Hello,
I'm trying to prevent my boss from buying an ASA 5585-X to use an OpenBSD box
instead. NAT on ASA is such a pain...
The use would be a WAN firewall, routing for sites with potentially identical
IP ranges. Overlapping IP ranges are translated by the firewall so that from
the point of view of the main site every IP is different.
Actually, this is done using ASA contexts and static routing. I'd like to do
the same with OpenBSD plus BGP routing.
So I started to set up a PF box with VRFs (one BSD VRF <-> one ASA context),
this works like a charm.
Problems start when I try to do BGP routing: basically what I need is one BGP
daemon running in each VRF.
I tried to launch bgpd with
route -T <VRF number> exec bgpd -f /etc/bgpd.conf.<VRF number>
It learns routes from the WAN, but doesn't inject them into rdomain <VRF number>.
I dealt with the problem of nexthop qualifying on rdomain 0 using
"nexthop qualify via default".
I have messages like these in my logs:
neighbor 10.200.18.209 (ADH200_EXT): state change OpenConfirm -> Established,
reason: KEEPALIVE message received
nexthop 10.200.18.209 now valid: via 10.194.126.254
send_rtmsg: action 1, prefix 10.199.13.112/28: Network is unreachable
send_rtmsg: action 1, prefix 10.199.12.112/28: Network is unreachable
My bgpd.conf:
# grep -v "^#" bgpd.adh200
peer_adh200_int="10.200.6.57"
peer_adh200_ext="10.200.18.209"
pool_adh200="10.199.12.112/28"
AS 65040
router-id 10.194.126.241
listen on 10.200.18.214
listen on 10.200.6.62
rtable 200
nexthop qualify via default
neighbor $peer_adh200_int {
        descr "ADH200_INT"
        remote-as 65040
}
neighbor $peer_adh200_ext {
        descr "ADH200_EXT"
        remote-as 65041
}
Some bgpctl show output:
# bgpctl sh nex
Flags: * = nexthop valid
Nexthop Route Prio Gateway Iface
* 10.200.18.209 0.0.0.0/0 8 10.194.126.254 vlan3080 (UP, active)
# bgpctl sh rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete
flags destination gateway lpref med aspath origin
*> 10.199.12.112/28 10.200.18.209 100 0 65041 i
*> 10.199.13.112/28 10.200.18.209 100 0 65041 i
# route -T 200 show
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 10.200.18.209 UGS 0 0 - 8 carp450
10/8 sw-t-wan-adh200 UGS 0 0 - 8 carp2200
10.200.6.56/29 link#10 UC 1 0 - 4 carp2200
10.200.6.56/29 link#10 UC 1 0 - 4 carp2200
sw-t-wan-adh200 00:08:e3:ff:fc:08 UHLc 3 38 - 4 carp2200
10.200.6.62 00:00:5e:00:01:01 UHLc 0 1 - 4 lo0
10.200.14.56/29 link#11 UC 0 0 - 4 carp2450
10.200.14.56/29 link#11 UC 0 0 - 4 carp2450
10.200.18.208/29 link#12 UC 0 0 - 4 carp450
10.200.18.208/29 link#12 UC 0 0 - 4 carp450
10.200.18.208/29 link#12 UC 0 0 - 4 carp450
10.200.18.208/29 link#12 UC 1 0 - 4 carp450
10.200.18.209 00:1e:c9:49:17:d8 UHLc 2 234 - 4 carp450
172.16/12 sw-t-wan-adh200 UGS 0 0 - 8 carp2200
192.168/16 sw-t-wan-adh200 UGS 0 0 - 8 carp2200
Any idea why those routes are not injected?
Thanks
--
Regards,
Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84
MiPih
12, rue Michel Labrousse - BP93668
31036 TOULOUSE Cedex 1
www.mipih.fr
Before printing this e-mail, think of the environment
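Editor's added example, not part of Pierre's post and not an OpenBSD tool: a small POSIX shell check that compares the prefixes bgpd has selected in its RIB ("*>" lines of "bgpctl show rib") with the destinations present in the kernel routing table of one rdomain ("route -T <n> show"), and lists the prefixes that exist in the first but not the second. The sample inputs are constructed from the outputs quoted above; on a live box the two files would be replaced by the real command output. A non-empty result is exactly the symptom described in the post: routes learned and selected, "send_rtmsg ... Network is unreachable" in the log, and nothing installed in the rtable. It does not explain the cause, it only makes the RIB/FIB gap visible so it can be monitored or compared across rdomains.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): report prefixes that bgpd
# has selected in its RIB but that are absent from the kernel routing table
# of a given rdomain. Sample inputs below are constructed from the outputs
# quoted in the post; feed real `bgpctl show rib` / `route -T <n> show`
# output instead on a live system.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# constructed sample: the two selected prefixes from `bgpctl show rib`
cat >"$WORK/rib.txt" <<'EOF'
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete
flags destination gateway lpref med aspath origin
*> 10.199.12.112/28 10.200.18.209 100 0 65041 i
*> 10.199.13.112/28 10.200.18.209 100 0 65041 i
EOF

# constructed sample: an abridged `route -T 200 show` with no 10.199.x routes
cat >"$WORK/fib.txt" <<'EOF'
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 10.200.18.209 UGS 0 0 - 8 carp450
10/8 sw-t-wan-adh200 UGS 0 0 - 8 carp2200
10.200.18.208/29 link#12 UC 0 0 - 4 carp450
10.200.18.209 00:1e:c9:49:17:d8 UHLc 2 234 - 4 carp450
EOF

# Prefixes flagged "*>" (valid and selected) in `bgpctl show rib` output.
rib_selected() {
  awk '$1 == "*>" { print $2 }' "$1"
}

# Destination column of `route show` output; the title lines have fewer
# than 8 fields and the column header starts with "Destination".
kernel_destinations() {
  awk 'NF >= 8 && $1 != "Destination" { print $1 }' "$1"
}

# Selected RIB prefixes with no matching kernel destination.
# Usage: missing_routes <rib-output-file> <route-show-output-file>
missing_routes() {
  rib_selected "$1" | sort -u >"$WORK/rib.sorted"
  kernel_destinations "$2" | sort -u >"$WORK/fib.sorted"
  comm -23 "$WORK/rib.sorted" "$WORK/fib.sorted"
}

# Number of missing prefixes; 0 means every selected route is installed.
missing_count() {
  missing_routes "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed samples: prints the two 10.199.x
# prefixes that bgpd selected but that never reached rtable 200.
missing_routes "$WORK/rib.txt" "$WORK/fib.txt"
```

One caveat: route(8) abbreviates classful destinations (the "10/8" line above stands for 10.0.0.0/8), so a prefix written that way in the kernel table will not match its full form in the RIB and would be reported as missing; the comparison is literal on the destination string. For the /28 prefixes in question both tools print the same form, so the check is reliable for them.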