Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Connecting RED's to XG when using BGP

Hello,

 

I am wondering if anyone has setup an XG using BGP and has RED's connected to it? Since there are no ACL's for the RED service ports, how can the XG accepts RED's from a BGP IP address that is not on a WAN port? There is no gateway address either so the XG does not have an interface in the BGP IP block. It only has point to point connections to each ISP using /30's.

 

This is a multi-hop BGP setup to 2 different ISP's, advertising a /22. Any info would be greatly appreciated.



This thread was automatically locked due to age.
  • There are only IPsec+WAF as a use case issue in this setup. 

    IPsec can only use a WAN Interface as SA. 

    So you cannot build up a Site to Site in this setup.

     

    RED should be open on all Ports (Port 3400 and 3410).

    SSLVPN can be activated on their own Zone (So no binding to WAN). 

     

    With V18, you can actually DNAT /NAT this traffic to another Port to get this up and running again. 

    __________________________________________________________________________________________________________________

  • There is no zone. The interface is a point to point link. Our block of IP's are NOT on any interface.

    DNAT does not work for SSLVPN. I have not tested the RED service yet.

  • You must have a Interface in any Case. How should this work otherwise? 

    eBGP relies on having any kind of Interface with any kind of IP. 

     

    Its most likely a DMZ Zone interface or a self created Zone. 

     

    Or which IP do you setup on your Interface? A point to Point link to the ISP is still a valid IP on your Interface. So you can actually use this IP on your SSLVPN configuration as overwrite hostname and you can still use this Zone on this Interface to setup SSLVPN. 

    __________________________________________________________________________________________________________________

  • Yes, there is a DMZ zone for the PTP link and each interface has an IP assigned by THAT carrier.

    The whole point of BGP is carrier redundancy. Why would I want to use a carriers IP for SSLVPN? The whole point is to use OUR IP block for all services. If I use carrier A's PTP IP, if they go down, our users can't connect. That is not a viable solution.

    It sounds like to me, XG does not handle BGP properly like other vendors routers and firewalls do.

  • Then use a DNS Record for SSLVPN.

    Do not forget, SSLVPN is a point to point connection.

    The Client needs a IP to connect to. 

    You could actually give the SSLVPN client a DNS record. 

    Do you have something in place to get DNS redundancy? 

     

     

    Redundancy is also being used by Services, and most likely its used by DNS. 

    Having said, i do not care, which IPs Google use, i simply connect to google.com. 

    So if they failover to another IP, uses other IPs, i simply dont care. I do not notice. 

    And you could use DNS for all causes like SSLVPN, like RED etc. 

     

    And you are not using the Carrier IP, you are using your IP, which you get by the carrier. 

    __________________________________________________________________________________________________________________

  • I appreciate you trying to help but I don’t think you understand how BGP works.

    If I use a DNS record, I’m going to point it to one of my IP addresses. The XG is not listening on those IP’s because they are not terminated to an interface.

    Using multiple IP’s on a DNS record is bad practice if the IP’s are not using BGP. You’re suggesting using the carrier’s IP’s which could go down. The clients will have that IP cached.

    Google uses multiple IP’s on a DNS record for load balancing. All of those IP’s are advertised via BGP for redundancy.

    The IP’s I want to use ARE NOT addresses we get from the carrier. They belong to us. We advertise them to the ISP’s.

  • Why should your IPs not using BGP?

    I am not talking about DNS with multiple IPs. I am talking about services in DNS, which provides health checks. 

    Use something like Route53 with keep alive tracking etc on your IPs, which you are pointing to ISP. 

     

    Lets wrap this up.

    You are advertising your IPs to the ISP. 

    It is generally speaking working for you in case of redudancy. 

    You need now a RED working. 

    A RED can basically connect to two different Hostnames (main and failover). Those Hostnames could be DNS. 

    Same for SSLVPN. You have a Overwrite FQDN. This is copied into the SSLVPN Configuration. 

     

    Using something like Route53, you could easily get your IPs replaced in nearly realtime, if one IP / uplink is down. 

     

     

    I am still not talking about the carrier IPs. 

    __________________________________________________________________________________________________________________

  • The whole point of BGP is to not use a 3rd party service like Route53.

  • Lets discuss, why XG is not acting properly in your scenario.

    How should XG react in case of Interface lose for RED? 

    __________________________________________________________________________________________________________________

  • The RED cannot connect to any of the IP addresses in our block.

    If it could, lets say 205.12.34.123, if the peering went down with one ISP, the other ISP would have the route to that address. It is the basics of BGP. I am not understanding why you can't understand how BGP works.

    I need the XG to respond to services on a BGP address block. It is as simple as that. I cannot use an address on the PTP link with either ISP.