Configure routing and AC policies for VTI

After you configure VTI interfaces and the VTI tunnel on both the devices, you must configure these parameters:

  • A routing policy to route VTI traffic between the devices over the VTI tunnel.

  • An access control rule to allow encrypted traffic.

Procedure

Step 1

Configure routing for VTI interfaces.

For the VTI interfaces, you can configure static route or routing protocols such AS BGP, EIGRP, OSPF/OSPFv3.

  1. Choose Devices > Device Management, and edit the Firewall Threat Defense device.

  2. Click Routing.

  3. Configure static route, or BGP, EIGRP, OSPF/OSPFv3.

Routing

Parameters

More Information

Static Route

  • Interface—Select the VTI interface. For a backup tunnel, select the backup VTI interface.

  • Selected Network—Remote peer's protected network.

  • Gateway—Remote peer's tunnel interface IP address. For a backup tunnel, select the remote peer's backup tunnel interface IP address.

  • Metric—For a backup tunnel, configure a different metric to handle the failover of the traffic flow over the backup tunnel.

Note

DVTI does not support static routes.

Add a Static Route

BGP

  • Under General Settings > BGP, enable BGP, provide the AS number of the local device, and add Router ID (if you choose Manual).

  • Under BGP, enable IPv4/IPv6 and click the Neighbor tab to configure the neighbors.

    • IP Address—Remote peer's VTI interface IP address. For a backup tunnel, add a neighbor with the remote peer's backup VTI interface IP address.

    • Remote AS—Remote peer's AS number.

  • Click the Redistribution tab, select the Source Protocol AS Connected to enable connected route redistribution.

 Configure BGP

EIGRP

  • Enable EIGRP, provide the AS number of the local device, and select the networks or hosts that participate in the EIGRP routing process.

  • Click the Neighbors tab and define the static neighbors for the EIGRP process.

  • To advertise summary addresses from a VTI interface, click the Summary Address tab, choose the VTI interface from the Interface drop-down. From the Network drop-down, choose the network to be summarized.

  • Click the Interfaces tab to configure the interface-specific EIGRP routing properties for the VTI interface.

    To enable EIGRP split-horizon on the interface, check the Split Horizon check box. You can also configure the Hold Time that is advertised by the device in the EIGRP hello packets.

OSPF

  • Check the Process 1 check box, and choose the OSPF role.

  • Click the Interface tab and choose a VTI interface.

 OSPFv2 configuration

OSPFv3

  • Check the Process 1 and Enable Process 1 check boxes, and choose the OSPFv3 role.

  • Click the Interface tab and choose a VTI interface.

 OSPFv3 configuration

Step 2

Add an access control rule to the access control policy on the device to allow encrypted traffic between the VTI tunnels with these settings:

  1. Create the rule with the Allow action.

  2. Select the VTI security zone of the local device AS the source zone and the VTI security zone of the remote peer AS the destination zone.

  3. Select the VTI security zone of the remote peer AS the source zone and the VTI security zone of the local device AS the destination zone.

For more information about configuring an access control rule, see Create and edit access control rules.