CheckPointerXL
Advisor

VXLAN over IPSEC configuration

Hi all,

Does anyone have experience with, or a quick guide for, implementing VXLAN over IPSEC?

I'm trying to set it up with a Fortinet firewall, with no success.

I tried to follow this guide https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... plus a VPN with an empty group.

I correctly see phase 1 UP and phase 2 UP with the same subnet for MyTS and PeerTS, so the IPSEC part seems to be OK.

Thank you

0 Kudos
5 Replies
PhoneBoy
Admin

Did you attempt to troubleshoot the VXLAN portion of this?
The SK you linked should provide some troubleshooting steps.
You might also check with fw monitor/tcpdump to see if the traffic is appearing on the correct interfaces.

0 Kudos
dphonovation
Collaborator

I did VXLAN with OPNsense across IPSEC. Did you look for UDP/4789 packets traversing the IPSEC tunnel?

CheckPointerXL
Advisor

Hey guys,

thank you for your feedback.

I just solved it; the missing key point was related to the VTI. Once it was created on the Fortinet side (https://community.fortinet.com/t5/FortiGate/Technical-Tip-VXLAN-over-IPsec-for-multiple-VLANs-using-...) I created it also on the Check Point side and VXLAN started to work properly.

It is important to remember:

- Allow traffic from the peer's VTI to the Check Point GW on port 4789.

- Add the VXLAN interface and a VLAN interface to the bridge, not a normal interface (eth1.10 is good, eth1 is not).

- Configure L3 for that VLAN on a port outside the bridge.

Hope this helps someone in the future 🙂
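
dphonovation's suggestion above (look for UDP/4789 packets actually crossing the tunnel) and the first point of the accepted solution (only the peer's VTI address should be sending VXLAN to the gateway) are both things you can verify on a capture taken with tcpdump or fw monitor. The Python below is an added example, not code from this thread, from Check Point or from Fortinet: it decodes a VXLAN frame (outer Ethernet/IPv4/UDP, the VXLAN header with its VNI, the inner Ethernet header with an optional 802.1Q tag) and tallies a set of frames per VNI, counting frames whose outer source is not the expected peer VTI and frames that are not VXLAN at all. All addresses, MACs and frames are constructed placeholders; `10.255.0.2` stands in for the peer's VTI address and `10.255.0.1` for the local one.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN port (RFC 7348)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_UDP = 17
VXLAN_FLAG_I = 0x08        # "I" bit: a valid VNI is present in the header


@dataclass
class VxlanSummary:
    outer_src: str          # sending VTEP; should be the peer's VTI address
    outer_dst: str
    vni: int
    inner_src_mac: str
    inner_dst_mac: str
    vlan_id: Optional[int]  # 802.1Q tag carried inside the tunnel, if any
    inner_ethertype: int


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_vxlan_frame(frame: bytes) -> Optional[VxlanSummary]:
    """Decode outer Ethernet/IPv4/UDP, the VXLAN header and the inner Ethernet
    header. Returns None for anything that is not a well-formed VXLAN frame."""
    if len(frame) < 14:
        return None
    eth_type = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if eth_type == ETHERTYPE_VLAN:              # the outer frame may itself be tagged
        if len(frame) < 18:
            return None
        eth_type = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if eth_type != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4               # IPv4 header length in bytes
    if frame[off + 9] != IPPROTO_UDP or len(frame) < off + ihl + 8:
        return None
    outer_src = socket.inet_ntoa(frame[off + 12:off + 16])
    outer_dst = socket.inet_ntoa(frame[off + 16:off + 20])
    off += ihl
    dport = struct.unpack("!H", frame[off + 2:off + 4])[0]
    if dport != VXLAN_UDP_PORT:
        return None
    off += 8                                    # skip the UDP header
    if len(frame) < off + 8 or not frame[off] & VXLAN_FLAG_I:
        return None
    vni = int.from_bytes(frame[off + 4:off + 7], "big")   # 24-bit VNI
    off += 8                                    # skip the VXLAN header
    inner = frame[off:]
    if len(inner) < 14:
        return None
    dst_mac, src_mac = _mac(inner[0:6]), _mac(inner[6:12])
    inner_type = struct.unpack("!H", inner[12:14])[0]
    vlan_id = None
    if inner_type == ETHERTYPE_VLAN:            # inner frame carries an 802.1Q tag
        if len(inner) < 18:
            return None
        vlan_id = struct.unpack("!H", inner[14:16])[0] & 0x0FFF
        inner_type = struct.unpack("!H", inner[16:18])[0]
    return VxlanSummary(outer_src, outer_dst, vni, src_mac, dst_mac, vlan_id, inner_type)


def summarize_capture(frames: List[bytes], peer_vti_ip: str) -> Dict[str, object]:
    """Tally what crosses the tunnel: VXLAN frames per VNI, frames from an
    unexpected VTEP address, and everything that is not VXLAN at all."""
    per_vni: Dict[int, int] = {}
    unexpected_src = 0
    non_vxlan = 0
    for f in frames:
        s = parse_vxlan_frame(f)
        if s is None:
            non_vxlan += 1
            continue
        per_vni[s.vni] = per_vni.get(s.vni, 0) + 1
        if s.outer_src != peer_vti_ip:
            unexpected_src += 1
    return {"per_vni": per_vni, "unexpected_src": unexpected_src, "non_vxlan": non_vxlan}


def build_frame(outer_src: str, outer_dst: str, vni: int, inner_src_mac: str,
                inner_dst_mac: str, vlan_id: Optional[int] = None,
                payload: bytes = b"", dst_port: int = VXLAN_UDP_PORT) -> bytes:
    """Constructed test frame (not a real capture): outer Ethernet + IPv4 + UDP +
    VXLAN header + inner Ethernet, optionally 802.1Q-tagged. Checksums are zero."""
    inner = bytes.fromhex(inner_dst_mac.replace(":", "")) + bytes.fromhex(inner_src_mac.replace(":", ""))
    if vlan_id is not None:
        inner += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    inner += struct.pack("!H", ETHERTYPE_IPV4) + payload
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)   # flags, reserved, VNI, reserved
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, dst_port, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(outer_src), socket.inet_aton(outer_dst))
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + vxlan + inner


if __name__ == "__main__":
    # Placeholder addresses: 10.255.0.2 is the peer's VTI, 10.255.0.1 is ours.
    sample = [
        build_frame("10.255.0.2", "10.255.0.1", 10, "02:00:00:00:00:aa", "02:00:00:00:00:bb", vlan_id=10),
        build_frame("10.255.0.2", "10.255.0.1", 10, "02:00:00:00:00:aa", "ff:ff:ff:ff:ff:ff"),
        build_frame("192.0.2.9", "10.255.0.1", 20, "02:00:00:00:00:cc", "02:00:00:00:00:bb"),
        build_frame("10.255.0.2", "10.255.0.1", 10, "02:00:00:00:00:aa", "02:00:00:00:00:bb", dst_port=53),
    ]
    print(summarize_capture(sample, peer_vti_ip="10.255.0.2"))
```

Reading a real pcap would need a library such as dpkt or scapy to hand you the raw frames; the frames are built inline here so the decoder runs offline. A non-zero `unexpected_src` count means VXLAN is arriving from an address other than the peer's VTI, which is exactly the case the rule "allow 4789 only from the peer's VTI" is meant to exclude.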

uwillems
Explorer

Hi, did you configure a Layer 2 VXLAN or a Layer 3 VXLAN tunnel?

I have configured a Layer 2 VXLAN tunnel which is working, but I want to encrypt it using IPSEC.

I'm stuck and don't know what to do. Can you give me some insight? Thanks.

0 Kudos
CheckPointerXL
Advisor

Hey,

VXLAN is a technology that allows layer 2 connectivity over layer 3, so I cannot understand your first question.

Anyway, follow this SK https://support.checkpoint.com/results/sk/sk170014 and what I wrote in the old post.

0 Kudos
