topic Re: BGP over IPSec using vIPs for VTIs in Firewall and Security Management

BGP over IPSec using vIPs for VTIs

Vladimir — Wed, 27 Jan 2021 03:05:05 GMT

I have to ask for your help on this one:

Client has a cluster running R80.40.

Connected to the peer's network via IPSec using VTIs.

Despite being provided with single IP address for our side of the tunnel(s), TAC recommended using /29 network with vIPs to assign the tunnel IP address, claiming that the peer should not be concerned about it, since they will only see vIP.

I have seen this approach used for AWS VPN connectivity with Static Routes, but the IPs for VTIs were generated by AWS.

In the BGP via IPSec implementation guide for AWS there are no references to this approach.

Tunnel IPs on both sides are in 10.x.x.x range.

There is also a static route for the 10.0.0.0/8 pointing to the internal gateway on the cluster.

VPN is established.

We can see the 19X.XXX.XXX.0/24 networks advertised by the peer via BGP.

But in the routing table, the peer's network have the same next hop as the one defined for the 10.0.0.0/8.

I have never seen VTIs used as the cluster interfaces with vIPs, so please confirm that this is acceptable.

I would also appreciate the pointers for the reason the BGP routes having incorrect next hop.

Thank you.

Re: BGP over IPSec using vIPs for VTIs

vinceneil666 — Wed, 27 Jan 2021 07:44:09 GMT

Hi,

Do you have a very brief drawing of the setup ?

I understand you see an advertised network from the peer, but in the routing table it has the wrong gateway ? -- the routing table absolutly shows this as a BGP route ?

show ip bgp neighbor <ip> received-routes - what does this show ?

Re: BGP over IPSec using vIPs for VTIs

Vladimir — Wed, 27 Jan 2021 12:56:49 GMT

Do not have a diagram handy, but the output of the received routes shows correct networks with correct next hops.

And yes, the routes are clearly labeled as BGP ( with "B" in the Type column).

Additional tidbit of information: the vIP/VTI interfaces configured as "External". As I do not have access to the environment now, I cannot vouch for it, but I think that anti-spoofing is enabled on that interface.

Sorry for the sparse data, I have walked-in on this project just now, after client was working with TAC for a while.

Re: BGP over IPSec using vIPs for VTIs

_zball_ — Fri, 19 Mar 2021 18:13:24 GMT

I am have a similar problem. Did you get bgp peering working. My cluster is send the bgp tcp messages at the Firewall ip and not the Vip of the vpnt interface.