Tunnels VPN Hub‘n Spoke routés via BGP

Voici un exemple de routage dynamique BGP dans le cadre d’un réseau VPN en étoile de type Hub and Spoke.

Configuration des tunnels

Pour le paramétrage de la politique IPsec Hub‘n Spoke, consultez le HOW TO cité ci-dessous. Dans notre cas, les différences de paramétrage par rapport à cette procédure consistent à configurer les extrémités de trafic au moyen d’interfaces virtuelles, au lieu de réseaux distants dans la politique IPsec (voir paragraphe suivant).

Rendez-vous à l’adresse http://documentation.stormshield.eu/. Reportez-vous au HOW TO : VPN IPSec - Configuration Hub and Spoke, et consulter le cas n° 1 : trafic interne via les tunnels IPSec.

Site principal

TunnelA
Réseau local : Interface ipsec1 (172.16.0.1)
Correspondant :

Site_SpokeA

Réseau distant : Remote_tunnelA (172.16.0.2)
TunnelB
Réseau local : Interface ipsec2 (172.16.0.5)
Correspondant :

Site_SpokeB

Réseau distant : Remote_tunnelB (172.16.0.6)

Spoke A

Réseau local : Interface ipsec1 (172.16.0.2)
Correspondant :

Site_FW_Hub

Réseau distant : Remote_tunnelA (172.16.0.1)

Spoke B

Réseau local : Interface ipsec1 (172.16.0.6)
Correspondant :

Site_FW_Hub

Réseau distant : Remote_tunnelB (172.16.0.5)

Configuration BGP du site principal (Hub)


protocol direct {
}
 
protocol kernel {
  learn; # Learn all alien routes from the kernel
  persist; # Don't remove routes on bird shutdown
  scan time 20; # Scan kernel routing table every 20 seconds
  import all; # Default is import all
  export all; # Default is export none
  preference 254; # Protect existing routes
}
 
# This pseudo-protocol watches all interface up/down events.
protocol device {
  scan time 10; # Scan interfaces every 10 seconds
}
 
filter f_import {
 

if source = RTS_BGP then

 

accept;

  else
 

reject;

}
 
filter f_export {
  # local shared networks and BGP routes
 

if( (net = 192.168.0.0/24) || (source = RTS_BGP) ) then

 

accept;

 

else

 

reject;

}
 
router id <ip_pub_hub>;
 
template bgp star {
 

local as 65000;

 

import filter f_import;

 

export filter f_export;

 

hold time 5;

 

multihop;

 

rr client;

 

next hop self;

}
 
protocol bgp router_spokeA from star {
  neighbor 172.16.0.2 as 65000;
 

source address 172.16.0.1;

}
 
protocol bgp router_spokeB from star {
 

neighbor 172.16.0.6 as 65000;

 

source address 172.16.0.5;

}
 

Configuration BGP du site satellite Spoke A


protocol direct {
}
 
protocol kernel {
  learn;

# Learn all alien routes from the kernel

  persist; # Don't remove routes on bird shutdown
  scan time 20; # Scan kernel routing table every 20 seconds
  import all; # Default is import all
  export all; # Default is export none
  preference 254; # Protect existing routes
}
 
protocol device {
  scan time 10;

# Scan interfaces every 10 seconds

}
 
filter filter_export_net {
 

if(net = 192.168.1.0/24) then {

 

accept;

  }
 

else reject;

}

 
router id <ip_pub_spokeA>;
 
  protocol bgp router_tunnel1 {
 

local as 65000;

 

neighbor 172.16.0.1 as 65000;

 

hold time 5;

 

multihop;

 

import all;

 

export filter filter_export_net;

 

source address 172.16.0.2;

}
 

Configuration BGP du site satellite Spoke B


protocol direct {

}

 
protocol kernel {
  learn;

# Learn all alien routes from the kernel

  persist;

# Don't remove routes on bird shutdown

  scan time 20;

# Scan kernel routing table every 20 seconds

  import all;

# Default is import all

  export all;

# Default is export none

  preference 254;

# Protect existing routes

}
 
protocol device {
  scan time 10;

# Scan interfaces every 10 seconds

}

 
filter

filter_export_net {

 

if(net = 192.168.2.0/24) then {

 

accept;

  }
 

else reject;

}

router id <ip_pub_spokeB>;
 
protocol bgp router_tunnel2 {
 

local as 65000;

 

neighbor 172.16.0.5 as 65000;

 

hold time 5;

 

multihop;

 

import all;

 

export filter filter_export_net;

 

source address 172.16.0.6;

}

 

Vérification des tables de routage

Table de routage sur le site principal (Hub) :


bird> show route
 
0.0.0.0/0 via 10.60.0.254 on em0 [kernel1 10:16] * (254)
10.60.3.127/32 dev lo0 [kernel1 10:16] * (254)
192.168.0.0/24 dev em1 [direct1 10:16] * (240)
192.168.1.0/24 dev em2 [direct1 10:16] * (240)
192.168.1.0/24 via 172.16.0.2 on enc1 [router_tunnelA 10:22]*(100/0)[AS65001i]
192.168.2.0/24 via 172.16.0.6 on enc1 [router_tunnelB 10:21]*(100/0)[AS65002i]
192.168.0.254/32 dev lo0 [kernel1 10:16] * (254)
192.168.1.254/32 dev lo0 [kernel1 10:16] * (254)
172.16.0.0/30 dev lo1 [direct1 10:16] * (240)
10.60.0.0/16 dev em0 [direct1 10:16] * (240)
172.16.0.4/30 dev lo2 [direct1 10:16] * (240)
 

Table de routage sur spokeA :


bird> show route
0.0.0.0/0 via 10.60.0.254 on em0 [kernel1 13:32] * (254)
192.168.0.0/24 via 172.16.0.1 on enc1 [router_tunnelA 13:32] * (100/0) [i]
192.168.2.0/24

via 172.16.0.1 on enc1 [router_tunnelA 13:32] * (100/0) [i]

192.168.1.0/24 dev em1 [direct1 13:32] * (240)
172.16.0.0/30 dev lo1 [direct1 13:32] * (240)
10.60.3.128/32 dev lo0 [kernel1 13:32] * (254)
10.60.0.0/16 dev em0 [direct1 13:32] * (240)