route based vpn
TRANSCRIPT
-
8/3/2019 Route Based VPN
1/9
Route based VPN
Every time a new network or subnet is added at a site, the VPN domain must be updated. The configuration update must be done not only on the local gateway, but also on the remote gateways.
Route based VPN solves the above problems.
In route based VPN, a point-to-point L3 interface is created and all traffic sent to this interface is tunneled to the remote gateway. For a given pair of gateways, only one tunnel is created.
Once this is done, the administrator only needs to add routes to remote networks via the tunnel interfaces. If dynamic routing protocols are used, the admin need not even create routes explicitly.
-
Route based VPN
With a Route based VPN, an NGX gateway can decide to encrypt and decrypt a packet using a VPN tunnel interface, which is an OS level virtual interface that provides a door to a VPN tunnel.
When properly configured, the packet will then go through a route based VPN via the appropriate VTIs.
Route based VPN is only supported on SecurePlatform and IPSO 3.9 (or higher).
To implement route based VPN you need to configure a VTI (Virtual Tunnel Interface).
-
Virtual Tunnel Interface
A VTI is an OS level virtual interface that can be used as a security gateway to the VPN domain of the peer gateway.
Each VTI is associated with a single tunnel to a VPN-1 peer gateway.
The peer gateway should also be configured with a corresponding VTI.
The native IP routing mechanism can direct traffic into the tunnel just as it would for any other type of interface.
All traffic specific to a network will be routed through an associated VTI.
-
VPN routing process for VTI
A packet with destination address X is matched against the routing table.
The routing table indicates that IP address X should be routed through a point-to-point link, which is the VTI associated with gateway Y.
The VPN-1 kernel intercepts the packet as it enters the VTI.
The packet is encrypted using the IPSec SA parameters with peer gateway Y, as defined in the VPN community.
Based on the new destination IP, the packet is rerouted by VPN-1 into the physical interface, again according to the appropriate routing table entry for Y's address.
-
VPN Tunnel Interface
[Figure: VPN Routing Process]
-
Numbered VTI
Supported only on SPLAT.
If the VPN Tunnel Interface is numbered, the interface is assigned a local IP Address and a remote IP Address.
The local IP Address will be the source IP for connections originating from the Gateway and going through the VTI.
VTIs may share an IP Address but cannot use an already existing physical interface IP address.
-
Numbered VTI (contd)
VTIs can be manually configured using vpn shell.
Syntax for creating VTIs:
Expert# vpn shell interface add numbered
Syntax for viewing VTIs:
Expert# vpn shell show interface summary all
For route based VTIs, after the VTIs are created it is necessary to add static routes pointing to the VTI as the interface to access a peer's internal network.
-
Unnumbered VTI
Supported only on IPSO 3.9 or higher.
If the VTI is unnumbered, local and remote IP addresses are not configured.
Unnumbered VTIs must be assigned a proxy interface. The proxy interface is used as the source IP for outbound traffic.
-
Domain-Based vs Route based VPN
It is important to note that a route-based VPN does not replace a domain-based VPN, but expands it. Domain-based VPN takes precedence over route-based VPN.
Dynamic routing protocol information can propagate over the VPN. A VPN device can be automatically updated with network changes on any VPN peer gateway.
In case of one tunnel failure, other tunnels may be used to route the traffic.
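The forwarding decision the slides describe (the VTI routing process, the source-IP rule for numbered versus unnumbered VTIs, domain-based precedence, and failover to another tunnel) is easy to lose among the bullet points, so here is an added simulation of it in Python. This is example code written for this transcript, not Check Point code and not the `vpn shell` commands above; the gateway names (gwA, gwB, gwC, gwD), interface names (eth0, eth1, vt-gwB, vt-gwC) and all addresses are constructed for the demo.

```python
"""Simulation of the route-based VPN forwarding decision from the slides.
Constructed example: gateway names, interface names and addresses are made
up; nothing here is Check Point code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str          # a VTI name or a physical interface name
    metric: int = 0         # lower is preferred among equal-length prefixes


@dataclass
class VTI:
    name: str
    peer: str                               # peer gateway name
    peer_ip: str                            # peer's physical tunnel endpoint address
    local_ip: Optional[str] = None          # numbered VTI: local address
    remote_ip: Optional[str] = None         # numbered VTI: remote address
    proxy_interface: Optional[str] = None   # unnumbered VTI: proxy interface


class Gateway:
    def __init__(self, phys, routes, vtis, domains):
        self.phys = phys          # physical interface name -> its IP address
        # longest prefix first, then lowest metric
        self.routes = sorted(routes, key=lambda r: (-r.prefix.prefixlen, r.metric))
        self.vtis = {v.name: v for v in vtis}
        self.domains = domains    # domain-based peers: peer name -> encryption domain
        self.down = set()         # VTIs whose tunnel is currently failed

    def lookup(self, dst):
        """Longest-prefix match that skips routes via a failed interface."""
        ip = ipaddress.IPv4Address(dst)
        for r in self.routes:
            if ip in r.prefix and r.interface not in self.down:
                return r
        return None

    def source_ip(self, vti):
        """Source IP for a connection the gateway itself originates through a VTI:
        the local IP of a numbered VTI, or the proxy interface IP of an unnumbered one."""
        if vti.local_ip is not None:
            return vti.local_ip
        return self.phys[vti.proxy_interface]

    def forward(self, dst, src=None):
        ip = ipaddress.IPv4Address(dst)
        # Step 0: a domain-based community takes precedence over route-based VPN.
        for peer, nets in self.domains.items():
            if any(ip in n for n in nets):
                return {"mode": "domain-based", "peer": peer}
        # Step 1: destination X is matched against the routing table.
        route = self.lookup(dst)
        if route is None:
            return {"mode": "drop", "reason": "no route"}
        if route.interface not in self.vtis:
            return {"mode": "clear", "egress": route.interface}
        # Step 2: the route points at a VTI, so the VPN kernel intercepts the packet.
        vti = self.vtis[route.interface]
        inner_src = src if src is not None else self.source_ip(vti)
        # Step 3: encrypt with peer Y's SA; the new (outer) destination is Y's address.
        outer = self.lookup(vti.peer_ip)
        if outer is None or outer.interface in self.vtis:
            return {"mode": "drop", "reason": "no physical route to peer"}
        # Step 4: reroute the encapsulated packet via the physical interface for Y.
        return {"mode": "route-based", "vti": vti.name, "peer": vti.peer,
                "inner_src": inner_src, "inner_dst": dst,
                "outer_src": self.phys[outer.interface], "outer_dst": vti.peer_ip,
                "egress": outer.interface}


def build_gateway():
    """Constructed topology: this gateway (gwA) has a numbered VTI to gwB, an
    unnumbered VTI to gwC, and a domain-based community with gwD."""
    net = ipaddress.ip_network
    return Gateway(
        phys={"eth0": "203.0.113.10", "eth1": "10.1.0.1"},
        routes=[
            Route(net("0.0.0.0/0"), "eth0"),
            Route(net("10.1.0.0/16"), "eth1"),
            Route(net("10.2.0.0/16"), "vt-gwB", metric=10),   # primary: via gwB
            Route(net("10.2.0.0/16"), "vt-gwC", metric=20),   # backup: via gwC
            Route(net("10.3.0.0/16"), "vt-gwC", metric=10),
        ],
        vtis=[
            VTI("vt-gwB", "gwB", "198.51.100.20",
                local_ip="192.168.255.1", remote_ip="192.168.255.2"),
            VTI("vt-gwC", "gwC", "198.51.100.30", proxy_interface="eth0"),
        ],
        domains={"gwD": [net("10.4.0.0/16")]},
    )


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.forward("10.2.5.5", src="10.1.0.50"))   # via the numbered VTI to gwB
    print(gw.forward("10.3.1.1"))                    # gateway-originated, unnumbered VTI
    gw.down.add("vt-gwB")
    print(gw.forward("10.2.5.5", src="10.1.0.50"))   # tunnel to gwB failed: backup via gwC
```

Two points the simulation makes visible: the routing table is consulted twice per tunneled packet (once for the inner destination, which lands on the VTI, and once for the peer's address after encapsulation, which must land on a physical interface), and failover works only because a second static route via the other VTI exists; with a single route, marking `vt-gwB` down would return a drop rather than a detour.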