FIGW - IPSEC + VXLAN + FRAGMENTATION AND REASSEMBLY over L2 link

EF
Contributor II
Hi team,

On an L2 connection through an ISP with an MTU of less than 1600 bytes, I'm using FIGWs for Fabric Extend (VXLAN) plus fragmentation & reassembly to establish IS-IS adjacencies without problem.

Now I want to add IPSEC, but I reviewed all the topologies available for IPSEC and all of them are through L3. The question is: on an L2 link, is an IPSEC topology supported?

Regards

EF
1 ACCEPTED SOLUTION

Miguel-Angel_RO
Valued Contributor II
EF,

IPSEC is always over L3. MACSEC is over L2.
Here a possible setup
(setup diagram attached as image)
Mig


5 REPLIES

Miguel-Angel_RO
Valued Contributor II
EF,
You should describe your setup in more depth.
The IPSec tunnel + frag/defrag can be performed at the FIGW level, while the IS-IS logical interface is done at the switch level.
You should describe what you have today in a picture so that I can guide you.

Mig

I'll try to explain better. This is my working environment (VXLAN + FRAGMENTATION): my deployment is an L2 link with an MTU of less than 1600 bytes between two FIGWs, and it's working fine:

(diagram: L2 link with VXLAN + fragmentation between two FIGWs)

Now I want to add IPSEC, but I'm unable to add the necessary commands because there are exclusions with this config.

After my investigation I see that all topologies with IPSEC are over L3 networks,

(diagram: IPSEC topology over L3 network)

so I begin to suspect that it's not supported over L2 links.

It's a question about the topologies supported with FIGW and IPSEC.

BR

EF

Running IPsec tunnels over an L2 WAN (e.g. VPLS) should be possible, but I have never tried it. You would not set any wan-intf-gw-ip on the FIGW.
The FIGW would thus ARP for the remote end-points.