Route-Based BGP VPN Connection
Pureport recommends using Route-Based VPN with BGP for your site connection, when supported by your device. This makes future network growth and changes easier, as Pureport manages the BGP peering.
Before establishing a VPN connection to Pureport, you must first ensure your gateway device support IPSEC VPN connectivity, and then you must gather the following information:
- Speed of your Internet connection
- Primary public IP of your VPN gateway
- Secondary public IP of your VPN gateway (only applicable if you have two Internet connections and wish to support fail-over and load sharing between them)
- Private or public Autonomous System Number (ASN) of your site network
- IP Networks of your customer site (only required if using Cloud Grade NAT)
- Supported IPSEC settings of your VPN gateway (IKE version, encryption, integrity, and Diffe Hellman Group for Phase 1 and Phase 2 VPN negotiation)
- The knowledge base contains recommended configuration settings for many common platforms
- Finally, your firewall must support 4-byte (32-bit) Autonomous System Numbers to be able to establish BGP peering with Pureport. While 4-byte ASNs have been in widespread use on the public Internet for many years, and most modern BGP implementations natively support them, there are some older systems which do not, such as the Juniper Netscreen platform. For these platforms Pureport recommends using Route-Based VPNs with Static Routing.
Building the VPN Connection
Use this procedure to create a Route Based VPN site Connection (with BGP) with Pureport.
- Log into the Pureport Console.
- In the left navigation bar, select the Networks tab.
- The Networks page list the existing networks. Select your network
- On your network page, select Add Connection.
- In the New Connection window, for Type, select Site IPSec VPN from the drop-down menu.
- Select the Pureport Location you would like this connection to be created from the drop-down. You should select the site geographically closest to your physical location.
Select the Speed of the connection from the drop-down, then click Next. Do not exceed the maximum speed of your Internet connection.
- Enter the Primary IP Address and Secondary IP Address of your site routers. You will only need different customer router IP addresses if your site has multiple Internet connections with separate IP addresses. If your site has a single address, enter it in both the Primary and Secondary fields.
In the Routing Type field, select Route-Based BGP and click Next.
- On the BGP Settings page, enter either a registered public ASN or a private ASN, (64512 - 65534) or (4200000000 - 4294967294) in the Customer ASN field. Select Enable BGP Password to automatically generate BGP password.
Optionally, on the Customer Networks page, enter the network IP address and name for each network behind your firewall to have access to this connection, then click Next. You are only required to enter this information if you are planning to use Cloud Grade NAT on this connection (see the next step), or in order to facilitate building the Traffic Selectors related to your policy-based VPN, If you choose not to enter this information here you will need to enter the networks manually in the Traffic Selectors section of the VPN configuration.
- Use the Add Customer Networks button to add additional networks.
- Use the Delete button to remove a customer network
- On the NAT Configuration page, you may also enable and configure Cloud Grade NAT if desired, as detailed in the Cloud Grade NAT knowledge-base article. Then click Next.
- On the IKE Configuration page, select the IKE/ESP Encryption settings that meet your security requirements and are supported by your site's physical device. Then click Next.
- Enter a meaningful Name and Description, then click Add Connection.
The Console generates a default name, but you can enter a name that conforms to your organization's naming standards.
Review your selections and choose Add Connection to create your Policy Based Site VPN Connection.
- After saving the Connection, the system displays the following information:
- Site IPsec VPN settings
- Traffic Selectors
- Primary Gateway
- Secondary Gateway
Be sure to record this information, you will need this information later.
The Pureport Support Knowledge Base has guidance on configuring the most common VPN appliances to connect to your Site VPN Connection.