Configuring numbered VTIs
Solution

A numbered VTI (Virtual Tunnel Interface) is a route based VPN mechanism for routing VPN traffic.

(For additional information, refer to the "VPN Tunnel Interfaces" section in the Gaia R77 Versions Administration Guide.)

Route based VPN requires an empty group as the encryption domain. (This is because domain based VPN usually takes precedence over route based VPN.)

  1. Configure an empty group.

    In SmartDashboard, in the Network Objects pane, right-click 'Groups > Simple Group...'. Fill in the Name and click "OK".

    Note: Assigning the empty group as the encryption domain of the Security Gateway will set route based VPN as the default choice.

  2. Assign the empty group as the encryption domain of the Security Gateways that will participate in the community:

    In SmartDashboard, in the 'Gateway object Topology tab > VPN Domain section > Manually defined', select the empty group that you created in step 1. Note: If the same Gateway also participates in Domain based VPN, the empty group should be added within the VPN Encryption Domain Group that is already defined.

  3. If using WebUI:

    1. In the WebUI of the Security Gateways, select 'Network Management tab > Network Interfaces > Add > VPN Tunnel'.
    2. Assign a VPN Tunnel ID (an integer from 1 to 99; it must be identical in both peers' configurations).
    3. Enter the Peer name exactly as it is written on the Gateway object in SmartDashboard.
    4. Choose "Numbered" as the VPN Tunnel Type.
    5. Enter the Local Address and Remote Address (virtual IP addresses; it would be better to use public IP addresses).

  4. Now, after adding the virtual interface to the Security Gateway, you need to notify the Security Management:

    In SmartDashboard, in the 'Gateway object Topology tab > Get... > Interfaces with Topology', then Install Policy. Note: In a cluster environment, the changes must be made on all the cluster members. After step 4 you will also have to assign a VIP to the virtual interface you added.

  5. Set the static route on the Security Gateways:

    1. In the WebUI, under 'Network Interfaces tab > IPv4 Static Routes > Add', specify the destination network behind the peer Security Gateway (for example, 192.168.1.0/24).
    2. In 'Add Gateway > IP Address', assign the virtual IP address you assigned in step 3 (for example, 20.20.20.20).

      Note: You will have to follow these steps on all the Security Gateways that participate in the route based VPN using numbered VTIs (all the tunnel IDs and virtual IP addresses have to match on each Security Gateway).

  6. If using CLI:

    In Clish:

    HostName> add vpn tunnel <Tunnel ID> type numbered local <Local IP> remote <Remote IP> peer <Peer ID>

    • <Tunnel ID> - Unique tunnel name (integer from 1 to 99). Gaia automatically adds the prefix 'vpnt' to the tunnel name.
    • type numbered - Defines a numbered VTI that uses specified, static IPv4 addresses for the local and remote ends.
    • local <Local IP> - Local peer IPv4 address (numbered VTI only) in dotted decimal format.
    • remote <Remote IP> - Remote peer IPv4 address (numbered VTI only) in dotted decimal format.
    • peer <Peer ID> - Remote peer name as defined in the VPN community.

  7. Now, after having added the virtual interface to the Security Gateway, you will have to notify the Security Management:

    In SmartDashboard, in the 'Gateway object Topology tab > Get... > Interfaces with Topology > Install Policy'.

  8. Set the static route on the Security Gateways:

    A-GW> set static-route 192.168.1.0/24 nexthop gateway address 20.20.20.20 on
    C-GW> set static-route 192.168.138.0/24 nexthop gateway address 10.10.10.10 on
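Because the two ends must be configured by hand and must mirror each other, a consistency check is useful before installing policy. The Python below is an added example, not part of this SK article or a Check Point tool: it parses the Clish 'add vpn tunnel' and 'set static-route' lines from both peers and verifies the constraints stated above (tunnel ID in 1-99 and identical on both ends, local/remote addresses mirrored, peer name equal to the other gateway's object name, and the static route's nexthop equal to the peer's VTI address, as in the A-GW/C-GW example). The gateway names and addresses are taken from the article; tunnel ID 10 and the deliberately broken C-GW lines are constructed.

```python
import re

# Patterns for the two Clish command forms the article uses (steps 6 and 8).
TUNNEL_RE = re.compile(r"add vpn tunnel (?P<id>\d+) type numbered local (?P<local>\S+) "
                       r"remote (?P<remote>\S+) peer (?P<peer>\S+)")
ROUTE_RE = re.compile(r"set static-route (?P<dest>\S+) nexthop gateway address (?P<nexthop>\S+) on")

def parse_gateway(name, clish_text):
    """Extract the numbered VTI definition and static routes from one gateway's Clish lines."""
    cfg = {"name": name, "tunnel": None, "routes": []}
    for raw in clish_text.splitlines():
        cmd = raw.split("> ", 1)[-1].strip()  # drop the 'HostName> ' prompt if present
        if m := TUNNEL_RE.fullmatch(cmd):
            cfg["tunnel"] = {k: (int(v) if k == "id" else v) for k, v in m.groupdict().items()}
        elif m := ROUTE_RE.fullmatch(cmd):
            cfg["routes"].append(m.groupdict())
    return cfg

def check_pair(gw_a, gw_b):
    """Return human-readable findings; an empty list means both ends are consistent."""
    findings = []
    for gw in (gw_a, gw_b):
        t = gw["tunnel"]
        if t is None:
            findings.append(f"{gw['name']}: no 'add vpn tunnel ... type numbered' command found")
            continue
        if not 1 <= t["id"] <= 99:
            findings.append(f"{gw['name']}: tunnel ID {t['id']} is outside 1-99")
        for r in gw["routes"]:  # nexthop must be the peer's end of the tunnel
            if r["nexthop"] != t["remote"]:
                findings.append(f"{gw['name']}: route {r['dest']} nexthop {r['nexthop']} "
                                f"is not the peer VTI address {t['remote']}")
    ta, tb = gw_a["tunnel"], gw_b["tunnel"]
    if ta is None or tb is None:
        return findings
    if ta["id"] != tb["id"]:
        findings.append(f"tunnel ID differs: {ta['id']} vs {tb['id']}")
    if (ta["local"], ta["remote"]) != (tb["remote"], tb["local"]):
        findings.append("local/remote VTI addresses are not mirrored between the peers")
    if ta["peer"] != gw_b["name"] or tb["peer"] != gw_a["name"]:
        findings.append("peer name does not match the other gateway's object name")
    return findings

# Constructed sample input: the article's A-GW / C-GW pair, plus a C-GW with two mistakes.
A_GW = """A-GW> add vpn tunnel 10 type numbered local 10.10.10.10 remote 20.20.20.20 peer C-GW
A-GW> set static-route 192.168.1.0/24 nexthop gateway address 20.20.20.20 on"""
C_GW = """C-GW> add vpn tunnel 10 type numbered local 20.20.20.20 remote 10.10.10.10 peer A-GW
C-GW> set static-route 192.168.138.0/24 nexthop gateway address 10.10.10.10 on"""
C_GW_BAD = C_GW.replace("tunnel 10", "tunnel 11").replace("local 20.20.20.20", "local 20.20.20.21")
```

Run check_pair(parse_gateway("A-GW", A_GW), parse_gateway("C-GW", C_GW)) for a clean pair; with C_GW_BAD it reports the differing tunnel ID and the non-mirrored addresses.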

Important: As per sk108958, numbered VTIs were not supported with CoreXL up to R80.10. They are supported by default from R80.10 (due to the integrated MultiCore VPN).

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
