Emanoel_Krieger,
daphnissov is correct that vSAN can/does support L3, but static routes are required, because vSAN uses the same TCP stack as the Management VMkernel interface.
If you're deploying a "normal" Stretched Cluster, you'll have to use static routes to connect the "backend" vSAN VMkernel interfaces to the vSAN Witness Host's vSAN VMkernel interface.
If you're deploying vSAN 6.7 or higher, Witness Traffic Separation is an alternative mechanism. Today, this could require static routes, or possibly not.
Witness Traffic Separation enables communication with the vSAN Witness Host over an alternate VMkernel interface (requires the "witness" traffic type, which is set from the command line). Additionally, as of vSAN 6.7 U1, you can even use Mixed MTU values for the "backend" and "frontend" vSAN networking.
I have a couple different blog posts on WTS here:
Understanding the vSAN Witness Host - Traffic Tagging - Virtual Blocks
Understanding Mixed MTU support in Stretched & 2 Node vSAN 6.7 U1
And you can find more about WTS on StorageHub in the Stretched Cluster Guide under New Concepts.
vSAN Stretched Cluster Guide
Some folks consider tagging "witness" on the Management VMkernel interface to avoid the requirement for any static routes to be configured.
Some would argue that this isn't a great practice. The jury is out on that, but if you consider that, you want to make sure the Management network is (as any Management network should be) isolated from non-administrative traffic.