Is there any documentation on getting BGP working through an Azure IPSEC VPN tunnel to an onprem Sophos XG 230?
I have an IPSEC tunnel established between onprem and Azure and would like to be able to route traffic from vnet peers and the Azure Point-to-Site VPN back to on-premises resources.
Any guidance is helpful.
You should do this with a Route based VPN Tunnel.
For the VPN Part, see: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/126356/sophos-xg-firewall-v18-to-azure-vpn-gateway-ipsec-connection
For the BGP Part, see the AWS: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125806/sophos-xg-firewall-set-up-ipsec-tunnel-between-aws-vpn-gateway-and-xg-v18-with-bgp
Thanks, this looks like a new (finally!) updated documentation connecting Azure to an onprem XG. I don't have a complex environment that changes or needs to be updated automatically, so if static routing works then great. I'll try this out.
I had the same trouble to get this working...
In the end we implemented an XG in Azure and configured two S2S VPN tunnels with BGP.
So my understanding is that in order to get BGP to work, you need to create two tunnels? If that is correct, where did you get the information on how to create the second tunnel? The BGP instructions linked above are for AWS, and that has an option to create a 2nd tunnel, but Azure VPN Gateways do not have that option.
So I was able to create the IPSEC VPN using a tunnel interface instead of the site-to-site method by following the instructions you posted.
For the AWS portion, the instructions refer to creating two tunnels. I am confused about how to do this with Azure as I can only create one connection per Local gateway.
Do you have any other instructions or can tell me how to create two IPSEC tunnels within Azure so I can test out BGP?
I do not know what config you are using. But I was struggling with this for a long time.
To get BGP to work with Azure there is an extra step you need to do from the CLI.
Console – Option 3 – Option 1 – Option 3
bgp# configure terminal
bgp(config)# router bgp <local AS>
bgp(config-router)# neighbor <Neighbors IP> remote-as <AS>
bgp(config-router)# neighbor <Neighbors IP> ebgp-multihop <hops>
bgp(config-router)# end
bgp# copy running-config startup-config
bgp# clear ip bgp *
ebgp-multihop is a requirement for Azure, but not AWS.
When it comes to the "hops" part I used 5 and it worked for me, but it depends on your configuration in Azure.
Thanks, I tried this but it's not working. Do you need two IPSEC tunnels in order for BGP to work with a BGP enabled Azure VPN Gateway?
Hi, no you do not need two tunnels, but the BGP IP in Azure needs to match the IP on the VTI interface on the XG.
And you also need to enable dynamic routing under device access for the VPN zone.
Ok, yeah I realized that the two tunnel interfaces apply to AWS only so I was confused by the instructions posted.
I have the IP address of the tunnel (169.254.0.1) on the VTI Interface.
I have also enabled dynamic routing under the device access.
I have the remote ASN set to 65010 (the self assigned Azure ASN I created) and the local ASN as 65050 which I assigned.
Did you use an Azure APIPA private address on the Azure VPN Gateway?
When I look at the BGP table in Azure, it is stuck on "Connecting".
Hi, we use a "real" RFC 1918 address in Azure and on the xfrm interface.
You can read more about it here, since you need to use an additional APIPA address if you use APIPA for your on-prem environment:
About BGP with VPN Gateway - Azure VPN Gateway | Microsoft Docs
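As an added example, not from this thread and not Sophos or Microsoft code, here is a small offline Python check that ties together the points the replies raise: the XG `neighbor` address must be the Azure gateway's BGP peering address, `ebgp-multihop` is needed because the Azure peer is not on the VTI link, the ASNs must not be ones Azure reserves, and any APIPA peering address (on either side) must fall in the 169.254.21.0/24 or 169.254.22.0/24 blocks Azure accepts (the reserved-ASN list and APIPA blocks are taken from the Microsoft docs page linked above). The sample parameters are constructed; the ones labelled "thread-like" mirror the 169.254.0.1 VTI address and the 65010/65050 ASNs mentioned in the thread. The helper also renders the XG CLI session from the earlier reply from the same parameters.

```python
"""Consistency check for a Sophos XG <-> Azure VPN Gateway BGP peering (added example)."""
import ipaddress

# ASNs the Azure VPN Gateway BGP documentation lists as reserved on either side.
AZURE_RESERVED_ASNS = (
    {8074, 8075, 12076, 23456, 65515, 65517, 65518, 65519, 65520}
    | set(range(64496, 64512))
    | set(range(65535, 65552))
)

# The only APIPA blocks Azure accepts as BGP peering addresses (gateway or on-prem side).
AZURE_APIPA_BLOCKS = (
    ipaddress.ip_network("169.254.21.0/24"),
    ipaddress.ip_network("169.254.22.0/24"),
)


def _asn_problems(label, asn):
    if not 1 <= asn <= 4294967295:
        return [f"{label} ASN {asn} is outside the valid range 1-4294967295"]
    if asn in AZURE_RESERVED_ASNS:
        return [f"{label} ASN {asn} is reserved by Azure and cannot be used"]
    return []


def _address_problems(label, ip):
    if ip.is_link_local:
        if not any(ip in block for block in AZURE_APIPA_BLOCKS):
            return [f"{label} address {ip} is APIPA but outside 169.254.21.0/24 "
                    f"and 169.254.22.0/24, which Azure rejects"]
        return []
    if not ip.is_private:
        return [f"{label} address {ip} is neither RFC 1918 nor Azure-accepted APIPA"]
    return []


def check_peering(azure_bgp_ip, azure_asn, xg_vti_ip, xg_asn, xg_neighbor_ip, ebgp_multihop):
    """Return a list of problems; an empty list means the parameters are consistent."""
    azure_ip = ipaddress.ip_address(azure_bgp_ip)
    vti_ip = ipaddress.ip_address(xg_vti_ip)
    neighbor_ip = ipaddress.ip_address(xg_neighbor_ip)
    problems = []
    problems += _asn_problems("Azure", azure_asn)
    problems += _asn_problems("XG", xg_asn)
    if azure_asn == xg_asn:
        problems.append("Azure and XG ASNs are equal; the session would be iBGP, not eBGP")
    problems += _address_problems("Azure BGP peering", azure_ip)
    problems += _address_problems("XG VTI", vti_ip)
    if neighbor_ip != azure_ip:
        problems.append(f"XG neighbor {neighbor_ip} is not the Azure BGP peering address {azure_ip}")
    if azure_ip == vti_ip:
        problems.append("Azure BGP peering address and XG VTI address must differ")
    # The Azure peer is never on the VTI link itself, so the session needs ebgp-multihop >= 2.
    if ebgp_multihop < 2:
        problems.append("Azure peer is not directly connected; ebgp-multihop must be at least 2")
    return problems


def xg_bgp_commands(xg_asn, azure_bgp_ip, azure_asn, ebgp_multihop):
    """Render the XG BGP CLI session from the thread, returning to exec mode before saving."""
    return [
        "configure terminal",
        f"router bgp {xg_asn}",
        f"neighbor {azure_bgp_ip} remote-as {azure_asn}",
        f"neighbor {azure_bgp_ip} ebgp-multihop {ebgp_multihop}",
        "end",
        "copy running-config startup-config",
        "clear ip bgp *",
    ]


# Constructed, thread-like parameters: VTI at 169.254.0.1 and an Azure APIPA peer outside the allowed blocks.
THREAD_LIKE = dict(azure_bgp_ip="169.254.0.2", azure_asn=65010,
                   xg_vti_ip="169.254.0.1", xg_asn=65050,
                   xg_neighbor_ip="169.254.0.2", ebgp_multihop=5)

# Constructed corrected parameters using the APIPA block Azure accepts.
CORRECTED = dict(azure_bgp_ip="169.254.21.1", azure_asn=65010,
                 xg_vti_ip="169.254.21.2", xg_asn=65050,
                 xg_neighbor_ip="169.254.21.1", ebgp_multihop=5)

if __name__ == "__main__":
    for name, params in (("thread-like", THREAD_LIKE), ("corrected", CORRECTED)):
        print(f"{name}: {check_peering(**params) or 'OK'}")
    print("\n".join(xg_bgp_commands(65050, "169.254.21.1", 65010, 5)))
```

Run with the thread-like values, the check flags both link-local addresses as outside the Azure APIPA blocks, which is a state the gateway reports as a peer stuck in "Connecting"; the corrected set passes and the rendered CLI lines match the earlier reply with `end` inserted before the save.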