|
Requirements: CLI and IKEv2.
Without network-id not more than one overlay tunnel can be established with the same pair of underlay IP addresses:
FGT-A(192.0.2.1)----------Ipsec1-------(203.0.113.2)FGT-B
FGT-A(192.0.2.1)----------Ipsec2-------(203.0.113.2)FGT-B <- Not possible.
With network-id multiple overlay tunnels over the same pair of underlay IP addresses are possible.
FGT-A(192.0.2.1)----------Ipsec1-------(203.0.113.2)FGT-B
FGT-A(192.0.2.1)----------Ipsec2-------(203.0.113.2)FGT-B <- Possible.
Use case of Network_IDs:
With ADVPN , it is possible to leverage the Network-ids to configure multiple shortcut tunnels on the Branches those only have single ISPs.
Branch1(port1:x.x.x.x)---Advpn1---(port:y.y.y.y) Branch2
Branch1(port1:x.x.x.x)---Advpn2---(port:y.y.y.y) Branch2
Example:
- Branch1 and Branch2 have a single Internet access (ISP) and the Hub has two ISPs.
- Two overlay tunnels are built between each Branch and the Hub Advpn1 and Advpn2.
- Initially, traffic from the Branch1 to Branch2 will pass via B1---Advpn1---HUB--Advpn1--B2.
- The Hub will facilitate a shortcut tunnel negotiation between Branch1 and Branch2 over Advpn1.
- A shortcut tunnel over Advpn1 is established between Branch1 and Branch2. B1(port1)==Shortcut_advpn1==(port1)B2.
- Traffic from the Branch1 to Branch2 will traverse over the Shortcut _Advpn1.
- If ISP-1 on the HUB goes down:
- The Parent tunnel between Hub(ISP-1) and Branch1 will go down and same will happen between Hub(ISP-1) and Branch2.
- However, the Shortcut tunnel B1(port1)====Shortcut_advpn1====(port1)B2 will stay up as the lifetime of an ADVPN shortcut is independent of the lifetime of its original parent tunnel.
- Branch1↔Hub and Branch2↔Hub BGP peering over advpn1 go down.
- Routing between B1 and B2 converge over advpn2 via the Hub:
- Traffic from B1 to B2 flows through the Hub since there is no shortcut yet between B1 and B2 over advpn2.
- The Hub will try to facilitate a shortcut tunnel between Branch1 and Branch2 over Advpn2.
If Network-id is configured: Shortcut over advpn2 will established between Branch1 and Branch2 over Advpn2:
- Shortcuts for advpn2 and advpn1 are both established over the same underlay IP addresses Branch1/port1 ↔ Branch2/port1.
- These two 'overlapping' shortcuts can be simultaneously established because different network-id are configured for each overlay tunnel.
- After routing has converged, traffic flows through the advpn2 shortcut:
B1(port1:x.x.x.x)---Shortcut_advpn1---(port:y.y.y.y) B2
B1(port1:x.x.x.x)---Shortcut_advpn2---(port:y.y.y.y) B2
If Network-id is not configured: Shortcut-offer over advpn2 is ignored by Branch1 and Branch2.
- Because there already exists a shortcut (advpn1) over the same underlay IP addresses Branch1/port1 ↔ Branch2/port1. Two 'overlapping' shortcuts cannot be simultaneously established without configuring different network-id for each overlay tunnel.
- As long as Advpn1 shortcut is up, if Branch1 sends any traffic to Branch2 over Advpn2, it will go through a hub as no shortcut tunnels between both Branches will be established over Advpn2
Network_IDs configuration.
On Hub side:
config vpn ipsec phase1-interface
edit "advpn1"
set type dynamic
set interface "port1"
set ike-version 2
set network-overlay enable
set network-id 1
...
next
edit "advpn2"
set type dynamic
set interface "port2"
set ike-version 2
set network-overlay enable
set network-id 2
...
next
end
On Spokes:
config vpn ipsec phase1-interface
edit "advpn1"
set ike-version 2
set interface "port1"
set remote-gw x.x.x.x
set network-overlay enable
set network-id 1
...
next
edit "advpn2"
set ike-version 2
set interface "port1"
set remote-gw y.y.y.y
set network-overlay enable
set network-id 2
...
next
end
Notes:
- IKEv1 does not support Network_IDs.
- For IKEv1 Shortcut tunnels, dependency can be enabled so that once the parent tunnel goes down, the Shortcut tunnel over that parent tunnel will also go down.
|
