Screen OS

Hi, everyone

When i read a concept and example (6.2) vol.5 - chapter 5 (Site-to-site Virtual Private Networks),

especailly Route-Based VPN shown "null interface" in Route configuration part example.

For example (CLI)

Routes

set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250

set vrouter trust-vr route 10.2.2.0/24 interface tunnel.1

set vrouter trust-vr route 10.2.2.0/24 interface null metric 10

 All example for Route Based VPN configuration I could see a null interface in Route configuration.

Would you explain the reason why the null interface should be configured and its function? please

Thank you

Best Regards

Jeff LEE

ps. It didnt work VPN when i omitted the configured "null interface" at customer site.

Hi,

The idea is simple: If the tunnel interface remains down for some reason, the route pointing to the VPN tunnel will not get active in the routing table. So due to the longest prefix match algorithm, the next suitable route is chosen, probably the default route and your packets will be forwarded to your internet router. It is likely that you use RFC1918 addresses for your internal networks and therefore the packets will soon be discarded but for security reasons, you might have concerns that packets leak out of your systems.

The route to the null interface (with a priority that makes it only the 2nd choice compared to the tunnel interface) avoids that: If the tunnel doesn't get up, packets are internally discarded.

Null interface is of course not necessary for route based VPN, it is just a good practice.

I hope this helps.

Regards,

Dominik

Hello?  Dominik

Thank you for your crystal-clear explanation.

Jeff LEE