Hello Friends,
I've got a situation here and I'm stuck.
We are talking about R81.20 VSX 26k SG.
I can set up eBGP between the external router and a Vsys. The Vsys can announce its own routes and receive routes from the external router. But how can I send the external router a route to a subnet reached only via a domain-based VPN?
How can I announce a domain-based VPN (route) to BGP?
The domain-based VPN doesn't have routes in the FIB; under # route -n or # ip route show we can only see static routes.
Is there any way to accomplish this?
Tks a lot,
Victor C
You need to use the RIM feature for domain-based VPN. Once RIM is activated, you will get the content of the VPN encryption domain of the remote VPN peer as kernel routes. These kernel routes can be propagated over BGP.
More info about the RIM feature can be found in the R81.20 Site to Site VPN Administration Guide.
Hello Josko,
I'm reading about RIM and it sounds like exactly what I need. Just to confirm, RIM works fine with VSX, correct?
Tks,
Victor C
@victor_cortez yes, RIM is working with VSX, no limitation seen in sk79700 - VSNext / VSX supported features
Yes, it does, no issues there.
Hello,
I'm looking here and got stuck once more.
Situation 1 - for Vsys XYZ, in the IPsec VPN we are not defining the subnets in the community; all traffic should go to the tunnel. So in the "interoperable device" - topology - group properties - in group - there is only the public IP of the peer itself.
If I'm not defining the subnets in the community, will RIM work?
1 - My understanding is that RIM only works as expected if subnets are defined in the VPN Community.
2 - RIM doesn't work if the crypt.def and user.def files are customized.
What do you guys think about this?
Tks,
Victor
I believe so as well.
1-yes
2-correct
Andy
For 1.
- yes, the definition of an encryption domain is necessary
- you can define an encryption domain for all networks as an example with a range "0.0.0.0 - 254.254.254.254"
For 2.
- as @the_rock Andy wrote, entries from these special files are ignored.
- but with the newer releases you can define separate encryption domains for different VPN communities within SmartConsole, this was the most common use case for changing user.def (I don't know which changes you did, but maybe that's it)
I agree 100% with @JozkoMrkvicka. All this would be much easier with a route-based tunnel, as you could just use unnumbered VTIs for BGP. But, for domain-based, yes, the RIM mechanism seems your best option.
Andy