Route Injection Mechanism
Overview of Route Injection
Route Injection Mechanism (RIM) enables a Security Gateway to use dynamic routing protocols to propagate the encryption domain of a VPN peer Security Gateway to the internal network and then initiate back connections. When a VPN tunnel is created, RIM updates the local routing table of the Security Gateway to include the encryption domain of the VPN peer.
Note - Route Injection is not currently supported for IPv6.
RIM can only be enabled when permanent tunnels are configured for the community. Permanent tunnels are kept alive by tunnel test packets. When a Security Gateway fails to reply, the tunnel is considered 'down.' RIM then deletes the route to the failed link from the local routing table, which triggers neighboring dynamic-routing-enabled devices to update their routing information accordingly. As a result, all traffic that would have crossed the VPN tunnel is redirected to a pre-defined alternative path.
There are two possible methods to configure RIM:
- Automatic RIM - RIM automatically injects the route to the encryption domain of the peer Security Gateways.
- Custom Script - Specify tasks for RIM to perform according to specific needs.
Route injection can be integrated with MEP functionality (which route return packets back through the same MEP Security Gateway). For more information on MEP, see Multiple Entry Point VPNs.
Automatic RIM
Automatic RIM can be enabled using the GUI when the operating system on the Security Gateway is SecurePlatform, IPSO or Linux. Although a custom script can be used on these systems, no custom-written scripts are required.
In this scenario:
- Security Gateways 1 and 2 are both RIM and have a dynamic routing protocol enabled.
- R1 and R4 are routers with dynamic routing enabled.
- When a VPN tunnel is created, RIM updates the local routing tables of Security Gateways 1 and 2 to include the encryption domain of the other Security Gateway.
- Should the VPN tunnel become unavailable, traffic is redirected to the leased line.
The routing tables for the Security Gateways and routers read as follows. Entries in bold represent routes injected into the Security Gateways local routing tables by RIM:
For Security Gateway 1:

| Destination | Netmask | Gateway | Metric |
|---|---|---|---|
| 0.0.0.0 | 0.0.0.0 | 172.16.10.2 | 1 |
| **192.168.21.0** | **255.255.255.0** | **172.16.10.2** | **1** |
| 192.168.11.0 | 255.255.255.0 | 192.168.10.1 | 1 |

Security Gateway 2:

| Destination | Netmask | Gateway | Metric |
|---|---|---|---|
| 0.0.0.0 | 0.0.0.0 | 172.16.20.2 | 1 |
| **192.168.11.0** | **255.255.255.0** | **172.16.20.2** | **1** |
| 192.168.21.0 | 255.255.255.0 | 192.168.20.1 | 1 |

R1 (behind Security Gateway 1):

| Destination | Netmask | Gateway | Metric |
|---|---|---|---|
| 0.0.0.0 | 0.0.0.0 | 192.168.10.2 | 1 |
| 192.168.21.0 | 255.255.255.0 | 192.168.10.2 | 1 |
| 192.168.21.0 | 255.255.255.0 | 10.10.10.2 | 2 |

R4 (behind Security Gateway 2):

| Destination | Netmask | Gateway | Metric |
|---|---|---|---|
| 0.0.0.0 | 0.0.0.0 | 192.168.20.2 | 1 |
| 192.168.11.0 | 255.255.255.0 | 192.168.20.2 | 1 |
| 192.168.11.0 | 255.255.255.0 | 10.10.10.1 | 2 |
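The failover in this scenario, as an added example that is not part of the original page: a small POSIX shell/awk route lookup over R1's table (constructed here from the figures above as "destination netmask next-hop metric" lines) that picks the longest prefix and then the lowest metric, plus a withdrawal step standing in for the dynamic-routing update R1 receives after RIM deletes the route on Security Gateway 1.

```shell
#!/bin/sh
# Added example (not from the page): longest-prefix / lowest-metric lookup over
# R1's routing table, showing the failover that RIM triggers. Constructed input:
# R1's table as "destination netmask next-hop metric" lines.
R1_TABLE='0.0.0.0 0.0.0.0 192.168.10.2 1
192.168.21.0 255.255.255.0 192.168.10.2 1
192.168.21.0 255.255.255.0 10.10.10.2 2'

best_next_hop() {
    # $1 = routing table text, $2 = destination IP; prints the chosen next hop
    printf '%s\n' "$1" | awk -v dst="$2" '
    function ip2n(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    {   blk = 2^32 - ip2n($2)                 # addresses covered by one block of this mask
        if (int(ip2n(dst) / blk) != int(ip2n($1) / blk)) next
        # longest prefix wins; among equal prefixes the lowest metric wins
        if (!found || ip2n($2) > bm || (ip2n($2) == bm && $4 < bmet)) {
            found = 1; bm = ip2n($2); bmet = $4 + 0; gw = $3
        }
    }
    END { if (found) print gw }'
}

withdraw_route() {
    # $1 = table, $2 = destination, $3 = next hop; prints the table without that
    # route. When the tunnel test fails, RIM deletes the injected route on
    # Security Gateway 1 and R1 learns the withdrawal through dynamic routing.
    printf '%s\n' "$1" | awk -v d="$2" -v g="$3" '!($1 == d && $3 == g)'
}

# Tunnel up: R1 forwards 192.168.21.x over the VPN (metric 1 via Security Gateway 1)
echo "tunnel up:   192.168.21.7 -> $(best_next_hop "$R1_TABLE" 192.168.21.7)"
# Tunnel down: the VPN route is withdrawn and the leased line (metric 2) takes over
R1_AFTER=$(withdraw_route "$R1_TABLE" 192.168.21.0 192.168.10.2)
echo "tunnel down: 192.168.21.7 -> $(best_next_hop "$R1_AFTER" 192.168.21.7)"
```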
Custom Scripts
Custom scripts can be run on any Security Gateway in the community. These scripts are executed whenever a tunnel changes its state, i.e. goes "up" or "down." Such an event, for example, can be the trigger that initiates a dial-up connection.
A script template custom_rim (with a .sh or .bat extension depending on the operating system) is provided in the $FWDIR/Scripts directory. The basic script (for SecurePlatform, IPSO, or Linux only):
Sample customized script for SecurePlatform, IPSO, or Linux

    #!/bin/sh
    # This script is invoked each time a tunnel is configured with the RIM option
    # and the tunnel changed state.
    #
    # You may add your custom commands to be invoked here.
    # Parameters read from command line.
    RIM_PEER_GW=$1
    RIM_NEW_STATE=$2
    RIM_HA_STATE=$3
    RIM_FIRST_TIME=$4
    RIM_PEER_ENC_NET=$5
    case "${RIM_NEW_STATE}" in
        up)
            # Place your action for tunnels that came up
            ;;
        down)
            # Place your action for tunnels that went down
            ;;
    esac
For Windows platforms, the script takes the form of a batch file:
Sample customized script for Windows

    @echo off
    rem . This script is invoked each time a tunnel is configured with the RIM option
    rem . and the tunnel changed state.
    rem .
    rem . You may add your custom commands to be invoked here.
    rem . Parameters read from command line.
    set RIM_PEER_GW=%1
    set RIM_NEW_STATE=%2
    set RIM_HA_STATE=%3
    set RIM_FIRST_TIME=%4
    set RIM_PEER_ENC_NET=%5
    goto RIM_%RIM_NEW_STATE%
    :RIM_up
    rem . Place your action for tunnels that came up
    goto end
    :RIM_down
    rem . Place your action for tunnels that went down
    goto end
    :end
Where:
- RIM_PEER_GW: Peer Security Gateway.
- RIM_NEW_STATE: New state of the tunnel, i.e. up or down.
- RIM_HA_STATE: State of a single Security Gateway in a cluster (i.e., standby or active).
- RIM_FIRST_TIME: The script is executed separately for each network within the peer's encryption domain. Although the script might be executed multiple times for a peer, this parameter is passed to the script with the value '1' only the first time the script runs for that peer; the value '1' indicates that this is the first execution. On subsequent executions it is passed with the value '0' and the parameter is disregarded. For example, you may use it to send an email alert to the system administrator the moment a tunnel goes down.
- RIM_PEER_ENC_NET: VPN domain of the VPN peer.
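A filled-in version of the custom_rim.sh template, added here as an example and not part of Check Point's template: it validates the five parameters before they reach any command, acts only on the active cluster member, adds or deletes a kernel route for the peer's encryption domain, and uses RIM_FIRST_TIME so the alert fires once per peer. The ip route commands, logger(1), mail(1), the admin address and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example of a filled-in custom_rim.sh (not the Check Point template).
# Every parameter is validated before it reaches a command; the "ip route"
# commands, logger(1), mail(1), the admin address and DRY_RUN are assumptions.
is_ipv4() {
    # Dotted quad only: four numeric octets, each 0-255
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}
is_network() {
    # a.b.c.d, a.b.c.d/prefix-length or a.b.c.d/dotted-netmask
    net=${1%%/*}; suffix=${1#*/}
    is_ipv4 "$net" || return 1
    [ "$suffix" = "$1" ] && return 0
    case "$suffix" in
        ''|*[!0-9]*) is_ipv4 "$suffix" ;;
        *) [ "$suffix" -le 32 ] ;;
    esac
}
rim_action() {
    # $1 peer GW  $2 new state  $3 HA state  $4 first-time flag  $5 peer enc net
    # Prints the routing command to run, or the reason for doing nothing.
    is_ipv4 "$1"    || { echo "reject: bad peer address '$1'"; return 1; }
    is_network "$5" || { echo "reject: bad encryption domain '$5'"; return 1; }
    # Assumption: only the active cluster member touches the routing table
    [ "$3" = "active" ] || { echo "skip: cluster member is ${3:-unknown}"; return 0; }
    case "$2" in
        up)   echo "ip route replace $5 via $1" ;;
        down) echo "ip route del $5 via $1" ;;
        *)    echo "reject: unknown state '$2'"; return 1 ;;
    esac
}
rim_main() {
    logger -t custom_rim "peer=$1 state=$2 ha=$3 first=$4 net=$5"
    cmd=$(rim_action "$@") || { logger -t custom_rim "$cmd"; return 1; }
    case "$cmd" in skip:*) return 0 ;; esac
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else $cmd; fi
    # RIM passes RIM_FIRST_TIME=1 only on its first run for a peer, so the
    # alert fires once per tunnel rather than once per network in the domain
    if [ "$4" = 1 ] && [ "$2" = down ]; then
        echo "VPN tunnel to $1 is down" | mail -s "RIM: tunnel down" admin@example.com
    fi
}
if [ $# -ge 5 ]; then rim_main "$@"; fi
```

Run with DRY_RUN=1 to see the routing command without executing it; any parameter that is not a plain address or network is rejected and logged rather than interpolated into a command.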
Injecting Peer Security Gateway Interfaces
The RIM_inject_peer_interfaces flag is used to inject into the routing tables the IP addresses of the peer Security Gateway in addition to the networks behind the Security Gateway.
For example, after a VPN tunnel is created, RIM injects the encryption domain of the peer Security Gateway into the local routing tables of both Security Gateways. However, when RIM-enabled Security Gateways communicate with a Security Gateway that has Hide NAT enabled, the peer's interfaces need to be injected as well.
In this scenario:
- Security Gateways A and B are both RIM enabled and Security Gateway C has Hide NAT enabled on the external interface ("hiding" all the IP addresses behind it).
- Host 1, behind Security Gateway C, initiates a VPN tunnel with Host 2, through Security Gateway A.
- Router 3 holds routes to all the hosts behind Security Gateway C. However, Router 3 does not have the Hide NAT IP address of Security Gateway C and as a result cannot properly route packets back to Host 1.
The solution for routing the packets back properly is twofold:
- Select the flag RIM_inject_peer_interfaces in the Global Properties page. This flag injects into Router 3 all of the IP addresses of Security Gateway C, including the Hide NAT address.
- Configure the router not to propagate the injected information to other Security Gateways. In the previous example, a router that is not configured properly could cause Security Gateway B to route traffic to Security Gateway C through Security Gateway A.
Configuring RIM
Configuring RIM in a Star Community:
- Open the Star Community properties > Tunnel Management page.
- In the Permanent Tunnels section, select Set Permanent Tunnels. The following Permanent Tunnel modes are then made available:
  - On all tunnels in the community
  - On all tunnels of specific Security Gateways
  - On specific tunnels in the community
  For more information on these options, see Permanent Tunnels.
  When choosing tunnels, keep in mind that RIM can only be enabled on tunnels that have been configured to be permanent. On all tunnels in the community must be selected if MEP is enabled on the community. To configure permanent tunnels, see Configuring Tunnel Features.
- Select Enable Route Injection Mechanism (RIM).
- Click Settings... The Route Injection Mechanism Settings window opens. Decide if:
  - RIM should run automatically on the central or satellite Security Gateways (SecurePlatform, IPSO or Linux only).
  - A customized script should be run on central or satellite Security Gateways whenever a tunnel changes its state (goes up or down).
  For tracking options, see Tracking Options.
- If a customized script is run, edit the custom_rim (.sh or .bat) script in the $FWDIR/Scripts directory on each of the Security Gateways.
Configuring RIM in a Meshed Community:
- Open the Meshed Community properties > Tunnel Management page.
- In the Permanent Tunnels section, select Set Permanent Tunnels. The following Permanent Tunnel modes are then made available:
  - On all tunnels in the community
  - On all tunnels of specific Security Gateways
  - On specific tunnels in the community
  For more information on these options, see Permanent Tunnels.
  When choosing tunnels, keep in mind that RIM can only be enabled on tunnels that have been configured to be permanent. To configure permanent tunnels, see Configuring Tunnel Features.
- Select Enable Route Injection Mechanism (RIM).
- Click Settings... The Route Injection Mechanism Settings window opens. Decide if:
  - RIM should run automatically on the Security Gateways (SecurePlatform, IPSO or Linux only).
  - A customized script should be run on the Security Gateway whenever a tunnel changes its state (goes up or down).
  For tracking options, see Tracking Options.
- If a customized script is run, edit the custom_rim (.sh or .bat) script in the $FWDIR/Scripts directory on each of the Security Gateways.
Enabling the RIM_inject_peer_interfaces flag
To enable the RIM_inject_peer_interfaces flag:
- In SmartDashboard, click Policy > Global Properties.
- Go to SmartDashboard Customization > Configure > VPN Advanced Properties > Tunnel Management.
- Select RIM_inject_peer_interfaces.
- Click OK.
Tracking Options
Several types of alerts can be configured to keep administrators up to date on the status of Security Gateways. The Tracking settings can be configured on the Route Injection Mechanism Settings page. The different options are Log, Popup Alert, Mail Alert, SNMP Trap Alert, and User Defined Alert.
Configuring RIM on Gaia
In Gaia, the Route Injection Mechanism adds routes directly to the kernel. For the routes to remain in the kernel, you must configure this option.
To set kernel routes using the CLI:
- Run: set kernel-routes on
- Run: save config
To set kernel routes using the WebUI:
- In the tree view, click .
- In the area, select the option.
- Click .
Gaia Gateways in a Star VPN Community
For RIM to work, the Gaia gateways in a star VPN community must publish the routes of the satellite networks to the router. For Gaia gateways to publish routes, run these CLI commands on all gateways at the center of the community:
set routemap <Routemap Name> id <ID Number>
For example:
set routemap RIM id 5
set routemap <Routemap Name> id <ID Number> match protocol kernel
For example:
set routemap RIM id 5 match protocol kernel
set ospf export-routemap <Routemap Name> preference 1 on
For example:
set ospf export-routemap RIM preference 1 on
set routemap <Routemap Name> id <ID Number> allow
For example:
set routemap RIM id 5 allow
set routemap <Routemap Name> id <ID Number> on
For example:
set routemap RIM2 id 10 on
set routemap <Routemap Name> id <ID Number> match nexthop <IP of OSPF Interface of the other RIM GW> on
For example:
set routemap RIM2 id 10 match nexthop 10.16.50.3 on
set routemap <Routemap Name> id <ID Number> restrict
For example:
set routemap RIM2 id 10 restrict
set ospf import-routemap <Routemap Name> preference 1 on
For example:
set ospf import-routemap RIM2 preference 1 on
save config