Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF

Transcription

1 v Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF WatchGuard Fireboxes

2 2 WatchGuard Technologies, Inc.

3 Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF Configuration files created with Policy Manager v Configuration files created for Fireware v Use Case An organization has networks at multiple remote sites that connect with two main corporate sites through BOVPN virtual interfaces. It is important that the remote sites remain connected to both corporate sites at all times. Because a link failure could disrupt business, the organization wants to add redundancy so remote sites have more than one route to each corporate site. In this configuration example, we use OSPF to configure redundant routes. This configuration example is provided as a basic guide. Your network environment might require additional configuration settings. Solution Overview This configuration example describes two solutions. Both solutions include BOVPN virtual interfaces, dynamic routing with OSPF, and an MPLS line between the main corporate sites. The solutions differ in these ways: In Solution A, the MPLS endpoints are on the same subnet. A BOVPN virtual interface between the MPLS endpoints is not required. In Solution B, the MPLS endpoints are on different subnets. A BOVPN virtual interface between the MPLS endpoints is included in the configuration. The OSPF configuration includes additional information so the two sites can advertise routes to each other. Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 1

4 Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF To implement and support this configuration on your network, you must understand dynamic routing. How It Works For both solutions in this configuration example, the organization has multiple retail stores with VPN connections to networks at Headquarters and a Datacenter. Headquarters and the Datacenter ares connected by an MPLS link. The OSPF dynamic routing protocol is configured on a Firebox at each site. Each store has routes to Headquarters and the Datacenter. Traffic is always routed along the best (lowest cost) route. For example, traffic from Store 1 to Headquarters is normally routed through the VPN tunnel between Store 1 and Headquarters. Traffic from Store 1 to the Datacenter is normally routed through the VPN tunnel between Store 1 to the Datacenter. If the link between Store 1 and Headquarters becomes unavailable, Store 1 can still access the network at Headquarters after this process occurs: OSPF recalculates metrics for routes in its table to find the best route. After a brief delay, Store 1 traffic destined for Headquarters is automatically routed along the best route, which is now through the VPN tunnel from Store 1 to the Datacenter, and from the Datacenter to Headquarters. If the failed link becomes available again, OSPF recalculates metrics and sends traffic along the best route. 2 WatchGuard Technologies, Inc.

5 Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF Example Configuration Files For your reference, we included example configuration files with this document. To view the configuration files, you can open them with Policy Manager. The two retail store configuration files, Store1.xml and Store2.xml, are the same for both Solution A and B. Solution A (MPLS without a VPN): Configuration File Name SolutionA-Headquarters.xml SolutionA-Datacenter.xml Store1.xml Store2.xml Description Headquarters Firebox Datacenter Firebox Store 1 Firebox Store 2 Firebox Solution B (MPLS with a VPN): Configuration Filename SolutionB-Headquarters.xml SolutionB-Datacenter.xml Store1.xml Store2.xml Description Headquarters Firebox Datacenter Firebox Store 1 Firebox Store 2 Firebox Requirements This configuration example has these requirements: Firebox at each site BOVPN virtual interfaces configured on each Firebox OSPF configured on each Firebox MPLS link between Headquarters and the Datacenter without a BOVPN (for Solution A) MPLS link between Headquarters and the Datacenter with a BOVPN (for Solution B) Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 3

6 Solution A Configuration Explained Solution A Configuration Explained The next few sections explain the configuration for Solution A: Network Topology BOVPN Configuration OSPF Configuration For an explanation of Solution B, see Solution B Configured Explained. Network Topology for Solution A This diagram shows the network topology for Solution A. This solution includes two remote sites and a MPLS connection without a VPN. You can add more remote sites as needed which is indicated by the Firebox at Retail Store (n) in OSPF Area (n). 4 WatchGuard Technologies, Inc.

7 Solution A Configuration Explained This list summarizes the interface IP addresses used in Solution A. Firebox Interface Headquarters Datacenter Store 1 Store 2 External Trusted Optional-MPLS n/a n/a VPN Configuration for Solution A The Firebox at each retail store has two BOVPN virtual interfaces. The interface names indicate the location of the peer Firebox. The Fireboxes at Headquarters and the Datacenter also have two BOVPN virtual interfaces: Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 5

8 Solution A Configuration Explained BOVPN Virtual Interface Gateway Settings On the Gateway Settings tab for each virtual interface, configure these settings: Local Gateway ID IP address of the local external interface Interface Set to External Remote Gateway IP Address IP address of the external interface on the peer Firebox Remote Gateway ID IP address of the external interface on the peer Firebox Store 1 Gateway settings on the Store 1 Firebox for a connection to Headquarters: 6 WatchGuard Technologies, Inc.

9 Solution A Configuration Explained Gateway settings on the Store 1 Firebox for a connection to the Datacenter: Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 7

10 Solution A Configuration Explained Store 2 Gateway settings on the Store 2 Firebox for a connection to Headquarters: 8 WatchGuard Technologies, Inc.

11 Solution A Configuration Explained Gateway settings on the Store 2 Firebox for a connection to the Datacenter: Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 9

12 Solution A Configuration Explained Headquarters Gateway settings on the Headquarters Firebox for a connection to Store 1: 10 WatchGuard Technologies, Inc.

13 Solution A Configuration Explained Gateway Settings on the Headquarters Firebox for a connection to Store 2: Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 11

14 Solution A Configuration Explained Datacenter Gateway Settings on the Datacenter Firebox for a connection to Store 1: 12 WatchGuard Technologies, Inc.

15 Solution A Configuration Explained Gateway Settings on the Datacenter Firebox for a connection to Store 2: Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 13

16 Solution A Configuration Explained BOVPN Virtual Interface Phase 1 and 2 Settings The configuration files include these recommended security settings: Phase 1: Authentication SHA-2 (256) Encryption AES (256) Key Group Diffie-Helman Group 15 Phase 2: Type ESP Authentication SHA-2 (256) Encryption AES (256) SHA-2 is not supported on XTM 505, 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA-2. All other models support SHA-2. If your XTM device does not support SHA-2, we recommend these settings: Phase 1: Authentication SHA-1 Encryption AES (256) Key Group Diffie-Helman Group 2 Phase 2: Keep the default proposal, which is ESP-AES-SHA1. If your MPLS link is a leased line, and you want to avoid the overhead from encryption, we recommend these Phase 2 settings: Type ESP Authentication SHA-1 Encryption None 14 WatchGuard Technologies, Inc.

17 Solution A Configuration Explained BOVPN Virtual Interface IP Addresses To configure dynamic routing through a BOVPN virtual interface, you must assign virtual interface IP addresses in the VPN Routes tab. You can specify any IP addresses that do not conflict with IP addresses already on your network. We recommend that you specify a unique IP address for each virtual interface IP address on your network. We also recommend that you plan which IP addresses to use in advance. For administrative convenience, we used the third octet of each virtual IP address to indicate the OSPF area number. For example, the third octet in the IP addresses and indicates a VPN tunnel that terminates in Area 1. The third octet in the IP addresses and indicates a VPN tunnel that terminates in Area 2. For more information about OSPF areas, see the OSPF Configuration section. In our example, we use these virtual IP addresses: Firebox Location Virtual IP Addresses Headquarters Datacenter Store Store On the VPN Routes tab, these settings are configured: Local IP address The virtual IP address of the local Firebox Peer IP address or netmask The virtual IP address of the peer Firebox Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 15

18 Solution A Configuration Explained For example, on the Firebox at Store 1, type these IP addresses for a VPN connection to Headquarters: 16 WatchGuard Technologies, Inc.

19 Solution A Configuration Explained On the Firebox at Store 1, for a connection to the Datacenter: For examples of virtual interface IP addresses for all other sites, see the attached configuration files. OSPF Configuration for Solution A OSPF is enabled on the Firebox at each site. The OSPF configuration includes: Routes Area definitions Route filters Large networks are typically divided into areas, which are subsets of the OSPF network. Each area has its own number. Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 17

20 Solution A Configuration Explained To reduce convergence times, and to take advantage of route filters, we recommend that you define OSPF areas. In our example, Area 0 includes both Headquarters and the Datacenter. Each store has its own area, which means Store 1 is in Area 1, and Store 2 is in Area 2. Firebox Location OSPF Area Headquarters 0 Datacenter 0 Store 1 1 Store 2 2 To prevent unnecessary route table entries, we recommend that you specify route filters in the OSPF configuration. Your Firebox only advertises routes permitted by the route filter. In our example, route filters in the Headquarters and Datacenter configurations deny advertisements for intra-area routes between retail stores. For the router-id, specify the virtual IP address of the local Firebox. For Solution A, the OSPF configurations for each Firebox are as follows. Store 1 router ospf ospf router-id !BOVPN to HQ network /32 area 1!BOVPN to DC network /32 area 1!Local network network /24 area 1 Store 2 router ospf ospf router-id !BOVPN to HQ network /32 area 2!BOVPN to DC network /32 area 2!Local network network /24 area 2 18 WatchGuard Technologies, Inc.

21 Solution A Configuration Explained Headquarters!Distribute inter-area routes from HQ and DC to Remote ip prefix-list Central-2-Remote permit /24 ip prefix-list Central-2-Remote permit /24 ip prefix-list Central-2-Remote permit /24 ip prefix-list Central-2-Remote deny any router ospf ospf router-id !Internal network area 0 network /24 area 0 network /24 area 0!Remote sites individual area network /32 area 1 network /32 area 2!Filter the routes from HQ to remote area 1 filter-list prefix Central-2-Remote in area 2 filter-list prefix Central-2-Remote in Datacenter!Filter propagated lists ip prefix-list Central-2-Remote permit /24 ip prefix-list Central-2-Remote permit /24 ip prefix-list Central-2-Remote permit /24 ip prefix-list Central-2-Remote deny any router ospf ospf router-id !Add the local network to area 0 network /24 area 0 network /24 area 0!VIF sites network /32 area 1 network /32 area 2!Filter the routes from DC to remotes area 1 filter-list prefix Central-2-Remote in area 2 filter-list prefix Central-2-Remote in Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 19

22 Solution B Configuration Explained Solution B Configuration Explained The next sections explain the configuration for Solution B: Network Topology BOVPN Configuration OSPF Configuration Network Topology for Solution B This diagram shows the network topology for Solution B which includes a VPN for the MPLS connection. In this diagram, we show configuration information for two remote sites. You can add more remote sites as needed which is indicated by "OSPF Area (n)." 20 WatchGuard Technologies, Inc.

23 Solution B Configuration Explained This list summarizes the interface IP addresses used in Solution B. Firebox Interface Headquarters Datacenter Store 1 Store 2 External Trusted Optional-MPLS n/a n/a VPN Configuration for Solution B The Firebox at each retail store has two BOVPN virtual interfaces. The interface names indicate the location of the peer Firebox. The Firebox at Headquarters has these BOVPN virtual interfaces. Solution B requires a BOVPN between Headquarters and the Datacenter: Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 21

24 Solution B Configuration Explained The Firebox at the Datacenter has these BOVPN virtual interfaces: BOVPN Virtual Interface Gateway Settings On the Gateway Settings tab for each virtual interface, configure these settings: Local Gateway ID IP address of the local external interface Interface Set to External Remote Gateway IP Address IP address of the external interface on the peer Firebox Remote Gateway ID IP address of the external interface on the peer Firebox 22 WatchGuard Technologies, Inc.

25 Solution B Configuration Explained Store 1 Gateway settings on the Store 1 Firebox for a connection to Headquarters: Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 23

26 Solution B Configuration Explained Gateway settings on the Store 1 Firebox for a connection to the Datacenter: 24 WatchGuard Technologies, Inc.

27 Solution B Configuration Explained Store 2 Gateway settings on the Store 2 Firebox for a connection to Headquarters: Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 25

28 Solution B Configuration Explained Gateway settings on the Store 2 Firebox for a connection to the Datacenter: 26 WatchGuard Technologies, Inc.

29 Solution B Configuration Explained Headquarters Gateway settings on the Headquarters Firebox for a connection to Store 1: Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 27

30 Solution B Configuration Explained Gateway Settings on the Headquarters Firebox for a connection to Store 2: 28 WatchGuard Technologies, Inc.

31 Solution B Configuration Explained Gateway Settings on the Headquarters Firebox for an MPLS connection the Datacenter: Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 29

32 Solution B Configuration Explained Datacenter Gateway Settings on the Datacenter Firebox for a connection to Store 1: 30 WatchGuard Technologies, Inc.

33 Solution B Configuration Explained Gateway Settings on the Datacenter Firebox for a connection to Store 2: Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 31

34 Solution B Configuration Explained Gateway Settings on the Datacenter Firebox for an MPLS connection Headquarters: 32 WatchGuard Technologies, Inc.

35 Solution B Configuration Explained BOVPN Virtual Interface Phase 1 and 2 Settings The configuration files include these recommended security settings: Phase 1: Authentication SHA-2 (256) Encryption AES (256) Key Group Diffie-Helman Group 15 Phase 2: Type ESP Authentication SHA-2 (256) Encryption AES (256) SHA-2 is not supported on XTM 505, 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA-2. All other models support SHA-2. If your XTM device does not support SHA-2, we recommend these settings: Phase 1: Authentication SHA-1 Encryption AES (256) Key Group Diffie-Helman Group 2 Phase 2: Keep the default proposal, which is ESP-AES-SHA1. If your MPLS link is a leased line, and you want to avoid the overhead required for encryption, we recommend these Phase 2 settings: Type ESP Authentication SHA-1 Encryption None Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 33

36 Solution B Configuration Explained BOVPN Virtual Interface IP Addresses To configure dynamic routing through a BOVPN virtual interface, you must assign virtual interface IP addresses in the VPN Routes tab. You can specify any IP addresses that do not conflict with IP addresses already on your network. We recommend that you specify a unique IP address for each virtual interface IP address on your network. We also recommend that you plan which IP addresses to use in advance. For administrative convenience, we used the third octet of each virtual IP address to indicate the OSPF area number. For example, the third octet in the IP addresses and indicates a VPN tunnel that terminates in Area 1. The third octet in the IP addresses and indicates a VPN tunnel that terminates in Area 2. For more information about OSPF areas, see the OSPF Configuration section. In our example, we use these virtual IP addresses: Firebox Location Virtual IP Addresses Headquarters Datacenter Store Store On the VPN Routes tab, these settings are configured: Local IP address The virtual IP address of the local Firebox Peer IP address or netmask The virtual IP address of the peer Firebox 34 WatchGuard Technologies, Inc.

37 Solution B Configuration Explained For example, on the Firebox at Store 1, type these IP addresses for a VPN connection to Headquarters: Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 35

38 Solution B Configuration Explained On the Firebox at Store 1, for a connection to the Datacenter: For examples of virtual interface IP addresses for all other sites, see the attached configuration files. 36 WatchGuard Technologies, Inc.

39 Solution B Configuration Explained OSPF Configuration for Solution B OSPF is enabled on the Firebox at each site. The OSPF configuration includes: Routes Area definitions Route filters Large networks are typically divided into areas, which are subsets of the OSPF network. Each area has its own number. To reduce convergence times, and to take advantage of route filters, we recommend that you define OSPF areas. In our example, Area 0 includes both Headquarters and the Datacenter. Each store has its own area, which means Store 1 is in Area 1, and Store 2 is in Area 2. Firebox Location OSPF Area Headquarters 0 Datacenter 0 Store 1 1 Store 2 2 To prevent unnecessary route table entries, we recommend that you specify route filters in the OSPF configuration. Your Firebox only advertises routes permitted by the route filter. In our example, route filters in the Headquarters and Datacenter configurations deny advertisements for intra-area routes between retail stores. For the router-id, specify the virtual IP address of the local Firebox. For Solution B, the OSPF configuration for the Headquarters and Datacenter Fireboxes has an additional network command. The OSPF configuration for the retail stores is the same as in Solution A. Store 1 router ospf ospf router-id !BOVPN to HQ network /32 area 1!BOVPN to DC network /32 area 1!Local network network /24 area 1 Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 37

40 Solution B Configuration Explained Store 2 router ospf ospf router-id !BOVPN to HQ network /32 area 2!BOVPN to DC network /32 area 2!Local network network /24 area 2 Headquarters!Distribute inter-area routes from HQ and DC to Remote ip prefix-list Central-2-Remote permit /24 ip prefix-list Central-2-Remote permit /24 ip prefix-list Central-2-Remote deny any router ospf ospf router-id !Internal network area 0 network /24 area 0 network /24 area 0 #To exchange OSPF info with HQ, we must create a BOVPN VIF between the Datacenter and HQ via the interface connected to the MPLS line #The IP address of this BOVPN VIF is set as (local peer /32) #Add it to area 0 as well network /32 area 0!Remote sites individual area network /32 area 1 network /32 area 2!Filter the routes from HQ to remote area 1 filter-list prefix Central-2-Remote in area 2 filter-list prefix Central-2-Remote in 38 WatchGuard Technologies, Inc.

41 Solution B Configuration Explained Datacenter!Filter propagated lists ip prefix-list Central-2-Remote permit /24 ip prefix-list Central-2-Remote permit /24 ip prefix-list Central-2-Remote deny any router ospf ospf router-id !Add the local network to area 0 network /24 area 0 network /24 area 0 #To exchange OSPF info with HQ, we must create a BOVPN VIF between the Datacenter and HQ via the interface connected to the MPLS line #The IP address of this BOVPN VIF is set as (local peer /32) #Add it to area 0 as well network /32 area 0!VIF sites network /32 area 1 network /32 area 2!Filter the routes from DC to remotes area 1 filter-list prefix Central-2-Remote in area 2 filter-list prefix Central-2-Remote in Conclusion This configuration example demonstrates how to configure redundant links and OSPF on a large distributed network. This type of configuration provides redundant VPN connections between the remote sites and the main corporate network sites. This example includes two remote sites, but you can add as many remote sites as needed. This example describes two different solutions. Solution A shows an MPLS connection without a VPN. Solution B shows an MPLS connection with a VPN. For more information about how to configure BOVPN virtual interfaces and dynamic routing, see the Fireware Help. Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 39

42 Configuration Example Large-Scale Distributed Enterprise with BOVPN Virtual Interfaces and OSPF 40