Advanced LSVPN Configuration with Dynamic Routing

In larger LSVPN deployments with multiple gateways and many satellites, investing a little more time in the initial configuration to set up dynamic routing will simplify the maintenance of gateway configurations because access routes will update dynamically. The following example configuration shows how to extend the basic LSVPN configuration to configure OSPF as the dynamic routing protocol.
Setting up an LSVPN to use OSPF for dynamic routing requires the following additional steps on the gateways and the satellites:
  • Manual assignment of IP addresses to tunnel interfaces on all gateways and satellites.
  • Configuration of OSPF point-to-multipoint (P2MP) on the virtual router on all gateways and satellites. In addition, as part of the OSPF configuration on each gateway, you must manually define the tunnel IP address of each satellite as an OSPF neighbor. Similarly, on each satellite, you must manually define the tunnel IP address of each gateway as an OSPF neighbor.
Although dynamic routing requires additional setup during the initial configuration of the LSVPN, it reduces the maintenance tasks associated with keeping routes up to date as topology changes occur on your network.
The following figure shows an LSVPN dynamic routing configuration. This example shows how to configure OSPF as the dynamic routing protocol for the VPN.
[Figure: LSVPN dynamic routing configuration]
For a basic setup of an LSVPN, follow the steps in Basic LSVPN Configuration with Static Routing. You can then complete the steps in the following workflow to extend the configuration to use dynamic routing rather than static routing.
  1. Add an IP address to the tunnel interface configuration on each gateway and each satellite.
    Complete the following steps on each gateway and each satellite:
    1. Select Network > Interfaces > Tunnel and select the tunnel configuration you created for the LSVPN to open the Tunnel Interface dialog.
      If you have not yet created the tunnel interface, see Step 2 in Create Interfaces and Zones for the LSVPN.
    2. On the IPv4 tab, click Add and then enter an IP address and subnet mask. For example, to add an IP address for the gateway tunnel interface you would enter 2.2.2.100/24.
    3. Click OK to save the configuration.
  2. Configure the dynamic routing protocol on the gateway.
    To configure OSPF on the gateway:
    1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.
    2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
    3. If you are creating a new area, enter an Area ID on the Type tab.
    4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
    5. Select p2mp as the Link Type.
    6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each satellite, for example 2.2.2.111.
    7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
    8. Repeat this step each time you add a new satellite to the LSVPN.
  3. Configure the dynamic routing protocol on the satellite.
    To configure OSPF on the satellite:
    1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.
    2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
    3. If you are creating a new area, enter an Area ID on the Type tab.
    4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
    5. Select p2mp as the Link Type.
    6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each GlobalProtect gateway, for example 2.2.2.100.
    7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
    8. Repeat this step each time you add a new gateway.
  4. Verify that the gateways and satellites are able to form router adjacencies.
    • On each satellite and each gateway, confirm that peer adjacencies have formed and that routing table entries have been created for the peers (that is, the satellites have routes to the gateways and the gateways have routes to the satellites). Select Network > Virtual Router and click the More Runtime Stats link for the virtual router you are using for the LSVPN. On the Routing tab, verify that the LSVPN peer has a route.
    • On the OSPF > Interface tab, verify that the Type is p2mp.
    • On the OSPF > Neighbor tab, verify that the firewalls hosting your gateways have established router adjacencies with the firewalls hosting your satellites and vice versa. Also verify that the Status is Full, indicating that full adjacencies have been established.
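
Because every gateway must list every satellite tunnel IP as a neighbor and every satellite must list every gateway, the neighbor lists drift as devices are added or retired. The following added example (not part of the original documentation and not a Palo Alto Networks tool) audits transcribed neighbor lists against the inventory and reports missing or stale entries. The device names, the gw2 and sat2 addresses, and the single shared tunnel subnet are assumptions modeled on the page's 2.2.2.100/24 and 2.2.2.111 examples.

```python
import ipaddress

# Constructed inventory: gw1 and sat1 use the page's example addresses;
# gw2, sat2 and all device names are hypothetical.
GATEWAYS = {"gw1": "2.2.2.100/24", "gw2": "2.2.2.101/24"}
SATELLITES = {"sat1": "2.2.2.111/24", "sat2": "2.2.2.112/24"}

# Constructed "as configured" OSPF neighbor lists, e.g. transcribed from each
# virtual router's Neighbors section.
CONFIGURED = {
    "gw1": ["2.2.2.111"],                 # sat2 was never added
    "gw2": ["2.2.2.111", "2.2.2.112"],
    "sat1": ["2.2.2.100", "2.2.2.101"],
    "sat2": ["2.2.2.100", "2.2.2.250"],   # gw2 missing, stale entry present
}

def expected_neighbors(gateways, satellites):
    """Gateways list every satellite tunnel IP; satellites list every gateway."""
    gw_ips = {str(ipaddress.ip_interface(a).ip) for a in gateways.values()}
    sat_ips = {str(ipaddress.ip_interface(a).ip) for a in satellites.values()}
    plan = {name: set(sat_ips) for name in gateways}
    plan.update({name: set(gw_ips) for name in satellites})
    return plan

def audit(gateways, satellites, configured):
    """Return sorted (device, finding, detail) tuples; empty list means clean."""
    findings = []
    ifaces = {n: ipaddress.ip_interface(a)
              for n, a in {**gateways, **satellites}.items()}
    # Assumption: one shared tunnel subnet, as in the page's 2.2.2.x example.
    subnets = sorted({str(i.network) for i in ifaces.values()})
    if len(subnets) > 1:
        findings.append(("*", "subnet-mismatch", ",".join(subnets)))
    seen = {}
    for name, iface in sorted(ifaces.items()):
        if iface.ip in seen:
            findings.append((name, "duplicate-tunnel-ip",
                             f"{iface.ip} also on {seen[iface.ip]}"))
        seen.setdefault(iface.ip, name)
    for name, want in expected_neighbors(gateways, satellites).items():
        have = set(configured.get(name, ()))
        findings += [(name, "missing-neighbor", ip) for ip in want - have]
        findings += [(name, "unexpected-neighbor", ip) for ip in have - want]
    return sorted(findings)

if __name__ == "__main__":
    for device, finding, detail in audit(GATEWAYS, SATELLITES, CONFIGURED):
        print(f"{device:5} {finding:20} {detail}")
```

A missing-neighbor finding explains an adjacency that never reaches Full in step 4; an unexpected-neighbor finding points at a neighbor statement left behind for a device that is no longer in the inventory.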
