Setup IPSec tunnel/site2site on BGP assigned public IP address
Hi,
I have NSa 3650 HA (Active/Passive) cluster stretched between two Datacenters.
In each I have an Internet connection to the same provider with a BGP address but different connection links:
Let's assume:
Datacenter I (X1) 1.2.3.4 - gateway 1.2.3.5
Datacenter II (X2) 6.7.8.9 - gateway 6.7.8.10
All gateways are BGP neighbors of the same private AS.
BGP network is 10.10.10.32/28
I need to set up a VPN connection to a 3rd party and give them the IP address 10.10.10.33 as my VPN address, so I don't have to care about my VPN tunnels during failover.
Is it possible? I know that on Fortigate it is possible, but on SonicWall I have a problem (IMHO) with setting this policy's "bound to" in the advanced settings of the VPN interface/site2site setup.
Any ideas?
Answers
10.10.10.33 is an RFC 1918 address and no one will route to it. I'm assuming you are just masking the real one.
AFAIK BGP configuration is only possible on the CLI, so you might have to try configuring your tunnel there.
@TKWITS you're right. The IP addresses are just an example. I could use A.B.C.D.
I know that BGP on SonicWall is only by CLI. The real question is: does anyone know how to bind a VPN policy (either tunnel interface or site2site) to a BGP IP address? As far as I was able to dig in, SonicWall allows binding a VPN to an IP address which is set on an interface, and I was wondering if someone was smarter than me. It doesn't even allow setting a VPN to an address within the pool of IP addresses set on an interface, i.e. my WAN network is 10.20.30.40/29, so my X1 might be 10.20.30.42/29 with the gateway pointing to 10.20.30.41. In that particular case I'm not able to set up a VPN on address 10.20.30.43.
I'm most interested in setting up a VPN on BGP addresses. Anyone?
I do not have experience setting up a VPN tunnel using a BGP address.
Have you tried seeing what options are available for configuring the tunnels 'bound-to' settings in the CLI?
Contact support and let us know what you come up with.
The sad thing is that on FORTIGATE such a config is available, even with hardware acceleration, even on internally routed VDOMs.
I thought I would be able to kick Forti, but now it isn't so obvious.
PS.
For all interested: case number 44155819.
What do you mean by "BGP assigned public IP address"? BGP is a way of exchanging routing information, not assigning IPs, right?
I feel like your real question is, how do I bind a VPN policy to an IP that doesn't belong to an interface?, to which I think the answer is "you can't".
Even though all VPN traffic goes out from the router with the interface source IP, incoming traffic is banned by the firewall because of IP spoofing.
So... maybe my interpretation of your question is wrong? "with interface source IP": is this the IP you're expecting and wanting it to use, but the replies are discarded? You can disable "IP Spoof checking" in the internal settings.
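To make the "IP spoofing" drop discussed above concrete, here is an added example (not from this thread, and not SonicWall's implementation) that models a generic strict reverse-path spoof check over a constructed routing table built from the question's example addresses. The link prefixes (1.2.3.0/29, 6.7.8.8/29), the loopback-style interface name `LOOP` for the BGP-advertised /28 and the third-party address 203.0.113.10 are assumptions; the point is that a source inside 10.10.10.32/28 arriving on X1 fails the check because the route back to it does not leave via X1, and that with asymmetric routing a legitimate peer arriving on X2 fails too.

```python
# Added example: generic strict reverse-path (anti-spoof) check model.
# Not SonicWall's code; addresses below are constructed from the question.
import ipaddress

# Constructed routing table: (prefix, egress interface).
ROUTES = [
    ("1.2.3.0/29", "X1"),        # X1 link network, Datacenter I (assumed /29)
    ("6.7.8.8/29", "X2"),        # X2 link network, Datacenter II (assumed /29)
    ("10.10.10.32/28", "LOOP"),  # BGP-advertised block on a loopback-style iface
    ("0.0.0.0/0", "X1"),         # default route via X1 (Datacenter I)
]


def lookup(ip):
    """Longest-prefix match: return the egress interface for ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def spoof_check(src_ip, ingress_iface, enabled=True):
    """Strict RPF: the packet passes only if the route back to its source
    leaves via the interface it arrived on. Returns 'pass' or 'drop'.
    enabled=False models the 'IP Spoof checking' setting being turned off."""
    if not enabled:
        return "pass"
    return "pass" if lookup(src_ip) == ingress_iface else "drop"


if __name__ == "__main__":
    # Third-party peer reaching X1 (expected path) passes.
    print(spoof_check("203.0.113.10", "X1"))
    # A source claiming to be inside the BGP block, arriving on X1, is dropped.
    print(spoof_check("10.10.10.33", "X1"))
    # Same peer arriving on X2 is dropped by strict RPF (asymmetric routing).
    print(spoof_check("203.0.113.10", "X2"))
```

Disabling the check removes the drop, but it also removes the protection it provides; a route for the BGP block that points back out the arriving interface is what a strict reverse-path check actually requires.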
Hi,
"What do you mean by "BGP assigned public IP address"?"