Tunnels VPN Hub‘n Spoke routés via BGP

Voici un exemple de routage dynamique BGP dans le cadre d’un réseau VPN en étoile de type Hub and Spoke.

Configuration des tunnels

Pour le paramétrage de la politique IPsec Hub‘n Spoke, consultez le HOW TO cité ci-dessous. Dans notre cas, les différences de paramétrage par rapport à cette procédure consistent à configurer les extrémités de trafic au moyen d’interfaces virtuelles, au lieu de réseaux distants dans la politique IPsec (voir paragraphe suivant).

Rendez-vous à l’adresse http://documentation.stormshield.eu/. Reportez-vous au HOW TO : VPN IPsec - Configuration Hub and Spoke, et consulter le cas n° 1 : trafic interne via les tunnels IPsec.

Site principal

TunnelA

Réseau local :	Interface ipsec1 (172.16.0.1)
Correspondant :	Site_SpokeA
Réseau distant :	Remote_tunnelA (172.16.0.2)

TunnelB

Réseau local :	Interface ipsec2 (172.16.0.5)
Correspondant :	Site_SpokeB
Réseau distant :	Remote_tunnelB (172.16.0.6)

Spoke A

Réseau local :	Interface ipsec1 (172.16.0.2)
Correspondant :	Site_FW_Hub
Réseau distant :	Remote_tunnelA (172.16.0.1)

Spoke B

Réseau local :	Interface ipsec1 (172.16.0.6)
Correspondant :	Site_FW_Hub
Réseau distant :	Remote_tunnelB (172.16.0.5)

Configuration BGP du site principal (Hub)

protocol direct {
}

protocol kernel {
	learn;	# Learn all alien routes from the kernel
	persist;	# Don't remove routes on bird shutdown
	scan time 20;	# Scan kernel routing table every 20 seconds
	import all;	# Default is import all
	export all;	# Default is export none
	preference 254;	# Protect existing routes
}

# This pseudo-protocol watches all interface up/down events.
protocol device {
	scan time 10;	# Scan interfaces every 10 seconds
}

filter f_import {
	if source = RTS_BGP then
	accept;
	else
	reject;
}

filter f_export {
	# local shared networks and BGP routes
	if( (net = 192.168.0.0/24) \|\| (source = RTS_BGP) ) then
	accept;
	else
	reject;
}

router id <ip_pub_hub>;

template bgp star {
	local as 65000;
	import filter f_import;
	export filter f_export;
	hold time 5;
	multihop;
	rr client;
	next hop self;
}

protocol	bgp router_spokeA from star {
	neighbor 172.16.0.2 as 65000;
	source address 172.16.0.1;
}

protocol bgp router_spokeB from star {
	neighbor 172.16.0.6 as 65000;
	source address 172.16.0.5;
}

Configuration BGP du site satellite Spoke A

protocol direct {
}

protocol kernel {
	learn;	# Learn all alien routes from the kernel
	persist;	# Don't remove routes on bird shutdown
	scan time 20;	# Scan kernel routing table every 20 seconds
	import all;	# Default is import all
	export all;	# Default is export none
	preference 254;	# Protect existing routes
}

protocol device {
	scan time 10;	# Scan interfaces every 10 seconds
}

filter filter_export_net {
	if(net = 192.168.1.0/24) then {
	accept;
	}
	else reject;
}

router id <ip_pub_spokeA>;

protocol bgp router_tunnel1 {
	local as 65000;
	neighbor 172.16.0.1 as 65000;
	hold time 5;
	multihop;
	import all;
	export filter filter_export_net;
	source address 172.16.0.2;
}

Configuration BGP du site satellite Spoke B

protocol direct {
}

protocol kernel {
	learn;	# Learn all alien routes from the kernel
	persist;	# Don't remove routes on bird shutdown
	scan time 20;	# Scan kernel routing table every 20 seconds
	import all;	# Default is import all
	export all;	# Default is export none
	preference 254;	# Protect existing routes
}

protocol device {
	scan time 10;	# Scan interfaces every 10 seconds
}

filter	filter_export_net {
	if(net = 192.168.2.0/24) then {
	accept;
	}
	else reject;
}
router id <ip_pub_spokeB>;

protocol bgp router_tunnel2 {
	local as 65000;
	neighbor 172.16.0.5 as 65000;
	hold time 5;
	multihop;
	import all;
	export filter filter_export_net;
	source address 172.16.0.6;
}

Vérification des tables de routage

Table de routage sur le site principal (Hub) :

bird> show route
0.0.0.0/0	via 10.60.0.254 on em0 [kernel1 10:16] * (254)
10.60.3.127/32	dev lo0 [kernel1 10:16] * (254)
192.168.0.0/24	dev em1 [direct1 10:16] * (240)
192.168.1.0/24	dev em2 [direct1 10:16] * (240)
192.168.1.0/24	via 172.16.0.2 on enc1 [router_tunnelA 10:22]*(100/0)[AS65001i]
192.168.2.0/24	via 172.16.0.6 on enc1 [router_tunnelB 10:21]*(100/0)[AS65002i]
192.168.0.254/32	dev lo0 [kernel1 10:16] * (254)
192.168.1.254/32	dev lo0 [kernel1 10:16] * (254)
172.16.0.0/30	dev lo1 [direct1 10:16] * (240)
10.60.0.0/16	dev em0 [direct1 10:16] * (240)
172.16.0.4/30	dev lo2 [direct1 10:16] * (240)

Table de routage sur spokeA :

bird> show route
0.0.0.0/0	via 10.60.0.254 on em0 [kernel1 13:32] * (254)
192.168.0.0/24	via 172.16.0.1 on enc1 [router_tunnelA 13:32] * (100/0) [i]
192.168.2.0/24	via 172.16.0.1 on enc1 [router_tunnelA 13:32] * (100/0) [i]
192.168.1.0/24	dev em1 [direct1 13:32] * (240)
172.16.0.0/30	dev lo1 [direct1 13:32] * (240)
10.60.3.128/32	dev lo0 [kernel1 13:32] * (254)
10.60.0.0/16	dev em0 [direct1 13:32] * (240)