SRX Services Gateway
Visitor
rbalugu
Posts: 5
Registered: ‎01-05-2011

BGP Configuration for hub and Spoke IPSec VPN

Hi ,

I am looking for a BGP routing configuration for populating IPsec protected network routes between IPsec gateways, assuming one or more networks at each VPN end.

 

Basically I would be using BGP to populate my protected networks into the spokes over the tunnel interfaces.

 

Could someone point me to any available document? I searched, though I didn't get much.

 

Thanks in advance.

 

Ravi

 

 

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009

Re: BGP Configuration for hub and Spoke IPSec VPN

BGP is not normally used for this purpose.  This is typically done with OSPF or static routes.

 

BGP is an exterior gateway protocol, meant for routing between Internet Autonomous Systems (AS). It's not meant to be used for LAN routing.

 

You will find copious amounts of documentation describing how to achieve this with OSPF and/or static routes.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Distinguished Expert
Raheel
Posts: 414
Registered: ‎06-18-2008

Re: BGP Configuration for hub and Spoke IPSec VPN

BGP over IPSEC configuration attached.

 


gateway1 config:
===============


[edit]
regress@gw1# show security ike
proposal p1_prop {
    authentication-method pre-shared-keys;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
}
policy p1_pol {
    mode main;
    proposals p1_prop;
    pre-shared-key ascii-text "$9$ctXrK8-VYZUHX7UHqmF3SrevX7dbs4JG"; ## SECRET-DATA
}
gateway gw1 {
    ike-policy p1_pol;
    address 2.10.1.1;
    external-interface ge-0/0/1;
}

[edit]
regress@gw1# show security ipsec
vpn-monitor-options {
    interval 10;
    threshold 10;
}
proposal p2_prop {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 900;
}
policy p2_pol {
    perfect-forward-secrecy {
        keys group5;
    }
    proposals p2_prop;
}
vpn vpn1 {
    bind-interface st0.0;
    vpn-monitor {
        optimized;
    }
    ike {
        gateway gw1;
        ipsec-policy p2_pol;
    }
    establish-tunnels immediately;     
}

[edit]
regress@gw1# show interfaces st0
unit 0 {
    family inet {
        mtu 1500;
        address 30.1.1.1/24;
    }
}

[edit]
regress@gw1# show protocols bgp
group internal {
    type internal;
    export export-bgp;
    neighbor 30.1.1.2 {
        bfd-liveness-detection {
            version 1;
            minimum-interval 750;
            multiplier 2;
        }
    }
}


gateway2 config:
================

[edit]
regress@gw2# show security ike
proposal p1_prop {
    authentication-method pre-shared-keys;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
}
policy p1_pol {
    mode main;
    proposals p1_prop;
    pre-shared-key ascii-text "$9$ctXrK8-VYZUHX7UHqmF3SrevX7dbs4JG"; ## SECRET-DATA
}
gateway gw2 {
    ike-policy p1_pol;
    address 5.10.1.1;
    external-interface ge-0/0/7;
}

[edit]
regress@gw2# show security ipsec
vpn-monitor-options {
    interval 10;
    threshold 10;
}
proposal p2_prop {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 900;
}
policy p2_pol {
    perfect-forward-secrecy {
        keys group5;
    }
    proposals p2_prop;
}
vpn vpn2 {
    bind-interface st0.0;
    vpn-monitor {
        optimized;
    }
    ike {
        gateway gw2;
        ipsec-policy p2_pol;
    }
    establish-tunnels immediately;     
}

[edit]
regress@gw2# show interfaces st0
unit 0 {
    family inet {
        mtu 1500;
        address 30.1.1.2/24;
    }
}

[edit]
regress@gw2# show protocols bgp
group internal {
    type internal;
    export export-bgp;
    neighbor 30.1.1.1 {
        bfd-liveness-detection {
            version 1;
            minimum-interval 750;
            multiplier 2;
        }
    }
}

Follow me on Twitter @anwar_raheel

--
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
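The IBGP config above references two things it does not show: the `export-bgp` policy and the local AS that `type internal` requires under `routing-options`. On an SRX there is a third piece that is easy to miss: the security zone holding `st0.0` must allow BGP (and BFD, since it is configured on the neighbor) as host-inbound traffic, or the session never comes up. The following is an added example of those pieces for gw1, not Raheel's configuration; the AS number 65000, the zone name `vpn` and the protected prefix 192.168.10.0/24 are assumptions, and gw2 would mirror it with its own router-id and prefix.

```junos
routing-options {
    /* required for "type internal"; must match on both gateways (assumed AS) */
    autonomous-system 65000;
    router-id 30.1.1.1;
}
policy-options {
    policy-statement export-bgp {
        /* advertise only the protected network behind this gateway (assumed prefix) */
        term protected-networks {
            from {
                protocol [ direct static ];
                route-filter 192.168.10.0/24 orlonger;
            }
            then accept;
        }
        /* everything else, including the route to the IKE peer, stays local */
        term deny-rest {
            then reject;
        }
    }
}
security {
    zones {
        security-zone vpn {
            interfaces {
                st0.0 {
                    /* least privilege on the tunnel interface: only the
                       routing protocols the peering actually needs */
                    host-inbound-traffic {
                        protocols {
                            bgp;
                            bfd;
                        }
                    }
                }
            }
        }
    }
}
```

The explicit final reject term is the important part: without it, a policy with an empty-match term would fall through to BGP's default export, which for IBGP re-advertises learned BGP routes only, but the habit of ending every export policy with a reject keeps the underlay route towards the IKE peer from ever being leaked over the tunnel. After commit, `show bgp neighbor 30.1.1.2` on gw1 should report the session as Established and `show route advertising-protocol bgp 30.1.1.2` should list only the protected prefix.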
Recognized Expert
sfouant
Posts: 190
Registered: ‎11-28-2007

Re: BGP Configuration for hub and Spoke IPSec VPN


keithr wrote:

BGP is not normally used for this purpose.  This is typically done with OSPF or static routes.

 

BGP is an exterior gateway protocol, meant for routing between Internet Autonomous Systems (AS). It's not meant to be used for LAN routing.


Keith,

 

There are plenty of instances where people use BGP to advertise interior routing information between VPN sites.  I know of plenty of enterprise organizations that do just the above, because they are running OSPF in their Corporate site and do not want to span OSPF across to all of their remote branches.  Because OSPF lacks policy control, some organizations choose to use BGP internally to gain more fine-grained control over the routing between VPN sites.

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

--
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
Visitor
rbalugu
Posts: 5
Registered: ‎01-05-2011

Re: BGP Configuration for hub and Spoke IPSec VPN

Hi Raheel,

 

Thanks a lot for attaching this configuration. However, I have a few questions on this.

How does this configuration take care of protected networks' reachability from each VPN peer? Should I configure the protected network routes separately on each VPN peer, since BGP does talk to the peer AS?

And the configuration doesn't define AS and peer-as; is that not required? I was under the assumption that AS is a must.

 

Could you please clarify?

 

Thanks,

Ravindhar

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009

Re: BGP Configuration for hub and Spoke IPSec VPN


sfouant wrote:
There are plenty of instances where people use BGP to advertise interior routing information between VPN sites.  I know of plenty of enterprise organizations that do just the above, because they are running OSPF in their Corporate site and do not want to span OSPF across to all of their remote branches.  Because OSPF lacks policy control, some organizations choose to use BGP internally to gain more fine-grained control over the routing between VPN sites.

While that may be true, I consider it a case of "just because you can do something, doesn't always mean you should."

 

I'm sure there are reasons to run BGP over an IPsec link, but I've not run into any overwhelmingly compelling cases to do so that couldn't be solved in other ways.

 

Your first sentence:  "There are plenty of instances where people use BGP to advertise interior routing information between VPN sites."   Again, let's not forget, BGP is designed and defined as an Exterior Gateway Protocol.  While it *can* be used to exchange interior route information, that's not what it was meant to do.  It may be a matter of perspective -- a VPN site, by most definitions, is logically considered to be an extension of the corporate LAN, and therefore should most often be treated as such.  Don't want full OSPF routing information?  Set up a stub or NSSA area.  I'm not sure what you mean by "OSPF lacks policy control," because routes can be filtered in and out of OSPF areas and filtered from being imported or exported out of Junos routing tables.

 

The almost countless examples of OSPF over IPsec all over the Internet across most major vendors' products and support demonstrate that it is the widely accepted solution.  The notable lack of examples or documentation for BGP over IPsec define it intrinsically as an edge case, and not something commonly done or widely deployed.

 

I'm glad you provided an example to assist Ravi.  I was trying to offer an alternative solution that he would have likely found more widespread support for in general. 

 

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Visitor
rbalugu
Posts: 5
Registered: ‎01-05-2011

Re: BGP Configuration for hub and Spoke IPSec VPN

Hi ,

Thank you all.

Now I have more clarity from your points, and with that understanding I am able to populate the protected network static routes into the other-end VPN peer.

 

I have configured BGP between the tunnel interfaces (session between the st0 IPs) and added policy-options to export the static routes.

 

Here I have configured a separate AS for each spoke/hub; I would like to hear comments.

 

Hub :

-------------------------------------------------------------------------------------

##route-options

static {
    route 0.0.0.0/0 next-hop 10.213.63.254;
    route 3.3.3.0/24 next-hop 192.168.1.4;
    route 4.4.4.0/24 next-hop 192.168.1.1;

}
router-id 192.168.1.2;
autonomous-system 65001;


##BGP protocol configuration

 

bgp {
    group vpn-bgp {
        type external;
        /* hub's own st0 address (the posted config had 192.168.1.4, which is
           spoke 1's address; the spokes and the router-id both use 192.168.1.2) */
        local-address 192.168.1.2;
        export VPN_HUB;
        neighbor 192.168.1.1 {
            peer-as 65002;
        }
        neighbor 192.168.1.4 {
            peer-as 65003;
        }
    }
}


## policy-options configuration

 

policy-statement VPN_HUB {
    from protocol static;
    then accept;
}


-------------------------------------------------------------------------------------

 

Spoke 1:

-------------------------------------------------------------------------------------

##route-options

static {
    route 0.0.0.0/0 next-hop 10.213.63.254;
    route 5.5.5.0/24 next-hop 192.168.1.2;
}
router-id 192.168.1.4;
autonomous-system 65003;


##BGP protocol configuration

 

bgp {
    group vpn-bgp {
        type external;
        local-address 192.168.1.4;
        export VPN_SPOKE1;
        neighbor 192.168.1.2 {
            peer-as 65001;
        }
    }
}


## policy-options configuration

 

policy-statement VPN_SPOKE1 {
    from protocol static;
    then accept;
}


-------------------------------------------------------------------------------------

 

Spoke 2:

-------------------------------------------------------------------------------------

##route-options

static {
    route 0.0.0.0/0 next-hop 10.213.63.254;
    route 5.5.5.0/24 next-hop 192.168.1.2;
}
router-id 192.168.1.1;
autonomous-system 65002;


##BGP protocol configuration

 

bgp {
    group vpn-bgp {
        type external;
        local-address 192.168.1.1;
        export VPN_SPOKE2;
        neighbor 192.168.1.2 {
            peer-as 65001;
        }
    }
}


## policy-options configuration

 

policy-statement VPN_SPOKE2 {
    from protocol static;
    then accept;
}


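One caveat a reviewer would raise on the three policies above: `from protocol static; then accept` matches every static route, including the `0.0.0.0/0 next-hop 10.213.63.254` entry that each site uses to reach its IKE peers. The hub and both spokes therefore advertise their own default route to their peers over the tunnel. On Junos the locally configured static (preference 5) still wins over the EBGP copy (preference 170), so nothing breaks today, but the moment a site loses its local default it would start sending all of its traffic into the tunnel. The following is an added rewrite of the hub policy, not Ravi's configuration, that rejects the default explicitly and names the protected prefixes instead of accepting "any static"; the prefixes are taken from the hub's static routes above, and the spoke policies would follow the same shape with their own prefix.

```junos
policy-options {
    policy-statement VPN_HUB {
        /* the static default is the underlay route to the IKE peers;
           it must never be advertised over the tunnel */
        term no-default {
            from {
                route-filter 0.0.0.0/0 exact;
            }
            then reject;
        }
        /* only the protected networks, listed explicitly so that a new
           static added for some other purpose is not leaked by accident */
        term protected-static {
            from {
                protocol static;
                route-filter 3.3.3.0/24 exact;
                route-filter 4.4.4.0/24 exact;
            }
            then accept;
        }
        /* explicit catch-all: anything else stays local */
        term deny-rest {
            then reject;
        }
    }
}
```

Ordering matters here: Junos evaluates terms top to bottom and stops at the first terminating action, so `no-default` has to come before the accept term. After commit, `show route advertising-protocol bgp 192.168.1.1` on the hub should list 3.3.3.0/24 and 4.4.4.0/24 only, and `show route receive-protocol bgp 192.168.1.2` on a spoke should no longer show a 0.0.0.0/0 entry.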
Recognized Expert
sfouant
Posts: 190
Registered: ‎11-28-2007

Re: BGP Configuration for hub and Spoke IPSec VPN


keithr wrote:

Again, let's not forget, BGP is designed and defined as an Exterior Gateway Protocol.  While it *can* be used to exchange interior route information, that's not what it was meant to do.   

There are many, many instances of BGP being used for other purposes (VPLS, NG-VPN Multicast, signalling, etc.).  For the record, I have seen many customers that use BGP across their tunnels.  You mention that OSPF can be filtered across areas - what if the customer doesn't want to go through the process of configuring disparate areas at each one of their locations?  What if they have a large network and want to ensure LSA flooding doesn't cause excessive churn in other parts of the network?  Lots of reasons why OSPF might not be the preferred approach... also, what if they want to carry other NLRI that OSPF is not designed to support... tada... this is precisely what BGP was designed for.

 

Let's stop making generalist statements and get back on topic...

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

--
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009

Re: BGP Configuration for hub and Spoke IPSec VPN


sfouant wrote:

Let's stop making generalist statements and get back on topic...


My generalist statement was simply the accepted definition of the protocol.

 

You're being a bit generalist by asserting that the BGP shoe fits all feet because it's appropriate in some specific cases.

 

My contention that this is a monster truck on a railroad track is because I'm operating under the assumption that since no specific needs were illustrated, that perhaps a simpler and more widely-accepted solution would be apropos.

 

Your contention was that BGP over a tunnel is useful in some cases.

 

I never said there was *never* a case to use BGP over a tunnel, just that it wasn't GENERALLY done except in specific need cases.

 

I suppose we are both right, and both wrong here, because neither of us bothered to ask the original poster what their needs were in this case.  Raheel posted the basic config to answer the original question, but you and I have argued about whether it was appropriate or not without ever asking the person if they had specific needs that were served by this configuration.

 

I didn't realize you were the sheriff of these here parts, but aye-aye.  Back on topic I go.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Distinguished Expert
Raheel
Posts: 414
Registered: ‎06-18-2008

Re: BGP Configuration for hub and Spoke IPSec VPN

Config looks good; are you encountering any issue?

 

thanks,

raheel

Follow me on Twitter @anwar_raheel

--
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.