Kebin23
Participant

Redundant VPN over BGP

Hi community,

I have set up a lab to test redundant VPNs over BGP. I am sharing the topology of my environment and the configuration on the Check Point side; I hope it helps you.

LAB.

LAB_TOPLGY.png

ASN1 and ASN2 are the remote gateways with which I will set up the VPNs.

OBJECTIVE: "HOST_LOCAL" connects to "HOST_REMOTE" through a VPN over BGP with ASN1; if this VPN goes down, there is a second VPN over BGP with ASN2 to reach "HOST_REMOTE" again, guaranteeing that connectivity between both hosts is not lost while using VPNs.

Configuration on the Check Point.

At the GAIA level, we create a VPN-tunnel interface, where we define the tunnel ID, in this case 1, and set the peering IPs defined in the topology; for ASN1 they are the ones highlighted in green (local 11.11.11.22 and remote 11.11.11.20).

VPNT1.png

We repeat the same step for the VPN against ASN2, changing the peering IPs; as shown in the topology, the IPs to use are the purple ones (local 20.20.20.22 and remote 20.20.20.23), and we choose ID = 2 for this VPN.

VPNT2.png

Once the VPN-tunnel interfaces have been created, it looks like this.

VPN_interf.png

In Advanced Routing > BGP > Change Global Settings, configure your Router ID (in my case I assigned the IP of my external interface, 3.3.3.254) and your AS number, which in my case I set to 65000.

ID_AS.png

In the same Advanced Routing > BGP section, we add the BGP peers for both VPNs.

Peer_BGP.png

In the BGP Peer, we must set the remote AS as well as the remote peer IP with which we created the VPN-tunnel interfaces. Don't forget that we must enable the eBGP Multihop option. We repeat the same for the ASN2 peer.

Peer_BGP_AS65100.png

Peer_BGP_AS65100_1.png

We allow all the networks that the remote peers with AS 65100 and AS 65200 advertise to us in the "Inbound Route Filters" option. I am setting the VPN with ASN1 (AS 65100) as the primary one using the weights (green underline).

inbound.png

In the "Route Redistribution" section I am advertising my eth1 network to peers AS65100 and AS65200.

distribuir.png

Once the GAIA level is configured, we configure at the SMC level.

We create the 2 VPN domains for both VPNs, leaving them empty.

Domain_asn1.png

Domain_asn2.png

We create the "Interoperable Device" with the public IP of the other end and with the respective domain we just created. We follow the same sequence for ASN2.

Peer_ASN1.png

Peer_ASN1_1.png

We create a star community with the following steps; repeat the same process for ASN2.

VPN1_1.png

VPN1_2.png

VPN1_3.png

VPN1_4.png

In this case I am not using NAT, but if you want to use it, do not enable that option.

VPN1_5.png

RULE.

RULE.png

After the configuration on the Check Point side and on the remote devices, the BGP neighborship is established with both peers (ASN1 and ASN2); in this case I have configured both ASN1 and ASN2 to advertise the HOST_REMOTE network towards the Check Point.

establecido_ASN1.png

establecido_ASN2.png

Networks received and advertised via BGP.

Publicación de redes.png

Redes_received.png

Routes on the Check Point.

show_route.png

VPNs UP.

UP_ASN1.png

UP_ASN2.png

Connectivity test through VPN_ASN1

Test_ping_1.png

Test_ping.png

Failover test

In the simulated environment, I observed that 3 ping packets were lost during the failover, after which the connection was kept constant by the backup VPN with ASN2. The test was performed in reverse, losing 2 ICMP packets, and then the connection remained constant. As far as I can tell, the setup is functional.

failover_test_1.png

failover_test_2.png

failover_test_3.png

Regards

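The Gaia clish equivalent of the GUI steps described in the post above, added here as an example; it is not part of the original post and not taken from Check Point documentation. The tunnel IDs, peering IPs, Router ID and AS numbers are the ones from the lab topology. The peer object names ASN1/ASN2 (which must match the Interoperable Device names created in SmartConsole), the bgp-policy IDs 512/513 and the weight values 100/50 are assumptions; the inbound-route-filter weight syntax in particular is from memory and should be checked against `show configuration` on the target Gaia version before use.

```clish
# Added example, not from the original post. Assumed: peer object names ASN1/ASN2,
# bgp-policy IDs 512/513, weight values 100/50; verify syntax against your Gaia version.

# 1. Numbered VPN-tunnel interfaces (VTIs), one per remote gateway
add vpn tunnel 1 type numbered local 11.11.11.22 remote 11.11.11.20 peer ASN1
add vpn tunnel 2 type numbered local 20.20.20.22 remote 20.20.20.23 peer ASN2

# 2. Global BGP settings (Router ID = external interface IP, local AS 65000)
set router-id 3.3.3.254
set as 65000

# 3. eBGP peers reached through the VTIs; eBGP multihop must be enabled
set bgp external remote-as 65100 on
set bgp external remote-as 65100 peer 11.11.11.20 on
set bgp external remote-as 65100 peer 11.11.11.20 multihop on
set bgp external remote-as 65200 on
set bgp external remote-as 65200 peer 20.20.20.23 on
set bgp external remote-as 65200 peer 20.20.20.23 multihop on

# 4. Inbound route filters: accept all IPv4 routes from both ASes,
#    prefer AS 65100 (primary) over AS 65200 (backup) via a higher weight
#    (weight keyword assumed; check "show configuration" on your version)
set inbound-route-filter bgp-policy 512 based-on-as as 65100 on
set inbound-route-filter bgp-policy 512 based-on-as as 65100 all-ipv4-routes accept
set inbound-route-filter bgp-policy 512 based-on-as as 65100 weight 100
set inbound-route-filter bgp-policy 513 based-on-as as 65200 on
set inbound-route-filter bgp-policy 513 based-on-as as 65200 all-ipv4-routes accept
set inbound-route-filter bgp-policy 513 based-on-as as 65200 weight 50

# 5. Redistribute the eth1 (HOST_LOCAL) network to both peers
set route-redistribution to bgp-as 65100 from interface eth1 on
set route-redistribution to bgp-as 65200 from interface eth1 on

save config

# Verification: both peers Established, HOST_REMOTE learned via both VTIs,
# the AS 65100 path installed as the active route, and both tunnels up
show bgp peers
show route bgp
show vpn tunnels
```

To reproduce the failover test from the post, shut down the primary tunnel on the ASN1 side (or remove the VTI route to 11.11.11.20) while pinging HOST_REMOTE, then confirm with `show route bgp` that the next hop has moved to 20.20.20.23 and that the ping resumes after the expected handful of lost packets. Note that with empty encryption domains on both sides, the routing table alone decides which tunnel carries the traffic, so the weight values are what make ASN1 the primary path.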