VPN Tunnel Interfaces

Virtual Tunnel Interface (VTI) is a virtual interface that is used for establishing a Route-Based VPN tunnel. Each peer Security Gateway has one VTI that connects to the VPN tunnel.

The VPN tunnel and its properties are configured by the VPN community that contains the two Security Gateways.

You must configure the VPN community and its member Security Gateways before you can create a VTI.

To learn more about Route Based VPN, see the R82 Site to Site VPN Administration Guide > Chapter Route Based VPN.

Note - The name of a VPN Tunnel interface in Gaia is "vpnt<VPN Tunnel ID>". For example, the name of a VPN Tunnel interface with a VPN Tunnel ID of 5 is "vpnt5".

Procedure:

Create and configure the Security Gateways.
Enable the IPsec VPN Software Blade in the objects of the applicable Security Gateways.

Configure the VPN community in SmartConsole that includes the two peer Security Gateways.

Configuring VPN community

You must configure the VPN Community and add the member Security Gateways to it before you configure a VPN Tunnel Interface. This section includes the basic procedure for defining a Site-to-Site VPN Community. To learn more about VPN communities and their definition procedures, see the R82 Site to Site VPN Administration Guide.

Step	Instructions
1	Connect with SmartConsole to the Management Server.
2	From the left navigation panel, click Security Policies.
3	In the Access Tools section, click VPN Communities.
4	From the top toolbar, click the New () > select Star Community or Meshed Community..
5	Configure the VPN community: Enter the VPN community name. From the left tree, click Gateways. Select the applicable Security Gateways. From the left tree, click Encrypted Traffic. Select Accept all encrypted traffic. This automatically adds a rule to encrypt all traffic between Security Gateways in a VPN community. Configure other settings as necessary.
6	Publish the SmartConsole session.

Make Route Based VPN the default option.

Do this procedure one time for each.

Configuring Route Based VPN

When Domain Based VPN and Route Based VPN are configured for a Security Gateway, Domain Based VPN is active by default. You must do two short procedures to make sure that Route Based VPN is always active.

The first procedure configures an empty encryption domain group for your VPN peer Security Gateways. You do this step one time for each Security Management Server. The second step is to make Route Based VPN the default option for all Security Gateways.

Configuring an empty group

Step	Instructions
1	In the SmartConsole, click Objects menu > More object types > Network Object > Group > New Network Group.
2	Enter a group name.
3	Do not add members to this group.
4	Click OK.

Configuring the Route Based VPN as the default choice

Do these steps for each Security Gateway.

Step	Instructions
1	From the left navigation panel, click Gateways & Servers.
2	Double-click the applicable Security Gateway object.
3	From the left tree, click Network Management > VPN Domain.
4	Select Manually define and then select the empty Group object you created earlier.
5	Install the Access Control Policy.

Configure the VTI.

You can configure the VPN Tunnel Interfaces (VTI) in Gaia Portal or Gaia Clish.

Configuring VTI in Gaia Portal

Important - On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must connect to the Gaia Portal of the applicable Security Group.

Step	Instructions
1	In the Gaia Portal, select Network Management > Network Interfaces.
2	Click Add > VPN Tunnel. To configure an existing VTI interface, select the VTI interface and click Edit.
3	In the Add/Edit window, configure these parameters: VPN Tunnel ID - Unique tunnel name (integer from 1 to 99). Gaia automatically adds the prefix "`vpnt`" to the Tunnel ID (example: `vnpt10`). Remote Peer Name - Alphanumeric character string as configured for the Remote Peer Name in the VPN community. You must configure the two peers in the VPN community before you can configure the VTI. VPN Tunnel Type - Select the applicable type: Numbered - Uses a specified, static IPv4 addresses for local and remote connections. Unnumbered - Uses the interface and the remote peer name to get IPv4 addresses. Local Address - Configures the local peer IPv4 address. Applies to the Numbered VTI only. Remote Address - Configures the remote peer IPv4 address. Applies to the Numbered VTI only. Physical Device - Local peer interface name. Applies to the Unnumbered VTI only.

Step

Instructions

In the Gaia Portal, select Network Management > Network Interfaces.

Click Add > VPN Tunnel.

To configure an existing VTI interface, select the VTI interface and click Edit.

In the Add/Edit window, configure these parameters:

VPN Tunnel ID - Unique tunnel name (integer from 1 to 99).

Gaia automatically adds the prefix "vpnt" to the Tunnel ID (example: vnpt10).
Remote Peer Name - Alphanumeric character string as configured for the Remote Peer Name in the VPN community.

You must configure the two peers in the VPN community before you can configure the VTI.
VPN Tunnel Type - Select the applicable type:
- Numbered - Uses a specified, static IPv4 addresses for local and remote connections.
- Unnumbered - Uses the interface and the remote peer name to get IPv4 addresses.
Local Address - Configures the local peer IPv4 address. Applies to the Numbered VTI only.
Remote Address - Configures the remote peer IPv4 address. Applies to the Numbered VTI only.
Physical Device - Local peer interface name. Applies to the Unnumbered VTI only.

Configuring VTI in Gaia Clish

Important - On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must run the applicable commands in Gaia gClish of the applicable Security Group.

Syntax

To add a VPN Tunnel Interface (VTI):

add vpn tunnel <Tunnel ID>

      type

            numbered local <Local IP address> remote <Remote IP address> peer <Peer Name>

            unnumbered peer <Peer Name> dev <Name of Local Interface>

To see the configuration of the specific VPN Tunnel Interface (VTI):

show vpn tunnel <Tunnel ID>

To see all configured VPN Tunnel Interfaces (VTIs):

show vpn tunnels

To delete a VPN Tunnel Interface (VTI):

delete vpn tunnel <Tunnel ID>

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently. Scalable Platforms save the changes automatically.

CLI Parameters

Parameter	Description
`<Tunnel ID>`	Configures the unique Tunnel ID (integer from 1 to 99). Gaia automatically adds the prefix '`vpnt`' to the Tunnel ID. Example: `vnpt10`
`type numbered`	Configures a numbered VTI that uses static IPv4 addresses for local and remote connections.
`type unnumbered`	Configures an unnumbered VTI that uses the interface and the remote peer name to get IPv4 addresses.
`local <Local IP address>`	Configures the VPN Tunnel IPv4 address in dotted decimal format on this Security Gateway or Cluster Member. Applies to the Numbered VTI only.
`remote <Remote IP address>`	Configures the VPN Tunnel IPv4 address in dotted decimal format on the VPN peer. Applies to the Numbered VTI only.
`peer <Peer Name`	Specifies the name of the remote peer object as configured in the VPN community in SmartConsole.
`dev <Name of Local Interface>`	Specifies the name of the local interface on this Security Gateway or Cluster Member. The new VTI is bound to this local interface. Applies to the Unnumbered VTI only.

Example

gaia> add vpn tunnel 20 type numbered local 10.10.10.1 remote 20.20.20.1 peer MyPeer1

gaia>

gaia> add vpn tunnel 10 type unnumbered peer MyPeer2 dev eth1

gaia>

gaia> show vpn tunnels

Interface: vpnt20

Local IP: 10.10.10.1

Peer Name: MyPeer1

Remote IP: 20.20.20.1

Interface type: numbered

Interface: vpnt10

Physical device: eth1

Peer Name: MyPeer2

Interface type: unnumbered

gaia>

gaia> show vpn tunnel 20

Interface: vpnt20

Local IP: 10.10.10.1

Peer Name: MyPeer1

Remote IP: 20.20.20.1

Interface type: numbered

gaia>

gaia> delete vpn tunnel 20

Configure Route Based VPN Rules.

Configuring Route Based VPN Rules

To make sure that your security rules work correctly with Route Based VPN traffic, you must add directional matching conditions and allow OSPF traffic.

(A) Defining Directional Matching VPN Rules

This section contains the procedure for defining directional matching rules.

Directional matching is necessary for Route Based VPN when a VPN community is included in the VPN column in the rule.

This is because without bi-directional matching, the rule only applies to connections between a community and an encryption domain (Domain Based Routing).

Name	Source	Destination	VPN	Service	Action
VPN Tunnel	`Any`	`Any`	`MyIntranet`	`Any`	`Accept`

The directional rule must contain these directional matching conditions:

Community > Community
Community > Internal_Clear
Internal_Clear > Community

Name	Source	Destination	VPN	Service	Action
VPN Tunnel	`Any`	`Any`	`MyIntranet > MyIntranet` `MyIntranet > Internal_Clear` `Internal_Clear > MyIntranet`	`Any`	`Accept`

Name

Source

Destination

VPN

Service

Action

VPN Tunnel

Any

MyIntranet > MyIntranet

MyIntranet > Internal_Clear

Internal_Clear > MyIntranet

Any

Accept

Notes:

MyIntranet is the name of a VPN Community.
Internal_Clear refers to all traffic from IP addresses to and from the specified VPN community.
It is not necessary to configure bidirectional matching rules if the VPN column contains the value Any.

Enabling the VPN directional matching

Step	Instructions
1	In SmartConsole, click Menu > Global properties> expand VPN > click Advanced.
2	Select the Enable VPN Directional Match in VPN Column option and click OK.
3	From the left navigation panel, click Gateways & Servers.
4	For each VPN member gateway: Double-click the Security Gateway object. From the left tree, click Network Management. Click Get Interfaces > Get Interfaces with Topology. This updates the topology to include the newly configured VTIs. Click Accept. Click OK.

Configuring a VPN directional matching rule

Step	Instructions
1	From the left navigation panel, click Security Policies.
2	Click Access Control > Policy.
3	Right-click the VPN cell in the applicable rule and select Directional Match Condition.
4	In the New Directional Match Condition window, select the source (Traffic reaching from) and destination (Traffic leaving to).
5	Click OK.
6	Repeat Step 3-5 for each set of matching conditions.
7	Publish the SmartConsole session.

(B) Defining Rules to Allow OSPF Traffic

One advantage of Route Based VPN is the fact that you can use dynamic routing protocols to distribute routing information between Security Gateways.

The OSPF (Open Shortest Path First) protocol is commonly used with VTIs.

To learn about configuring OSPF, see the R82 Gaia Advanced Routing Administration Guide.

Step

Instructions

In the Gaia Portal or Gaia Clish, add the applicable VPN Tunnel Interfaces to the OSPF configuration page.

In SmartConsole, add an Access Control rule that allows traffic to the VPN community (or all communities) that uses the OSPF service:

Name	Source	Destination	VPN	Service	Action
Allow OSPF for a VPN Community	`Any`	`Any`	`MyIntranet`	`ospf`	`Accept`

Install the policy and test.

Instructions

You must save your configuration to the database and install policies to the Security Gateways before the VPN can be fully functional.

Step	Instructions
1	Publish the SmartConsole session.
2	Install the Access Control policy on the Security Gateways.
3	Make sure traffic passes over the VTI tunnel correctly.