VPN and iBGP

= Problem =

A system configuration/administration and consulting company has multiple customers whose networks it needs access to, for configuring servers and equipment etc. They want secure access and automated learning of routes to those networks.

Customer routers mostly run CentOS, the company router runs Vyatta 6.1. A partial topology is shown in the following diagram:

Ibgp vpn.png

= Solution =

To have full control over peer connections, site-to-site OpenVPN was chosen (site-to-site IPsec can be used as well, at the same time).

The following factors affected the choice of routing protocol:
 * Customer routers must not learn the full topology.
 * Full control over routing updates is needed.
 * The protocol should be easy to pass through a firewall.

iBGP seemed the most suitable.

== Company side configuration ==

On the company router we need the following:
 * It should be possible to change settings for all customer peers with minimal effort.
 * Our network uses only RFC1918 prefixes, so other prefixes must not be accepted or advertised.
 * We advertise to our peers only the specific prefixes we want them to see.

So, we define the policy:

=== Routing policy ===

Prefix list matching RFC1918 subnets:

 vyatta@reki# show policy prefix-list RFC1918
  rule 10 {
      action permit
      le 32
      prefix 10.0.0.0/8
  }
  rule 15 {
      action permit
      le 32
      prefix 172.16.0.0/12
  }
  rule 20 {
      action permit
      le 32
      prefix 192.168.0.0/16
  }

Prefix list matching our networks:

 vyatta@reki# show policy prefix-list IPv4-IGP-Allowed
  description "Prefixes allowed for redistribution into IGP"
  rule 1 {
      action permit
      prefix 10.91.19.0/24
  }
  rule 2 {
      action permit
      prefix 10.85.12.0/24
  }

Route map for filtering outgoing updates:

 vyatta@reki# show policy route-map IPv4-IGP-Out
  rule 10 {
      action permit
      match {
          ip {
              address {
                  prefix-list IPv4-IGP-Allowed
              }
          }
      }
  }

Route map for filtering incoming updates:

 vyatta@reki# show policy route-map RFC1918-Only
  description "Allow only RFC1918 prefixes"
  rule 1 {
      action permit
      match {
          ip {
              address {
                  prefix-list RFC1918
              }
          }
      }
  }

=== BGP configuration ===

Now we can proceed with BGP:

 vyatta@reki# show protocols bgp
  bgp 65534 {
      neighbor 10.55.6.4 {
          description "Foobar llc., vtun10"
          peer-group CustomerVPN
      }
      neighbor 10.55.6.6 {
          description "Example inc., vtun11"
          peer-group CustomerVPN
      }
      /* Some other neighbors in the same manner */

      /* Prefixes we want to advertise */
      network 10.85.12.0/24 {
      }
      network 10.91.19.0/24 {
      }

      /* Group settings for our customers, must be configured before adding neighbors */
      peer-group CustomerVPN {
          /* Accept no more than 2 prefixes from each neighbor */
          maximum-prefix 2
          /* Just a private AS number */
          remote-as 65534
          route-map {
              /* Prevent advertising of anything except allowed prefixes */
              export IPv4-IGP-Out
              /* Prevent accepting anything except RFC1918 prefixes */
              import RFC1918-Only
          }
          soft-reconfiguration {
              inbound
          }
      }
  }

The most evident advantage of "soft-reconfiguration inbound" is that it makes it easy to see exactly what a neighbor advertises, before the inbound route-map is applied.

== Customer side configuration ==

This is much simpler:

 !
 router bgp 65534
  bgp router-id 10.55.6.4
  ! Our networks
  network 192.168.0.0/24
  network 192.168.71.0/24
  ! Company side router as a neighbor
  neighbor 10.55.6.3 remote-as 65534
  neighbor 10.55.6.3 soft-reconfiguration inbound
 !

Now the customer router has routes to the company network:

 show ip route bgp
 Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
        I - ISIS, B - BGP, > - selected route, * - FIB route

 B>* 10.85.12.0/24 [200/1] via 10.55.6.3, tun0, 1d12h02m
 B>* 10.91.19.0/24 [200/1] via 10.55.6.3, tun0, 1d12h02m

and vice versa, on the company router:

 vyatta@reki# run show ip bgp neighbors 10.55.6.4 received-routes
 BGP table version is 0, local router ID is 172.16.255.1
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
               r RIB-failure, S Stale, R Removed
 Origin codes: i - IGP, e - EGP, ? - incomplete

    Network          Next Hop            Metric LocPrf Weight Path
 *> 192.168.0.0      10.55.6.4                0    100      0 i
 *> 192.168.71.0     10.55.6.4                0    100      0 i

 Total number of prefixes 2
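As an added offline check, not part of the original page or of Vyatta, the following Python models the two prefix lists, the two route-maps and the peer-group maximum-prefix limit from the company side configuration, so the effect of the policy on a neighbor's received and advertised routes can be audited before and after a change. The sample route sets are constructed, and the rule that maximum-prefix counts prefixes surviving the inbound route-map is a modelling assumption.

```python
import ipaddress
from typing import List, Optional, Tuple

PrefixList = List[Tuple[str, Optional[int]]]  # (prefix, "le" bound or None)

# Policy objects copied from the Vyatta configuration above.
RFC1918: PrefixList = [("10.0.0.0/8", 32), ("172.16.0.0/12", 32), ("192.168.0.0/16", 32)]
IPV4_IGP_ALLOWED: PrefixList = [("10.91.19.0/24", None), ("10.85.12.0/24", None)]
MAXIMUM_PREFIX = 2  # peer-group CustomerVPN: maximum-prefix 2


def rule_matches(rule_prefix: str, le: Optional[int], net: ipaddress.IPv4Network) -> bool:
    """One prefix-list rule: with 'le N' any prefix inside the base whose length
    is at most N matches; without 'le' only the exact prefix matches."""
    base = ipaddress.ip_network(rule_prefix)
    if le is None:
        return net == base
    return net.subnet_of(base) and base.prefixlen <= net.prefixlen <= le


def prefix_list_permits(rules: PrefixList, net: ipaddress.IPv4Network) -> bool:
    """A route-map consisting only of 'permit match prefix-list' rules denies
    whatever no rule matches (implicit deny), so this is the whole policy."""
    return any(rule_matches(p, le, net) for p, le in rules)


def import_from_customer(received: List[str]) -> Tuple[List[str], List[str], bool]:
    """Route-map RFC1918-Only plus maximum-prefix for one CustomerVPN neighbor.
    Returns (accepted, rejected, session_ok). Modelling assumption: the limit
    counts prefixes that pass the inbound route-map; exceeding it tears the
    session down, so nothing from that neighbor stays usable."""
    accepted, rejected = [], []
    for p in received:
        net = ipaddress.ip_network(p)
        (accepted if prefix_list_permits(RFC1918, net) else rejected).append(p)
    return accepted, rejected, len(accepted) <= MAXIMUM_PREFIX


def export_to_customer(local_routes: List[str]) -> List[str]:
    """Route-map IPv4-IGP-Out: only the exact IPv4-IGP-Allowed prefixes leave."""
    return [p for p in local_routes
            if prefix_list_permits(IPV4_IGP_ALLOWED, ipaddress.ip_network(p))]


if __name__ == "__main__":
    # Constructed sample: the customer's two real prefixes plus two it must not
    # be able to inject (a public prefix and a 10/7 supernet that is not RFC1918).
    print(import_from_customer(["192.168.0.0/24", "192.168.71.0/24",
                                "8.8.8.0/24", "10.0.0.0/7"]))
    print(export_to_customer(["10.85.12.0/24", "10.91.19.0/24", "10.55.6.0/24"]))
```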