SD-WAN and Route-Based VPN
For information about Route-Based VPN and VPN Tunnel Interfaces (VTI), see the Site to Site VPN Administration Guide for your version > Chapter "Route-Based VPN".
SD-WAN Rules and VTI Routing
The routes on the Security Gateway control whether to encrypt traffic or not, and to which VPN peer.
A route on the Security Gateway can be one of these:
- Static route
- Dynamic route
- Policy-Based route (PBR)
- SD-WAN "Local Breakout"
If the traffic is routed through a VTI, then the Security Gateway encrypts the packet.
If the traffic is routed through a non-VTI interface, then the Security Gateway does not encrypt the packet (sends it as clear text), unless Domain-Based VPN decides otherwise.
For encrypted packets, SD-WAN " " selects the best path (VPN Transport / VPN Tunnel) to reach the VPN peer that the route already selected.
For a connection that was not encrypted, SD-WAN " " does not affect the traffic (even if the rule matches it).
In case of ECMP (Equal-Cost Multi-Path) routes configured towards two or more VTIs (VPN Peers):
- The Security Gateway decides on the VTI (VPN Peer) based on the Operating System routes.
- SD-WAN " " selects the best path to reach the selected VPN peer.
Roadmap - Support for SD-WAN " " to select the best VPN Peer based on SLA is on the roadmap.
SD-WAN Policy Considerations for Route-Based VPN
With dynamic routing, the set of networks whose traffic must be encrypted can change frequently.
- Make sure to include all your overlay networks in the " " rules:
  - When only Private networks (as described in RFC 1918) are used for the overlay network, you can use the objects "My VPN Domain" and "Peer VPN Domain".
  - If you have subnets with Public IP addresses in your overlay network, make sure to include them in your " " rules.
  - Make sure to also include all IP addresses of the Security Gateway VTIs in your " " rules, to get resiliency for the BGP peering with the VPN peers.
  Roadmap - Including all networks learned through VTIs in the Dynamic Objects "My VPN Domain" and "Peer VPN Domain" is on the roadmap. For more information about these Dynamic Objects, see Dynamic Objects in SD-WAN Policy.
- Avoid matching traffic that should be encrypted with SD-WAN "Local Breakout" rules:
  Such traffic is sent to the ISP in clear text, ignoring the Operating System routes to the VTI.
  Note - "Local Breakout" routes take precedence over Static routes / Dynamic routes.
  Roadmap - Excluding all networks learned through VTIs (or other next hops during the operating system routing) from the Dynamic Object "SD-WAN Internet" is on the roadmap. For more information about this Dynamic Object, see Dynamic Objects in SD-WAN Policy.
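The decision order described in this section (a matching "Local Breakout" rule first, then the operating system route by longest prefix, lowest Administrative Distance and ECMP, then encrypt only when the egress interface is a VTI) is easy to get wrong in a policy review. The following is an added example, not code from the Check Point guide or product: a small Python model of that decision plus an audit that lists every VTI-routed prefix an over-broad "Local Breakout" rule would push to the ISP in clear text. The interface names (`vt-*` for VTIs, `eth1` for the ISP), the AD value of 200 for BGP-learned routes, the route table and both policies are constructed for the illustration; Domain-Based VPN is not modelled.

```python
"""Model of the SD-WAN / Route-Based VPN forwarding decision described above.

Added example, not Check Point code. Interface naming, the AD of dynamic
routes, the route table and the policies below are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple
import zlib


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str                   # egress interface; "vt-*" = VTI (assumed naming)
    ad: int                      # administrative distance, lower wins (static = 1)
    peer: Optional[str] = None   # VPN peer behind the VTI, if any


@dataclass(frozen=True)
class BreakoutRule:
    name: str
    dst: IPv4Network                           # destinations the rule sends to the ISP
    exclude: Tuple[IPv4Network, ...] = ()      # overlay networks carved out of it


def flow_hash(src: str, dst: str, sport: int, dport: int) -> int:
    """Stand-in for the kernel's ECMP flow hash (CRC32 of the 4-tuple)."""
    return zlib.crc32(f"{src}-{dst}-{sport}-{dport}".encode())


def os_lookup(routes: List[Route], dst: IPv4Address, fh: int) -> Optional[Route]:
    """Longest prefix, then lowest AD; equal-cost survivors are split by flow hash.

    This is the step where, for ECMP towards several VTIs, the operating
    system (not SD-WAN) decides which VPN peer the packet goes to.
    """
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        return None
    best_len = max(r.prefix.prefixlen for r in matches)
    matches = [r for r in matches if r.prefix.prefixlen == best_len]
    best_ad = min(r.ad for r in matches)
    ecmp = sorted((r for r in matches if r.ad == best_ad), key=lambda r: r.iface)
    return ecmp[fh % len(ecmp)]


def forward(routes: List[Route], breakout: List[BreakoutRule],
            dst: IPv4Address, fh: int = 0) -> Tuple[str, Optional[str]]:
    """Return ("clear", iface), ("encrypt", peer) or ("drop", None) for dst."""
    # "Local Breakout" takes precedence over static and dynamic routes,
    # so a match here bypasses any route towards a VTI.
    for rule in breakout:
        if dst in rule.dst and not any(dst in n for n in rule.exclude):
            return ("clear", "isp")
    route = os_lookup(routes, dst, fh)
    if route is None:
        return ("drop", None)
    if route.iface.startswith("vt-"):
        return ("encrypt", route.peer)   # routed through a VTI: encrypted
    return ("clear", route.iface)        # non-VTI egress: clear text


def breakout_leaks(routes: List[Route], breakout: List[BreakoutRule]) -> List[Tuple[str, str]]:
    """Audit: VTI-routed prefixes that a breakout rule would send in clear text."""
    found = set()
    for r in routes:
        if not r.iface.startswith("vt-"):
            continue
        for rule in breakout:
            covered = any(r.prefix.subnet_of(e) for e in rule.exclude)
            if r.prefix.overlaps(rule.dst) and not covered:
                found.add((rule.name, str(r.prefix)))
    return sorted(found)


# Constructed route table: static ISP default, BGP-learned overlay via two
# VTIs (ECMP), and one static prefix via a VTI.
OVERLAY = IPv4Network("10.20.0.0/16")
MGMT = IPv4Network("10.99.0.0/24")
ROUTES = [
    Route(IPv4Network("0.0.0.0/0"), "eth1", ad=1),
    Route(OVERLAY, "vt-hub1", ad=200, peer="hub1"),
    Route(OVERLAY, "vt-hub2", ad=200, peer="hub2"),
    Route(MGMT, "vt-hub1", ad=1, peer="hub1"),
]
# Over-broad "Local Breakout" rule: catches the overlay too.
BAD_POLICY = [BreakoutRule("internet", IPv4Network("0.0.0.0/0"))]
# Same rule with the overlay carved out (what "My VPN Domain"/"Peer VPN Domain" give you).
GOOD_POLICY = [BreakoutRule("internet", IPv4Network("0.0.0.0/0"), exclude=(OVERLAY, MGMT))]

if __name__ == "__main__":
    dst = IPv4Address("10.20.5.7")
    print("bad policy :", forward(ROUTES, BAD_POLICY, dst))
    print("good policy:", forward(ROUTES, GOOD_POLICY, dst, flow_hash("10.1.0.9", str(dst), 40000, 443)))
    print("leaks      :", breakout_leaks(ROUTES, BAD_POLICY))
```

Run `breakout_leaks` against the routes the gateway actually holds (including the ones BGP learns through the VTIs) whenever a "Local Breakout" rule changes; a non-empty result means overlay traffic that should be encrypted will leave the ISP link in clear text.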
SD-WAN "Backhaul" and Route-Based VPN
For information about the SD-WAN Routing Preference "Backhaul Only", see Routing Preference "Backhaul Only".
In SmartConsole, in the applicable Star VPN Community object > on the VPN Routing page, do not select the option "To center or through the center to other satellites, to Internet and other VPN targets". This option overrides all the operating system routing decisions (whether to VTI or not) and it tries to encrypt all traffic to the Center Gateway. Therefore, this option cannot be used with Route-Based VPN.
If you use a Star VPN Community, then on the Satellite SD-WAN Security Gateways, configure the default route to the Center Gateway VTI.
You can use a Static default route or a Dynamic default route to the Center Gateway VTI.
- If the default route to the Center Gateway VTI is a Dynamic route (while the default route for each ISP is a Static route):
  - By default, the SD-WAN "Backhaul" mechanism acts as a backup only. You can use it with the SD-WAN Routing Preference "Prioritize Local Breakout" (see Routing Preference "Prioritize Local Breakout"), because static routes have a lower Administrative Distance (AD=1) than dynamic routing protocols. The lower the Administrative Distance, the higher the routing preference.
  - You can configure a routemap (see the Gaia Advanced Routing Administration Guide for your version) if you need the Administrative Distance of the specific Dynamic "VTI Default" route to be lower than the Administrative Distance of Static routes, so that the VTI default route becomes the active route.
- If the default route to the Center Gateway VTI is a Static route:
  - You can give this operating system static route the highest preference (the active / kernel route) by configuring it with the lowest priority value. You can use such a static route with the SD-WAN Routing Preference "Backhaul Only" or with the SD-WAN Routing Preference "Prioritize Local Breakout". If you use the SD-WAN Routing Preference "Prioritize Local Breakout", it overrides the operating system VTI route as long as the ISP Links are in the "Up" state.
  - You can give this operating system static route the lowest preference by configuring it with the highest priority value. This configures a backup mechanism at the operating system level: if the ISP Links are in the "Down" state, the traffic is encrypted over the Private link (such as MPLS). You can use such a static route only with the SD-WAN Routing Preference "Prioritize Local Breakout".
Considerations when the active default route is configured to the Center Gateway VTI
- The Security Gateway will not be reachable from the Internet, or from anywhere else outside the Site to Site VPN tunnel.
  Roadmap - Support for connections to the Security Gateway itself in the Symmetric Packet Return feature is on the roadmap. See SD-WAN Symmetric Packet Return.
- In the SD-WAN Policy, avoid matching the Steering Behavior "Local Breakout Only" or "Prioritize Local Breakout" to traffic that the Security Gateway itself initiates while the active default route points to the VTI.
  Roadmap - Support for local connections (initiated by the Security Gateway) is on the roadmap.
- Configure operating system-level probing for this default route, so that it is active only when the VPN tunnel is "Up" and there is connectivity through the VPN tunnel.
  Configuring such a route without probing can leave the Security Gateway without Internet access. As a result, the Security Gateway will not receive the SD-WAN Policy and will not be able to fetch the CRL from its Management Server (if the connection to the Management Server goes over the Internet).
- Consider using Policy Based Routing (PBR) to match this default route only for the local networks, so that it does not affect the Security Gateway itself.
  On a Security Gateway that runs the Gaia operating system, a "Local Breakout" rule in the SD-WAN Policy can override a PBR rule with a priority higher than 100.
  Roadmap - Support for overriding a PBR rule with a priority higher than 100 with a "Local Breakout" rule in the SD-WAN Policy on a Quantum Spark Gateway is on the roadmap.
- On a DAIP Security Gateway (see SD-WAN Configuration for DAIP Security Gateways), when the default route is assigned by a DHCP server on one of the ISP interfaces:
  - On a Security Gateway that runs the Gaia operating system, it is not supported to configure a manual default route (through a VTI) with a higher precedence than the kernel route (see sk151632).
  - On a Quantum Spark Gateway, you can configure a lower route priority for the Internet connection, so that the manual route takes precedence.
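The static/dynamic default-route choices above and the probing consideration in this list interact: which default route is active depends on Administrative Distance, then on the static-route priority value, and a VTI route that is not withdrawn when the tunnel is down turns into a black hole for the gateway's own traffic. The following is an added example, not Gaia or Check Point code: a Python model of that selection, covering the dynamic VTI default (with and without a routemap lowering its AD), the static VTI default at the lowest and at the highest priority value, and the effect of probing when the tunnel goes down. The AD of 200 for the BGP-learned route, the AD of 0 the routemap sets, the interface names and the probe semantics are assumptions for the illustration.

```python
"""Model of active default-route selection on a Satellite SD-WAN gateway.

Added example, not Gaia code. AD values for dynamic routes, interface names
and the probe model are assumptions for the illustration.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class DefaultRoute:
    iface: str
    source: str                    # "static" or "bgp"
    ad: int                        # administrative distance; static = 1 (as on the page)
    priority: int = 1              # static next-hop priority: lower value = preferred
    probe: Optional[bool] = None   # None = no probing configured; True/False = last result


def active_default(cands: List[DefaultRoute]) -> Optional[DefaultRoute]:
    """Lowest AD wins, then lowest priority value; probed-down routes are withdrawn."""
    usable = [r for r in cands if r.probe is not False]
    if not usable:
        return None
    return min(usable, key=lambda r: (r.ad, r.priority, r.iface))


def refresh(cands: List[DefaultRoute], tunnel_up: bool) -> List[DefaultRoute]:
    """Apply the tunnel state: probed VTI routes get the probe result, and a
    BGP-learned VTI route disappears with its peering when the tunnel is down.
    An unprobed static VTI route is left untouched, which is the problem case."""
    out = []
    for r in cands:
        if r.iface.startswith("vt-") and (r.source == "bgp" or r.probe is not None):
            out.append(replace(r, probe=tunnel_up))
        else:
            out.append(r)
    return out


def egress(cands: List[DefaultRoute], tunnel_up: bool) -> str:
    """Interface a default-routed packet leaves on, or "blackhole" / "no-route"."""
    route = active_default(refresh(cands, tunnel_up))
    if route is None:
        return "no-route"
    if route.iface.startswith("vt-") and not tunnel_up:
        return "blackhole"   # active VTI route, dead tunnel: gateway loses Internet
    return route.iface


def unprobed_active_vti(cands: List[DefaultRoute]) -> bool:
    """The check to run before committing: is the winning default route a VTI
    route with no probing? If so the gateway can end up without Internet,
    without SD-WAN Policy and without CRL fetches."""
    best = active_default(cands)
    return best is not None and best.iface.startswith("vt-") and best.probe is None


# Constructed routes. ISP defaults are static (AD 1); priority 2 and 3 leave
# value 1 free for a VTI route that should be preferred.
ISP1 = DefaultRoute("eth1", "static", ad=1, priority=2)
ISP2 = DefaultRoute("eth2", "static", ad=1, priority=3)

VTI_BGP = DefaultRoute("vt-center", "bgp", ad=200)          # dynamic default via VTI
VTI_BGP_ROUTEMAP = replace(VTI_BGP, ad=0)                   # after a routemap lowers its AD
VTI_STATIC_PROBED = DefaultRoute("vt-center", "static", ad=1, priority=1, probe=True)
VTI_STATIC_UNPROBED = DefaultRoute("vt-center", "static", ad=1, priority=1)
VTI_STATIC_BACKUP = DefaultRoute("vt-center", "static", ad=1, priority=8, probe=True)

if __name__ == "__main__":
    print("dynamic VTI default, no routemap :", active_default([ISP1, ISP2, VTI_BGP]).iface)
    print("dynamic VTI default, routemap    :", active_default([ISP1, ISP2, VTI_BGP_ROUTEMAP]).iface)
    print("static probed, tunnel down       :", egress([ISP1, ISP2, VTI_STATIC_PROBED], False))
    print("static unprobed, tunnel down     :", egress([ISP1, ISP2, VTI_STATIC_UNPROBED], False))
    print("unprobed VTI default active?     :", unprobed_active_vti([ISP1, ISP2, VTI_STATIC_UNPROBED]))
```

The two cases the page distinguishes map directly onto `VTI_STATIC_PROBED` (lowest priority value, usable with "Backhaul Only" or "Prioritize Local Breakout") and `VTI_STATIC_BACKUP` (highest priority value, an operating system level fallback that only becomes active once the ISP routes are gone). `unprobed_active_vti` is the one-line pre-flight check for the misconfiguration this section warns about.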