Fortigate to Fortigate VXLAN – Disaster Recovery

Been working on a solution for disaster recovery; one of the goals was a stretched layer 2 network. Since we would need a similar firewall with similar rules at the DR location, I have been investigating VXLAN over an IPsec tunnel.

This is the current test config; I will update it when more testing has been completed.

# FIREWALL1: first of the two units in this VXLAN-over-IPsec test config (FIREWALL2 is below).
config sys global
 set hostname FIREWALL1
end

# Outside interface; 173.1.1.0/24 is the test underlay between the two firewalls.
config system interface
    edit "wan1"
        set vdom "root"
        set mode static
        set ip 173.1.1.1 255.255.255.0
        # ping and fgfm (FortiManager) are the only services reachable on the WAN-facing
        # address; keep admin access (HTTPS/SSH) off this interface unless it is restricted.
        set allowaccess ping fgfm
        set type physical
        set role wan
        set snmp-index 1
    next
end

# IKE phase 1 to FIREWALL2 (173.1.1.2). The VXLAN below rides inside this tunnel, so the
# strength of the stretched L2 link is the strength of these settings.
config vpn ipsec phase1-interface
    edit "to_HQ2"
        set interface "wan1"
        # peertype any + a PSK: any peer presenting the PSK is accepted; for a fixed
        # site-to-site peer consider restricting the peer identity or using certificates.
        set peertype any
        # net-device disable: a single tunnel interface; the static route further down
        # (config router static) steers the 1.1.1.2/32 tunnel endpoint into it.
        set net-device disable
        # SHA1 entries are weaker than the SHA256 ones listed first; drop them once both ends agree.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set wizard-type static-fortigate
        set remote-gw 173.1.1.2
        # Placeholder from the test build. Replace with a long random secret before any
        # real deployment; the same value must be configured on FIREWALL2.
        set psksecret supersecret
    next
end
   
# IKE phase 2. Selectors are pinned to the two tunnel endpoint /32s (1.1.1.1 <-> 1.1.1.2),
# which matches the VXLAN remote-ip below: only the VXLAN-encapsulated traffic between the
# endpoints appears to be carried by this SA.
config vpn ipsec phase2-interface
    edit "to_HQ2"
        set phase1name "to_HQ2"
        # List order puts the SHA1 entries first; prefer leading with (or keeping only)
        # the SHA256/GCM/chacha20poly1305 entries already present.
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: to_HQ2 (Created by VPN wizard)1"
        set src-addr-type ip
        set dst-addr-type ip
        set src-start-ip 1.1.1.1
        set dst-start-ip 1.1.1.2
    next
end


# VXLAN tunnel, VNI 1000. Its underlying interface is the IPsec tunnel "to_HQ2", so the
# VXLAN encapsulation (which has no authentication or encryption of its own) is protected
# by IPsec rather than sent in the clear over wan1.
config system vxlan
    edit "vxlan1"
        set interface "to_HQ2"
        set vni 1000
        # Far-end tunnel IP of FIREWALL2 (its "to_HQ1" interface address).
        set remote-ip "1.1.1.2"
    next
end



# Tunnel interface addressing plus the two L2 members that will be bridged:
#   vlan100   - VLAN 100 on the local dmz port (the local side of the stretched segment)
#   vxlan100  - VLAN 100 carried over vxlan1 (the remote side, via the IPsec tunnel)
config system interface
   edit "to_HQ2"
        set vdom "root"
        # /32 point-to-point addressing on the tunnel; 1.1.1.x are test values.
        set ip 1.1.1.1 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.2 255.255.255.255
        set snmp-index 8
        set interface "wan1"
    next
   edit vlan100
     set vdom root
     set vlanid 100
     set interface dmz
   next
   edit vxlan100
     set type vlan
     set vlanid 100
     set vdom root
     set interface vxlan1
   next
end


# Software switch bridging vlan100 and vxlan100 into one L2 domain. Anything on the dmz
# VLAN 100 at this site is now in the same broadcast domain as VLAN 100 at the DR site;
# the switch members forward to each other at L2, so scope what lives on VLAN 100 accordingly.
config system switch-interface
  edit sw1
    set vdom root
    set member vlan100 vxlan100
  next
end
# L3 address for the software switch; FIREWALL2 uses 192.168.4.2 in the same subnet,
# consistent with both ends sharing one stretched segment.
config system interface 
edit "sw1"
        set vdom "root"
        set ip 192.168.4.1 255.255.255.0
        set type switch
        set snmp-index 12
next
end
# Host route for the far-end tunnel IP via the IPsec interface, needed because phase1
# uses net-device disable (no automatic tunnel route).
config router static
    edit 1
        set dst 1.1.1.2 255.255.255.255
        set device "to_HQ2"
    next
end


//////////  FIREWALL 2

# FIREWALL2: DR-side unit; its config mirrors FIREWALL1 with the addresses swapped.
config sys global
 set hostname FIREWALL2
end

# Outside interface of FIREWALL2 on the shared 173.1.1.0/24 test underlay.
config system interface
    edit "wan1"
        set vdom "root"
        set mode static
        set ip 173.1.1.2 255.255.255.0
        # Same exposure note as FIREWALL1: only ping and fgfm on the WAN-facing address.
        set allowaccess ping fgfm
        set type physical
        set role wan
        set snmp-index 1
    next
end

# IKE phase 1 back to FIREWALL1 (173.1.1.1). Same peertype/proposal/PSK caveats as the
# "to_HQ2" block on FIREWALL1: restrict the peer identity or use certificates, drop the
# SHA1 proposals once both ends agree, and replace the placeholder PSK with a real secret.
config vpn ipsec phase1-interface
    edit "to_HQ1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set wizard-type static-fortigate
        set remote-gw 173.1.1.1
        # Must match FIREWALL1's psksecret; placeholder value from the test build.
        set psksecret supersecret
    next
end
   
# IKE phase 2, selectors pinned to the tunnel endpoints (1.1.1.2 <-> 1.1.1.1); mirror of
# FIREWALL1's phase 2 including the proposal-order caveat (SHA1 entries listed first).
config vpn ipsec phase2-interface
    edit "to_HQ1"
        set phase1name "to_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type ip
        set dst-addr-type ip
        set src-start-ip 1.1.1.2
        set dst-start-ip 1.1.1.1
    next
end


# VXLAN VNI 1000 over the IPsec interface "to_HQ1"; remote-ip is FIREWALL1's tunnel address.
# VNI and remote-ip must pair with FIREWALL1's vxlan1 for the tunnel to form.
config system vxlan
    edit "vxlan1"
        set interface "to_HQ1"
        set vni 1000
        set remote-ip "1.1.1.1"
    next
end



# Tunnel interface addressing and the two L2 members bridged on this side:
# vlan100 on the local dmz port and vxlan100 (VLAN 100 over vxlan1).
config system interface
   edit "to_HQ1"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.255
        set snmp-index 8
        set interface "wan1"
    next

   edit vlan100
     set vdom root
     set vlanid 100
     set interface dmz
   next
   edit vxlan100
     set type vlan
     set vlanid 100
     set vdom root
     set interface vxlan1
   next
end


# Software switch joining the DR-site VLAN 100 with the VXLAN leg; together with
# FIREWALL1's sw1 this forms the stretched L2 segment.
config system switch-interface
  edit sw1
    set vdom root
    set member vlan100 vxlan100
  next
end
# L3 address for the DR-side software switch, in the same subnet as FIREWALL1's 192.168.4.1.
config system interface 


edit "sw1"
        set vdom "root"
        set ip 192.168.4.2 255.255.255.0
        set type switch
        set snmp-index 12
next
end

# Host route for FIREWALL1's tunnel IP via the IPsec interface (needed with net-device disable).
config router static
    edit 1
        set dst 1.1.1.1 255.255.255.255
        set device "to_HQ1"
    next
end



Packet Capture without Wireshark

I needed to capture packets off a production web server but did not want to add additional unnecessary software to production like wireshark or similar.

I came across some dated articles on Netsh that looked promising, but the tool used to convert the trace to a packet capture seemed to be deprecated. Luckily the following tool allows you to convert ETL to packet capture so it can be opened in Wireshark.

Here is a basic example.

REM Starts a built-in trace with packet capture enabled and no HTML report; the capture
REM runs until "netsh trace stop" and is written to an .etl file (NetTrace.etl below).
REM The .etl holds raw traffic from the server, so treat it as sensitive data: restrict
REM who can read it and remove it from the production host once it has been copied off.
netsh trace start capture=yes report=disabled
netsh trace stop

Copy the .etl file to a machine with wireshark.

REM Converts the ETL trace to pcapng for Wireshark; the output carries the same packet
REM payloads as the .etl, so handle and store it with the same care.
etl2pcapng.exe NetTrace.etl out.pcapng

https://github.com/microsoft/etl2pcapng to convert the file.

Ultramarathon Man review

A quick, entertaining read about Dean Karnazes, how he began running, and how he started ultra endurance racing. The book does a good job of detailing some of his bigger endurance feats; as you read about some of his overnight and extreme runs, you start to realize that the human body is capable of so much more than we think.

Good motivational book to help you push through training plateaus.

Fortigate with Fortilink enabled switches that won’t upgrade

We had a number of Fortigate firewalls managing Fortiswitches via Fortilink, and no matter what version of Fortiswitch firmware we tried the switches would reboot but not upgrade. After some troubleshooting we found that using the following commands allowed the switches to be upgraded.

# Workaround from the post: with this enabled the FortiLink-managed switches completed
# the firmware upgrade instead of rebooting without upgrading. Presumably switches the
# image transfer to HTTPS from the FortiGate - confirm against the FortiOS release notes.
config switch-controller global
set https-image-push enable
end

Fortigate traffic sourced from wrong interface

Installed new Fortigate 61E’s, everything seemed to work as planned until I wanted to add Fortianalyzer for traffic analysis. Testing seemed to indicate that Fortianalyzer traffic was being sent out the WAN interface instead of the IPSEC tunnel. After searching around I found that a source IP needed to be set for traffic originating from the Fortigate itself, such as Fortianalyzer, syslog etc. The following config helped resolve it.

# x.x.x.x are placeholders. source-ip pins the FortiGate-originated log traffic to an
# address routed via the IPsec tunnel so it no longer leaves via the WAN interface
# (the symptom described above).
config log fortianalyzer setting
set status enable
        set server x.x.x.x
set source-ip x.x.x.x
end

# Same source-ip fix for syslog; x.x.x.x are placeholders. If the syslog server is ever
# reached outside the tunnel, note that the transport mode is not set here (default is
# plain UDP on FortiOS as far as I recall - verify), so the logs would travel unencrypted.
config log syslogd setting
     set status enable
     set server x.x.x.x
     set source-ip x.x.x.x

end