
Fireware Configuration Example - BOVPN Virtual Interface

BOVPN Virtual Interface Load Balancing with OSPF

Example configuration files created with — WSM v11.10

Revised — 9/24/2015

Use Case

In this configuration example, an organization has networks at two sites and uses a branch office VPN to connect the two networks. To increase the total throughput between sites and to make their VPN connection more fault-tolerant, they want to set up a second VPN tunnel between the two sites, and load balance connections through both VPN tunnels.

This configuration example is provided as a guide. Additional configuration settings could be necessary, or more appropriate, for your network environment.

Solution Overview

A BOVPN virtual interface provides a secure VPN tunnel for traffic between the networks protected by two Firebox devices. You can configure a second BOVPN virtual interface to send traffic through a second external interface. This configuration example shows how to set up two BOVPN virtual interfaces between two sites and use OSPF to load balance connections through the two VPN tunnels with equal priority.

Requirements

For the BOVPN virtual interface load balancing described in this example to operate correctly, each Firebox must use Fireware v11.9 or higher, and each Firebox must have two external interfaces.


How It Works

OSPF supports ECMP (equal cost multipath) load balancing. If multiple routes to the same destination have an equal route metric, OSPF uses ECMP to evenly distribute traffic across multiple routes based on source and destination IP addresses, and the number of connections that currently use each route. In this example configuration, two BOVPN virtual interfaces are configured between two Firebox devices. Each VPN uses a different external interface. The two devices use OSPF to exchange information about routes to their local networks through both tunnels. Because the point-to-point connections through each tunnel have the same metric, OSPF load balances traffic through both tunnels with equal priority.

With this configuration:

- Each Firebox uses OSPF to propagate routes to local networks through both BOVPN virtual interfaces.
- When both VPN tunnels are available, OSPF uses ECMP to load balance connections through the two VPN tunnels.
- If one external interface or one tunnel goes down, OSPF automatically sends all traffic through the other BOVPN tunnel.
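As an added illustration (not part of the WatchGuard document), the following Python model shows the behaviour the list above describes from the Berlin Firebox's side: two OSPF-learned routes to the Hamburg trusted network with the same metric form an ECMP group, flows are spread across bvpn1 and bvpn2, and when bvpn2 goes down every flow moves to bvpn1. The route metric, the client addresses and the hash-only path choice are assumptions; the Firebox also weighs the number of connections per route, which this model omits.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # outgoing BOVPN virtual interface, e.g. "bvpn1"
    metric: int      # OSPF cost of the route

class EcmpRouter:
    """Route selection this example relies on: OSPF learns one route per tunnel
    to the remote trusted network, routes sharing the lowest metric form an ECMP
    group, and a tunnel that goes down has its route withdrawn."""

    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.link_up: Dict[str, bool] = {}

    def learn(self, prefix: str, interface: str, metric: int) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, metric))
        self.link_up.setdefault(interface, True)

    def set_link(self, interface: str, is_up: bool) -> None:
        self.link_up[interface] = is_up

    def ecmp_group(self, dst: str) -> List[Route]:
        """Usable routes to dst: longest prefix, then lowest metric; ties stay together."""
        addr = ipaddress.ip_address(dst)
        usable = [r for r in self.routes if addr in r.prefix and self.link_up[r.interface]]
        if not usable:
            return []
        longest = max(r.prefix.prefixlen for r in usable)
        usable = [r for r in usable if r.prefix.prefixlen == longest]
        best = min(r.metric for r in usable)
        return sorted((r for r in usable if r.metric == best), key=lambda r: r.interface)

    def select(self, src: str, dst: str) -> Optional[str]:
        """Pick the tunnel for one flow; the hash keeps a client pair on one tunnel (assumed model)."""
        group = self.ecmp_group(dst)
        if not group:
            return None
        digest = hashlib.sha256(f"{src}>{dst}".encode()).digest()
        return group[int.from_bytes(digest[:4], "big") % len(group)].interface

def berlin_failover_demo(n_clients: int = 30) -> Dict[str, Dict[str, Optional[str]]]:
    """Berlin's view: two equal-cost routes to the Hamburg trusted network, then
    the tunnel on External-2 (bvpn2) goes down."""
    r = EcmpRouter()
    r.learn("172.16.101.0/24", "bvpn1", 10)   # constructed metric; equal on both tunnels
    r.learn("172.16.101.0/24", "bvpn2", 10)
    clients = [f"172.16.100.{10 + i}" for i in range(n_clients)]   # constructed clients
    before = {c: r.select(c, "172.16.101.50") for c in clients}
    r.set_link("bvpn2", False)
    after = {c: r.select(c, "172.16.101.50") for c in clients}
    return {"before": before, "after": after}
```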

Example

To illustrate this use case, we present an example of an organization that has Firebox devices at two locations: one in Hamburg, and another in Berlin. This example shows how to set up two VPN tunnels and load balance traffic through both tunnels with equal priority.

Topology

This configuration example uses the IP addresses shown in the subsequent diagram.


Network Configuration

The IP addresses for each site in this configuration:

Firebox Interface   Berlin                        Hamburg
External-1          IP address: 192.0.2.1/29      IP address: 192.0.2.9/29
                    Default GW: 192.0.2.6         Default GW: 192.0.2.14
External-2          IP address: 203.0.113.1/29    IP address: 203.0.113.9/29
                    Default GW: 203.0.113.6       Default GW: 203.0.113.14
Trusted network     172.16.100.0/24               172.16.101.0/24

The details of each configuration file are described in the next section.

Example Configuration Files

For your reference, we include example configuration files with this document. To examine the details of the configuration files, you can open them with Policy Manager. There are two example configuration files, one for each location in the example.

Configuration Filename   Description
Berlin.xml               Berlin Firebox
Hamburg.xml              Hamburg Firebox

Configuration Explained

Multi-WAN Configuration

The Berlin Firebox has two external interfaces, External-1 and External-2, and one trusted interface.

The Hamburg Firebox has two external interfaces, External-1 and External-2, and one trusted interface.

Both Firebox devices are configured to use the Routing Table multi-WAN method. The multi-WAN method controls load balancing for non-IPSec traffic routed through the external interfaces. The multi-WAN settings do not enable load balancing of IPSec traffic through the tunnel. The load balancing of traffic through the tunnel is a function of OSPF, as configured in the subsequent section.

In this example multi-WAN configuration, each Firebox uses the external IP address of the peer device as a ping link monitor target for each external interface. The ping target is not required, but we recommend that you configure a reliable link monitor target any time you configure multi-WAN.


VPN Configuration

The example configurations contain two BOVPN virtual interfaces for VPN connections between each site.

To see the BOVPN virtual interfaces:

1. Open the example configuration file in Policy Manager.
2. Select VPN > BOVPN Virtual Interfaces.

Each device has two BOVPN virtual interfaces. Each BOVPN virtual interface is named to represent the location of the remote device, and which local external interface it uses.

BOVPN Virtual Interfaces

Each Firebox has two BOVPN virtual interfaces.

The Berlin Firebox has two BOVPN virtual interfaces:

- BovpnVif.Hamburg-1 — Uses the External-1 interface
- BovpnVif.Hamburg-2 — Uses the External-2 interface

The Hamburg Firebox has two BOVPN virtual interfaces:

- BovpnVif.Berlin-1 — Uses the External-1 interface
- BovpnVif.Berlin-2 — Uses the External-2 interface

For each BOVPN virtual interface, the remote gateway ID is an external IP address on the peer Firebox.


VPN-1 Configuration on the Berlin Firebox

On the Berlin Firebox, BovpnVif.Hamburg-1 uses the external interface External-1 to connect to the remote gateway at the Hamburg Firebox.

In the Gateway Settings tab:

- The Local Gateway ID is set to the IP address of the local External-1 interface, 192.0.2.1.
- The Interface is set to External-1.
- The Remote Gateway IP Address and ID are both set to the IP address of the external interface on the Hamburg Firebox, 192.0.2.9.


To configure dynamic routing through a BOVPN virtual interface, you must assign virtual interface IP addresses in the VPN Routes tab.

In the VPN Routes tab, the virtual IP addresses are set to:

- Local IP address: 10.0.10.1
- Peer IP address: 10.0.10.3

For this example, the virtual interface IP addresses used for both tunnels are all in the 10.0.10.0/24 subnet. This subnet is used in the OSPF configuration to define a point-to-point network.

VPN-1 Configuration on the Hamburg Firebox

On the Hamburg Firebox, BovpnVif.Berlin-1 uses the external interface External-1 to connect to the remote gateway at the Berlin Firebox.

In the Gateway Settings tab:

- The Local Gateway ID is set to the IP address of the local External-1 interface, 192.0.2.9.
- The Interface is set to External-1.
- The Remote Gateway IP Address and ID are both set to the IP address of the external interface on the Berlin Firebox, 192.0.2.1.

A Local IP address and Peer IP address are configured in the VPN Routes tab. These IP addresses are used in the OSPF configuration to define a point-to-point network. These IP addresses must be the opposite of the addresses configured for this tunnel on the peer Firebox.


In the VPN Routes tab, the virtual IP addresses are set to:

- Local IP address: 10.0.10.3
- Peer IP address: 10.0.10.1

VPN-2 Configuration on the Berlin Firebox

The second BOVPN virtual interface on each device is configured very similarly, except that the gateway endpoints specify the second external interface, External-2, and use the IP addresses of the second external interface on each device as the local and remote gateway endpoints.

In the Gateway Settings tab:

- The Local Gateway ID is set to the IP address of the local External-2 interface, 203.0.113.1.
- The Interface is set to External-2.
- The Remote Gateway IP Address and ID are both set to the IP address of the External-2 interface on the Hamburg Firebox, 203.0.113.9.

In the VPN Routes tab the virtual IP addresses are set to:

- Local IP address: 10.0.10.4
- Peer IP address: 10.0.10.2

VPN-2 Configuration on the Hamburg Firebox

In the Gateway Settings tab:

- The Local Gateway ID is set to the IP address of the local External-2 interface, 203.0.113.9.
- The Interface is set to External-2.
- The Remote Gateway IP Address and ID are both set to the IP address of the External-2 interface on the Hamburg Firebox, 203.0.113.2.

In the VPN Routes tab, the virtual IP addresses are set to:

- Local IP address: 10.0.10.2
- Peer IP address: 10.0.10.4

These IP addresses are the opposite of the addresses configured for this tunnel on the peer Firebox.


Dynamic Routing Configuration

In the example dynamic routing configuration:

- The router-id is set to the IP address of the trusted interface.
- All interfaces are passive except the two BOVPN virtual interfaces, bvpn1 and bvpn2.
- Each Firebox announces 10.0.10.0/24, the subnet used for the point-to-point networks through each tunnel.
  - The local and peer IP addresses for both BOVPN virtual interfaces fall within this subnet.
- Each Firebox announces its own trusted network:
  - The Berlin Firebox announces 172.16.100.0/24
  - The Hamburg Firebox announces 172.16.101.0/24

Dynamic routing configuration on the Berlin Firebox:

  router ospf
  ospf router-id 172.16.100.1

  ! exclude all but bvpn virtual interfaces
  passive-interface default
  no passive-interface bvpn1
  no passive-interface bvpn2

  ! which networks are announced in OSPF area 0.0.0.0
  ! bvpn Point-to-Point networks
  network 10.0.10.0/24 area 0.0.0.0
  ! Trusted network
  network 172.16.100.0/24 area 0.0.0.0

Dynamic routing configuration on the Hamburg Firebox:

  router ospf
  ospf router-id 172.16.101.1

  ! exclude all but bvpn interfaces
  passive-interface default
  no passive-interface bvpn1
  no passive-interface bvpn2

  ! which networks are announced in OSPF area 0.0.0.0
  ! bvpn Point-to-Point networks
  network 10.0.10.0/24 area 0.0.0.0
  ! Trusted network
  network 172.16.101.0/24 area 0.0.0.0
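Because the two configuration files must mirror each other (swapped gateway endpoints, opposite virtual IP addresses, both virtual addresses inside the announced 10.0.10.0/24, and both bvpn interfaces excluded from passive-interface default), a small consistency check catches a mistyped address before the files are deployed. This Python checker is an added example, not WatchGuard code; the site values are taken from this document's Network Configuration table and VPN Routes tabs, and the mistake in mistyped_peer_example is constructed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List

@dataclass(frozen=True)
class BovpnVif:
    name: str         # e.g. BovpnVif.Hamburg-1
    local_gw: str     # Gateway Settings: Local Gateway ID (external interface IP)
    remote_gw: str    # Gateway Settings: Remote Gateway IP address and ID
    local_vip: str    # VPN Routes: Local IP address (OSPF point-to-point)
    peer_vip: str     # VPN Routes: Peer IP address

@dataclass(frozen=True)
class Site:
    name: str
    vifs: List[BovpnVif]        # tunnel order: VPN-1, VPN-2
    ospf_networks: List[str]    # prefixes from the "network ... area" lines
    non_passive: List[str]      # "no passive-interface" exceptions

def check_pair(a: Site, b: Site) -> List[str]:
    """Findings for a site pair; an empty list means the two configs mirror."""
    findings: List[str] = []
    for va, vb in zip(a.vifs, b.vifs):
        # gateway endpoints must be swapped between the two ends of a tunnel
        if (va.local_gw, va.remote_gw) != (vb.remote_gw, vb.local_gw):
            findings.append(f"{va.name}/{vb.name}: gateway endpoints are not swapped")
        # virtual IPs must be the opposite of the peer's
        if (va.local_vip, va.peer_vip) != (vb.peer_vip, vb.local_vip):
            findings.append(f"{va.name}/{vb.name}: virtual IPs are not opposite")
    for site in (a, b):
        nets = [ipaddress.ip_network(n) for n in site.ospf_networks]
        for v in site.vifs:
            for ip in (v.local_vip, v.peer_vip):
                if not any(ipaddress.ip_address(ip) in n for n in nets):
                    findings.append(f"{site.name}: {v.name} virtual IP {ip} not in an OSPF network")
        if len(site.non_passive) < len(site.vifs):
            findings.append(f"{site.name}: {len(site.vifs)} tunnels but only {len(site.non_passive)} non-passive OSPF interfaces")
    return findings

def example_sites():
    """Values from this document's Network Configuration table and VPN Routes tabs."""
    berlin = Site("Berlin", [
        BovpnVif("BovpnVif.Hamburg-1", "192.0.2.1", "192.0.2.9", "10.0.10.1", "10.0.10.3"),
        BovpnVif("BovpnVif.Hamburg-2", "203.0.113.1", "203.0.113.9", "10.0.10.4", "10.0.10.2"),
    ], ["10.0.10.0/24", "172.16.100.0/24"], ["bvpn1", "bvpn2"])
    hamburg = Site("Hamburg", [
        BovpnVif("BovpnVif.Berlin-1", "192.0.2.9", "192.0.2.1", "10.0.10.3", "10.0.10.1"),
        BovpnVif("BovpnVif.Berlin-2", "203.0.113.9", "203.0.113.1", "10.0.10.2", "10.0.10.4"),
    ], ["10.0.10.0/24", "172.16.101.0/24"], ["bvpn1", "bvpn2"])
    return berlin, hamburg

def mistyped_peer_example() -> List[str]:
    """Constructed mistake: Hamburg's VPN-1 peer address points at the other tunnel."""
    berlin, hamburg = example_sites()
    bad_vif = replace(hamburg.vifs[0], peer_vip="10.0.10.2")
    return check_pair(berlin, replace(hamburg, vifs=[bad_vif, hamburg.vifs[1]]))
```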


Dynamic Routes

After the configuration is saved to the two Firebox devices, the routes propagate through the tunnel to each device. With this configuration, each device has two routes to the remote trusted network. Both routes have the same metric, and each uses a different virtual interface. After the tunnels are established between the two devices, you can see the learned routes in the Status Report.

Routes on the Berlin Firebox

The IPv4 Routes section of the Status Report on the Berlin Firebox shows the two routes to the Hamburg trusted network, one through bvpn1 and one through bvpn2.

The OSPF network routing table shows the two routes through each BOVPN virtual interface.


Routes on the Hamburg Firebox

On the Hamburg Firebox, the IPv4 Routes table shows two routes to the trusted network of the Berlin Firebox.

The OSPF network routing table shows the two routes through each BOVPN virtual interface.


Monitor VPN Load Balancing

In Firebox System Manager you can monitor the load balancing through the two VPN tunnels. The images below show an example of what the load balancing looks like when monitored from the Berlin Firebox.

On the Traffic Monitor tab, you can see that both VPN tunnels are used for connections from different clients.

On the Front Panel tab you can monitor the traffic statistics for both VPN interfaces to see the traffic load balanced through both tunnels.

Conclusion

This configuration example demonstrates how to configure OSPF to do load balancing through two BOVPN virtual interfaces. This type of configuration provides redundancy for the secure connection between the two networks, as well as load balancing of IPSec VPN traffic through two external interfaces. You could extend this configuration to load balance connections through more than two VPN tunnels if both devices have additional external interfaces.

For more information about how to configure BOVPN virtual interfaces and dynamic routing, see the Fireware Help.


About this Configuration Example

This configuration example is provided as a guide. Additional configuration settings could be necessary, or more appropriate, for your network environment.

For complete product documentation, see the Fireware Help on the WatchGuard website at: http://www.watchguard.com/help/documentation/.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright, Trademark, and Patent Information

Copyright © 1998-2015 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.

About WatchGuard

WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard Firebox line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.

For more information, please call 206.613.6600 or visit www.watchguard.com.

Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575

Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
