route based vpn

Upload: karl-johnson

Post on 07-Apr-2018


  • 8/3/2019 Route Based VPN

    1/9 Route based VPN

    Every time a new network or subnet is added at a site, the VPN domain must be updated, and the configuration update must be made not only on the local gateway but also on every remote gateway.

    Route based VPN solves this problem.

    In a route based VPN, a point-to-point L3 interface is created and all traffic sent to this interface is tunneled to the remote gateway. For a given pair of gateways, only one tunnel is created.

    Once this is done, the administrator only needs to add routes to the remote networks via the tunnel interfaces. If dynamic routing protocols are used, the admin need not even create routes explicitly.

  • 2/9 Route based VPN

    With a route based VPN, an NGX gateway can decide to encrypt and decrypt a packet using a VPN tunnel interface, which is an OS level virtual interface that provides a door to a VPN tunnel.

    When properly configured, the packet will then go through the route based VPN via the appropriate VTIs.

    Route based VPN is only supported on SecurePlatform and IPSO 3.9 (or higher).

    To implement route based VPN you need to configure a VTI (Virtual Tunnel Interface).

  • 3/9 Virtual Tunnel Interface

    A VTI is an OS level virtual interface that can be used as a security gateway to the VPN domain of the peer gateway.

    Each VTI is associated with a single tunnel to a VPN-1 peer gateway. The peer gateway must also be configured with a corresponding VTI.

    The native IP routing mechanism can direct traffic into the tunnel just as it would for any other type of interface. All traffic destined for a given network will be routed through the associated VTI.

  • 4/9 VPN routing process for VTI

    An IP packet with destination address X is matched against the routing table.

    The routing table indicates that address X should be routed through a point-to-point link, which is the VTI associated with gateway Y.

    The VPN-1 kernel intercepts the packet as it enters the VTI.

    The packet is encrypted using the IPSec SA parameters for peer gateway Y as defined in the VPN community.

    Based on the new destination IP, the packet is rerouted by VPN-1 into the physical interface, again according to the appropriate routing table entry for Y's address.

  • 5/9 VPN Tunnel Interface

    [Diagram: VPN Routing Process]

  • 6/9 Numbered VTI

    Supported only on SPLAT (SecurePlatform).

    If the VPN Tunnel Interface is numbered, the interface is assigned a local IP address and a remote IP address.

    The local IP address will be the source IP for connections originating from the gateway and going through the VTI.

    VTIs may share an IP address but cannot use an already existing physical interface IP address.

  • 7/9 Numbered VTI (contd)

    VTIs can be manually configured using vpn shell.

    Syntax for creating VTIs:

        Expert# vpn shell interface add numbered

    Syntax for viewing VTIs:

        vpn shell show interface summary all

    For route based VTIs, after the VTIs are created it is necessary to add static routes pointing to the VTI as the interface used to access the peer's internal network.

  • 8/9 Unnumbered VTI

    Supported only on IPSO 3.9 or higher. If the VTI is unnumbered, local and remote IP addresses are not configured.

    Unnumbered VTIs must be assigned a proxy interface. The proxy interface is used as the source IP for outbound traffic.

  • 9/9 Domain-Based vs Route based VPN

    It is important to note that a route-based VPN does not replace a domain-based VPN, but expands it. Domain-based VPN takes precedence over route-based VPN.

    Dynamic routing protocol information can propagate over the VPN, so a VPN device can be automatically updated with network changes on any VPN peer gateway.

    In case of one tunnel failure, other tunnels may be used to route the traffic.
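The two routing passes from slide 4 (inner packet matched to a VTI, then the encrypted packet routed to the peer's address through a physical interface) and the tunnel failover from slide 9 can be modelled in a few dozen lines. The following is an added example written for this transcript; it is not code from the deck or from Check Point, and the gateway names (gwB, gwC), addresses, interface names and metrics are all constructed for the demonstration. It uses the same longest-prefix-match rule any routing table applies, with routes that point at a VTI whose tunnel is down being skipped so that a backup tunnel route takes over.

```python
"""Toy model of the VTI routing process (slide 4) with tunnel failover (slide 9).

Added example, not code from the deck or from Check Point. The gateway names,
addresses, interface names and metrics below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class VTI:
    """One VPN tunnel interface: a point-to-point link to a single peer gateway."""
    name: str
    peer: str      # peer gateway name (constructed)
    peer_ip: str   # public address of the peer; outer destination after encryption
    up: bool = True


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str     # physical interface name or VTI name
    metric: int = 0


class Gateway:
    def __init__(self):
        self.routes = []
        self.vtis = {}

    def add_vti(self, vti):
        self.vtis[vti.name] = vti

    def add_route(self, prefix, iface, metric=0):
        self.routes.append(Route(ipaddress.ip_network(prefix), iface, metric))

    def lookup(self, dst):
        """Longest-prefix match, then lowest metric. Routes via a VTI whose tunnel
        is down are skipped, which is what lets another tunnel carry the traffic."""
        addr = ipaddress.ip_address(dst)
        usable = [
            r for r in self.routes
            if addr in r.prefix
            and not (r.iface in self.vtis and not self.vtis[r.iface].up)
        ]
        if not usable:
            return None
        return max(usable, key=lambda r: (r.prefix.prefixlen, -r.metric))

    def forward(self, dst):
        """Return (egress physical interface, peer the packet is encrypted for).
        The peer is None when the packet leaves in cleartext; the interface is
        None when no usable path exists."""
        route = self.lookup(dst)
        if route is None:
            return None, None
        if route.iface not in self.vtis:
            return route.iface, None            # ordinary cleartext forwarding
        vti = self.vtis[route.iface]
        # The VPN kernel intercepts the packet at the VTI and encrypts it with the
        # SA for that peer. The outer packet is addressed to the peer's public IP
        # and goes through the routing table a second time to pick the physical
        # interface, exactly as slide 4 describes.
        outer = self.lookup(vti.peer_ip)
        if outer is None or outer.iface in self.vtis:
            return None, vti.peer               # no physical path to the peer
        return outer.iface, vti.peer


def build_demo_gateway():
    """Hub gateway with two VTIs to the same remote network: primary via gwB,
    backup via gwC (all values constructed)."""
    gw = Gateway()
    gw.add_vti(VTI("vti_gwB", "gwB", "203.0.113.2"))
    gw.add_vti(VTI("vti_gwC", "gwC", "198.51.100.2"))
    gw.add_route("0.0.0.0/0", "eth0")                    # Internet-facing interface
    gw.add_route("192.168.1.0/24", "eth1")               # local LAN, never encrypted
    gw.add_route("10.2.0.0/16", "vti_gwB", metric=10)    # static route into primary tunnel
    gw.add_route("10.2.0.0/16", "vti_gwC", metric=20)    # same prefix via backup tunnel
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.forward("10.2.5.7"))       # ('eth0', 'gwB'): encrypted for gwB, out eth0
    print(gw.forward("192.168.1.9"))    # ('eth1', None): local traffic, cleartext
    gw.vtis["vti_gwB"].up = False       # primary tunnel fails
    print(gw.forward("10.2.5.7"))       # ('eth0', 'gwC'): backup tunnel takes over
```

The point to check on a real gateway is the same one the model makes explicit: the static route for the remote network must point at the VTI, while the route for the peer's public address must resolve to a physical interface, otherwise the encrypted packet has nowhere to go.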