Advanced LSVPN Configuration with iBGP

This use case illustrates how GlobalProtect LSVPN securely connects distributed office locations with primary and disaster recovery data centers that house critical applications for users and how internal border gateway protocol (iBGP) eases deployment and upkeep. Using this method, you can extend up to 500 satellite offices connecting to a single gateway.
BGP is a highly scalable, dynamic routing protocol that is ideal for hub-and-spoke deployments such as LSVPN. As a dynamic routing protocol, it eliminates much of the overhead associated with access routes (static routes) by making it relatively easy to deploy additional satellite firewalls. Due to its route filtering capabilities and features such as multiple tunable timers, route dampening, and route refresh, BGP scales to a much higher number of routing prefixes with greater stability than other routing protocols like RIP and OSPF. In the case of iBGP, a peer group, which includes all the satellites and gateways in the LSVPN deployment, establishes adjacencies over the tunnel endpoints. The protocol then implicitly takes control of route advertisements, updates, and convergence.
In this example configuration, an active/passive HA pair of PA-5050 firewalls is deployed in the primary (active) data center and acts as the portal and primary gateway. The disaster recovery data center also has two PA-5050s in an active/passive HA pair acting as the backup LSVPN gateway. The portal and gateways serve 500 PA-200s deployed as LSVPN satellites in branch offices.
Both data center sites advertise routes but with different metrics. As a result, the satellites prefer and install the active data center’s routes. However, the backup routes also exist in the local routing information base (RIB). If the active data center fails, the routes advertised by that data center are removed and replaced with routes from the disaster recovery data center’s routes. The failover time depends on selection of iBGP times and routing convergence associated with iBGP.
lsvpn-ibgp.png
The following workflow shows the steps for configuring this deployment:
  1. Portal and Primary gateway:
    • Zone
      : LSVPN-Untrust-Primary
    • Interface: ethernet1/21
    • IPv4: 172.16.22.1/24
    • Zone
      : L3-Trust
    • Interface
      : ethernet1/23
    • IPv4
      : 200.99.0.1/16
    Backup gateway:
    • Zone
      : LSVPN-Untrust-Primary
    • Interface
      : ethernet1/5
    • IPv4
      : 172.16.22.25/24
    • Zone
      : L3-Trust
    • Interface
      : ethernet1/6
    • IPv4
      : 200.99.0.1/16
    Satellite:
    • Zone
      : LSVPN-Sat-Untrust
    • Interface
      : ethernet1/1
    • IPv4
      : 172.16.13.1/22
    • Zone
      : L3-Trust
    • Interface
      : ethernet1/2.1
    • IPv4
      : 200.101.1.1/24
    Configure the zones, interfaces, and IP addresses on each satellite. The interface and local IP address will be different for each satellite. This interface is used for the VPN connection to the portal and gateway.
  2. Primary gateway
    :
    • Interface
      : tunnel.5
    • IPv4
      : 10.11.15.254/22
    • Zone
      : LSVPN-Tunnel-Primary
    Backup gateway
    :
    • Interface
      : tunnel.1
    • IPv4
      : 10.11.15.245/22
    • Zone
      : LSVPN-Tunnel-Backup
  3. The gateway uses the self-signed root certificate authority (CA) to issue certificates for the satellites in a GlobalProtect LSVPN. Because one firewall houses the portal and primary gateway, a single certificate is used for authenticating to the satellites. The same CA is used to generate a certificate for the backup gateway. The CA generates certificates that pushed to the satellites from the portal and then used by the satellites to authenticate to the gateways.
    You must also generate a certificate from the same CA for the backup gateway, allowing it to authenticate with the satellites.
    1. Create SSL/TLS service profiles for the GlobalProtect portal and gateways. Because the GlobalProtect portal and primary gateway are the same firewall interface, you can use the same server certificate for both components.
      • Root CA Certificate
        : CA-Cert
      • Certificate Name
        : LSVPN-Scale
    2. Repeat steps 2 through 5 on the backup gateway with the following settings:
      • Root CA Certificate
        : CA-cert
      • Certificate Name
        : LSVPN-back-GW-cert
    1. Select
      Network
      GlobalProtect
      Gateways
      and click
      Add
      .
    2. On the
      General
      tab, name the primary gateway
      LSVPN-Scale
      .
    3. Under
      Network Settings
      , select
      ethernet1/21
      as the primary gateway interface and enter
      172.16.22.1/24
      as the IP address.
    4. On the
      Authentication
      tab, select the LSVPN-Scale certificate created in 3.
    5. Select
      Satellite
      Tunnel Settings
      and select
      Tunnel Configuration
      . Set the
      Tunnel Interface
      to tunnel.5. All satellites in this use case connect to a single gateway, so a single satellite configuration is needed. Satellites are matched based on their serial numbers, so no satellites will need to authenticate as a user.
    6. On
      Satellite
      Network Settings
      , define the pool of IP address to assign to the tunnel interface on the satellite once the VPN connection is established. Because this use case uses dynamic routing, the Access Routes setting remains blank.
    7. Repeat steps 1 through 5 on the backup gateway with the following settings:
      • Name
        : LSVPN-backup
      • Gateway interface
        : ethernet1/5
      • Gateway IP
        : 172.16.22.25/24
      • Server cert
        : LSVPN-backup-GW-cert
      • Tunnel interface
        : tunnel.1
  4. Configure iBGP on the primary and backup gateways and add a redistribution profile to allow the satellites to inject local routes back to the gateways.
    Each satellite office manages its own network and firewall, so the redistribution profile called ToAllSat is configured to redistribute local routes back to the GlobalProtect gateway.
    1. Select
      Network
      Virtual Routers
      and
      Add
      a virtual router.
    2. On
      Router Settings
      , add the
      Name
      and
      Interface
      for the virtual router.
    3. On
      Redistribution Profile
      and select
      Add
      .
      1. Name the redistribution profile
        ToAllSat
        and set the
        Priority
        to 1.
      2. Set Redistribute to
        Redist
        .
      3. Add
        ethernet1/23
        from the Interface drop-down.
      4. Click
        OK
        .
    4. Select
      BGP
      on the Virtual Router to configure BGP.
      1. On
        BGP
        General
        , select
        Enable
        .
      2. Enter the gateway IP address as the
        Router ID
        (
        172.16.22.1
        ) and
        1000
        as the
        AS Number
        .
      3. In the Options section, select
        Install Route
        .
      4. On
        BGP
        Peer Group
        , click
        Add
        a peer group with all the satellites that will connect to the gateway.
      5. On
        BGP
        Redist Rules
        ,
        Add
        the
        ToAllSat
        redistribution profile you created previously.
    5. Click
      OK
      .
    6. Repeat steps 1 through 5 on the backup gateway using
      ethernet1/6
      for the redistribution profile.
  5. The configuration shown is a sample of a single satellite.
    Repeat this configuration each time you add a new satellite to the LSVPN deployment.
    1. Configure a tunnel interface as the tunnel endpoint for the VPN connection to the gateways.
    2. Set the IPSec tunnel type to GlobalProtect Satellite and enter the IP address of the GlobalProtect Portal.
    3. Select
      Network
      Virtual Routers
      and
      Add
      a virtual router.
    4. On
      Router Settings
      , add the
      Name
      and
      Interface
      for the virtual router.
    5. Select
      Virtual Router
      Redistribution Profile
      and
      Add
      a profile with the following settings.
      1. Name the redistribution profile
        ToLSVPNGW
        and set the
        Priority
        to 1.
      2. Add
        an
        Interface
        ethernet1/2.1
        .
      3. Click
        OK
        .
    6. Select
      BGP
      General
      ,
      Enable
      BGP and configure the protocol as follows:
      1. Enter the gateway IP address as the
        Router ID
        (
        172.16.22.1
        ) and
        1000
        as the
        AS Number
        .
      2. In the Options section, select
        Install Route
        .
      3. On
        BGP
        Peer Group
        ,
        Add
        a peer group containing all the satellites that will connect to the gateway.
      4. On
        BGP
        Redist Rules
        ,
        Add
        the
        ToLSVPNGW
        redistribution profile you created previously.
    7. Click
      OK
      .
  6. Both data centers advertise their routes but with different routing priorities to ensure that the active data center is the preferred gateway.
    1. Select
      Network
      GlobalProtect
      Portals
      and click
      Add
      .
    2. On
      General
      , enter
      LSVPN-Portal
      as the portal name.
    3. On
      Network Settings
      , select
      ethernet1/21
      as the
      Interface
      and select
      172.16.22.1/24
      as the
      IP Address
      .
    4. On the
      Authentication
      tab, select the previously created primary gateway SSL/TLS Profile
      LSVPN-Scale
      from the
      SSL/TLS Service Profile
      drop-down menu.
    5. On the
      Satellite
      tab,
      Add
      a satellite and
      Name
      it
      sat-config-1
      .
    6. Set the
      Configuration Refresh Interval
      to
      12
      .
    7. On
      GlobalProtect Satellite
      Devices
      , add the serial number and hostname of each satellite device in the LSVPN.
    8. On
      GlobalProtect Satellite
      Gateways
      , add the name and IP address of each gateway. Set the routing priority of the primary gateway to 1 and the backup gateway to 10 to ensure that the active data center is the preferred gateway.
  7. (
    Optional
    ) Add a new site to the LSVPN deployment.
    1. Select
      Network
      GlobalProtect
      Portals
      GlobalProtect Portal
      Satellite Configuration
      GlobalProtect Satellite
      Devices
      to add the serial number of the new satellite to the GlobalProtect portal.
    2. Configure the IPSec tunnel on the satellite with the GlobalProtect Portal IP address.
    3. Select
      Network
      Virtual Router
      BGP
      Peer Group
      to add the satellite to the BGP Peer Group configuration on each gateway.
    4. Select
      Network
      Virtual Router
      BGP
      Peer Group
      to add the gateways to the BGP Peer Group configuration on the new satellite.

Related Documentation