https://community.checkpoint.com/t5/Firewall-and-Security-Management/VXLAN-over-IPSEC-configuration/m-p/159613#M27987 <P>Hey Guys,</P><P>thank you for your feedback.</P><P>I just solved, the missing key point was related to VTI; once created on fortinet side (<A href="https://community.fortinet.com/t5/FortiGate/Technical-Tip-VXLAN-over-IPsec-for-multiple-VLANs-using-software/ta-p/195488)" target="_blank" rel="noopener">https://community.fortinet.com/t5/FortiGate/Technical-Tip-VXLAN-over-IPsec-for-multiple-VLANs-using-software/ta-p/195488)&nbsp;&nbsp;</A>I created it also on Check Point side and VXLAN started to work properly.</P><P>It is important to remember:</P><P>- allow traffic from peer's VTI to the Check Point GW on port&nbsp;<SPAN>4789.</SPAN></P><P><SPAN>- Add to the bridge the VXLAN interface and a&nbsp;<STRONG>VLAN interface</STRONG>, not a normal interface (eth1.10 is good, eth1 is not)</SPAN></P><P><SPAN>- configure L3 for that VLAN on a port </SPAN><STRONG>outside </STRONG><SPAN>the bridge.</SPAN></P><P>&nbsp;</P><P>Hope to help someone in the future <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 14 Oct 2022 19:54:53 GMT CheckPointerXL 2022-10-14T19:54:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VXLAN-over-IPSEC-configuration/m-p/159447#M27909 <P>Hi all,</P><P>anyone has experience/quick guide with implementation of VXLAN over IPSEC?</P><P>I'm trying to set it up with a Fortinet firewall and no success.</P><P>&nbsp;</P><P>Tried to follow this guide <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk170014" target="_blank" rel="noopener">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk170014</A>&nbsp;+ VPN with empty group.</P><P>I correctly see phase 1 UP and phase 2 UP with same subnet for MyTS and PeerTS, so the IPSEC part seems to be ok.</P><P>&nbsp;</P><P>Thank you</P><DIV><DIV class="">&nbsp;</DIV></DIV> Thu, 13 Oct 2022 14:10:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VXLAN-over-IPSEC-configuration/m-p/159447#M27909 CheckPointerXL 2022-10-13T14:10:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VXLAN-over-IPSEC-configuration/m-p/159486#M27920 <P>Did you attempt to troubleshoot the VXLAN portion of this?<BR />The SK you linked should provide some troubleshooting steps.<BR />You might also check with fw monitor/tcpdump to see if the traffic is appearing on the correct interfaces.</P> Thu, 13 Oct 2022 20:11:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VXLAN-over-IPSEC-configuration/m-p/159486#M27920 PhoneBoy 2022-10-13T20:11:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VXLAN-over-IPSEC-configuration/m-p/159591#M27973 <P>I did VxLan with OPNSense across IPSEC. Did you look for UDP/4789 packets traversing the IPSEC tunnel?</P> Fri, 14 Oct 2022 16:44:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VXLAN-over-IPSEC-configuration/m-p/159591#M27973 dphonovation 2022-10-14T16:44:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VXLAN-over-IPSEC-configuration/m-p/159613#M27987 <P>Hey Guys,</P><P>thank you for your feedback.</P><P>I just solved, the missing key point was related to VTI; once created on fortinet side (<A href="https://community.fortinet.com/t5/FortiGate/Technical-Tip-VXLAN-over-IPsec-for-multiple-VLANs-using-software/ta-p/195488)" target="_blank" rel="noopener">https://community.fortinet.com/t5/FortiGate/Technical-Tip-VXLAN-over-IPsec-for-multiple-VLANs-using-software/ta-p/195488)&nbsp;&nbsp;</A>I created it also on Check Point side and VXLAN started to work properly.</P><P>It is important to remember:</P><P>- allow traffic from peer's VTI to the Check Point GW on port&nbsp;<SPAN>4789.</SPAN></P><P><SPAN>- Add to the bridge the VXLAN interface and a&nbsp;<STRONG>VLAN interface</STRONG>, not a normal interface (eth1.10 is good, eth1 is not)</SPAN></P><P><SPAN>- configure L3 for that VLAN on a port </SPAN><STRONG>outside </STRONG><SPAN>the bridge.</SPAN></P><P>&nbsp;</P><P>Hope to help someone in the future <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 14 Oct 2022 19:54:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VXLAN-over-IPSEC-configuration/m-p/159613#M27987 CheckPointerXL 2022-10-14T19:54:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VXLAN-over-IPSEC-configuration/m-p/189779#M34967 <P>Hi did you configured a Layer 2 VXLAN or a Layer 3 VXLAN tunnel?</P><P>I have configured a Layer 2 VXLAN tunnel which is working but I want to encrypt it using IPSEC.</P><P>I stuck and don't know what to do? Can you give me some insight, thx.</P> Thu, 17 Aug 2023 14:01:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VXLAN-over-IPSEC-configuration/m-p/189779#M34967 uwillems 2023-08-17T14:01:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VXLAN-over-IPSEC-configuration/m-p/189782#M34968 <P>Hey</P> <P>VXLAN is a technolgy to allow layer 2 connectivity thanks to layer3, so i cannot understand your first question</P> <P>Anyway, follow this sk&nbsp;<A href="https://support.checkpoint.com/results/sk/sk170014" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk170014</A> and what i wrote in the old post</P> Thu, 17 Aug 2023 14:25:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VXLAN-over-IPSEC-configuration/m-p/189782#M34968 CheckPointerXL 2023-08-17T14:25:40Z