Virtual Router/ Firewall/ VPN

Frequent Visitor

BGP route is not installed (IPSec + BGP)


Hello,

I'm configuring BGP over IPSec VPN.

On my side: Brocade Vyatta 5410 vRouter 6.6 R2

On the other side: Amazon VPN Gateway

 

I was able to establish the VPN and BGP connection. Routes are propagated in both directions. But I don't see any routes installed in the routing table. It seems that something prevents the route from being added to it.

 

Did anyone configure vRouter this way? Does anyone have any suggestions?

 

vyatta@VyattaAMI:~$ show ip bgp neighbors 169.254.255.1 received-routes

BGP table version is 12, local router ID is 169.254.255.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.127.61.128/25 169.254.255.1                          0 7224 i

Total number of prefixes 1

 vyatta@VyattaAMI:~$ show ip route

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

Gateway of last resort is 10.127.10.129 to network 0.0.0.0

S    *> 0.0.0.0/0 [1/0] via 10.127.10.129, eth0
S    *> 10.127.10.128/25 [1/0] via 10.127.10.129, eth0
C    *> 10.127.10.128/27 is directly connected, eth0
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 169.254.255.0/30 is directly connected, vti1
C    *> 169.254.255.4/30 is directly connected, vti0

 vyatta@VyattaAMI:~$ show configuration

interfaces {
    ethernet eth0 {
        address 10.127.10.133/27
        duplex auto
        hw-id 02:2a:86:48:02:7d
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    vti vti0 {
        address 169.254.255.6/30
        description "VPC tunnel 1"
        mtu 1436
    }
    vti vti1 {
        address 169.254.255.2/30
        description "VPC tunnel 2"
        mtu 1436
    }
}
protocols {
    bgp 64989 {
        neighbor 169.254.255.1 {
            nexthop-self
            remote-as 7224
            soft-reconfiguration {
                inbound
            }
            timers {
                holdtime 30
                keepalive 30
            }
            update-source 169.254.255.2
        }
        neighbor 169.254.255.5 {
            nexthop-self
            remote-as 7224
            soft-reconfiguration {
                inbound
            }
            timers {
                holdtime 30
                keepalive 30
            }
            update-source 169.254.255.6
        }
        network 10.127.10.128/25 {
        }
    }
    static {
        route 0.0.0.0/0 {
            next-hop 10.127.10.129 {
            }
        }
        route 10.127.10.128/25 {
            next-hop 10.127.10.129 {
            }
        }
     }
}
service {
    ... this section is omitted ...
}
system {
    ... this section is omitted ...
}
vpn {
    ipsec {
        esp-group AWS {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group AWS {
            dead-peer-detection {
                action restart
                interval 15
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer <VPNGatewayIP#1> {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                description "VPC tunnel 1"
                ike-group AWS
                local-address 10.127.10.133
                vti {
                    bind vti0
                    esp-group AWS
                }
            }
            peer <VPNGatewayIP#2> {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                description "VPC tunnel 2"
                ike-group AWS
                local-address 10.127.10.133
                vti {
                    bind vti1
                    esp-group AWS
                }
            }
        }
    }
}

 

New Contributor

Re: BGP route is not installed (IPSec + BGP)

I'm having the same issue here. Routes are shown as received, best, selected, but not in the routing table.

 

The same BGP peer advertises correctly to other routers, including Vyatta.

New Contributor

Re: BGP route is not installed (IPSec + BGP)

a-ha!

 

The same configuration works when I change the ASs to make it iBGP. Only eBGP shows this behavior. What do I miss on the eBGP?

Brocadian

Re: BGP route is not installed (IPSec + BGP)

Add ebgp-multihop on the vRouter side for the peer and reset BGP.
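The fix from the reply above, written out as the vRouter configuration and operational commands. This is an added example, not part of the original post or of Brocade's or AWS's own configuration templates; the neighbor addresses and the local AS 64989 are taken from the configuration posted earlier in the thread, and the hop count of 2 is an assumption (any value above 1 turns on the multihop behaviour).

```text
vyatta@VyattaAMI:~$ configure
[edit]
# Allow the eBGP session to come up and its routes to be installed even though
# the peer is not treated as directly connected (same change for both tunnels).
vyatta@VyattaAMI# set protocols bgp 64989 neighbor 169.254.255.1 ebgp-multihop 2
vyatta@VyattaAMI# set protocols bgp 64989 neighbor 169.254.255.5 ebgp-multihop 2
vyatta@VyattaAMI# commit
vyatta@VyattaAMI# save
vyatta@VyattaAMI# exit
exit

# Reset both sessions so the new neighbor settings take effect.
vyatta@VyattaAMI:~$ reset ip bgp 169.254.255.1
vyatta@VyattaAMI:~$ reset ip bgp 169.254.255.5

# Verify: the prefix must still be received, and must now also be in the RIB.
vyatta@VyattaAMI:~$ show ip bgp neighbors 169.254.255.1 received-routes
vyatta@VyattaAMI:~$ show ip route bgp
```

After the reset, the prefix 10.127.61.128/25 that was already shown as received and best should appear in `show ip route bgp` as a `B` route via 169.254.255.1 on vti1. One caveat for the security-minded: `ebgp-multihop` relaxes the usual single-hop TTL check on eBGP packets for that neighbor, so the session no longer relies on its peer being directly adjacent; here that is acceptable because the neighbor is only reachable inside the IPsec-protected VTI tunnel.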

Occasional Contributor

Re: BGP route is not installed (IPSec + BGP)

Thanks Damyion.
