https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/figw-ipsec-vxlan-fragmentation-and-reassembly-over-l2-link/m-p/8912#M493 EF,<BR /><BR />IPSEC is always over L3. MACSEC is over L2.<BR />Here a possible setup<BR /><span class="lia-inline-image-display-wrapper" image-alt="bcc6d49f81314676b3ada78d661674f7.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/4034iB747BEE0B2143D54/image-size/large?v=v2&amp;px=999" role="button" title="bcc6d49f81314676b3ada78d661674f7.png" alt="bcc6d49f81314676b3ada78d661674f7.png" /></span>Mig Fri, 26 Nov 2021 13:23:00 GMT Miguel-Angel_RO 2021-11-26T13:23:00Z https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/figw-ipsec-vxlan-fragmentation-and-reassembly-over-l2-link/m-p/8909#M490 Hi team,<BR /><BR />In a L2 connection through ISP with MTU less of 1600bytes, I´m using FIGWs for fabric extend (VXLAN) and fragmentation &amp; reassembly to establish isis adjacencies&nbsp; without problem.<BR /><BR />Now I want to add IPSEC but I review all the topologies avalaible for IPSEC and all of them are trought L3, the question is, in a link L2 is IPSEC topology supported? <BR /><BR />Regards<BR /><BR />EF Mon, 22 Nov 2021 11:20:00 GMT https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/figw-ipsec-vxlan-fragmentation-and-reassembly-over-l2-link/m-p/8909#M490 EF 2021-11-22T11:20:00Z https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/figw-ipsec-vxlan-fragmentation-and-reassembly-over-l2-link/m-p/8910#M491 EF,<BR />You should describe deeper your setup.<BR />The IPSec tunnel+frag/defrag can be performed at the FIGW level while the isis logical interface is done at the switch level.<BR />You should describe what you have today in a picture to be able to guide you.<BR /><BR />Mig Thu, 25 Nov 2021 11:49:00 GMT https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/figw-ipsec-vxlan-fragmentation-and-reassembly-over-l2-link/m-p/8910#M491 Miguel-Angel_RO 2021-11-25T11:49:00Z https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/figw-ipsec-vxlan-fragmentation-and-reassembly-over-l2-link/m-p/8911#M492 <P>I´ll try better, this is my working environment (VXLAN+FRAGMENTATION) , My deploy is L2 link&nbsp; with MTU less 1600 bytes between two FIGWs and it´s working fine:</P> <DIV class="media" style="overflow: hidden; zoom: 1;"><span class="lia-inline-image-display-wrapper" image-alt="qbEc5y6HT0m0LOXaCzIQ_l2.jpeg"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/3377i432F08CD9FDA22F8/image-size/large?v=v2&amp;px=999" role="button" title="qbEc5y6HT0m0LOXaCzIQ_l2.jpeg" alt="qbEc5y6HT0m0LOXaCzIQ_l2.jpeg" /></span></DIV> <P>&nbsp;</P> <P>Now I want to add IPSEC but I'm unable to add the necessary commands because there are exclusion with this config.</P> <P>&nbsp;</P> <P>After my investigation I see that all topologies with IPSEC are over L3 networks,</P> <DIV class="media" style="overflow: hidden; zoom: 1;"><span class="lia-inline-image-display-wrapper" image-alt="mDwTUfSyRXixo0QmODVc_l3.jpeg"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/3309iE7E785CD4D5C4F9C/image-size/large?v=v2&amp;px=999" role="button" title="mDwTUfSyRXixo0QmODVc_l3.jpeg" alt="mDwTUfSyRXixo0QmODVc_l3.jpeg" /></span></DIV> <P>&nbsp;</P> <P>&nbsp;</P> <P>so I begin to suspect that it´s not supported over L2 links.</P> <P>&nbsp;</P> <P>It´s a question about topologies supported with FIGW and IPSEC.</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>EF</P> Thu, 25 Nov 2021 16:47:00 GMT https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/figw-ipsec-vxlan-fragmentation-and-reassembly-over-l2-link/m-p/8911#M492 EF 2021-11-25T16:47:00Z https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/figw-ipsec-vxlan-fragmentation-and-reassembly-over-l2-link/m-p/8912#M493 EF,<BR /><BR />IPSEC is always over L3. MACSEC is over L2.<BR />Here a possible setup<BR /><span class="lia-inline-image-display-wrapper" image-alt="bcc6d49f81314676b3ada78d661674f7.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/4034iB747BEE0B2143D54/image-size/large?v=v2&amp;px=999" role="button" title="bcc6d49f81314676b3ada78d661674f7.png" alt="bcc6d49f81314676b3ada78d661674f7.png" /></span>Mig Fri, 26 Nov 2021 13:23:00 GMT https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/figw-ipsec-vxlan-fragmentation-and-reassembly-over-l2-link/m-p/8912#M493 Miguel-Angel_RO 2021-11-26T13:23:00Z https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/figw-ipsec-vxlan-fragmentation-and-reassembly-over-l2-link/m-p/8913#M494 Running IPsec tunnels over a L2 WAN (e.g. VPLS) should be possible, but i have never tried it. You would not set any wan-intf-gw-ip on the FIGW.<BR />The FIGW would thus ARP for the remote end-points. Mon, 29 Nov 2021 17:48:00 GMT https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/figw-ipsec-vxlan-fragmentation-and-reassembly-over-l2-link/m-p/8913#M494 Ludovico_Steven 2021-11-29T17:48:00Z https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/figw-ipsec-vxlan-fragmentation-and-reassembly-over-l2-link/m-p/8914#M495 Hi Ludovico,<BR /><BR />this is the problem, if I´m not wrong,&nbsp; that "set global wan-intf-gw-ip&nbsp; " is mandatory for IPSEC config, but in a l2 connection I dont have it.<BR /><BR />Regards<BR /><BR />EF Mon, 29 Nov 2021 17:57:00 GMT https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/figw-ipsec-vxlan-fragmentation-and-reassembly-over-l2-link/m-p/8914#M495 EF 2021-11-29T17:57:00Z