This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2021-01-26 06:32 PM

BGP over IPSec using vIPs for VTIs

I have to ask for your help on this one:

Client has a cluster running R80.40.

Connected to the peer's network via IPSec using VTIs.

Despite being provided with single IP address for our side of the tunnel(s), TAC recommended using /29 network with vIPs to assign the tunnel IP address, claiming that the peer should not be concerned about it, since they will only see vIP.

 

I have seen this approach used for AWS VPN connectivity with Static Routes, but the IPs for VTIs were generated by AWS.

In the BGP via IPSec implementation guide for AWS there are no references to this approach.

Tunnel IPs on both sides are in 10.x.x.x range.

There is also a static route for the 10.0.0.0/8 pointing to the internal gateway on the cluster.

VPN is established.

We can see the 19X.XXX.XXX.0/24 networks advertised by the peer via BGP.

But in the routing table, the peer's network have the same next hop as the one defined for the 10.0.0.0/8.

 

I have never seen VTIs used as the cluster interfaces with vIPs, so please confirm that this is acceptable.

I would also appreciate the pointers for the reason the BGP routes having incorrect next hop.

Thank you.

0 Kudos
3 Replies
vinceneil666
Advisor
‎2021-01-26 11:42 PM

Hi,

Do you have a very brief drawing of the setup ? 

I understand you see an advertised network from the peer, but in the routing table it has the wrong gateway ? -- the routing table absolutly shows this as a BGP route ? 

show ip bgp neighbor <ip> received-routes   - what does this show ? 

0 Kudos
Vladimir
Champion
Champion
‎2021-01-27 04:47 AM
In response to vinceneil666

Do not have a diagram handy, but the output of the received routes shows correct networks with correct next hops.

And yes, the routes are clearly labeled as BGP ( with "B" in the Type column).

Additional tidbit of information: the vIP/VTI interfaces configured as "External". As I do not have access to the environment now, I cannot vouch for it, but I think that anti-spoofing is enabled on that interface.

Sorry for the sparse data, I have walked-in on this project just now, after client was working with TAC for a while.

0 Kudos
_zball_
Explorer
‎2021-03-19 11:13 AM
In response to Vladimir

I am have a similar problem. Did you get bgp peering working. My cluster is send the bgp tcp messages at the Firewall ip and not the Vip of the vpnt interface.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events