
Domain-Based VPN with Dynamic Routing


Hi,

I'm trying to investigate if it's possible to stop the VPN route propagation with Domain-Based VPN in order to control the routing with BGP.

Migrating to Route-Based is an option but has its limitations when running a mixture of Route-Based VPN with Domain-Based VPN (as per sk109340).

Is it a valid solution to disable "reroute_encrypted_packets" on the relevant gateways using GuiDBedit?

Any other ideas how it can be achieved?

Thanks.

Accepted Solution
Admin

Re: Domain-Based VPN with Dynamic Routing


It's not an issue of the routes propagating to BGP, it's an issue of the gateway preferring VPN routes, which basically happens in the kernel.

Got it :)

Having read the SK you referenced, I would come to the same conclusion: change the reroute_encrypted_packets setting.

I also see you have a TAC case and that we're checking on this.

8 Replies
Admin

Re: Domain-Based VPN with Dynamic Routing


Are you saying the routes from the VPN propagate to BGP or vice versa?

Perhaps you can filter with routemaps: How to configure Routemaps in Gaia Clish


Re: Domain-Based VPN with Dynamic Routing


If I use BGP on top of a domain-based VPN, the gateway always prefers the VPN routes. I am trying to find a way to stop the VPN routes from being propagated automatically so Gaia routing can be used instead.

Due to the number of existing VPN communities, it is a bit painful to transition to route-based VPN.


Re: Domain-Based VPN with Dynamic Routing


Thanks Dameon Welch-Abernathy, I just needed assurance that this is a valid solution and will be supported by the TAC in case of any issues.

I didn't raise a TAC case (yet) but ran it past our local SE, so perhaps he opened one on my behalf.

Admin

Re: Domain-Based VPN with Dynamic Routing


Misspoke on the TAC case, but your SE is definitely asking around :)


Re: Domain-Based VPN with Dynamic Routing


Just an update, I tested this scenario in the lab and disabling reroute_encrypted_packets works like a charm. The kernel VPN routes are still there but not being used to forward traffic, OS routing is being used instead.

Admin

Re: Domain-Based VPN with Dynamic Routing


Glad it works.

I'm curious what your exact use case is here (i.e. why you want to override the VPN routes with BGP).


Re: Domain-Based VPN with Dynamic Routing


Our customer has 2 sites with on-premise clusters running VPNs to a bunch of CloudGuard clusters hosted on Azure/AWS.

My predecessor chose to configure MEP for fail-over between the on-premise clusters.

However, in a failover scenario all the users are still routed (static routing being used to date) through the primary site, causing asymmetric routing.

My goal is to run dynamic routing to automatically fail over the public cloud connectivity.

The issue currently is the domain-based VPN, which always prefers VPN kernel routes; the idea is to control how traffic is routed to the public cloud using BGP (CORE switches <--BGP--> On-Premise clusters <--BGP--> Public Cloud Clusters).

Route-based VPN will resolve it as well but will introduce other challenges, like narrowing down the encryption domains while we have other Domain-Based VPNs with 3rd parties.

I guess we'll have some healthy debates after xmas whether to go ahead with disabling reroute_encrypted_packets or converting everything to Route-based VPN.

Cheers!

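A sketch of the BGP side of the design described in the last post (core switches <--BGP--> on-premise clusters <--BGP--> cloud clusters), tying together the routemap pointer given earlier in the thread. This is an added example, not configuration from the original thread or from Check Point. It shows, for one on-premise cluster, a Gaia clish route-map that accepts only the cloud prefix from the cloud-side peer and re-advertises it to the core switch, with AS-path prepending on the secondary site so that the core switches (and the cloud side) prefer the primary site while its sessions are up and fall back automatically when they drop; this only takes effect once reroute_encrypted_packets is disabled, as tested in the thread, because until then the kernel VPN route still wins over the BGP route. The AS numbers, peer addresses, prefixes and route-map names are made up, and the command syntax is written from memory of Gaia clish; check it against the Gaia Advanced Routing guide for the version in use before applying.

```clish
# Hypothetical values: this cluster is AS 65010, the cloud cluster peer is
# 10.255.0.2 in AS 65020, the core switch peer is 192.0.2.1 in AS 65000,
# the cloud prefix is 10.100.0.0/16 and the on-premise prefix is 10.10.0.0/16.
set as 65010

# Inbound from the cloud cluster: accept only the cloud prefix.
set routemap CLOUD-IN id 10 on
set routemap CLOUD-IN id 10 allow
set routemap CLOUD-IN id 10 match network 10.100.0.0/16 all

# Outbound to the core switch: re-advertise only the cloud prefix.
# On the SECONDARY site only, add the prepend line so the core switches
# prefer the path via the primary site while it is available.
set routemap CORE-OUT id 10 on
set routemap CORE-OUT id 10 allow
set routemap CORE-OUT id 10 match network 10.100.0.0/16 all
# set routemap CORE-OUT id 10 action aspath-prepend-count 3   # secondary site only

# Outbound to the cloud cluster: advertise only the on-premise prefix,
# again prepended on the secondary site so return traffic also prefers the primary.
set routemap CLOUD-OUT id 10 on
set routemap CLOUD-OUT id 10 allow
set routemap CLOUD-OUT id 10 match network 10.10.0.0/16 all
# set routemap CLOUD-OUT id 10 action aspath-prepend-count 3  # secondary site only

# eBGP session to the cloud cluster. It runs inside the domain-based VPN,
# so both peer addresses must be part of the encryption domain.
set bgp external remote-as 65020 on
set bgp external remote-as 65020 peer 10.255.0.2 on
set bgp external remote-as 65020 peer 10.255.0.2 import-routemap CLOUD-IN preference 1 on
set bgp external remote-as 65020 peer 10.255.0.2 export-routemap CLOUD-OUT preference 1 on

# eBGP session to the core switch.
set bgp external remote-as 65000 on
set bgp external remote-as 65000 peer 192.0.2.1 on
set bgp external remote-as 65000 peer 192.0.2.1 export-routemap CORE-OUT preference 1 on

save config

# Verification: the sessions should be Established and the cloud prefix should
# appear as a BGP route; with reroute_encrypted_packets disabled it is the route
# the OS actually forwards on, even though the kernel VPN route is still present.
show bgp peers
show route bgp
```

Keeping the inbound and outbound route-maps to explicit prefixes is what makes the asymmetric-routing fix safe: the clusters only ever advertise the cloud prefix towards the core and the on-premise prefix towards the cloud, so a misconfigured peer cannot inject a more specific route that pulls third-party domain-based VPN traffic onto the wrong path.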