BOVPN Virtual Interface with Dynamic Routing

One reason to use a BOVPN virtual interface is so that the XTM device can use dynamic routing to learn the routes to private networks on a peer XTM device through the VPN tunnel. When you use dynamic routing with a BOVPN virtual interface, the device at each end of the tunnel automatically learns the routes to networks advertised by the other gateway.

Example Scenario

This example shows the configuration settings for a BOVPN virtual interface and dynamic routing between two XTM devices at Site A and Site B. The two sites use OSPF to dynamically update routes through the BOVPN virtual interface.

Site A XTM Device (XTM 530)

For this example, the Site A XTM device is an XTM 530 with two external interfaces, one trusted network, and four optional networks.

Interface  Type      Name        IP Address
0          External  External    203.0.113.2/24
1          Trusted   Trusted     10.0.1.1/24
2          Optional  Optional-1  10.0.2.1/24
3          Optional  Optional-2  10.0.3.1/24
4          Optional  Optional-3  10.0.4.1/24
5          Optional  Optional-4  10.0.5.1/24
6          External  External-2  190.0.2.2/24

The administrator at Site A wants to propagate routes for the Trusted, Optional-1, and Optional-2 networks through the BOVPN tunnel, but does not want to propagate routes for the Optional-3 and Optional-4 networks.

Site B XTM Device (XTM 33)

For this example, the Site B XTM device is an XTM 33 with one external interface, one trusted network and three optional networks.

Interface  Type      Name        IP Address
0          External  External    198.51.100.2/24
1          Trusted   Trusted     10.50.1.1/24
2          Optional  Optional-1  10.50.2.1/24
3          Optional  Optional-2  10.50.3.1/24
4          Optional  Optional-3  10.50.4.1/24

The administrator at Site B wants to propagate routes for the Trusted and Optional-1 networks through the BOVPN tunnel, but does not want to propagate routes for the Optional-2 and Optional-3 networks.

BOVPN Virtual Interface Configuration

The BOVPN virtual interface on each XTM device must be configured to use the same settings. For this example, we assume that Site A and Site B agree to use a pre-shared key and to use these IP addresses for the BOVPN virtual interface:

Site A BOVPN virtual interface local IP address: 10.1.1.1

Site B BOVPN virtual interface local IP address: 10.2.2.2

All other BOVPN virtual interface settings remain at the default values.

Site A BOVPN Virtual Interface Configuration

The Gateway Settings tab of the BOVPN virtual interface configuration uses these settings:

Screen shot of the BOVPN Virtual Interfaces page, Gateway Settings tab

The VPN Routes tab of the BOVPN virtual interface configuration uses these settings:

Screen shot of the BOVPN Virtual Interfaces page, VPN Routes tab

The Site B XTM device must use the same interface IP addresses, except that the local and peer IP addresses are reversed.

Site B BOVPN Virtual Interface Configuration

The configuration at Site B is exactly the same as at Site A, except that the local and remote gateway IP addresses are reversed, and the local and peer IP addresses are reversed.

The Gateway Settings tab of the BOVPN virtual interface configuration uses these settings:

Screen shot of the BOVPN Virtual Interfaces page, Gateway Settings tab

The VPN Routes tab of the BOVPN virtual interface configuration uses these settings:

Screen shot of the BOVPN Virtual Interface page, VPN Routes tab

Dynamic Routing Configuration

After the BOVPN virtual interface IP addresses have been configured, you can use them in the dynamic routing configuration.

In this OSPF example, the configuration on each device does two things: an access-list and route-map control which connected networks are redistributed into OSPF, and the network command places the BOVPN virtual interface in area 0.0.0.0. Note that the access-list limits only what each device advertises; it does not limit which routes the device accepts from its peer.

Site A OSPF configuration

The administrator at Site A uses dynamic routing to propagate routes for the Trusted, Optional-1, and Optional-2 networks through the BOVPN tunnel, but does not propagate routes for the Optional-3 and Optional-4 networks.

The OSPF configuration on the Site A XTM device uses these settings:

! filter the connected networks to propagate
access-list ospf_filter permit 10.0.1.0/24
access-list ospf_filter permit 10.0.2.0/24
access-list ospf_filter permit 10.0.3.0/24
access-list ospf_filter deny any
!
route-map ospf_redis permit 10
match ip address ospf_filter
!
interface bvpn1
! The interface name is bvpnX, where X is the BOVPN virtual interface number.
! This is the Device Name in the BOVPN Virtual Interface configuration
!
ip ospf mtu-ignore
! This statement avoids MTU issues when the remote device uses a different MTU size
!
router ospf
redistribute connected route-map ospf_redis
network 10.2.2.2/32 area 0.0.0.0
! The network command uses the BOVPN virtual interface
! peer IP address, because this is a P2P interface

Site B OSPF configuration

The administrator at Site B uses dynamic routing to propagate routes for the Trusted and Optional-1 networks, but does not propagate routes for the Optional-2 and Optional-3 networks.

The OSPF configuration on the Site B XTM device uses these settings:

! filter the connected networks to propagate
access-list ospf_filter permit 10.50.1.0/24
access-list ospf_filter permit 10.50.2.0/24
access-list ospf_filter deny any
!
route-map ospf_redis permit 10
match ip address ospf_filter
!
interface bvpn1
! The interface name is bvpnX, where X is the BOVPN virtual interface number.
! This is the Device Name in the BOVPN Virtual Interface configuration
!
ip ospf mtu-ignore
! This statement avoids MTU issues when the remote device uses a different MTU size
!
router ospf
redistribute connected route-map ospf_redis
network 10.1.1.1/32 area 0.0.0.0
! The network command uses the BOVPN virtual interface
! peer IP address, because this is a P2P interface

After the configuration files are saved to the devices at Site A and Site B, the BOVPN tunnel becomes active and dynamic routes are propagated through the tunnel.

If you want each device to redistribute static routes, you can also use the redistribute static command. This is not necessary in this example, because all of the networks we want to propagate are directly connected to each XTM device.

See Dynamic Network Routes

After the BOVPN tunnel is established, each device uses OSPF to learn the routes to the connected networks propagated by the peer device.

The learned network routes appear in the route table for each XTM device. To see the routes, select System Status > Routes.

The interface name used for routes that use the BOVPN virtual interface is the Device Name that is automatically assigned when you create the BOVPN virtual interface. The name of the first BOVPN virtual interface is bvpn1.

For this example, the routes that use the bvpn1 interface at Site A are:

Destination  Interface  Gateway   Description
10.2.2.2     bvpn1      0.0.0.0   The BOVPN virtual interface peer IP address
10.50.1.0    bvpn1      10.2.2.2  Route learned from Site B
10.50.2.0    bvpn1      10.2.2.2  Route learned from Site B

On the Site A device, the Routes table looks like this:

Screen shot of the Routes page for the XTM device at Site A

For this example, the routes that use the bvpn1 interface at Site B are:

Destination  Interface  Gateway   Description
10.1.1.1     bvpn1      0.0.0.0   The BOVPN virtual interface peer IP address
10.0.1.0     bvpn1      10.1.1.1  Route learned from Site A
10.0.2.0     bvpn1      10.1.1.1  Route learned from Site A
10.0.3.0     bvpn1      10.1.1.1  Route learned from Site A

On the Site B device, the Routes table looks like this:

Screen shot of the Routes page for the XTM device at Site B
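The following script is an added example, not WatchGuard code or part of this page. It models the OSPF redistribution filters from the Site A and Site B configurations above (first-match access-list evaluation, with anything that matches no entry denied), works out which connected networks each device advertises, and then compares the routes each device learned over bvpn1, as listed in the two route tables above, with what its peer is expected to advertise. Because the access-lists restrict only what a device advertises, not what it accepts, this kind of comparison is how you notice that a peer is advertising a network it should not (for example after a filter is edited on one side). The route-table rows are transcribed from this page; the extra row in the final check is constructed to show a detected mismatch.

```python
"""Added example (not WatchGuard code): evaluate the ospf_filter access-lists
from this page and check the routes learned over bvpn1 against them.

Assumptions: access-lists are walked top to bottom and the first matching
entry decides; a prefix that matches no entry is denied; a permit/deny
entry with a prefix matches a connected network only when the prefix is
identical; "any" matches everything.
"""
from ipaddress import ip_network

# Connected networks taken from the two interface tables on this page.
SITE_A_CONNECTED = {
    "Trusted": "10.0.1.0/24", "Optional-1": "10.0.2.0/24",
    "Optional-2": "10.0.3.0/24", "Optional-3": "10.0.4.0/24",
    "Optional-4": "10.0.5.0/24",
}
SITE_B_CONNECTED = {
    "Trusted": "10.50.1.0/24", "Optional-1": "10.50.2.0/24",
    "Optional-2": "10.50.3.0/24", "Optional-3": "10.50.4.0/24",
}

# Access-list lines copied from the Site A and Site B OSPF configurations.
SITE_A_ACL = """
access-list ospf_filter permit 10.0.1.0/24
access-list ospf_filter permit 10.0.2.0/24
access-list ospf_filter permit 10.0.3.0/24
access-list ospf_filter deny any
"""
SITE_B_ACL = """
access-list ospf_filter permit 10.50.1.0/24
access-list ospf_filter permit 10.50.2.0/24
access-list ospf_filter deny any
"""


def parse_access_list(text, name):
    """Return the ordered (action, prefix-or-None) entries of access-list `name`."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != name:
            continue
        action, target = parts[2], parts[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in access-list line: {line!r}")
        entries.append((action, None if target == "any" else ip_network(target)))
    return entries


def acl_permits(entries, prefix):
    """First match wins; an implicit deny applies when no entry matches."""
    net = ip_network(prefix)
    for action, target in entries:
        if target is None or target == net:
            return action == "permit"
    return False


def redistributed(connected, acl_text, name="ospf_filter"):
    """Connected networks that pass the route-map's access-list, as prefix strings."""
    entries = parse_access_list(acl_text, name)
    return {net for net in connected.values() if acl_permits(entries, net)}


# Routes over bvpn1 as shown in the two route tables on this page:
# (destination, interface, gateway).
SITE_A_ROUTES = [
    ("10.2.2.2", "bvpn1", "0.0.0.0"),
    ("10.50.1.0", "bvpn1", "10.2.2.2"),
    ("10.50.2.0", "bvpn1", "10.2.2.2"),
]
SITE_B_ROUTES = [
    ("10.1.1.1", "bvpn1", "0.0.0.0"),
    ("10.0.1.0", "bvpn1", "10.1.1.1"),
    ("10.0.2.0", "bvpn1", "10.1.1.1"),
    ("10.0.3.0", "bvpn1", "10.1.1.1"),
]


def learned_over_tunnel(routes, iface, peer_ip):
    """Destinations learned from the peer: routes via `iface` with the peer as gateway.

    The peer address itself (gateway 0.0.0.0) is the interface route, not a
    learned route, so it is excluded by the gateway test.
    """
    return {dst for dst, i, gw in routes if i == iface and gw == peer_ip}


def check_learned_routes(routes, iface, peer_ip, expected_prefixes):
    """Return (missing, unexpected) network addresses for routes learned via the tunnel.

    The Routes page lists only the network address, so expected prefixes are
    reduced to their network address before comparison.
    """
    expected = {str(ip_network(p).network_address) for p in expected_prefixes}
    learned = learned_over_tunnel(routes, iface, peer_ip)
    return expected - learned, learned - expected


if __name__ == "__main__":
    adv_a = redistributed(SITE_A_CONNECTED, SITE_A_ACL)
    adv_b = redistributed(SITE_B_CONNECTED, SITE_B_ACL)
    print("Site A advertises:", sorted(adv_a))
    print("Site B advertises:", sorted(adv_b))
    print("Site A check:", check_learned_routes(SITE_A_ROUTES, "bvpn1", "10.2.2.2", adv_b))
    print("Site B check:", check_learned_routes(SITE_B_ROUTES, "bvpn1", "10.1.1.1", adv_a))
```

With the configurations as shown, both checks return empty sets. If Site B's access-list were later changed to permit 10.50.3.0/24 as well, the Site A check would report that destination as unexpected, which is the signal to compare the two sides' filters again.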

See Also

Configure a BOVPN Virtual Interface

Configure IPv4 Routing with OSPF

BOVPN Virtual Interface Configuration Scenarios
