large-scaledistributed enterprisewithbovpn ... · configuration example — large-scale distributed...
TRANSCRIPT
v11.12.2
Configuration Example
Large-Scale DistributedEnterprise with BOVPN
Virtual Interfaces and OSPF
WatchGuard Fireboxes
2 WatchGuard Technologies, Inc.
Large-Scale Distributed Enterprise with BOVPN VirtualInterfaces and OSPF
Configuration files created with — Policy Manager v11.12.2
Configuration files created for — Fireware v11.12.2
Use Case
An organization has networks at multiple remote sites that connect with twomain corporate sites through BOVPN virtual
interfaces. It is important that the remote sites remain connected to both corporate sites at all times. Because a link failure
could disrupt business, the organization wants to add redundancy so remote sites havemore than one route to each
corporate site. In this configuration example, we useOSPF to configure redundant routes.
This configuration example is provided as a basic guide. Your network environment mightrequire additional configuration settings.
Solution Overview
This configuration example describes two solutions. Both solutions include BOVPN virtual interfaces, dynamic routing with
OSPF, and anMPLS line between themain corporate sites. The solutions differ in these ways:
n In Solution A, theMPLS endpoints are on the same subnet. A BOVPN virtual interface between theMPLS endpoints isnot required.
n In Solution B, theMPLS endpoints are on different subnets. A BOVPN virtual interface between theMPLS endpoints isincluded in the configuration. TheOSPF configuration includes additional information so the two sites can advertiseroutes to each other.
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 1
To implement and support this configuration on your network, youmust understand dynamicrouting.
How It Works
For both solutions in this configuration example, the organization has multiple retail stores with VPN connections to
networks at Headquarters and a Datacenter. Headquarters and the Datacenter ares connected by anMPLS link. TheOSPF
dynamic routing protocol is configured on a Firebox at each site.
Each store has routes to Headquarters and the Datacenter. Traffic is always routed along the best (lowest cost) route. For
example, traffic from Store 1 to Headquarters is normally routed through the VPN tunnel between Store 1 and Headquarters.
Traffic from Store 1 to the Datacenter is normally routed through the VPN tunnel between Store 1 to the Datacenter.
If the link between Store 1 and Headquarters becomes unavailable, Store 1 can still access the network at Headquarters
after this process occurs:
n OSPF recalculates metrics for routes in its table to find the best route.n After a brief delay, Store 1 traffic destined for Headquarters is automatically routed along the best route, which is now
through the VPN tunnel from Store 1 to the Datacenter, and from the Datacenter to Headquarters.
If the failed link becomes available again, OSPF recalculates metrics and sends traffic along the best route.
Large-ScaleDistributedEnterprisewith BOVPNVirtual Interfaces andOSPF
2 WatchGuard Technologies, Inc.
Large-ScaleDistributedEnterprisewith BOVPNVirtual Interfaces andOSPF
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 3
Example Configuration Files
For your reference, we included example configuration files with this document. To view the configuration files, you can open
them with Policy Manager. The two retail store configuration files, Store1.xml and Store2.xml, are the same for both
Solution A and B.
Solution A (MPLS without a VPN):
Configuration File Name Description
SolutionA-Headquarters.xml Headquarters Firebox
SolutionA-Datacenter.xml Datacenter Firebox
Store1.xml Store 1 Firebox
Store2.xml Store 2 Firebox
Solution B (MPLS with a VPN):
Configuration Filename Description
SolutionB-Headquarters.xml Headquarters Firebox
SolutionB-Datacenter.xml Datacenter Firebox
Store1.xml Store 1 Firebox
Store2.xml Store 2 Firebox
Requirements
This configuration example has these requirements:
n Firebox at each siten BOVPN virtual interfaces configured on each Fireboxn OSPF configured on each Fireboxn MPLS link between Headquarters and the Datacenter without a BOVPN (for Solution A)n MPLS link between Headquarters and the Datacenter with a BOVPN (for Solution B)
Solution A Configuration Explained
The next few sections explain the configuration for Solution A:
n Network Topology
n BOVPNConfiguration
n OSPF Configuration
For an explanation of Solution B, see Solution B Configured Explained.
Network Topology for Solution A
This diagram shows the network topology for Solution A. This solution includes two remote sites and aMPLS connection
without a VPN. You can addmore remote sites as needed which is indicated by the Firebox at Retail Store (n) in OSPF Area
(n).
Solution AConfiguration Explained
4 WatchGuard Technologies, Inc.
Solution AConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 5
This list summarizes the interface IP addresses used in Solution A.
Firebox Interface Headquarters Datacenter Store 1 Store 2
External 22.22.22.5 100.0.0.5 15.15.15.1 21.21.21.5
Trusted 10.0.0.1 192.168.0.1 10.0.1.1 10.0.2.1
Optional-MPLS 192.168.10.1 192.168.10.2 n/a n/a
VPN Configuration for Solution A
The Firebox at each retail store has two BOVPN virtual interfaces. The interface names indicate the location of the
peer Firebox.
The Fireboxes at Headquarters and the Datacenter also have two BOVPN virtual interfaces:
BOVPN Virtual Interface Gateway Settings
On theGateway Settings tab for each virtual interface, configure these settings:
n Local Gateway ID — IP address of the local external interfacen Interface — Set to Externaln Remote Gateway IP Address — IP address of the external interface on the peer Fireboxn Remote Gateway ID — IP address of the external interface on the peer Firebox
Store 1
Gateway settings on the Store 1 Firebox for a connection to Headquarters:
Solution AConfiguration Explained
6 WatchGuard Technologies, Inc.
Solution AConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 7
Gateway settings on the Store 1 Firebox for a connection to the Datacenter:
Store 2
Gateway settings on the Store 2 Firebox for a connection to Headquarters:
Solution AConfiguration Explained
8 WatchGuard Technologies, Inc.
Solution AConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 9
Gateway settings on the Store 2 Firebox for a connection to the Datacenter:
Headquarters
Gateway settings on the Headquarters Firebox for a connection to Store 1:
Solution AConfiguration Explained
10 WatchGuard Technologies, Inc.
Solution AConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 11
Gateway Settings on the Headquarters Firebox for a connection to Store 2:
Datacenter
Gateway Settings on the Datacenter Firebox for a connection to Store 1:
Solution AConfiguration Explained
12 WatchGuard Technologies, Inc.
Solution AConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 13
Gateway Settings on the Datacenter Firebox for a connection to Store 2:
BOVPN Virtual Interface Phase 1 and 2 Settings
The configuration files include these recommended security settings:
Phase 1:
Authentication — SHA-2 (256)
Encryption — AES (256)
Key Group — Diffie-HelmanGroup 15
Phase 2:
Type — ESP
Authentication— SHA-2 (256)
Encryption— AES (256)
SHA-2 is not supported on XTM505, 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050,and 2050 devices. The hardware cryptographic acceleration in thosemodels does not supportSHA-2. All other models support SHA-2.
If your XTM device does not support SHA-2, we recommend these settings:
Phase 1:
Authentication — SHA-1
Encryption — AES (256)
Key Group — Diffie-HelmanGroup 2
Phase 2:
Keep the default proposal, which is ESP-AES-SHA1.
If your MPLS link is a leased line, and you want to avoid the overhead from encryption, we recommend these Phase 2
settings:
Type — ESP
Authentication — SHA-1
Encryption — None
Solution AConfiguration Explained
14 WatchGuard Technologies, Inc.
Solution AConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 15
BOVPN Virtual Interface IP Addresses
To configure dynamic routing through a BOVPN virtual interface, youmust assign virtual interface IP addresses in the VPN
Routes tab.
You can specify any IP addresses that do not conflict with IP addresses already on your network. We recommend that you
specify a unique IP address for each virtual interface IP address on your network.
We also recommend that you plan which IP addresses to use in advance. For administrative convenience, we used the third
octet of each virtual IP address to indicate the OSPF area number. For example, the third octet in the IP addresses
172.30.1.1 and 172.30.1.2 indicates a VPN tunnel that terminates in Area 1. The third octet in the IP addresses 172.30.2.1
and 172.30.2.2 indicates a VPN tunnel that terminates in Area 2. For more information about OSPF areas, see theOSPF
Configuration section.
In our example, we use these virtual IP addresses:
Firebox Location Virtual IP Addresses
Headquarters 172.30.1.1
172.30.2.1
Datacenter 172.31.1.1
172.31.2.1
Store 1 172.30.1.2172.31.1.2
Store 2 172.30.2.2172.31.2.2
On the VPN Routes tab, these settings are configured:
n Local IP address — The virtual IP address of the local Fireboxn Peer IP address or netmask — The virtual IP address of the peer Firebox
For example, on the Firebox at Store 1, type these IP addresses for a VPN connection to Headquarters:
Solution AConfiguration Explained
16 WatchGuard Technologies, Inc.
Solution AConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 17
On the Firebox at Store 1, for a connection to the Datacenter:
For examples of virtual interface IP addresses for all other sites, see the attached configuration files.
OSPF Configuration for Solution A
OSPF is enabled on the Firebox at each site. TheOSPF configuration includes:
n Routesn Area definitionsn Route filters
Large networks are typically divided into areas, which are subsets of the OSPF network. Each area has its own number.
To reduce convergence times, and to take advantage of route filters, we recommend that you define OSPF areas. In our
example, Area 0 includes both Headquarters and the Datacenter. Each store has its own area, whichmeans Store 1 is in
Area 1, and Store 2 is in Area 2.
Firebox Location OSPF Area
Headquarters 0
Datacenter 0
Store 1 1
Store 2 2
To prevent unnecessary route table entries, we recommend that you specify route filters in the OSPF configuration. Your
Firebox only advertises routes permitted by the route filter. In our example, route filters in the Headquarters and Datacenter
configurations deny advertisements for intra-area routes between retail stores.
For the router-id, specify the virtual IP address of the local Firebox.
For Solution A, the OSPF configurations for each Firebox are as follows.
Store 1
router ospfospf router-id 172.30.1.2
!BOVPN to HQnetwork 172.30.1.1/32 area 1
!BOVPN to DCnetwork 172.31.1.1/32 area 1
!Local networknetwork 10.0.1.0/24 area 1
Store 2
router ospfospf router-id 172.30.2.2
!BOVPN to HQnetwork 172.30.2.1/32 area 2
!BOVPN to DCnetwork 172.31.2.1/32 area 2
!Local networknetwork 10.0.2.0/24 area 2
Solution AConfiguration Explained
18 WatchGuard Technologies, Inc.
Solution AConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 19
Headquarters
!Distribute inter-area routes from HQ and DC to Remoteip prefix-list Central-2-Remote permit 10.0.0.0/24ip prefix-list Central-2-Remote permit 192.168.10.0/24ip prefix-list Central-2-Remote permit 192.168.0.0/24ip prefix-list Central-2-Remote deny any
router ospfospf router-id 172.30.1.1
!Internal network area 0network 10.0.0.0/24 area 0network 192.168.10.0/24 area 0
!Remote sites individual areanetwork 172.30.1.2/32 area 1network 172.30.2.2/32 area 2
!Filter the routes from HQ to remotearea 1 filter-list prefix Central-2-Remote inarea 2 filter-list prefix Central-2-Remote in
Datacenter
!Filter propagated listsip prefix-list Central-2-Remote permit 10.0.0.0/24ip prefix-list Central-2-Remote permit 192.168.0.0/24ip prefix-list Central-2-Remote permit 192.168.10.0/24ip prefix-list Central-2-Remote deny any
router ospfospf router-id 172.31.1.1
!Add the local network to area 0network 192.168.0.0/24 area 0network 192.168.10.0/24 area 0
!VIF sitesnetwork 172.30.1.2/32 area 1network 172.30.2.2/32 area 2
!Filter the routes from DC to remotesarea 1 filter-list prefix Central-2-Remote inarea 2 filter-list prefix Central-2-Remote in
Solution B Configuration Explained
The next sections explain the configuration for Solution B:
n Network Topology
n BOVPNConfiguration
n OSPF Configuration
Network Topology for Solution B
This diagram shows the network topology for Solution B which includes a VPN for theMPLS connection.
In this diagram, we show configuration information for two remote sites. You can addmore remote sites as needed which is
indicated by "OSPF Area (n)."
Solution BConfiguration Explained
20 WatchGuard Technologies, Inc.
Solution BConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 21
This list summarizes the interface IP addresses used in Solution B.
Firebox Interface Headquarters Datacenter Store 1 Store 2
External 22.22.22.5 100.0.0.5 15.15.15.1 21.21.21.5
Trusted 10.0.0.1 192.168.0.1 10.0.1.1 10.0.2.1
Optional-MPLS 192.168.10.1 172.16.21.2 n/a n/a
VPN Configuration for Solution B
The Firebox at each retail store has two BOVPN virtual interfaces. The interface names indicate the location of the peer
Firebox.
The Firebox at Headquarters has these BOVPN virtual interfaces. Solution B requires a BOVPN between Headquarters and
the Datacenter:
The Firebox at the Datacenter has these BOVPN virtual interfaces:
BOVPN Virtual Interface Gateway Settings
On theGateway Settings tab for each virtual interface, configure these settings:
n Local Gateway ID — IP address of the local external interfacen Interface — Set to Externaln Remote Gateway IP Address — IP address of the external interface on the peer Fireboxn Remote Gateway ID — IP address of the external interface on the peer Firebox
Solution BConfiguration Explained
22 WatchGuard Technologies, Inc.
Solution BConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 23
Store 1
Gateway settings on the Store 1 Firebox for a connection to Headquarters:
Gateway settings on the Store 1 Firebox for a connection to the Datacenter:
Solution BConfiguration Explained
24 WatchGuard Technologies, Inc.
Solution BConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 25
Store 2
Gateway settings on the Store 2 Firebox for a connection to Headquarters:
Gateway settings on the Store 2 Firebox for a connection to the Datacenter:
Solution BConfiguration Explained
26 WatchGuard Technologies, Inc.
Solution BConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 27
Headquarters
Gateway settings on the Headquarters Firebox for a connection to Store 1:
Gateway Settings on the Headquarters Firebox for a connection to Store 2:
Solution BConfiguration Explained
28 WatchGuard Technologies, Inc.
Solution BConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 29
Gateway Settings on the Headquarters Firebox for anMPLS connection the Datacenter:
Datacenter
Gateway Settings on the Datacenter Firebox for a connection to Store 1:
Solution BConfiguration Explained
30 WatchGuard Technologies, Inc.
Solution BConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 31
Gateway Settings on the Datacenter Firebox for a connection to Store 2:
Gateway Settings on the Datacenter Firebox for anMPLS connection Headquarters:
Solution BConfiguration Explained
32 WatchGuard Technologies, Inc.
Solution BConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 33
BOVPN Virtual Interface Phase 1 and 2 Settings
The configuration files include these recommended security settings:
Phase 1:
Authentication — SHA-2 (256)
Encryption — AES (256)
Key Group — Diffie-HelmanGroup 15
Phase 2:
Type — ESP
Authentication— SHA-2 (256)
Encryption— AES (256)
SHA-2 is not supported on XTM505, 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050,and 2050 devices. The hardware cryptographic acceleration in thosemodels does not supportSHA-2. All other models support SHA-2.
If your XTM device does not support SHA-2, we recommend these settings:
Phase 1:
Authentication — SHA-1
Encryption — AES (256)
Key Group — Diffie-HelmanGroup 2
Phase 2:
Keep the default proposal, which is ESP-AES-SHA1.
If your MPLS link is a leased line, and you want to avoid the overhead required for encryption, we recommend these Phase 2
settings:
Type — ESP
Authentication — SHA-1
Encryption — None
BOVPN Virtual Interface IP Addresses
To configure dynamic routing through a BOVPN virtual interface, youmust assign virtual interface IP addresses in the VPN
Routes tab.
You can specify any IP addresses that do not conflict with IP addresses already on your network. We recommend that you
specify a unique IP address for each virtual interface IP address on your network.
We also recommend that you plan which IP addresses to use in advance. For administrative convenience, we used the third
octet of each virtual IP address to indicate the OSPF area number. For example, the third octet in the IP addresses
172.30.1.1 and 172.30.1.2 indicates a VPN tunnel that terminates in Area 1. The third octet in the IP addresses 172.30.2.1
and 172.30.2.2 indicates a VPN tunnel that terminates in Area 2. For more information about OSPF areas, see theOSPF
Configuration section.
In our example, we use these virtual IP addresses:
Firebox Location Virtual IP Addresses
Headquarters 172.30.1.1
172.30.2.1
172.16.48.1
Datacenter 172.31.1.1
172.31.2.1
172.16.48.2
Store 1 172.30.1.2172.31.1.2
Store 2 172.30.2.2172.31.2.2
On the VPN Routes tab, these settings are configured:
n Local IP address — The virtual IP address of the local Fireboxn Peer IP address or netmask — The virtual IP address of the peer Firebox
Solution BConfiguration Explained
34 WatchGuard Technologies, Inc.
Solution BConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 35
For example, on the Firebox at Store 1, type these IP addresses for a VPN connection to Headquarters:
On the Firebox at Store 1, for a connection to the Datacenter:
For examples of virtual interface IP addresses for all other sites, see the attached configuration files.
Solution BConfiguration Explained
36 WatchGuard Technologies, Inc.
Solution BConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 37
OSPF Configuration for Solution B
OSPF is enabled on the Firebox at each site. TheOSPF configuration includes:
n Routesn Area definitionsn Route filters
Large networks are typically divided into areas, which are subsets of the OSPF network. Each area has its own number.
To reduce convergence times, and to take advantage of route filters, we recommend that you define OSPF areas. In our
example, Area 0 includes both Headquarters and the Datacenter. Each store has its own area, whichmeans Store 1 is in
Area 1, and Store 2 is in Area 2.
Firebox Location OSPF Area
Headquarters 0
Datacenter 0
Store 1 1
Store 2 2
To prevent unnecessary route table entries, we recommend that you specify route filters in the OSPF configuration. Your
Firebox only advertises routes permitted by the route filter. In our example, route filters in the Headquarters and Datacenter
configurations deny advertisements for intra-area routes between retail stores.
For the router-id, specify the virtual IP address of the local Firebox.
For Solution B, the OSPF configuration for the Headquarters and Datacenter Fireboxes has an additional network command.
TheOSPF configuration for the retail stores is the same as in Solution A.
Store 1
router ospfospf router-id 172.30.1.2
!BOVPN to HQnetwork 172.30.1.1/32 area 1
!BOVPN to DCnetwork 172.31.1.1/32 area 1
!Local networknetwork 10.0.1.0/24 area 1
Store 2
router ospfospf router-id 172.30.2.2
!BOVPN to HQnetwork 172.30.2.1/32 area 2
!BOVPN to DCnetwork 172.31.2.1/32 area 2
!Local networknetwork 10.0.2.0/24 area 2
Headquarters
!Distribute inter-area routes from HQ and DC to Remote
ip prefix-list Central-2-Remote permit 10.0.0.0/24ip prefix-list Central-2-Remote permit 192.168.0.0/24ip prefix-list Central-2-Remote deny any
router ospfospf router-id 172.30.1.1
!Internal network area 0network 10.0.0.0/24 area 0network 192.168.10.0/24 area 0
#To exchange OSPF info with HQ, we must create a BOVPN VIF between the Datacenter and HQ via theinterface connected to the MPLS line
#The IP address of this BOVPN VIF is set as (local 172.16.48.1 — peer 172.16.48.2/32)#Add it to area 0 as wellnetwork 172.16.48.2/32 area 0
!Remote sites individual areanetwork 172.30.1.2/32 area 1network 172.30.2.2/32 area 2
!Filter the routes from HQ to remotearea 1 filter-list prefix Central-2-Remote inarea 2 filter-list prefix Central-2-Remote in
Solution BConfiguration Explained
38 WatchGuard Technologies, Inc.
Solution BConfiguration Explained
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 39
Datacenter
!Filter propagated listsip prefix-list Central-2-Remote permit 10.0.0.0/24ip prefix-list Central-2-Remote permit 192.168.0.0/24ip prefix-list Central-2-Remote deny any
router ospfospf router-id 172.31.1.1
!Add the local network to area 0network 192.168.0.0/24 area 0network 192.168.10.0/24 area 0
#To exchange OSPF info with HQ, we must create a BOVPN VIF between the Datacenter and HQ via theinterface connected to the MPLS line
#The IP address of this BOVPN VIF is set as (local 172.16.48.2 — peer 172.16.48.1/32)#Add it to area 0 as wellnetwork 172.16.48.1/32 area 0
!VIF sitesnetwork 172.30.1.2/32 area 1network 172.30.2.2/32 area 2
!Filter the routes from DC to remotesarea 1 filter-list prefix Central-2-Remote inarea 2 filter-list prefix Central-2-Remote in
Conclusion
This configuration example demonstrates how to configure redundant links andOSPF on a large distributed network. This
type of configuration provides redundant VPN connections between the remote sites and themain corporate network sites.
This example includes two remote sites, but you can add as many remote sites as needed.
This example describes two different solutions. Solution A shows anMPLS connection without a VPN. Solution B shows an
MPLS connection with a VPN.
For more information about how to configure BOVPN virtual interfaces and dynamic routing, see the Fireware Help.
Configuration Example— Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces andOSPF 40