Route Based Site to Site VPN - Static Routes

vpn route static

8 replies to this topic

#1 Markus Völkl

Markus Völkl
  • Members
  • 21 posts

Posted 20 January 2016 - 05:09 AM

I need to establish a Route Based Site to Site VPN with a Government VPN Gateway. I already have the tunnel up, but I don't know how to configure a static route to the tunnel interface.

 

My Side:

Local Network:     10.120.10.0/24

Public IP:              my_public_ip

 

Gov Side:

Local Network:     10.131.208.0/24

Public IP:              gov_public_ip

 

Tunnel Config:

VPN Interface Index: 99

Next Hop Interface IP: 172.16.128.5/30   our side of the tunnel

VPN Next Hop Routing: 172.16.128.6      the gov side of the tunnel

 

They have published some examples for Cisco and Juniper devices, and they work with a route to the tunnel interface. If I try to add a route for 10.131.208.0/24 to interface vpn99, it gives me an error.

 

How can I do that?

 

Markus



#2 Jens Hildenbeutel

Jens Hildenbeutel
  • Members
  • 53 posts
  • LocationKaiserslautern, Germany

Posted 20 January 2016 - 08:56 AM

Hi Markus,

 

normally, the NG F automatically adds routes for VPN-networks. Check Control -> Network and all tables if there is a route.

 

Jens



#3 Markus Völkl

Markus Völkl
  • Members
  • 21 posts

Posted 20 January 2016 - 09:11 AM

Hello Jens,

 

that is correct for policy-based VPNs, but not for route-based, because the tunnel config does not know anything about the subnets behind it. That is normally configured by static routes (on Juniper and Cisco, for example).

 

Markus



#4 Bartek Moczulski

Bartek Moczulski
  • Barracuda Team Members
  • 102 posts
  • LocationEMEA

Posted 21 January 2016 - 11:24 AM

According to your description you need to define

 - 172.16.128.5/30 as next hop interface on vpnr99 and
 - standard gateway route in Network Routing to 10.131.208.0/24 via 172.16.128.6



#5 Markus Völkl

Markus Völkl
  • Members
  • 21 posts

Posted 26 January 2016 - 05:51 AM

Hello Bartlomiej,

 

I've tried that. The problem is that the route will not be activated because 172.16.128.6 is not pingable.

The tunnel itself is up and running....

 

Markus



#6 Markus Völkl

Markus Völkl
  • Members
  • 21 posts

Posted 27 January 2016 - 12:45 AM

I've made more tests using tcpdump on our Cuda box, with strange results:

- when I ping 172.16.128.5 from the remote site, I get a packet per ping on the internet facing interface (with a filter on the remote public IP)

  no packets at all on other interfaces or vpnr99

- when I ping my local network from the remote site, I also get an ESP packet per ping on the inet interface

- when I ping 172.16.128.6 from the Cuda box, there is no packet on the inet interface, but I see the packets on vpnr99

 

That is why the route on the Cuda is never up: it never gets a successful ping of 172.16.128.6

 

Has anyone set up Route-Based VPN with static routes?



#7 Bernhard Patsch

Bernhard Patsch
  • Barracuda Team Members
  • 113 posts

Posted 27 January 2016 - 06:22 AM

Hi Michael,

 

It's hard to diagnose the problem without having access to the config and boxes.

You could check the step-by-step instruction in the TechLib: https://techlib.barr...toSiteRoutedVPN

 

If you need further assistance, please feel free to reach out to our support team.

 

Regards,

Bernhard



#8 Markus Völkl

Markus Völkl
  • Members
  • 21 posts

Posted 09 February 2016 - 07:14 AM   Best Answer

We have had contact with Barracuda Support and they said that "Route Based VPN" with Static Routes is not possible on Cudas. You can only use OSPF or BGP.

Therefore we have to buy a small Juniper device especially for this Government VPN Connection.



#9 Lars Lorenzen

Lars Lorenzen
  • Members
  • 4 posts

Posted 12 April 2016 - 04:11 AM

Hi Markus,

 

to allow a ping between 172.16.128.5 and 172.16.128.6 you'll have to make a Host Firewall Rule (Section Inbound-User) on both sides that allows the ICMP traffic.

 

Another thing that I found out is that you have to put in the IP including the netmask when you configure the "VPN Next Hop Interface Configuration" (e.g. 172.16.128.5/30) under the "VPN Settings" - "Server Settings" - "Advanced" tab.

 

We tested it successfully with two NG Firewalls running firmware 6.0.5.

 

Next step for us is to get it running with a Barracuda and a Fortinet box...
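Added example (not from this thread or Barracuda): a small pre-flight check of the addressing plan from post #4 and the netmask pitfall from post #9. It uses the thread's own tunnel and LAN addresses as sample input, confirms the static-route next hop is on-link for the tunnel interface, and flags a next hop that is left as /32 (the symptom the thread describes). The required host-firewall ICMP rule is not modelled; it must be checked on the box itself.

```python
import ipaddress

# Addressing taken from the thread (public IPs are not needed for this check)
LOCAL_LAN = "10.120.10.0/24"
REMOTE_LAN = "10.131.208.0/24"
TUNNEL_IF = "172.16.128.5/30"   # our side of the tunnel, WITH prefix
NEXT_HOP = "172.16.128.6"       # the peer's side of the tunnel


def check_route_based_plan(tunnel_if, next_hop, local_lan, remote_lan):
    """Return a list of problems with the plan; an empty list means it is consistent.

    tunnel_if: VPN next hop interface address including netmask, e.g. '172.16.128.5/30'
    next_hop:  peer tunnel address the static route for remote_lan points at
    """
    problems = []
    iface = ipaddress.ip_interface(tunnel_if)   # '172.16.128.5' alone is treated as /32
    hop = ipaddress.ip_address(next_hop)
    local = ipaddress.ip_network(local_lan, strict=False)
    remote = ipaddress.ip_network(remote_lan, strict=False)

    if iface.network.prefixlen == 32:
        problems.append("tunnel interface has no netmask (/32); enter it as e.g. 172.16.128.5/30")
    if hop not in iface.network:
        problems.append(f"next hop {hop} is not on-link for {iface.network}; the route cannot come up")
    elif hop in (iface.network.network_address, iface.network.broadcast_address):
        problems.append(f"next hop {hop} is the network or broadcast address of {iface.network}")
    if hop == iface.ip:
        problems.append("next hop equals our own tunnel address")
    if local.overlaps(remote):
        problems.append(f"local {local} overlaps remote {remote}; routing would be ambiguous")
    if hop in local or hop in remote:
        problems.append("next hop lies inside a LAN, so traffic would not be steered into the tunnel")
    return problems


def static_route(remote_lan, next_hop):
    """The route to enter in Network Routing, in 'destination via gateway' form."""
    return f"{ipaddress.ip_network(remote_lan, strict=False)} via {ipaddress.ip_address(next_hop)}"


if __name__ == "__main__":
    for tif in (TUNNEL_IF, "172.16.128.5"):   # second form reproduces the missing-netmask mistake
        print(tif, "->", check_route_based_plan(tif, NEXT_HOP, LOCAL_LAN, REMOTE_LAN) or "OK")
    print(static_route(REMOTE_LAN, NEXT_HOP))
```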