10
High Availability
The following figure depicts a simple dynamic VPN implementation.
To detect an IPSec VPN connection failure, the Nokia IP40 Security Platform monitors the
reachability of the remote BGP peers associated with the VPN tunnel. On failure, the passive link
is activated to establish an alternative IPSec VPN connection to reach the associated BGP
remote peer.
Nokia IP40 continues to monitor the remote BGP peer reachability on the preferred (primary)
connection to the headquarters. Nokia IP40 falls back to the preferred VPN connection as soon as
the associated BGP remote peer becomes accessible.
A pair of loopback addresses (active and passive) is defined on the Nokia IP40 Security Platform
with restricted BGP route advertisement of LAN and static NAT addresses. This scenario is
supported with Check Point SmartLSM. The VPN policy installed on the Nokia IP40 includes only the
topology of the immediate protected network behind the central office gateway. This allows
the traffic between these two networks to be tunneled, including the communication between BGP
peers. The central office BGP peer advertises the CO networks to the IP40 and BGP. The traffic
originating from the IP40 LAN destined to the central office network is tunneled and sent.
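
The failover and fallback rule described above can be modeled as a two-state selector; the following is an added example, not code from Nokia or from the guide. The names `TunnelSelector`, `replay` and `backup_share`, the one-probe-per-tick timing, and both probe sequences are assumptions constructed for illustration, and the model applies the rule exactly as worded, with no hold-down interval (the guide does not say whether the device uses one).

```python
from dataclasses import dataclass, field

PRIMARY, BACKUP = "primary", "backup"


@dataclass
class TunnelSelector:
    """Hypothetical model of the rule in the text, not device code."""
    active: str = PRIMARY
    events: list = field(default_factory=list)

    def observe(self, tick: int, primary_peer_reachable: bool) -> str:
        # Failover: the BGP peer behind the preferred tunnel stopped answering,
        # so the passive link is activated.
        if self.active == PRIMARY and not primary_peer_reachable:
            self.active = BACKUP
            self.events.append((tick, "failover"))
        # Fallback: the peer is reachable on the preferred connection again,
        # so return to it immediately ("as soon as" in the text).
        elif self.active == BACKUP and primary_peer_reachable:
            self.active = PRIMARY
            self.events.append((tick, "fallback"))
        return self.active


def replay(samples):
    """Feed one reachability probe per tick; return (path per tick, events)."""
    selector = TunnelSelector()
    path = [selector.observe(tick, ok) for tick, ok in enumerate(samples)]
    return path, selector.events


def backup_share(samples):
    """Fraction of ticks spent on the passive (backup) tunnel."""
    path, _ = replay(samples)
    return path.count(BACKUP) / len(path)


# Constructed probe results for the primary BGP peer (True = reachable).
CLEAN_OUTAGE = [True, True, False, False, False, True, True]
FLAPPING = [True, False, True, False, True, False, True]

if __name__ == "__main__":
    for name, samples in (("clean outage", CLEAN_OUTAGE), ("flapping", FLAPPING)):
        path, events = replay(samples)
        print(f"{name}: {len(events)} tunnel switches, "
              f"{backup_share(samples):.0%} of ticks on backup, events={events}")
```

In the flapping sample the selector changes tunnels on every probe, which is the pattern to look for in tunnel-establishment logs when the preferred path is unstable.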

Border Gateway Protocol

Nokia IP40 Security Platform participates in an Autonomous System (AS) and can establish a
neighbor relationship and exchange routes with other non-adjacent routers.
An AS is a network or group of networks under common administration and with common
routing policies.
Nokia IP40 supports a limited set of BGP-4 features for route-based VPN and failover.
Nokia IP40 Security Platform User's Guide v1.1
