BOVPN Virtual Interface Load Balancing with OSPF
Example configuration files created with — WSM v11.10
Revised — 9/24/2015
Use Case
In this configuration example, an organization has networks at two sites and uses a branch office VPN to connect the two
networks. To increase the total throughput between sites and to make their VPN connection more fault-tolerant, they want to
set up a second VPN tunnel between the two sites, and load balance connections through both VPN tunnels.
This configuration example is provided as a guide. Additional configuration settings could be necessary, or
more appropriate, for your network environment.
Solution Overview
A BOVPN virtual interface provides a secure VPN tunnel for traffic between the networks protected by two Firebox devices.
You can configure a second BOVPN virtual interface to send traffic through a second external interface. This configuration
example shows how to set up two BOVPN virtual interfaces between two sites and use OSPF to load balance connections
through the two VPN tunnels with equal priority.
Requirements
For the BOVPN virtual load balancing described in this example to operate correctly, each Firebox must use Fireware v11.9
or higher, and each Firebox must have two external interfaces.
How It Works
OSPF supports ECMP (equal cost multipath) load balancing. If multiple routes to the same destination have an equal route
metric, OSPF uses ECMP to evenly distribute traffic across multiple routes based on source and destination IP addresses, and
the number of connections that currently use each route. In this example configuration, two BOVPN virtual interfaces are
configured between two Firebox devices. Each VPN uses a different external interface. The two devices use OSPF to
exchange information about routes to their local networks through both tunnels. Because the point-to-point connections
through each tunnel have the same metric, OSPF load balances traffic through both tunnels with equal priority.
• Each Firebox uses OSPF to propagate routes to local networks through both BOVPN virtual interfaces.
• When both VPN tunnels are available, OSPF uses ECMP to load balance connections through the two VPN tunnels.
• If one external interface or one tunnel goes down, OSPF automatically sends all traffic through the other BOVPN tunnel.
Example
To illustrate this use case, we present an example of an organization that has Firebox devices at two locations: one in
Hamburg, and another in Berlin. This example shows how to set up two VPN tunnels and load balance traffic through both
tunnels with equal priority.
Topology
This configuration example uses the IP addresses shown in the subsequent diagram.
Configuration Explained
Network Configuration
The IP addresses for each site in this configuration:
The details of each configuration file are described in the next section.
Multi-WAN Configuration
The Berlin Firebox has two external interfaces, External-1 and External-2, and one trusted interface.
The Hamburg Firebox has two external interfaces, External-1 and External-2, and one trusted interface.
Both Firebox devices are configured to use the Routing Table multi-WAN method. The multi-WAN method controls load
balancing for non-IPSec traffic routed through the external interfaces. The multi-WAN settings do not enable load balancing of
IPSec traffic through the tunnel. The load balancing of traffic through the tunnel is a function of OSPF, as configured in the
subsequent section.
In this example multi-WAN configuration, each Firebox uses the external IP address of the peer device as a ping link monitor
target for each external interface. The ping target is not required, but we recommend that you configure a reliable link monitor
target any time you configure multi-WAN.
VPN Configuration
The example configurations contain two BOVPN virtual interfaces for VPN connections between each site.
Each device has two BOVPN virtual interfaces. Each BOVPN virtual interface is named to represent the location of the remote
device, and which local external interface it uses.
BOVPN Virtual Interfaces
Each Firebox has two BOVPN virtual interfaces.
For each BOVPN virtual interface, the remote gateway ID is an external IP address on the peer Firebox.
• The Local Gateway ID is set to the IP address of the local External-1 interface, 192.0.2.1.
• The Interface is set to External-1.
• The Remote Gateway IP Address and ID are both set to the IP address of the external interface on the Hamburg Firebox, 192.0.2.9.
To configure dynamic routing through a BOVPN virtual interface, you must assign virtual interface IP addresses in the VPN
Routes tab.
In the VPN Routes tab, the virtual IP addresses are set to:
• Local IP address: 10.0.10.1
• Peer IP address: 10.0.10.3
For this example, the virtual interface IP addresses used for both tunnels are all in the 10.0.10.0/24 subnet. This subnet is used
in the OSPF configuration to define a point-to-point network.
• The Local Gateway ID is set to the IP address of the local External-1 interface, 192.0.2.9.
• The Interface is set to External-1.
• The Remote Gateway IP Address and ID are both set to the IP address of the external interface on the Berlin Firebox, 192.0.2.1.
A Local IP address and Peer IP address are configured in the VPN Routes tab. These IP addresses are used in the OSPF
configuration to define a point-to-point network. These IP addresses must be the opposite of the addresses configured for this
tunnel on the peer Firebox.
In the VPN Routes tab, the virtual IP addresses are set to:
• Local IP address: 10.0.10.3
• Peer IP address: 10.0.10.1

• The Local Gateway ID is set to the IP address of the local External-2 interface, 203.0.113.1.
• The Interface is set to External-2.
• The Remote Gateway IP Address and ID are both set to the IP address of the External-2 interface on the Hamburg Firebox, 203.0.113.9.
In the VPN Routes tab, the virtual IP addresses are set to:

• The Local Gateway ID is set to the IP address of the local External-2 interface, 203.0.113.9.
• The Interface is set to External-2.
• The Remote Gateway IP Address and ID are both set to the IP address of the External-2 interface on the Hamburg Firebox, 203.0.113.2.
In the VPN Routes tab, the virtual IP addresses are set to:
• Local IP address: 10.0.10.2
• Peer IP address: 10.0.10.4
These IP addresses are the opposite of the addresses configured for this tunnel on the peer Firebox.
router ospf
 ospf router-id 172.16.100.1
 ! exclude all but bvpn virtual interfaces
 passive-interface default
 no passive-interface bvpn1
 no passive-interface bvpn2
 ! which networks are announced in OSPF area 0.0.0.0
 ! bvpn Point-to-Point networks
 network 10.0.10.0/24 area 0.0.0.0
 ! Trusted network
 network 172.16.100.0/24 area 0.0.0.0

router ospf
 ospf router-id 172.16.101.1
 ! exclude all but bvpn interfaces
 passive-interface default
 no passive-interface bvpn1
 no passive-interface bvpn2
 ! which networks are announced in OSPF area 0.0.0.0
 ! bvpn Point-to-Point networks
 network 10.0.10.0/24 area 0.0.0.0
 ! Trusted network
 network 172.16.101.0/24 area 0.0.0.0
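The following checker is an added example, not part of this WatchGuard document or of Fireware: it parses the two OSPF stanzas above together with the VPN Routes addresses from this example and flags a missing passive-interface default (which would let OSPF hellos onto trusted or external interfaces), an OSPF-active interface that is not a BOVPN virtual interface, a local/peer pair that is not mirrored on the other Firebox, and a point-to-point address not announced in the same area on both sides. The Hamburg bvpn2 address pair is not printed in this document and is assumed here to mirror Berlin's.

```python
import ipaddress
import re

# OSPF stanzas from this example, one per Firebox (Berlin, then Hamburg).
BERLIN_OSPF = """router ospf
 ospf router-id 172.16.100.1
 passive-interface default
 no passive-interface bvpn1
 no passive-interface bvpn2
 network 10.0.10.0/24 area 0.0.0.0
 network 172.16.100.0/24 area 0.0.0.0
"""
HAMBURG_OSPF = BERLIN_OSPF.replace("172.16.100", "172.16.101")

# VPN Routes tab (local, peer) per tunnel; Hamburg's bvpn2 pair is assumed (not printed on the page).
BERLIN_VIFS = {"bvpn1": ("10.0.10.1", "10.0.10.3"), "bvpn2": ("10.0.10.2", "10.0.10.4")}
HAMBURG_VIFS = {"bvpn1": ("10.0.10.3", "10.0.10.1"), "bvpn2": ("10.0.10.4", "10.0.10.2")}

def parse_ospf(text):  # settings the checks need from a 'router ospf' stanza
    cfg = {"passive_default": False, "active": set(), "networks": {}}
    for line in text.splitlines():
        line = line.split("!")[0].strip()          # drop Quagga-style comments
        if line == "passive-interface default":
            cfg["passive_default"] = True
        elif m := re.fullmatch(r"no passive-interface (\S+)", line):
            cfg["active"].add(m.group(1))
        elif m := re.fullmatch(r"network (\S+) area (\S+)", line):
            cfg["networks"][ipaddress.ip_network(m.group(1))] = m.group(2)
    return cfg

def area_of(cfg, ip):
    addr = ipaddress.ip_address(ip)
    # area whose 'network' statement covers ip, or None if it is not announced
    return next((a for n, a in cfg["networks"].items() if addr in n), None)

def check_sites(ospf_a, vifs_a, ospf_b, vifs_b):
    """Return a list of problems; an empty list means the two sites agree."""
    problems = []
    for site, cfg, vifs in (("A", ospf_a, vifs_a), ("B", ospf_b, vifs_b)):
        if not cfg["passive_default"]:    # keep hellos off trusted/external
            problems.append(f"{site}: missing 'passive-interface default'")
        for iface in sorted(cfg["active"] ^ set(vifs)):
            problems.append(f"{site}: active OSPF interfaces differ from BOVPN interfaces: {iface}")
    for vif, (local, peer) in vifs_a.items():
        if vifs_b.get(vif) != (peer, local):   # each side must mirror the other
            problems.append(f"{vif}: VPN Routes addresses are not mirrored")
        elif area_of(ospf_a, local) is None or area_of(ospf_a, local) != area_of(ospf_b, peer):
            problems.append(f"{vif}: point-to-point network not announced in one area")
    return problems

print(check_sites(parse_ospf(BERLIN_OSPF), BERLIN_VIFS, parse_ospf(HAMBURG_OSPF), HAMBURG_VIFS) or "OK")
```

With the values from this example the checker prints OK; swapping one peer address or removing passive-interface default on either side produces a named problem.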
Dynamic Routes
After the configuration is saved to the two Firebox devices, the routes propagate through the tunnel to each device. With this
configuration, each device has two routes to the remote trusted network. Both routes have the same metric, and each uses a
different virtual interface. After the tunnels are established between the two devices, you can see the learned routes in the
Status Report.
The OSPF network routing table shows the two routes through each BOVPN virtual interface.
On the Traffic Monitor tab, you can see that both VPN tunnels are used for connections from different clients.
On the Front Panel tab you can monitor the traffic statistics for both VPN interfaces to see the traffic load balanced through
both tunnels.
Conclusion
This configuration example demonstrates how to configure OSPF to do load balancing through two BOVPN virtual interfaces.
This type of configuration provides redundancy for the secure connection between the two networks, as well as load balancing
of IPSec VPN traffic through two external interfaces. You could extend this configuration to load balance connections through
more than two VPN tunnels if both devices have additional external interfaces.
For more information about how to configure BOVPN virtual interfaces and dynamic routing, see the Fireware Help.
About this Configuration Example
For complete product documentation, see the Fireware Help on the WatchGuard website at:
http://www.watchguard.com/help/documentation/.
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide,
available online at: http://www.watchguard.com/help/documentation/.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard Firebox line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.
For more information, please call 206.613.6600 or visit www.watchguard.com.

Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575

Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895