12-27-2000 08:13 AM - edited 02-21-2020 11:15 AM
I have two 7140s running BGP, and they are going to two different ISPs. The two 7140s are connected together via Ethernet on the inside network. One of these 7140s does VPN terminations on the serial interface (going to the ISP). Depending on what path is taken from the Internet, the VPN connection may or may not come directly to the 7140 serial interface (the one running VPN). The problem is that a packet leaving the inside network going to a VPN client may not leave through the VPN router (depending on the BGP path); therefore the packet is not encapsulated going out, so it never gets to its destination.
My question is: is there a way to force the packet to go out the same way the connection came in?
Also any other ideas will help.
Thanks
Ali Tehrani
Senior Network Engineer
Network Visions, Inc.
12-29-2000 02:23 PM
That is a good question. I can tell you what I know. Obviously the packet is going to follow the routes the router has in its table. There's nothing you can do to the packet itself that will force it back through the same router. Without having more information, the only thing I can suggest is using a static route. If you get an answer on this, please post it!
01-04-2001 12:05 PM
Ali,
I can think of one thing you may be able to do. It is dependent upon the type of VPN. You could do some policy-based routing. This will work if you have another router (in the private network) behind the 7140s and you are doing LAN-to-LAN VPN. Let's say that the 7140 is router A, the router behind it is router B, and the remote network for the VPN is 10.0.0.0. What you can do on router B is tell it to route all traffic destined for network 10.0.0.0 to router A.
Let me know if you find this useful or not.
Thomas Mehok
WAN Engineer
Ohio Savings Bank
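The suggestion above, worked out as an added example (not configuration from anyone in this thread): on router B, either a plain static route or a policy route sends traffic for the remote VPN network toward router A, the 7140 that terminates the VPN. The addressing is assumed: router A's inside address is 192.168.1.1, router B's LAN-facing interface is FastEthernet0/0, and the remote network is the 10.0.0.0/8 from the post.

```cisco
! Added example. Assumed addressing:
!   Router A (the 7140 terminating the VPN), inside address: 192.168.1.1
!   Router B, interface where inside traffic enters:      FastEthernet0/0
!   Remote LAN-to-LAN VPN network (from the post):        10.0.0.0/8
!
! Option 1: a static route on router B for the remote VPN network.
! Administrative distance 1 beats anything router B learns dynamically.
ip route 10.0.0.0 255.0.0.0 192.168.1.1
!
! Option 2: policy-based routing. Matches on the packet rather than the
! routing table, so source-based rules are possible and the table is untouched.
access-list 101 remark traffic bound for the remote VPN network
access-list 101 permit ip any 10.0.0.0 0.255.255.255
!
route-map VPN-VIA-A permit 10
 match ip address 101
 set ip next-hop 192.168.1.1
!
! Empty permit clause: everything else follows the normal routing table.
route-map VPN-VIA-A permit 20
!
interface FastEthernet0/0
 description LAN side of router B; policy applies to traffic arriving here
 ip policy route-map VPN-VIA-A
!
! Check that the policy is actually matching:
!   show route-map VPN-VIA-A      (policy routing match counters)
!   show ip policy
```

Either option only steers traffic that originates behind router B; traffic that router A itself generates, or that arrives at router A over another path, still follows router A's own BGP table, which is the problem the later posts address with the crypto map placement.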
01-05-2001 08:15 AM
You may run a dynamic routing protocol over GRE. Doing this will give you flexibility for load-balancing and redundancy. You may put the IPsec in the GRE tunnel on both 7140 routers.
Just an idea..
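What the GRE-plus-IPsec idea looks like on one of the 7140s, as an added example that is not from this thread: a GRE tunnel carries the IGP, and a crypto map on the ISP-facing serial interface encrypts only the GRE packets between the two tunnel endpoints. The same template, with its own tunnel addresses, would go on the second 7140 so that both routers learn the remote LAN over their own tunnel. All addresses are assumed (RFC 5737 documentation ranges), the pre-shared key is a placeholder, and the cipher choices are what you would pick today rather than what a 2001-era 7140 image offered (which was typically 3DES).

```cisco
! Added example. Assumed addressing:
!   This 7140's ISP-facing serial: Serial0/0, 203.0.113.1/30
!   Remote VPN peer public address: 198.51.100.1
!   GRE tunnel addressing: 172.16.0.1/30 here, 172.16.0.2 remote
!   Inside LAN on this router: 192.168.1.0/24
!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-REAL-KEY address 198.51.100.1
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Only the GRE packets between the two tunnel endpoints need protection;
! whatever rides inside the tunnel is covered automatically.
access-list 110 permit gre host 203.0.113.1 host 198.51.100.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address 110
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0
 tunnel destination 198.51.100.1
! Images before 12.2(13)T also required "crypto map GRE-MAP" on this
! tunnel interface; current images want it on the physical interface only.
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map GRE-MAP
!
! Run the IGP over the tunnel, not over the Internet. Each 7140 then has a
! route to the remote LAN via its own tunnel, and the remote side can
! prefer one tunnel or load-share across both.
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! Verification:
!   show crypto ipsec sa        (packet counters on the GRE SA)
!   show ip ospf neighbor       (adjacency over Tunnel0)
!   show ip route 10.0.0.0      (remote LAN reached via Tunnel0)
```

The lowered tunnel MTU avoids fragmentation once the GRE and ESP headers are added; without it, large packets are fragmented after encryption and reassembled by the peer's crypto engine, which is a common source of throughput complaints on this design.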
01-05-2001 10:24 AM
After re-creating the problem in the lab and talking to TAC, I was able to come up with a solution.
I applied the crypto map to all of my interfaces leaving the router and also used the following command: crypto map sitename local-address interfacename
This allowed for the encryption of data leaving any of the router interfaces.
Ali Tehrani
Senior Network Engineer
Network Visions, Inc.
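The fix described above, written out as an added example (not the poster's actual configuration): the crypto map is applied to every interface a packet can leave on, including the inside Ethernet link to the other 7140, and local-address pins all IKE and IPsec SAs to a loopback so the peer sees one address whichever interface the traffic actually exits. The addressing is assumed: Serial0/0 faces the ISP, FastEthernet0/0 is the inside link to the second 7140, Loopback0 is 192.0.2.1 and is advertised to both ISPs via BGP, and the remote peer and protected networks are placeholders.

```cisco
! Added example. Assumed addressing:
!   Loopback0 192.0.2.1/32: stable VPN endpoint, advertised to both ISPs
!   Serial0/0: link to this router's ISP
!   FastEthernet0/0: inside Ethernet to the other 7140 (and its ISP)
!   Remote VPN peer: 198.51.100.1; remote protected network 10.0.0.0/8
!   Local protected network: 192.168.1.0/24
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-REAL-KEY address 198.51.100.1
!
crypto ipsec transform-set SITE-TS esp-aes 256 esp-sha-hmac
!
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
crypto map SITENAME 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set SITE-TS
 match address 120
!
! Every SA for this map is negotiated from Loopback0's address, no matter
! which physical interface the packet leaves on.
crypto map SITENAME local-address Loopback0
!
interface Serial0/0
 description To this router's ISP
 crypto map SITENAME
!
interface FastEthernet0/0
 description Inside link to the other 7140; BGP may send VPN traffic this way
 crypto map SITENAME
!
! Make the loopback reachable from the Internet over either ISP.
router bgp 65000
 network 192.0.2.1 mask 255.255.255.255
!
! Verification:
!   show crypto map                 (local-address shows Loopback0)
!   show crypto isakmp sa           (src should be 192.0.2.1)
!   show crypto ipsec sa            (encaps counters climb on whichever
!                                    interface the traffic exits)
```

Two things to check when copying this pattern: the other 7140 must have a route to 192.0.2.1 (the iBGP session or an IGP across the inside link provides it), and the AS number 65000 here is a private placeholder; use the site's real ASN and whatever the ISPs require for the loopback prefix to be accepted.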
01-07-2001 05:48 AM
You can do this very easily with route filters, access-lists and route maps.
The easiest way would be to deny that type of traffic on the undesirable interface and allow it on the desirable interface. Most of this is on Cisco's website. Check it out. It will save you a lot of time and research in the future.
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:BGP
Cisco makes it very easy to find answers online instead of waiting for a reply.
02-02-2001 11:39 PM
Here's how I beat BGP at its own game. This may or may not work for you (in my case I know the exact subnet my VPN was coming from). BGP has a metric much higher than what I'm about to do (whether it's eBGP or iBGP). So if, say, my VPN is coming in via S0/1, I can make it go back out that interface by
ip route 12.12.12.0 255.255.255.0 S0/1
This will make the router think the subnet is directly connected, so it will beat BGP; in a sense all packets from or to that subnet will always leave that interface. This was for me the best (although not scalable) way to beat BGP's famous asymmetric routes. So it was easier to config than a policy route, and when I did
redis static
redis conn
in my BGP config, I was able to send that to my other iBGP peer (other router at office), so it works fine. I just tell all my remote VPN clients to enter via the IPs relevant to that interface...
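The static-route approach from the post, as an added example that is not the poster's own configuration. The "metric" the post refers to is administrative distance: a static route is 1, eBGP 20 and iBGP 200, so the static wins regardless of what BGP learns. The example keeps the 12.12.12.0/24 subnet and S0/1 interface from the post, assumes the two 7140s peer over iBGP with placeholder AS 65000 and neighbor 192.168.1.2, and adds a route-map so that only the VPN prefix is redistributed rather than every static route on the box.

```cisco
! Added example. From the post: VPN clients arrive from 12.12.12.0/24 on
! Serial0/1 of the VPN 7140. Assumed: iBGP to the other 7140 at 192.168.1.2
! in placeholder AS 65000.
!
! Administrative distance decides the tie: static 1 < eBGP 20 < iBGP 200,
! so traffic to 12.12.12.0/24 always exits Serial0/1. Pointing the route at a
! point-to-point serial interface is fine; on a multi-access interface the
! router would instead have to ARP for every remote host.
ip route 12.12.12.0 255.255.255.0 Serial0/1
!
! Limit redistribution to the VPN prefix instead of every static route.
ip prefix-list VPN-PREFIXES seq 10 permit 12.12.12.0/24
!
route-map VPN-STATICS permit 10
 match ip address prefix-list VPN-PREFIXES
!
! Block the redistributed prefix from leaking to the ISPs.
ip prefix-list TO-ISP seq 10 deny 12.12.12.0/24
ip prefix-list TO-ISP seq 20 permit 0.0.0.0/0 le 32
!
router bgp 65000
 ! The iBGP peer learns 12.12.12.0/24 via this router and forwards VPN
 ! return traffic across the inside Ethernet instead of out its own ISP.
 redistribute static route-map VPN-STATICS
 neighbor 192.168.1.2 remote-as 65000
 neighbor 203.0.113.2 remote-as 64500
 neighbor 203.0.113.2 prefix-list TO-ISP out
!
! Verification:
!   show ip route 12.12.12.0
!     "S 12.12.12.0/24 is directly connected, Serial0/1"
!   show ip bgp 12.12.12.0          (on the other 7140, next hop = this router)
!   show ip bgp neighbors 203.0.113.2 advertised-routes
!     12.12.12.0/24 must not appear
```

The post's "redis conn" is left out on purpose: redistribute connected without a route-map pushes every connected subnet into BGP, including the inside links, which is rarely what you want advertised to an ISP. The outbound prefix-list toward the ISP (neighbor 203.0.113.2, assumed) is the other half of the same concern, since the redistributed static would otherwise be advertised to the upstream as if this site originated the prefix.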