
set remote-ip "1.1.1.1"
next
end
config system interface
# to_HQ1: the IPsec tunnel interface, addressed as a point-to-point /32 pair — this is the VXLAN underlay.
# No allowaccess is set on it, so no management service listens on the tunnel.
edit "to_HQ1"
set vdom "root"
set ip 1.1.1.2 255.255.255.255
set type tunnel
set remote-ip 1.1.1.1 255.255.255.255
set snmp-index 8
set interface "wan1"
next
# vlan100: VLAN 100 tagged on the local dmz port (the local half of the stretched segment).
edit vlan100
set vdom root
set vlanid 100
set interface dmz
next
# vxlan100: VLAN 100 tagged inside the vxlan1 overlay (the remote half of the same segment).
edit vxlan100
set type vlan
set vlanid 100
set vdom root
set interface vxlan1
next
end
# Software switch bridging local VLAN 100 (dmz) with the VXLAN-carried VLAN 100: this is the stretched L2 segment.
# Once bridged, the dmz VLAN 100 broadcast domain extends to the HQ site, so firewall policies should be written
# against sw1 rather than vlan100/vxlan100 individually — confirm this matches the intended policy model.
config system switch-interface
edit sw1
set vdom root
set member vlan100 vxlan100
next
end
# L3 address on the bridged segment (192.168.4.2 here, 192.168.4.1 on FIREWALL1).
# No allowaccess is configured, so no management service is reachable from the stretched VLAN.
config system interface
edit "sw1"
set vdom "root"
set ip 192.168.4.2 255.255.255.0
set type switch
set snmp-index 12
next
end
# Host route to the peer tunnel address via the IPsec interface; this is what steers the VXLAN traffic
# (1.1.1.2 -> 1.1.1.1) into the tunnel rather than out wan1 in the clear.
config router static
edit 1
set dst 1.1.1.1 255.255.255.255
set device "to_HQ1"
next
end