
Route Injection Mechanism

In This Section:

Overview of Route Injection

Automatic RIM

Custom Scripts

Injecting Peer Security Gateway Interfaces

Configuring RIM

Configuring RIM on Gaia

Overview of Route Injection

Route Injection Mechanism (RIM) enables a Security Gateway to use dynamic routing protocols to propagate the encryption domain of a VPN peer Security Gateway to the internal network and then initiate back connections. When a VPN tunnel is created, RIM updates the local routing table of the Security Gateway to include the encryption domain of the VPN peer.

Note - Route Injection is not currently supported for IPv6.

RIM can only be enabled when permanent tunnels are configured for the community. Permanent tunnels are kept alive by tunnel test packets. When a Security Gateway fails to reply, the tunnel will be considered 'down.' As a result, RIM will delete the route to the failed link from the local routing table, which triggers neighboring dynamic routing enabled devices to update their routing information accordingly. This will result in a redirection of all traffic destined to travel across the VPN tunnel, to a pre-defined alternative path.

There are two possible methods to configure RIM: automatic RIM, in which the Security Gateway itself updates its routing table, and custom scripts, which the Security Gateway runs whenever a tunnel changes state. Both are described in the sections that follow.

Route injection can be integrated with MEP functionality (which routes return packets back through the same MEP Security Gateway). For more information on MEP, see Multiple Entry Point VPNs.

Automatic RIM

Automatic RIM can be enabled in the Gaia Portal. Although you can use a custom script, no custom-written scripts are required.

In this scenario (the network diagram is not reproduced here; the topology is the one the routing tables below describe), Security Gateway 1 has its default route toward 172.16.10.2 and router R1 on its internal network 192.168.10.0/24, with the encryption domain 192.168.11.0/24 behind R1. Security Gateway 2 has its default route toward 172.16.20.2 and router R4 on its internal network 192.168.20.0/24, with the encryption domain 192.168.21.0/24 behind R4. R1 and R4 are also connected directly over the 10.10.10.0/24 link, which is the pre-defined alternative path.

The routing tables for the Security Gateways and routers read as follows. The Gateway column is the next hop. Entries marked "(injected by RIM)" are the routes RIM injected into the Security Gateways' local routing tables; the peer's encryption domain is injected with the Security Gateway's default next hop:

For Security Gateway 1:

    Destination     Netmask          Gateway         Metric
    0.0.0.0         0.0.0.0          172.16.10.2     1
    192.168.21.0    255.255.255.0    172.16.10.2     1      (injected by RIM)
    192.168.11.0    255.255.255.0    192.168.10.1    1

Security Gateway 2:

    Destination     Netmask          Gateway         Metric
    0.0.0.0         0.0.0.0          172.16.20.2     1
    192.168.11.0    255.255.255.0    172.16.20.2     1      (injected by RIM)
    192.168.21.0    255.255.255.0    192.168.20.1    1

R1 (behind Security Gateway 1):

    Destination     Netmask          Gateway         Metric
    0.0.0.0         0.0.0.0          192.168.10.2    1
    192.168.21.0    255.255.255.0    192.168.10.2    1
    192.168.21.0    255.255.255.0    10.10.10.2      2

R4 (behind Security Gateway 2):

    Destination     Netmask          Gateway         Metric
    0.0.0.0         0.0.0.0          192.168.20.2    1
    192.168.11.0    255.255.255.0    192.168.20.2    1
    192.168.11.0    255.255.255.0    10.10.10.1      2

R1 and R4 learn the injected route from their Security Gateway through the dynamic routing protocol (metric 1) and keep the direct R1-R4 link as a second route to the same destination (metric 2). While the tunnel is up, the metric-1 route wins and traffic crosses the VPN. When the tunnel test fails, RIM deletes the injected route from the Security Gateway, the routing protocol withdraws the metric-1 route from the router, and traffic for the peer's encryption domain follows the metric-2 route over the alternative path.

Custom Scripts

Custom scripts can be run on any Security Gateway in the community. These scripts are executed whenever a tunnel changes its state, i.e. goes "up" or "down." Such an event, for example, can be the trigger that initiates a dial-up connection.

A script template custom_rim (with a .sh or .bat extension depending on the operating system) is provided in the $FWDIR/scripts directory. The Security Gateway calls it with five positional parameters, shown in the template below.

Sample customized script:

#!/bin/sh

# This script is invoked each time a tunnel that is configured with the RIM
# option changes state.
#
# You may add your custom commands to be invoked here.

# Parameters read from the command line.
RIM_PEER_GW=$1
RIM_NEW_STATE=$2
RIM_HA_STATE=$3
RIM_FIRST_TIME=$4
RIM_PEER_ENC_NET=$5

case "${RIM_NEW_STATE}" in
up)
    # Place your action for tunnels that came up
    ;;
down)
    # Place your action for tunnels that went down
    ;;
esac

Where:

RIM_PEER_GW - the peer Security Gateway of the tunnel that changed state (first parameter).

RIM_NEW_STATE - the new state of the tunnel, up or down (second parameter; the case statement in the template branches on it).

RIM_HA_STATE - the High Availability (cluster) state of the local Security Gateway (third parameter).

RIM_FIRST_TIME - a flag that indicates whether this is the first invocation of the script (fourth parameter).

RIM_PEER_ENC_NET - the encryption domain of the peer Security Gateway, that is, the network that RIM injects (fifth parameter).
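The following custom_rim.sh is a worked example added here; it is not Check Point's template and not code from the page. It fills in the two empty branches of the template above: it validates the five parameters before they reach any command line (the script runs with the Security Gateway's privileges, so a malformed peer address or network must never be interpolated into a shell command), stays passive on a standby cluster member, and on a "down" event installs a static backup route for the peer's encryption domain toward a pre-defined alternative next hop, removing it again on "up". The alternative next hop 10.10.10.2 (the R1-R4 link from the routing tables above), the use of ip route to edit the kernel table, the metric, and the HA state value "standby" are assumptions, not values documented on this page; RIM_DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# custom_rim.sh - example RIM state-change handler (added example, not Check
# Point's template). Called by the Security Gateway as:
#   custom_rim.sh PEER_GW NEW_STATE HA_STATE FIRST_TIME PEER_ENC_NET
#
# Assumptions (not from the page): ALT_NEXTHOP, "ip route" for the kernel
# table, the metric 100, and the HA state value "standby".

ALT_NEXTHOP="${ALT_NEXTHOP:-10.10.10.2}"   # constructed: the R1-R4 link in the tables above
RIM_DRY_RUN="${RIM_DRY_RUN:-0}"            # 1 = print the commands instead of running them

log() { logger -t custom_rim -- "$*" 2>/dev/null || printf 'custom_rim: %s\n' "$*" >&2; }

# is_ipv4 A.B.C.D -> 0 when the argument is a dotted quad with octets 0..255
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# is_cidr A.B.C.D/N -> 0 when the address part is IPv4 and 0 <= N <= 32
is_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    is_ipv4 "${1%%/*}" || return 1
    plen=${1#*/}
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ]
}

# rim_plan NEW_STATE PEER_ENC_NET -> prints the command to run for that state.
# down: add a backup route via the alternative path; up: remove it again.
rim_plan() {
    case $1 in
        up)   printf 'ip route del %s via %s\n' "$2" "$ALT_NEXTHOP" ;;
        down) printf 'ip route add %s via %s metric 100\n' "$2" "$ALT_NEXTHOP" ;;
        *)    return 2 ;;
    esac
}

# run_cmd CMD -> runs (or, in dry-run mode, prints) one line produced by rim_plan.
# Only validated values are ever interpolated into CMD, so "sh -c" is safe here.
run_cmd() {
    if [ "$RIM_DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

# rim_handle PEER_GW NEW_STATE HA_STATE FIRST_TIME PEER_ENC_NET
# Returns 0 when it acted or had nothing to do, 2 on an unknown state,
# 3 on a malformed address or network.
rim_handle() {
    peer_gw=$1 new_state=$2 ha_state=$3 first_time=$4 enc_net=$5
    case $new_state in
        up|down) ;;
        *) log "rejecting unknown tunnel state '$new_state'"; return 2 ;;
    esac
    if ! is_ipv4 "$peer_gw" || ! is_cidr "$enc_net"; then
        log "rejecting malformed peer '$peer_gw' or network '$enc_net'"; return 3
    fi
    if [ "$ha_state" = standby ]; then      # assumption: the standby member stays passive
        log "tunnel to $peer_gw is $new_state; standby member, no action"; return 0
    fi
    log "tunnel to $peer_gw ($enc_net) is $new_state (first_time=$first_time)"
    rim_plan "$new_state" "$enc_net" | while IFS= read -r cmd; do run_cmd "$cmd"; done
}

# Entry point: the Security Gateway invokes the script with the five parameters.
if [ $# -ge 5 ]; then
    rim_handle "$@"
fi
```

Test a copy with RIM_DRY_RUN=1 before installing it as $FWDIR/scripts/custom_rim.sh: the printed commands show exactly what a given event would do, and a deliberately malformed parameter (for example a peer address with a shell metacharacter appended) must be rejected with exit code 3 rather than executed.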

Injecting Peer Security Gateway Interfaces

You can inject the IP addresses of the peer Security Gateway into the routing tables, in addition to the networks behind the Security Gateway.

For example, after a VPN tunnel is created, RIM injects the encryption domain of the peer Security Gateway into the local routing tables of both Security Gateways. However, when RIM-enabled Security Gateways communicate with a Security Gateway that has Hide NAT enabled, the peer's interfaces, including its Hide NAT address, need to be injected as well, so that return packets can be routed back to it.

In this scenario:

The solution for routing the packets back properly is two-fold:

  1. In SmartConsole:
    1. Click Menu > Global properties.
    2. Click Advanced > Configure.
    3. Click VPN Advanced Properties > Tunnel Management.
    4. Select RIM_inject_peer_interfaces. In the example, this injects into router 3 all of the IP addresses of Security Gateway C, including the Hide NAT address.
    5. Click OK.
    6. Install the Access Control Policy.
  2. Configure the router not to propagate the injected routes to other Security Gateways. If the router is not configured this way, then in the example above Security Gateway B could route its traffic for Security Gateway C through Security Gateway A.

Configuring RIM

Configuring RIM in a Star Community

  1. In SmartConsole, click Objects menu > Object Explorer (or press Ctrl E).
  2. From the left tree, select VPN Communities.
  3. Open the applicable Star Community object.
  4. From the left tree, click Tunnel Management.
  5. In the Permanent Tunnels section, select Set Permanent Tunnels.

    The following Permanent Tunnel modes are then made available:

    • On all tunnels in the community
    • On all tunnels of specific Security Gateways
    • On specific tunnels in the community

    Note - When choosing tunnels, keep in mind that RIM can only be enabled on tunnels that have been configured to be permanent. You must select On all tunnels in the community, if MEP is enabled on the community.

  6. Select Enable Route Injection Mechanism (RIM).
  7. Click Settings.

    The Star Community Settings window opens.

    In the Community section:

    • Enable automatic Route Injection Mechanism - RIM runs automatically on the central or satellite Security Gateways.
    • Enable customer editable script execution - A customized script runs on central or satellite Security Gateways whenever a tunnel changes its state (goes up or down).

    In the Tracking section:

    • Configure the applicable tracking options:

      Log, Popup Alert, Mail Alert, SNMP Trap Alert, User Defined Alert

  8. Click OK to close all configuration windows.
  9. Close the Object Explorer.
  10. Install the Access Control Policy.
  11. If you selected Enable customer editable script execution, then you must edit the $FWDIR/scripts/custom_rim.sh script on each of the Security Gateways.

Configuring RIM in a Meshed Community

  1. In SmartConsole, click Objects menu > Object Explorer (or press Ctrl E).
  2. From the left tree, select VPN Communities.
  3. Open the applicable Meshed Community object.
  4. From the left tree, click Tunnel Management.
  5. In the Permanent Tunnels section, select Set Permanent Tunnels.

    The following Permanent Tunnel modes are then made available:

    • On all tunnels in the community
    • On all tunnels of specific Security Gateways
    • On specific tunnels in the community

    Note - When choosing tunnels, keep in mind that RIM can only be enabled on tunnels that have been configured to be permanent. You must select On all tunnels in the community, if MEP is enabled on the community.

  6. Select Enable Route Injection Mechanism (RIM).
  7. Click Settings.

    The Meshed Community Settings window opens.

    In the Community section:

    • Enable automatic Route Injection Mechanism - RIM runs automatically on the Security Gateways in the community.
    • Enable customer editable script execution - A customized script runs on the Security Gateways in the community whenever a tunnel changes its state (goes up or down).

    In the Tracking section:

    • Configure the applicable tracking options:

      Log, Popup Alert, Mail Alert, SNMP Trap Alert, User Defined Alert

  8. Click OK to close all configuration windows.
  9. Close the Object Explorer.
  10. Install the Access Control Policy.
  11. If you selected Enable customer editable script execution, then you must edit the $FWDIR/scripts/custom_rim.sh script on each of the Security Gateways.

Enabling the RIM_inject_peer_interfaces flag

To enable the RIM_inject_peer_interfaces flag:

  1. In SmartConsole, click Menu > Global properties.
  2. Click Advanced > Configure.
  3. Click VPN Advanced Properties > Tunnel Management.
  4. Select RIM_inject_peer_interfaces.
  5. Click OK.
  6. Install the Access Control Policy.

Configuring RIM on Gaia

In Gaia, the Route Injection Mechanism adds routes directly to the kernel. For the Gaia routing daemon to keep these kernel routes (and to be able to redistribute them, as the routemaps below do), you must enable the Kernel Routes option.

To set kernel routes using the CLI:

  1. Run: set kernel-routes on.
  2. Run: save config.

To set kernel routes using the Gaia Portal:

  1. In the tree view, click Advanced Routing > Routing Options.
  2. In the Kernel Options area, select the Kernel Routes option.
  3. Click Apply.

Gaia Gateways in a Star VPN Community

For RIM to work, the Gaia gateways at the center of a star VPN community must publish the routes of the satellite networks (the routes RIM injects into the kernel) to the router.

To make the Gaia gateways publish those routes, run these CLI commands on all gateways at the center of the community. Steps 1 to 4 build an export routemap (RIM in the examples) that passes kernel routes into OSPF. Steps 5 to 8 build an import routemap (RIM2 in the examples) that rejects routes whose next hop is the other center gateway's OSPF interface, so that the center gateways do not import each other's injected routes.

For more information, see the R80.20 Gaia Advanced Routing Administration Guide.

  1. set routemap <Routemap Name> id <ID Number>

    For example:

    set routemap RIM id 5

  2. set routemap <Routemap Name> id <ID Number> match protocol kernel

    For example:

    set routemap RIM id 5 match protocol kernel

  3. set ospf export-routemap <Routemap Name> preference 1 on

    For example:

    set ospf export-routemap RIM preference 1 on

  4. set routemap <Routemap Name> id <ID Number> allow

    For example:

    set routemap RIM id 5 allow

  5. set routemap <Routemap Name> id <ID Number> on

    For example:

    set routemap RIM2 id 10 on

  6. set routemap <Routemap Name> id <ID Number> match nexthop <IP of OSPF Interface of the other RIM GW> on

    For example, where 10.16.50.3 is the OSPF interface of the other center gateway:

    set routemap RIM2 id 10 match nexthop 10.16.50.3 on

  7. set routemap <Routemap Name> id <ID Number> restrict

    For example:

    set routemap RIM2 id 10 restrict

  8. set ospf import-routemap <Routemap Name> preference 1 on

    For example:

    set ospf import-routemap RIM2 preference 1 on

  9. save config
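Because the routemap commands above must be entered on every center gateway, each time with the other gateway's OSPF interface address, it is easy to leave one gateway incomplete and only notice when a tunnel fails over. The following script is an example added here, not part of the Check Point documentation: it audits a gateway's saved configuration (the output of clish "show configuration") for every setting this section requires, including "set kernel-routes on" from Configuring RIM on Gaia, and reports what is missing. The routemap names RIM and RIM2 and the ids 5 and 10 are the ones from the examples above; the sample configuration embedded in the script is constructed from those same commands so that it runs offline.

```shell
#!/bin/sh
# rim_gaia_check.sh - audit a Gaia gateway's saved configuration for the
# routing settings RIM needs in a star community (added example; not
# Check Point code).
#
# On a center gateway:
#   clish -c "show configuration" > cfg.txt
#   sh rim_gaia_check.sh cfg.txt RIM 5 RIM2 10
# With no arguments the script checks the constructed sample at the end.

# cfg_has CONFIG LINE -> 0 when CONFIG contains LINE as a whole line
cfg_has() { printf '%s\n' "$1" | grep -qxF -- "$2"; }

# check_rim_routing CONFIG EXPORT_RM EXPORT_ID IMPORT_RM IMPORT_ID
# Prints one "MISSING: ..." line per absent setting; returns the number missing.
check_rim_routing() {
    cfg=$1 exp=$2 eid=$3 imp=$4 iid=$5
    missing=0
    # Required verbatim: kernel routes retained, the export routemap that
    # publishes kernel (RIM-injected) routes into OSPF, and the import
    # routemap that blocks the other center gateway's copies of those routes.
    for line in \
        "set kernel-routes on" \
        "set routemap $exp id $eid on" \
        "set routemap $exp id $eid match protocol kernel" \
        "set routemap $exp id $eid allow" \
        "set ospf export-routemap $exp preference 1 on" \
        "set routemap $imp id $iid on" \
        "set routemap $imp id $iid restrict" \
        "set ospf import-routemap $imp preference 1 on"
    do
        if ! cfg_has "$cfg" "$line"; then
            printf 'MISSING: %s\n' "$line"
            missing=$((missing + 1))
        fi
    done
    # The import routemap must match on the OTHER center gateway's OSPF
    # interface address. That address is site-specific, so only check that a
    # nexthop match exists and looks like a dotted quad.
    nexthop=$(printf '%s\n' "$cfg" |
        sed -n "s/^set routemap $imp id $iid match nexthop \([0-9.]*\) on\$/\1/p")
    case $nexthop in
        *.*.*.*) ;;
        *) printf 'MISSING: set routemap %s id %s match nexthop <peer OSPF interface IP> on\n' "$imp" "$iid"
           missing=$((missing + 1)) ;;
    esac
    return $missing
}

# Constructed sample of a center gateway's "show configuration" output, built
# from the commands in this section plus "set kernel-routes on".
SAMPLE_CFG='set kernel-routes on
set routemap RIM id 5 on
set routemap RIM id 5 allow
set routemap RIM id 5 match protocol kernel
set ospf export-routemap RIM preference 1 on
set routemap RIM2 id 10 on
set routemap RIM2 id 10 match nexthop 10.16.50.3 on
set routemap RIM2 id 10 restrict
set ospf import-routemap RIM2 preference 1 on'

# Entry point: audit the file named in $1, or the sample when run without arguments.
if [ $# -ge 5 ]; then
    check_rim_routing "$(cat "$1")" "$2" "$3" "$4" "$5"
elif [ $# -eq 0 ]; then
    check_rim_routing "$SAMPLE_CFG" RIM 5 RIM2 10 && echo "sample configuration: OK"
fi
```

The exit code is the number of missing settings, so the script can gate a change window (run it on both center gateways after "save config" and require 0 from each). Matching whole lines with grep -x keeps a routemap with the same name but a different id, or an export routemap attached without "preference 1", from passing silently.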