FIGW - IPSEC + VXLAN + FRAGMENTATION AND REASSEMBLY over L2 link

EF
Contributor II
Hi team,

On an L2 connection through an ISP with an MTU of less than 1600 bytes, I'm using FIGWs for fabric extend (VXLAN) and fragmentation & reassembly to establish ISIS adjacencies without problem.

Now I want to add IPSEC, but I reviewed all the topologies available for IPSEC and all of them are through L3. The question is: on an L2 link, is an IPSEC topology supported?

Regards

EF
1 ACCEPTED SOLUTION

Miguel-Angel_RO
Valued Contributor II
EF,

IPSEC is always over L3. MACSEC is over L2.
Here a possible setup
[image: possible setup]
Mig


5 REPLIES

Miguel-Angel_RO
Valued Contributor II
EF,
You should describe your setup in more detail.
The IPSec tunnel + frag/defrag can be performed at the FIGW level, while the ISIS logical interface is done at the switch level.
You should describe what you have today in a picture so that I can guide you.

Mig

I'll try to do better. This is my working environment (VXLAN + FRAGMENTATION): my deployment is an L2 link with an MTU of less than 1600 bytes between two FIGWs, and it's working fine:

[image: working L2 setup]

Now I want to add IPSEC, but I'm unable to add the necessary commands because there are exclusions with this config.

After my investigation I see that all topologies with IPSEC are over L3 networks,

[image: IPSEC topology over L3]

so I begin to suspect that it's not supported over L2 links.

It's a question about the topologies supported with FIGW and IPSEC.

BR

EF

Running IPsec tunnels over an L2 WAN (e.g. VPLS) should be possible, but I have never tried it. You would not set any wan-intf-gw-ip on the FIGW.
The FIGW would thus ARP for the remote end-points.