topic Re: Domain-Based VPN with Dynamic Routing in General Topics

Domain-Based VPN with Dynamic Routing

Alex_Shpilman — Tue, 18 Dec 2018 01:51:11 GMT

Hi,

I'm trying to investigate if it's possible to stop the VPN routes propagation with Domain-Based VPN in a order to control the routing with BGP.

Migrating to Route-Based is an option but has it's limitations when running a mixture of Route-Based VPN with Domain-Based VPN (as per sk109340).

Is this a valid solution to disable "reroute_encrypted_packets" on the relevant gateways using GuiDBedit?

Any other ideas how it can be achieved?

Thanks.

Re: Domain-Based VPN with Dynamic Routing

PhoneBoy — Wed, 19 Dec 2018 00:29:16 GMT

Are you saying the routes from the VPN propagate to BGP or vice versa?

Perhaps you can filter with routemaps: How to configure Routemaps in Gaia Clish

Re: Domain-Based VPN with Dynamic Routing

Alex_Shpilman — Wed, 19 Dec 2018 00:36:38 GMT

If I use BGP on top of a domain-based VPN, the gateway always prefers the VPN routes. I am trying to find a way to stop the VPN routes to be propagated automatically so Gaia routing can be used instead.

Due to the amount of existing VPN communities this is a bit painful to transition to route-based VPN.

Re: Domain-Based VPN with Dynamic Routing

PhoneBoy — Wed, 19 Dec 2018 00:47:04 GMT

It's not an issue of the routes propagating to BGP, it's an issue of the gateway preferring VPN routes, which are basically happening in the kernel.

Got it

Having read the SK you referenced, I would come to the same conclusion: change the reroute_encrypted_packets setting.

I also see you have a TAC case and that we're checking on this.

Re: Domain-Based VPN with Dynamic Routing

Alex_Shpilman — Wed, 19 Dec 2018 00:54:44 GMT

Thanks Dameon Welch-Abernathy‌, I just needed an assurance that this is a valid solution and will be supported by the TAC in case of any issues.

I didn't raise a TAC case (yet) but ran it passed our local SE, so perhaps he opened one on my behalf.

Re: Domain-Based VPN with Dynamic Routing

PhoneBoy — Wed, 19 Dec 2018 00:58:36 GMT

Misspoke on the TAC case, but your SE is definitely asking around

Re: Domain-Based VPN with Dynamic Routing

Alex_Shpilman — Thu, 20 Dec 2018 11:15:12 GMT

Just an update, I tested this scenario in the lab and disabling reroute_encrypted_packets works like a charm. The kernel VPN routes are still there but not being used to forward traffic, OS routing is being used instead.

Re: Domain-Based VPN with Dynamic Routing

PhoneBoy — Thu, 20 Dec 2018 15:45:03 GMT

Glad it works.

I'm curious what your exact use case is here (i.e. why you want to override the VPN routes with BGP).

Re: Domain-Based VPN with Dynamic Routing

Alex_Shpilman — Thu, 20 Dec 2018 19:21:54 GMT

Our customer got 2 sites with on-premise clusters running VPNs to bunch of CloudGaurd clusters hosted on Azure/AWS.

My predecessor chose to configure MEP for fail-over between the on-premise clusters.

However, in a fail-over scenario all the users are still routed (static routing being to date) through the primary site and causing asymmetric routing.

My goal is run dynamic routing to fail-over automatically the public clouds connectivity.

The issue currently is the domain-based VPN which always prefers VPN kernel routes and the idea is to control how traffic is routed to the public cloud using BGP (CORE switches <--BGP--> On-Premise clusters <--BGP--> Public Cloud Clusters).

Route-based VPN will resolve it as well but will introduce another challenges like narrowing down the encryption domains while we have another Domain-Based VPNs with 3rd parties.

I guess we'll have some healthy debates after xmas whether to go ahead with disabling reroute_encrypted_packets or converting everything to Route-based VPN.

Cheers!

Re: Domain-Based VPN with Dynamic Routing

Rick_Ther — Mon, 29 Jul 2019 14:24:31 GMT

I have just stumbled across this post, and am curious to know the final outcome as i´m in a similar situation. Was disabling reroute_encrypted_packets a valid option? Or did you choose to migrate to route-based vpn?

Re: Domain-Based VPN with Dynamic Routing

Alex_Shpilman — Tue, 22 Oct 2019 21:40:43 GMT

Sorry about the late response, just saw it now.

After many delays we're migrating to route-based VPN very soon.

I did some further testing and couldn't achieve the desired outcome with domain-based VPN, with route-based VPN it's a very painful migration but we'll get there.

Re: Domain-Based VPN with Dynamic Routing

Rick_Ther — Wed, 23 Oct 2019 15:57:46 GMT

Np. Ok, thx for the feedback.

Once you are done, I would appreciate the opportunity to hear how your migration to route based VPN went (pitfalls, unexpected limitations, etc.) . Personally, when I compare route based VPN to domain based VPN, I do not see any (technical) pro points for domain based VPN. Domain based VPNs are way to inflexible.

When all the limitations for route based VPNs are lifted in R80.xx I am curious to know how many migrations to route based VPN will takes place