Configuration Example

Transcription

1 Configuration Example BOVPN Virtual Interface Load Balancing with OSPF Example configuration files created with WSM v11.10 Revised 5/22/2015 Use Case In this configuration example, an organization has networks at two sites and uses a branch office VPN to connect the two networks. To increase the total throughput between sites and to make their VPN connection more fault-tolerant, they want to set up a second VPN tunnel between the two sites, and load balance connections through both VPN tunnels. This configuration example is provided as a guide. Additional configuration settings could be necessary, or more appropriate, for your network environment. Solution Overview A BOVPN virtual interface provides a secure VPN tunnel for traffic between the networks protected by two Firebox devices. You can configure a second BOVPN virtual interface to send traffic through a second external interface. This configuration example shows how to set up two BOVPN virtual interfaces between two sites and use OSPF to load balance connections through the two VPN tunnels with equal priority. Requirements For the BOVPN virtual load balancing described in this example to operate correctly, each Firebox must use Fireware v11.9 or higher, and each Firebox must have two external interfaces.

2 Example How It Works OSPF supports ECMP (equal cost multipath) load balancing. If multiple routes to the same destination have an equal route metric, OSPF uses ECMP to evenly distribute traffic across multiple routes based on source and destination IP addresses, and the number of connections that currently use each route. In this example configuration, two BOVPN virtual interfaces are configured between two Firebox devices. Each VPN uses a different external interface. The two devices use OSPF to exchange information about routes to their local networks through both tunnels. Because the point-to-point connections through each tunnel have the same metric, OSPF load balances traffic through both tunnels with equal priority. With this configuration: Each Firebox uses OSPF to propagate routes to local networks through both BOVPN virtual interfaces. When both VPN tunnels are available, OSPF uses ECMP to load balance connections through the two VPN tunnels. If one external interface or one tunnel goes down, OSPF automatically sends all traffic through the other BOVPN tunnel. Example To illustrate this use case, we present an example of an organization that has Firebox devices at two locations: one in Hamburg, and another in Berlin. This example shows how to set up two VPN tunnels and load balance traffic through both tunnels with equal priority. Topology This configuration example uses the IP addresses shown in the subsequent diagram. 2 WatchGuard Fireware

3 Network Configuration The IP addresses for each site in this configuration: Firebox Interface Berlin Hamburg External-1 IP address: /29 Default GW: External-2 IP address: /29 Default GW: IP address: /29, Default GW: IP address: /29 Default GW: Trusted network / /24 The details of each configuration file are described in the next section. Example Configuration Files For your reference, we include example configuration files with this document. To examine the details of the configuration files, you can open them with Policy Manager. There are two example configuration files, one for each location in the example. Configuration Filename Berlin.xml Hamburg.xml Description Berlin Firebox Hamburg Firebox Configuration Explained Multi-WAN Configuration The Berlin Firebox has two external interfaces, External-1 and External-2, and one trusted interface Configuration Example 3

4 The Hamburg Firebox has two external interfaces, External-1 and External-2, and one trusted interface. Both Firebox devices are configured to use the Routing Table multi-wan method. The multi-wan method controls load balancing for non-ipsec traffic routed through the external interfaces. The multi-wan settings do not enable load balancing of IPSec traffic through the tunnel. The load balancing of traffic through the tunnel is a function of OSPF, as configured in the subsequent section. In this example multi-wan configuration, each Firebox uses the external IP address of the peer device as a ping link monitor target for each external interface. The ping target is not required, but we recommend that you configure a reliable link monitor target any time you configure multi-wan. 4 WatchGuard Fireware

5 VPN Configuration The example configurations contain two BOVPN virtual interfaces for VPN connections between each site. To see the BOVPN virtual interfaces: 1. Open the example configuration file in Policy Manager. 2. Select VPN > BOVPN Virtual Interfaces. Each device has two BOVPN virtual interfaces. Each BOVPN virtual interface is named to represent the location of the remote device, and which local external interface it uses. BOVPN Virtual Interfaces Each Firebox has two BOVPN virtual interfaces. The Berlin Firebox has two BOVPN virtual interfaces: BovpnVif.Hamburg-1 Uses the External-1 interface BovpnVif.Hamburg-2 Uses the External-2 interface The Hamburg Firebox has two BOVPN virtual interfaces: BovpnVif.Berlin-1 Uses the External-1 interface BovpnVif.Berlin-2 Uses the External-2 interface For each BOVPN virtual interface, the remote gateway ID is an external IP address on the peer Firebox. Configuration Example 5

6 VPN-1 Configuration on the Berlin Firebox On the Berlin Firebox, BovpnVif.Hamburg-1 uses the external interface External-1 to connect to the remote gateway at the Hamburg Firebox. In the Gateway Settings tab: The Local Gateway ID is set to the IP address of the local External-1 interface, The Interface is set to External-1. The Remote Gateway IP Address and ID are both set to the IP address of the external interface on the Hamburg Firebox, WatchGuard Fireware

7 To configure dynamic routing through a BOVPN virtual interface, you must assign virtual interface IP addresses in the VPN Routes tab. In the VPN Routes tab, the virtual IP addresses are set to: Local IP address: Peer IP address: For this example, the virtual interface IP addresses used for both tunnels are all in the /24 subnet. This subnet is used in the OSPF configuration to define a point-to-point network. Configuration Example 7

8 VPN-1 Configuration on the Hamburg Firebox On the Hamburg Firebox, BovpnVif.Berlin-1 uses the external interface External-1 to connect to the remote gateway at the BerlinFirebox. In the Gateway Settings tab: The Local Gateway ID is set to the IP address of the local External-1 interface, The Interface is set to External-1. The Remote Gateway IP Address and ID are both set to the IP address of the external interface on the Berlin Firebox, A Local IP address and Peer IP address are configured in the VPN Routes tab. These IP addresses are used in the OSPF configuration to define a point-to-point network. These IP addresses must be the opposite of the addresses configured for this tunnel on the peer Firebox. 8 WatchGuard Fireware

9 Configuration Example 9

10 In the VPN Routes tab, the virtual IP addresses are set to: Local IP address: Peer IP address: VPN-2 Configuration on the Berlin Firebox The second BOVPN virtual interface on each device is configured very similarly, except that the gateway endpoints specify the second external interface, External-2, and use the IP addresses of the second external interface on each device as the local and remote gateway endpoints. In the Gateway Settings tab: The Local Gateway ID is set to the IP address of the local External-2 interface, The Interface is set to External-2. The Remote Gateway IP Address and ID are both set to the IP address of the external-2 interface on the Hamburg Firebox, In the VPN Routes tab the virtual IP addresses are set to: Local IP address: Peer IP address: VPN-2 Configuration on the Hamburg Firebox In the Gateway Settings tab: The Local Gateway ID is set to the IP address of the local External-2 interface, The Interface is set to External-2. The Remote Gateway IP Address and ID are both set to the IP address of the external-2 interface on the Hamburg Firebox, In the VPN Routes tab, the virtual IP addresses are set to: Local IP address: Peer IP address: These IP addresses are the opposite of the addresses configured for this tunnel on the peer Firebox. 10 WatchGuard Fireware

11 Dynamic Routing Configuration In the example dynamic routing configuration: The router-id is set to the IP address of the trusted interface. All interfaces are passive except the two BOVPN virtual interfaces, bvpn1 and bvpn2. Each Firebox announces /24, the subnet used for the point-to-point networks through each tunnel. o The local and peer IP addresses for both BOPVN virtual interfaces fall within this subnet. Each Firebox announces its own trusted network: o The Berlin Firebox announces /24 o The Hamburg Firebox announces /24 Dynamic routing configuration on the Berlin Firebox: router ospf ospf router-id ! exclude all but bvpn virtual interfaces passive-interface default no passive-interface bvpn1 no passive-interface bvpn2! which networks are announced in OSPF area ! bvpn Point-to-Point networks network /24 area ! Trusted network network /24 area Dynamic routing configuration on the Hamburg Firebox: router ospf ospf router-id ! exclude all but bvpn interfaces passive-interface default no passive-interface bvpn1 no passive-interface bvpn2! which networks are announced in OSPF area ! bvpn Point-to-Point networks network /24 area ! Trusted network network /24 area Configuration Example 11

12 Dynamic Routes After the configuration is saved to the two Firebox devices, the routes propagate through the tunnel to each device. With this configuration, each device has two routes to the remote trusted network. Both routes have the same metric, and each uses a different virtual interface. After the tunnels are established between the two devices, you can see the learned routes in the Status Report. Routes on the Berlin Firebox The IPv4 Routes section of the Status Report on the Berlin Firebox shows the two routes to the trusted network on the Hamburg trusted network, one through bvpn1 and one through bvpn2. The OSPF network routing table shows the two routes through each BOVPN virtual interface. 12 WatchGuard Fireware

13 Routes on the Hamburg Firebox On the Hamburg Firebox, the IPv4 Routes table shows two routes to the trusted network of the Berlin Firebox. The OSPF network routing table shows the two routes through each BOVPN virtual interface. Configuration Example 13

14 Conclusion Monitor VPN Load Balancing In Firebox System Manager you can monitor the load balancing through the two VPN tunnels. The images below show an example of what the load balancing looks like when monitored from the Berlin Firebox. On the Traffic Monitor tab, you can see that both VPN tunnels are used for connections from different clients. On the Front Panel tab you can monitor the traffic statistics for both VPN interfaces to see the traffic load balanced through both tunnels. Conclusion This configuration example demonstrates how to configure OSPF to do load balancing through two BOVPN virtual interfaces. This type of configuration provides redundancy for the secure connection between the two networks, as well as load balancing of IPSec VPN traffic through two external interfaces. You could extend this configuration to load balance connections through more than two VPN tunnels if both devices have additional external interfaces. For more information about how to configure BOVPN virtual interfaces and dynamic routing, see the Fireware Help. 14 WatchGuard Fireware

15 About this Configuration Example About this Configuration Example This configuration example is provided as a guide. Additional configuration settings could be necessary, or more appropriate, for your network environment. For complete product documentation, see the Fireware XTM WatchGuard System Manager Help or Fireware XTM Web UI Help on the WatchGuard website at: Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. Copyright, Trademark, and Patent Information Copyright WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners. Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: About WatchGuard WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer rightsized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity. For more information, please call or visit Address 505 Fifth Avenue South Suite 500 Seattle, WA Support U.S. and Canada All Other Countries Sales U.S. and Canada All Other Countries Configuration Example 15

16 About this Configuration Example Configuration Example 16