Cybersecurity Forum


RossPett
New Contributor

Dynamic Routing over IPSec VPN

I am planning on switching from static routes for site to site VPNs to dynamic routing to make the network more optimized with a growing company. Was wondering if anyone else has used dynamic routing for VPN tunnels and what they used. We are looking to use OSPF since this is just a hub and spoke setup. When we looked at BGP it was more complicated and had some limitations on the number of supported neighbors. We have over 700 remote offices needing to connect to two active data centers. There will be a primary and backup VPN tunnel using WAN1 and another tunnel using the usb-interface. Would all the remote offices be able to be in one area, and if so, what is the limitation on the number of devices in an area?

1 Solution
mnantel_FTNT

Hi Ross,

Generally speaking, a varying number of maximum values specified in the maximum values table (http://docs.fortinet.com/d/fortigate-fortios-5.2.5-maximum-values-table-1) are not necessarily aggressive performance-wise, but simply table sizes that have been coded in software.

As for your request, if you are using dynamic peer groups (the neighbor-group and neighbor-range constructs), then those do not count towards the table size of _configured_ objects. Generally speaking, the max values table represents how many objects you can configure explicitly. Dynamic peer groups as you are using are not explicitly configured; rather, the FG will peer dynamically with routers matching the given prefix. While a Fortinet CSE could comment on the maximum peers that's been established on specific platforms, I have anecdotal data as to solutions having been tested with over 5000 peers, which is the maximum value specified for our largest platforms (again, those neighbors were not configured, but part of a neighbor-range).

BGP is our protocol of choice for scaling large scale VPN when dynamic routing is a necessity or when using ADVPN (as opposed to using phase 2 source selectors on spokes and reverse injection on the hubs).

RIP is an alternative that can scale to a certain level, although RIP lacks a great deal of configurability and tends to scare the average network admin for one reason or another.

OSPF will generally not scale as the overhead becomes rapidly too big to handle, although no longer limited to historical 50-100 routers per area as was the case circa-1995/2000 (we use modern Intel CPUs, rather than ARM/Motorola as traditional routers have in the distant past, thus capable of computing a whole lot more SPF than the aforementioned routers).

Hope this helps!
Mat

--

Mathieu Nantel - NSE4, CCIE #24349

Principal System Engineer / Consultant Technique Senior, Office of the CTO

Fortinet

-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC

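As an added example, not part of the original post: a FortiOS hub-side BGP configuration using the neighbor-group and neighbor-range constructs the solution describes, with one explicit neighbor entry shown for contrast. The AS numbers, prefixes, router-id and the tunnel interface name "vpn-hub" are assumed placeholders, and the `#` lines are explanatory comments rather than CLI input.

```fortios
# Hub side. Assumed placeholders: AS 65000 for the hub, AS 65001 for every
# spoke, 10.255.0.0/16 as the pool from which spoke tunnel addresses are drawn.
config router bgp
    set as 65000
    set router-id 10.255.255.1
    # Explicit form (one entry per spoke): each entry is a configured object
    # and counts against the BGP neighbor figure in the max-values table.
    config neighbor
        edit "10.255.1.2"
            set remote-as 65001
        next
    end
    # Dynamic form: one group plus one address range. A spoke whose tunnel
    # address falls inside the prefix peers without its own neighbor entry,
    # so the configured-object count stays at one group and one range.
    config neighbor-group
        edit "spokes"
            set remote-as 65001
            set update-source "vpn-hub"
            set soft-reconfiguration enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.255.0.0 255.255.0.0
            set max-neighbor-num 1000
            set neighbor-group "spokes"
        next
    end
    # Data-center network advertised to all spokes (placeholder prefix).
    config network
        edit 1
            set prefix 192.168.0.0 255.255.255.0
        next
    end
end
```

Checking `get router info bgp summary` on the hub after the spokes come up shows which peers were learned through the range rather than configured explicitly.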

syu
New Contributor III

I do not think OSPF is fit for this. Try ADVPN with BGP.

ccassidy_FTNT

BGP is a preferred protocol for large and growing networks (like the internet) in the service provider space and has been gaining acceptance over OSPF in the enterprise for some time now. OSPF may be familiar territory for enterprise admins, but BGP is technically superior for high scale networks. The FortiGate max values table shows up to 5000 neighbors for 1000 level and higher.

http://help.fortinet.com/fgt/handbook/52/5-2-4/max-values.html

Jon Torian provided an online recorded demo on BGP over IPsec with configuration file examples etc. It is in this list of the Q1/Q2 SE Bi-Weekly Tech Call recorded demos:

https://fusecommunity.fortinet.com/p/bl/ar/blogaid=131


RossPett

We also have a Palo Alto firewall with all the VPN data center networks connected to it between the Fortinet running as the VPN concentrator. So the concentrator must be able to update the Palo about routing changes when a VPN fails over. There is no plan to replace the Palo with a Fortinet at this time. We are actually moving the VPN off the Palo to the gates since Palo only supports 2000 phase 2 tunnels and we have hit that limit already. Would ADVPN be able to support the failover VPN tunnels? Some people have used OSPF for remote locations, then aggregating the OSPF routes into BGP routes on the internal network. I would like to use 1 routing protocol on the network to keep stuff simpler. According to the max-value tables our model of FortiGates only supports 1000 BGP neighbors. Would using neighbor groups fix the 1000 limit if we put half of the remote offices in 1 neighbor group and the other half in another group, or would that still count as 1 office equals 1 neighbor in the table? I worked with pro services to initially set up a POC using BGP over the VPN tunnels, but after reading about the 1000 neighbor limit I just want to make sure BGP is the right choice. The link for the video from Jon Torian is not working; is it on YouTube by chance?

The future plan is to use DMNR on the cellular network to connect to Verizon's private network; then the VPN concentrator would connect to Verizon with BGP to update routing tables. Fortinet needs to first get certified on the Verizon private network for this to happen.

RossPett

We ended up moving forward with BGP as the routing protocol and have the setup working. We are using BGP neighbor groups for the remote offices. Does anyone have any experience with neighbor groups and the allowed number of neighbors? I know there is a max limit of 1000, but is the 1000 limit not recommended to be used and should it only be set at maybe 500, for example?


PatrBeav
New Contributor

I've set up several networks via VPNs with OSPF. For that many remotes I would not recommend using OSPF unless you redesign your OSPF setup so that each area only had 25 nodes. I would really think that you would be much better off with BGP and two route reflectors set up. You could also just filter all with a summary route to help with memory overhead if the network design allows for it.