This use case describes how to enable the HQ and branch devices to dynamically learn each other's intranet routes by using the BGP over VPN technique.
Steps
Step 1. Create a VPN tunnel interface on the HQ device. Specifically, set the tunnel interface name to vpntun1, and specify the IP address of the tunnel interface. Make sure that the IP addresses of the VPN tunnel interfaces for the HQ and branch devices belong to the same network segment.
When OSPF or BGP is used, you need to specify the IP address of the tunnel interface.
Step 2. Create an IPsec VPN tunnel on the HQ device. Specifically, configure the necessary parameters, click the Route Mode tab, and set Local Tunnel Interface to vpntun1, as shown in the following figure.
Step 3. Configure BGP on the HQ device. Specifically, select Enable, set AS Number to the autonomous system (AS) number of the branch device, and add the network segment of vpntun1, as shown in the following figure.
Step 4. Repeat Steps 1 to 3 on the branch device.
Step 5. Add a neighbor on the HQ device. Specifically, set Neighbor IP to the IP address of vpntun1 created on the branch device, and enable Next-Hop-Self. Then, configure the route redistribution settings, and select the route to be redistributed.
When the AS number of the HQ device is associated with multiple BGP branch devices, Next-Hop-Self must be enabled. Otherwise, the next-hop address that the branch devices learn for each other's routes is not the IP address of vpntun1 created on the HQ device, but the tunnel address of the originating branch, to which no tunnel exists. Consequently, the branch devices may fail to communicate with each other.
Step 6. Add a neighbor on the branch device. Specifically, set Neighbor IP to the IP address of vpntun1 created on the HQ device. Then, configure the route redistribution settings, and select the route type.
Step 7. Verify the result. The result shows that the IPsec VPN tunnel is successfully established.
The BGP neighbor adjacency is successfully established, and route learning is correct.
Business access is normal.
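The following Python script is an added example, not part of the original procedure or the vendor's software. It models the hub-and-spoke topology built in Steps 1 to 6 (one HQ with a tunnel to each of two branches, all vpntun1 addresses in one constructed segment) and shows why the Next-Hop-Self setting from Step 5 matters: without it, a branch learns the other branch's intranet prefix with a next hop it has no tunnel to. The addresses, prefixes and device names are constructed for the model.

```python
# Constructed model of next-hop propagation in BGP over VPN (not vendor code).
# Tunnels exist only between the HQ and each branch; all vpntun1 addresses
# share one segment, as the procedure requires.
from dataclasses import dataclass

HQ_TUN = "10.255.0.1"        # constructed vpntun1 address on the HQ
BRANCH_A_TUN = "10.255.0.2"  # constructed vpntun1 address on branch A
BRANCH_B_TUN = "10.255.0.3"  # constructed vpntun1 address on branch B

# Far-end tunnel addresses each device can actually forward to.
TUNNELS = {
    "HQ": {BRANCH_A_TUN, BRANCH_B_TUN},
    "BranchA": {HQ_TUN},
    "BranchB": {HQ_TUN},
}

# Constructed intranet prefixes each branch redistributes into BGP,
# paired with the next hop the HQ sees when it learns them.
BRANCH_PREFIXES = {
    "BranchA": ("192.168.10.0/24", BRANCH_A_TUN),
    "BranchB": ("192.168.20.0/24", BRANCH_B_TUN),
}


@dataclass
class Route:
    prefix: str
    next_hop: str


def hq_rib() -> list[Route]:
    """Routes the HQ learns from its branch neighbors (next hop = branch vpntun1)."""
    return [Route(prefix, nh) for prefix, nh in BRANCH_PREFIXES.values()]


def advertise_to_branch(branch: str, next_hop_self: bool) -> list[Route]:
    """Routes the HQ advertises to one branch, excluding that branch's own prefix.

    With Next-Hop-Self the HQ rewrites the next hop to its own vpntun1 address;
    without it the next hop of the originating branch is passed on unchanged.
    """
    own_prefix = BRANCH_PREFIXES[branch][0]
    advertised = []
    for route in hq_rib():
        if route.prefix == own_prefix:
            continue
        next_hop = HQ_TUN if next_hop_self else route.next_hop
        advertised.append(Route(route.prefix, next_hop))
    return advertised


def next_hop_reachable(branch: str, route: Route) -> bool:
    """A branch can use a route only if the next hop is at the far end of one of its tunnels."""
    return route.next_hop in TUNNELS[branch]


def branch_can_reach(branch: str, other: str, next_hop_self: bool) -> bool:
    """True if `branch` learns a usable route to `other`'s intranet prefix via the HQ."""
    target_prefix = BRANCH_PREFIXES[other][0]
    for route in advertise_to_branch(branch, next_hop_self):
        if route.prefix == target_prefix:
            return next_hop_reachable(branch, route)
    return False


if __name__ == "__main__":
    for flag in (False, True):
        usable = branch_can_reach("BranchB", "BranchA", flag)
        print(f"Next-Hop-Self={flag}: BranchB can use route to BranchA intranet: {usable}")
```

When verifying the result in Step 7, the check this model encodes is the one to make on each branch: the next hop of every route learned from the HQ should be the HQ's vpntun1 address, not another branch's tunnel address.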