Is there any documentation on getting BGP working through an Azure IPSEC VPN tunnel to an onprem Sophos XG 230?
I have an IPSEC tunnel established between onprem and Azure and would like to be able to route traffic from vnet peers and the Azure Point to site VPN back to onpremise resources.
Any guidance is helpful.
You should do this with a Route based VPN Tunnel.
For the VPN Part, see: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/126356/sophos-xg-firewall-v18-to-azure-vpn-gateway-ipsec-con…
I do not know what config you are using. But I was struggling with this for a long time.
To get BGP to work with Azure there is an extra step you need to do from the CLI.
Console – Option 3 – Option 1 – Option 3
bgp# configure terminal
bgp(config)# router bgp <local AS>
bgp(config-router)# neighbor <Neighbors IP> remote-as <AS>
bgp(config-router)# neighbor <Neighbors IP> ebgp-multihop <hops>
bgp# copy running-config startup-config
bgp# clear ip bgp *
ebgp-multihop is a requirement for Azure, but not AWS.
When it comes to the "hops" part I used 5 and it worked for me, but it depends on your configuration in Azure.
Thanks, I tried this but it's not working. Do you need two IPSEC tunnels in order for BGP to work with a BGP enabled Azure VPN Gateway?
Hi, no, you do not need two tunnels, but the BGP IP in Azure needs to match the IP on the VTI interface on the XG.
And you also need to enable dynamic routing under device access for the VPN zone.
Ok, yeah, I realized that the two tunnel interfaces apply to AWS only, so I was confused by the instructions posted.
I have the IP address of the tunnel (169.254.0.1) on the VTI interface.
I have also enabled dynamic routing under the device access.
I have the remote ASN set to 65010 (the self assigned Azure ASN I created) and the local ASN as 65050 which I assigned.
Did you use an Azure APIPA private address on the Azure VPN Gateway?
When I look at the BGP table in Azure, it is stuck on "Connecting".
Hi, we use a "real" RFC 1918 address in Azure and on the xfrm interface.
You can read more about it here, since you need to use an additional APIPA if you use APIPA for your on-prem environment:
About BGP with VPN Gateway - Azure VPN Gateway | Microsoft Docs
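As an added illustration (not code from the thread or from Sophos), here is a small checker that parses the Quagga-style output of `show ip bgp summary` as printed by the XG's bgp shell and reports which expected neighbors are not Established. It assumes the column layout shown in the constructed sample below and the expected peer table `EXPECTED_PEERS`; both are made-up values for this example, not taken from the poster's setup. A neighbor stuck in Connect or Active (the "Connecting" the poster saw in Azure) means the TCP session never comes up, so the checker points back at the three things the thread names: peer IP matching the VTI/xfrm address, ebgp-multihop, and dynamic routing allowed in device access for the VPN zone.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of Quagga-style "show ip bgp summary" output
# (assumed column layout; values are made up for this example).
SAMPLE_SUMMARY = """\
BGP router identifier 10.0.0.1, local AS number 65050
RIB entries 0, using 0 bytes of memory
Peers 2, using 0 KiB of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.0.1     4 65010       0       0        0    0    0 never    Connect
10.10.10.2      4 65020      42      45        0    0    0 00:12:31        3

Total number of neighbors 2
"""

# Assumed expected peer table: neighbor address -> remote AS.
EXPECTED_PEERS: Dict[str, int] = {"169.254.0.1": 65010}


@dataclass
class Peer:
    address: str
    remote_as: int
    state: str      # "Established" when the summary shows a prefix count
    prefixes: int   # received prefixes, 0 unless Established


# One neighbor row: address, version 4, AS, five counters, Up/Down, State/PfxRcd.
_ROW = re.compile(r"^(\S+)\s+4\s+(\d+)(?:\s+\d+){5}\s+\S+\s+(\S+)$")


def parse_bgp_summary(text: str) -> List[Peer]:
    """Extract one Peer per neighbor row; header and totals lines are skipped."""
    peers: List[Peer] = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        address, remote_as, last = m.groups()
        # Quagga prints a prefix count in the last column only once Established;
        # otherwise it prints the FSM state (Idle, Connect, Active, OpenSent, ...).
        if last.isdigit():
            peers.append(Peer(address, int(remote_as), "Established", int(last)))
        else:
            peers.append(Peer(address, int(remote_as), last, 0))
    return peers


def check_peers(peers: List[Peer], expected: Dict[str, int]) -> List[str]:
    """Return a list of problems; an empty list means every expected peer is up."""
    seen = {p.address: p for p in peers}
    problems: List[str] = []
    for address, remote_as in expected.items():
        peer = seen.get(address)
        if peer is None:
            problems.append(f"{address}: no neighbor configured (check 'neighbor ... remote-as')")
            continue
        if peer.remote_as != remote_as:
            problems.append(f"{address}: remote-as is {peer.remote_as}, expected {remote_as}")
        if peer.state in ("Idle", "Connect", "Active"):
            # TCP session to the peer never comes up: the checks named in the thread.
            problems.append(
                f"{address}: state {peer.state}, TCP session not established; verify the Azure "
                "BGP peer IP equals the VTI/xfrm interface address, ebgp-multihop is set, and "
                "dynamic routing is allowed in device access for the VPN zone"
            )
        elif peer.state != "Established":
            problems.append(f"{address}: state {peer.state}, session still negotiating")
    return problems


if __name__ == "__main__":
    for problem in check_peers(parse_bgp_summary(SAMPLE_SUMMARY), EXPECTED_PEERS):
        print(problem)
```

On a live box you would paste the real `show ip bgp summary` output in place of `SAMPLE_SUMMARY`; the parser only relies on the neighbor rows, so the header lines can differ.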