
Configuration Example
BOVPN Virtual Interface Load Balancing with OSPF

Example configuration files created with WSM v11.10
Revised 5/22/2015

Use Case

In this configuration example, an organization has networks at two sites and uses a branch office VPN to connect the two networks. To increase the total throughput between sites and to make the VPN connection more fault-tolerant, they want to set up a second VPN tunnel between the two sites and load balance connections through both VPN tunnels.

This configuration example is provided as a guide. Additional configuration settings could be necessary, or more appropriate, for your network environment.

Solution Overview

A BOVPN virtual interface provides a secure VPN tunnel for traffic between the networks protected by two Firebox devices. You can configure a second BOVPN virtual interface to send traffic through a second external interface. This configuration example shows how to set up two BOVPN virtual interfaces between two sites and use OSPF to load balance connections through the two VPN tunnels with equal priority.

Requirements

For the BOVPN virtual interface load balancing described in this example to operate correctly, each Firebox must run Fireware v11.9 or higher, and each Firebox must have two external interfaces.

How It Works

OSPF supports ECMP (equal cost multipath) load balancing. If multiple routes to the same destination have an equal route metric, OSPF uses ECMP to distribute traffic across those routes based on source and destination IP addresses and on the number of connections that currently use each route. Because the route is chosen per connection rather than per packet, any single connection uses one tunnel at a time; the added throughput shows up across many concurrent connections, not within one.

In this example configuration, two BOVPN virtual interfaces are configured between two Firebox devices. Each VPN uses a different external interface. The two devices use OSPF to exchange information about routes to their local networks through both tunnels. Because the point-to-point connections through each tunnel have the same metric, OSPF load balances traffic through both tunnels with equal priority.

With this configuration:
- Each Firebox uses OSPF to propagate routes to its local networks through both BOVPN virtual interfaces.
- When both VPN tunnels are available, OSPF uses ECMP to load balance connections through the two VPN tunnels.
- If one external interface or one tunnel goes down, OSPF automatically sends all traffic through the other BOVPN tunnel.

Example

To illustrate this use case, we present an example of an organization that has Firebox devices at two locations: one in Hamburg, and another in Berlin. This example shows how to set up two VPN tunnels and load balance traffic through both tunnels with equal priority.

Topology

This configuration example uses the IP addresses shown in the topology diagram of the original document (not reproduced here) and in the Network Configuration table that follows.

Network Configuration

The IP addresses for each site in this configuration:

Firebox Interface   Berlin                        Hamburg
External-1          IP address: 192.0.2.1/29      IP address: 192.0.2.9/29
                    Default GW: 192.0.2.6         Default GW: 192.0.2.14
External-2          IP address: 203.0.113.1/29    IP address: 203.0.113.9/29
                    Default GW: 203.0.113.6       Default GW: 203.0.113.14
Trusted network     172.16.100.0/24               172.16.101.0/24

The details of each configuration file are described in the next section.

Example Configuration Files

For your reference, we include example configuration files with this document. To examine the details of the configuration files, you can open them with Policy Manager. There are two example configuration files, one for each location in the example.

Configuration Filename   Description
Berlin.xml               Berlin Firebox
Hamburg.xml              Hamburg Firebox

Configuration Explained

Multi-WAN Configuration

The Berlin Firebox has two external interfaces, External-1 and External-2, and one trusted interface.

The Hamburg Firebox has two external interfaces, External-1 and External-2, and one trusted interface.

Both Firebox devices are configured to use the Routing Table multi-WAN method. The multi-WAN method controls load balancing only for non-IPSec traffic routed through the external interfaces; the multi-WAN settings do not load balance IPSec traffic through the tunnels. Load balancing of traffic through the tunnels is a function of OSPF, as configured in the Dynamic Routing Configuration section.

In this example multi-WAN configuration, each Firebox uses the external IP address of the peer device as the ping link monitor target for each external interface. The ping target is not required, but we recommend that you configure a reliable link monitor target any time you configure multi-WAN.

VPN Configuration

The example configurations contain two BOVPN virtual interfaces for VPN connections between the sites. To see the BOVPN virtual interfaces:

1. Open the example configuration file in Policy Manager.
2. Select VPN > BOVPN Virtual Interfaces.

Each device has two BOVPN virtual interfaces. Each BOVPN virtual interface is named to represent the location of the remote device and the local external interface it uses.

BOVPN Virtual Interfaces

The Berlin Firebox has two BOVPN virtual interfaces:
- BovpnVif.Hamburg-1 uses the External-1 interface
- BovpnVif.Hamburg-2 uses the External-2 interface

The Hamburg Firebox has two BOVPN virtual interfaces:
- BovpnVif.Berlin-1 uses the External-1 interface
- BovpnVif.Berlin-2 uses the External-2 interface

For each BOVPN virtual interface, the remote gateway ID is an external IP address on the peer Firebox.

VPN-1 Configuration on the Berlin Firebox

On the Berlin Firebox, BovpnVif.Hamburg-1 uses the external interface External-1 to connect to the remote gateway at the Hamburg Firebox.

In the Gateway Settings tab:
- The Local Gateway ID is set to the IP address of the local External-1 interface, 192.0.2.1.
- The Interface is set to External-1.
- The Remote Gateway IP Address and ID are both set to the IP address of the External-1 interface on the Hamburg Firebox, 192.0.2.9.

To configure dynamic routing through a BOVPN virtual interface, you must assign virtual interface IP addresses in the VPN Routes tab. In the VPN Routes tab, the virtual IP addresses are set to:
- Local IP address: 10.0.10.1
- Peer IP address: 10.0.10.3

For this example, the virtual interface IP addresses used for both tunnels are all in the 10.0.10.0/24 subnet. This subnet is used in the OSPF configuration to define a point-to-point network.

VPN-1 Configuration on the Hamburg Firebox

On the Hamburg Firebox, BovpnVif.Berlin-1 uses the external interface External-1 to connect to the remote gateway at the Berlin Firebox.

In the Gateway Settings tab:
- The Local Gateway ID is set to the IP address of the local External-1 interface, 192.0.2.9.
- The Interface is set to External-1.
- The Remote Gateway IP Address and ID are both set to the IP address of the External-1 interface on the Berlin Firebox, 192.0.2.1.

A Local IP address and Peer IP address are configured in the VPN Routes tab. These IP addresses are used in the OSPF configuration to define a point-to-point network. They must be the mirror of the addresses configured for this tunnel on the peer Firebox: the Local IP address here is the Peer IP address there, and vice versa.


In the VPN Routes tab, the virtual IP addresses are set to:
- Local IP address: 10.0.10.3
- Peer IP address: 10.0.10.1

VPN-2 Configuration on the Berlin Firebox

The second BOVPN virtual interface on each device is configured very similarly, except that the gateway endpoints specify the second external interface, External-2, and use the IP addresses of the second external interface on each device as the local and remote gateway endpoints.

In the Gateway Settings tab:
- The Local Gateway ID is set to the IP address of the local External-2 interface, 203.0.113.1.
- The Interface is set to External-2.
- The Remote Gateway IP Address and ID are both set to the IP address of the External-2 interface on the Hamburg Firebox, 203.0.113.9.

In the VPN Routes tab, the virtual IP addresses are set to:
- Local IP address: 10.0.10.4
- Peer IP address: 10.0.10.2

VPN-2 Configuration on the Hamburg Firebox

In the Gateway Settings tab:
- The Local Gateway ID is set to the IP address of the local External-2 interface, 203.0.113.9.
- The Interface is set to External-2.
- The Remote Gateway IP Address and ID are both set to the IP address of the External-2 interface on the Berlin Firebox, 203.0.113.1.

In the VPN Routes tab, the virtual IP addresses are set to:
- Local IP address: 10.0.10.2
- Peer IP address: 10.0.10.4

These IP addresses are the mirror of the addresses configured for this tunnel on the peer Firebox.

Dynamic Routing Configuration

In the example dynamic routing configuration:
- The router-id is set to the IP address of the trusted interface.
- All interfaces are passive except the two BOVPN virtual interfaces, bvpn1 and bvpn2.
- Each Firebox announces 10.0.10.0/24, the subnet used for the point-to-point networks through each tunnel. The local and peer IP addresses for both BOVPN virtual interfaces fall within this subnet.
- Each Firebox announces its own trusted network: the Berlin Firebox announces 172.16.100.0/24 and the Hamburg Firebox announces 172.16.101.0/24.

Dynamic routing configuration on the Berlin Firebox:

    router ospf
    ospf router-id 172.16.100.1
    ! exclude all but bvpn virtual interfaces
    passive-interface default
    no passive-interface bvpn1
    no passive-interface bvpn2
    ! which networks are announced in OSPF area 0.0.0.0
    ! bvpn Point-to-Point networks
    network 10.0.10.0/24 area 0.0.0.0
    ! Trusted network
    network 172.16.100.0/24 area 0.0.0.0

Dynamic routing configuration on the Hamburg Firebox:

    router ospf
    ospf router-id 172.16.101.1
    ! exclude all but bvpn interfaces
    passive-interface default
    no passive-interface bvpn1
    no passive-interface bvpn2
    ! which networks are announced in OSPF area 0.0.0.0
    ! bvpn Point-to-Point networks
    network 10.0.10.0/24 area 0.0.0.0
    ! Trusted network
    network 172.16.101.0/24 area 0.0.0.0
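The settings in the VPN Configuration and Dynamic Routing Configuration sections depend on each other across two configuration files: each remote gateway ID must be the peer's local gateway address, the Local and Peer IP addresses in the VPN Routes tab must be mirrored on the two Fireboxes, the OSPF network statements must cover those virtual interface addresses and the trusted network, and only the bvpn interfaces may be non-passive. A one-digit slip in any of these is easy to make when editing two files by hand. The following script is an added example, not part of this document and not WatchGuard code: it models the values from the tables above as plain Python data and checks those invariants before anything is saved to the devices. The dictionary layout, the function names, and the pairing of bvpn1/bvpn2 with the named BOVPN virtual interfaces are assumptions of the example rather than a WatchGuard file format; the check that the two OSPF router-ids differ goes beyond what the document states but is a standard OSPF requirement.

```python
# Added example (not WatchGuard code): check the two Fireboxes' BOVPN/OSPF settings for this document's invariants.
import ipaddress
import re

def vif(name, iface, local_gw, remote_gw, local_ip, peer_ip, peer):
    # peer = (site, vif id) of the matching virtual interface on the other Firebox
    return dict(name=name, iface=iface, local_gw=local_gw, remote_gw=remote_gw,
                local_ip=local_ip, peer_ip=peer_ip, peer=peer)

def example_sites():
    # Constructed from this document's tables; the bvpn1/bvpn2 pairing and the layout are assumptions.
    return {
        "Berlin": {
            "trusted": "172.16.100.0/24",
            "external": {"External-1": "192.0.2.1", "External-2": "203.0.113.1"},
            "vifs": {
                "bvpn1": vif("BovpnVif.Hamburg-1", "External-1", "192.0.2.1", "192.0.2.9",
                             "10.0.10.1", "10.0.10.3", ("Hamburg", "bvpn1")),
                "bvpn2": vif("BovpnVif.Hamburg-2", "External-2", "203.0.113.1", "203.0.113.9",
                             "10.0.10.4", "10.0.10.2", ("Hamburg", "bvpn2")),
            },
            "ospf": """router ospf
ospf router-id 172.16.100.1
! exclude all but bvpn virtual interfaces
passive-interface default
no passive-interface bvpn1
no passive-interface bvpn2
network 10.0.10.0/24 area 0.0.0.0
network 172.16.100.0/24 area 0.0.0.0""",
        },
        "Hamburg": {
            "trusted": "172.16.101.0/24",
            "external": {"External-1": "192.0.2.9", "External-2": "203.0.113.9"},
            "vifs": {
                "bvpn1": vif("BovpnVif.Berlin-1", "External-1", "192.0.2.9", "192.0.2.1",
                             "10.0.10.3", "10.0.10.1", ("Berlin", "bvpn1")),
                "bvpn2": vif("BovpnVif.Berlin-2", "External-2", "203.0.113.9", "203.0.113.1",
                             "10.0.10.2", "10.0.10.4", ("Berlin", "bvpn2")),
            },
            "ospf": """router ospf
ospf router-id 172.16.101.1
passive-interface default
no passive-interface bvpn1
no passive-interface bvpn2
network 10.0.10.0/24 area 0.0.0.0
network 172.16.101.0/24 area 0.0.0.0""",
        },
    }

def parse_ospf(text):
    """Router-id, non-passive interfaces and networks from a Quagga-style 'router ospf' block."""
    cfg = {"router_id": None, "passive_default": False, "active": set(), "networks": []}
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("!"):  # '!' starts a comment
            continue
        if m := re.fullmatch(r"ospf router-id (\S+)", line):
            cfg["router_id"] = ipaddress.ip_address(m[1])
        elif line == "passive-interface default":
            cfg["passive_default"] = True
        elif m := re.fullmatch(r"no passive-interface (\S+)", line):
            cfg["active"].add(m[1])
        elif m := re.fullmatch(r"network (\S+) area \S+", line):
            cfg["networks"].append(ipaddress.ip_network(m[1]))
    return cfg

def check_site(name, sites):
    """Findings for one Firebox; an empty list means its settings are consistent."""
    site, findings = sites[name], []
    ospf, trusted = parse_ospf(site["ospf"]), ipaddress.ip_network(site["trusted"])
    if ospf["router_id"] is None or ospf["router_id"] not in trusted:
        findings.append(f"{name}: router-id {ospf['router_id']} is not on the trusted network")
    if trusted not in ospf["networks"]:
        findings.append(f"{name}: trusted network {trusted} is not announced in OSPF")
    if not ospf["passive_default"] or ospf["active"] != set(site["vifs"]):
        findings.append(f"{name}: only the BOVPN virtual interfaces should be non-passive")
    for v in site["vifs"].values():
        peer_site, peer_id = v["peer"]
        peer, tag = sites[peer_site]["vifs"][peer_id], f"{name}/{v['name']}"
        if v["local_gw"] != site["external"][v["iface"]]:
            findings.append(f"{tag}: local gateway ID {v['local_gw']} is not the {v['iface']} address")
        if v["remote_gw"] != peer["local_gw"]:
            findings.append(f"{tag}: remote gateway {v['remote_gw']} is not the local gateway {peer['local_gw']} of {peer['name']}")
        if (v["local_ip"], v["peer_ip"]) != (peer["peer_ip"], peer["local_ip"]):
            findings.append(f"{tag}: VPN Routes addresses are not the mirror of {peer['name']}")
        for addr in (v["local_ip"], v["peer_ip"]):
            if not any(ipaddress.ip_address(addr) in n for n in ospf["networks"]):
                findings.append(f"{tag}: {addr} is not inside any OSPF network statement")
    return findings

def check_all(sites):
    """Per-site findings plus the cross-site rule that OSPF router-ids are unique."""
    findings = [f for name in sites for f in check_site(name, sites)]
    ids = [parse_ospf(s["ospf"])["router_id"] for s in sites.values()]
    if len(set(ids)) != len(ids):
        findings.append("duplicate OSPF router-id across sites")
    return findings

if __name__ == "__main__":
    print(check_all(example_sites()) or "all checks passed")
```

With the values from this document the script reports no findings. Change one digit of a remote gateway address (for example, 203.0.113.2 instead of 203.0.113.1 on the Hamburg VPN-2 interface) or swap the Local and Peer IP addresses on one side, and the affected virtual interface is named in the output, which is far quicker than discovering the mismatch from a tunnel that never comes up or an OSPF adjacency that never forms.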

Dynamic Routes

After the configuration is saved to the two Firebox devices, the routes propagate through the tunnels to each device. With this configuration, each device has two routes to the remote trusted network. Both routes have the same metric, and each uses a different virtual interface. After the tunnels are established between the two devices, you can see the learned routes in the Status Report.

Routes on the Berlin Firebox

The IPv4 Routes section of the Status Report on the Berlin Firebox shows the two routes to the Hamburg trusted network, one through bvpn1 and one through bvpn2. The OSPF network routing table shows the two routes, one through each BOVPN virtual interface.

Routes on the Hamburg Firebox

On the Hamburg Firebox, the IPv4 Routes table shows two routes to the trusted network of the Berlin Firebox. The OSPF network routing table shows the two routes, one through each BOVPN virtual interface.

Monitor VPN Load Balancing

In Firebox System Manager you can monitor the load balancing through the two VPN tunnels. The original document shows screenshots taken on the Berlin Firebox (not reproduced here). On the Traffic Monitor tab, you can see that both VPN tunnels are used for connections from different clients. On the Front Panel tab, you can monitor the traffic statistics for both VPN interfaces to see the traffic load balanced through both tunnels.

Conclusion

This configuration example demonstrates how to configure OSPF to load balance traffic through two BOVPN virtual interfaces. This type of configuration provides redundancy for the secure connection between the two networks, as well as load balancing of IPSec VPN traffic through two external interfaces. You could extend this configuration to load balance connections through more than two VPN tunnels if both devices have additional external interfaces.

For more information about how to configure BOVPN virtual interfaces and dynamic routing, see the Fireware Help.

About this Configuration Example

This configuration example is provided as a guide. Additional configuration settings could be necessary, or more appropriate, for your network environment. For complete product documentation, see the Fireware XTM WatchGuard System Manager Help or Fireware XTM Web UI Help on the WatchGuard website at: http://www.watchguard.com/help/documentation/.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright, Trademark, and Patent Information

Copyright 1998-2014 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners. Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.

About WatchGuard

WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity. For more information, please call 206.613.6600 or visit www.watchguard.com.

Address
505 Fifth Avenue South, Suite 500, Seattle, WA 98104

Support
www.watchguard.com/support
U.S. and Canada: +877.232.3531
All Other Countries: +1.206.521.3575

Sales
U.S. and Canada: +1.800.734.9905
All Other Countries: +1.206.613.0895
