Checkpoint - Fortigate Site-to-Site VPN Example

Hi Fellas,

Checkpoint Subnet Range : 10.0.0.0/24
Fortigate Subnet Range : 172.23.54.0/24

Public IP address of Check Point : 192.168.1.111/24
Public IP address of Fortigate : 192.168.1.223/24

Nat is not configured for fortigate
Nat is only configured for internal side of checkpoint. (Also disabled into VPN > Advanced Settings > Advanced VPN properties by checking -disable NAT inside the VPN community.

For Checkpoint :

Star VPN connection is identified by defining Center is CP, Satellite is Fortigate

Also don't forget to create pre-shared key for fortigate on above vpn page (>Shared Secret)

For Fortigate:

Pre-shared key field is required to fill.

Autokey Keep Alive is checked

Auto Negotiate is checked

And of couse : you have to define the source / destination subnet fields for sites.

Above: Source is : 172.23.54.0/24  Destination is : 10.1.1.0/24

And..

IOS vs XE vs XR

Classical IOS is on the market for a long time, You will find this IOS on entry level routers like ISR or Enterprise switches like 6500 or 3750.

• IOS  Cisco ISR Series Routers (800,1900,2900,3900 series), Cisco 7200 and 7600 Series and all legacy routers and Catalysts 6500

IOS XE is pretty similar to classic IOS,  additional few debug commands and provide  rapid feature delivery ..

• IOS XE – ASR 1000 Series and Catalyst 4500E Series Switches

IOS XR 's core is different micro-kernel architecture, memory-protected and preemptive multitasking etc....

In my opinion, the command syntax is pretty similar with Junos..

every detailed unnecessary commands like "commit", "address-family ipv4 unicast" for Static Routing !!! etc...

• IOS XR – Cisco CRS-1 and CRS-3, Cisco ASR9000 and Cisco XR12000

OSPF- SHAM Link

Hi Fellas,

Think about 2 customers want you to merge their network over you MPLS network.
You use Layer 3 VPN but customer is informed you about they use methro-ethernet vs. for backup link for their remote sites (backdoor). You think the interface may remain shutdown, but when it is up, it may **** up everythink.

In this case, we will analyze the backdoor-link ;




CE1 ping CE2's loopback address (5.5.5.5) over MPLS network.
Backdoor link is not active !!!!!!

As you can see, 172.23.55.0 network ( PE2-CE2) is learned over 172.23.54.16 (CE1's next hop)
which is so correct.

O IA is , ospf inter area routes :  

Just in case as a reminder:

just O is in OSPF terminology : Intra Area Routes that; sharing routes in the same OSPF domain !

When we activate the backdoor link;

routing table is become like ;

for CE2;

172.23.54.0 (CE1) is learnt over backdoor link !

It by-passed the MPLS network because..........,

there is some "O" front of it !!!!

O is Intra-Area routes that sharing advertises in same OSPF domain,

that when sharing advertises for OSPF calculation,

OSPF always choose INTRA-AREA routes instead INTER-AREA routes.

So we need to throw out some config :)

PE1;

router ospf 2 vrf asd

 log-adjacency-changes

 area 0 sham-link 31.31.31.31 32.32.32.32

 redistribute bgp 1 subnets

 network 172.23.54.0 0.0.0.255 area 0

PE2;

router ospf 2 vrf asd

 log-adjacency-changes

 area 0 sham-link 32.32.32.32 31.31.31.31

 redistribute bgp 1 subnets

 network 172.23.55.0 0.0.0.255 area 0

Regards !

MPLS , TTL Propagate

I switch off the TTL values for between VPN connectivity sites. You need to apply all the MPLS Core routers by one by.

use  no mpls ip propagate-ttl !

Just only exists egress VPN label at PE2 customer toward interface ! 

EIGRP SOO (Site of Origin)

Hi Fellas,

I want to share something about Site of Origin Issue.

So Basicly What is Site of Origin ?? ;

It is used for more focused on loop prevention for  multihomed MPLS customers.
( we can use BGP Cost Community instead, I will share it later...)

CE Routers are connected to PE also they have a back-up link between of them that is we called multihomed in this case.

LOOP !!!!

For clarity, lets diagram this ;

PE advertise routes, and somehow ;

Routes reach CE-R10 towards R8 before going directly CE-R8. When R8 learns about R4's routes from CE-R10, it doesn't install the routes. Instead, from then on it; it prefers to go the " long way around" via PE-R6 and CE -R10

L

O

O

P

!

!

Example ;

CE1 send out the routes, somehow PE1 gets them first before CE2 through backup-link . PE1 at this point sets SOO 1:1 on the EIGRP route then it goes to PE3 > PE2  , PE2 accepts this route because SOO 1:1 different than SOO 2:2. 

Even CE2 is try to re-advertise routes to CE1 ( which is advertised by CE1 ), CE1 won't accept the routes because 1:1 won't let the same ID going in.

Note that;

PE2 does not re-write the tag from 1:1 to 2:2. Tags are only written if they are missing, they are never re-written.

I configure SOO 1:1 on Site A , SOO 2:2 on Site B ;

Routes leave site A will be tagged with 1:1 and routes leave site B will be tagged with 2:2

Site a will accept Site B2s routes and Site B will accept Site A's routes , but Site A won't accept it's own routes back in on the "border" routers. 

The network connection seems ok, CE1 can ping CE2's loopback address (Backdoor link is shutdown for testing purpose only that MPLS works)

And we see 5.5.5.0/24 prefix next hop address is 10.10.10.2 which uses through backdoor link !

PE1 

interface FastEthernet0/0

 ip address 172.23.54.15 255.255.255.0

 delay 100

 duplex auto

 speed auto

!

interface FastEthernet1/0

 bandwidth 100

 ip address 10.10.10.1 255.255.255.0

 delay 10000000

 duplex auto

 speed auto

!

I change default delay settings that CE1 prefixes (for 5.5.5.0/24 ) is forwarded to PE1 instead of backdoorlink.

And as I mentioned before, that could create loop for our  MPLS network grid. ! We will use SOO ;

PE 1

route-map SOOx permit 10

 set extcommunity soo 1:1

!

interface FastEthernet0/0

 ip vrf forwarding asd

 ip vrf sitemap SOOx

 ip address 172.23.54.16 255.255.255.0

 duplex auto

 speed auto

So0 is 1:1 now :) No worries for loop issue again :D

RIB-Faiure (17) in VPNV4

Hi Fellas,

You can face with RIB-Failure frequently when your advertised routes have better AD than BGP AD or MP-BGP AD




For this case;

When we quick look at VPNv4 routing table on R4 ;

172.23.54.0 network which next-hop is 2.2.2.2 so this case 

R2's customer towards interface (fastEthernet0/0) caused a RIB-Failure.

Because,

I believe that R2 fa 0/0 and R4 fa 1/0 is sharing both 172.23.54.x prefixes, when

I change R2 > fastEthernet0/0 ospf cost 400

Gratz !

Additionally , OSPF AD 110, IBGP 200, EBGP 20 

RIP into MPLS Redistribution

Hi Fellas,

I want to share with you some little small hint for this MPLS topology

ip vrf asd

 rd 1:100

 route-target export 1:100

 route-target import 1:100

!

!

!router ospf 1

 log-adjacency-changes

 network 0.0.0.0 255.255.255.255 area 0

!

router rip

 version 2

 !

 address-family ipv4 vrf asd

  redistribute bgp 1 metric transparent

  network 10.0.0.0

  no auto-summary

  version 2

 exit-address-family

!

router bgp 1

 no synchronization

 bgp log-neighbor-changes

 neighbor 4.4.4.4 remote-as 1

 neighbor 4.4.4.4 update-source Loopback0

 no auto-summary

 !

 address-family vpnv4

  neighbor 4.4.4.4 activate

  neighbor 4.4.4.4 send-community both

 exit-address-family

 !

 address-family ipv4 vrf asd

  redistribute rip

  no synchronization

 exit-address-family

without "transparent" word when we try to redistribute rip over bgp , advertised prefixes are not adverties properly.

Cisco says:

Make sure that a metric, whether a specific metric or the keyword transparent, is configured when redistributing MP-BGP routes into RIP. If one is not specified, the routes may not be redistributed.

Regards !