MS Azure - IPSec Tunnel (S2S) with BGP Routing

Is there any documentation on getting BGP working through an Azure IPSEC VPN tunnel to an onprem Sophos XG 230?

I have an IPSEC tunnel established between onprem and Azure and would like to be able to route traffic from vnet peers and the Azure Point to site VPN back to onpremise resources.

Any guidance is helpful.

Thank you!



[edited by: emmosophos at 11:47 PM (GMT -7) on 29 Apr 2021]
  • I do not know what config you are using, but I was struggling with this for a long time.

    To get BGP to work with Azure there is an extra step you need to do from the CLI.

    Console – Option 3 – Option 1 – Option 3

    bgp> enable
    bgp# configure terminal
    bgp(config)# router bgp <local AS>
    bgp(config-router)# neighbor <Neighbors IP> remote-as <AS>
    bgp(config-router)# neighbor <Neighbors IP> ebgp-multihop <hops>
    bgp(config-router)# end
    bgp# copy running-config startup-config

    Restart BGP:

    bgp# clear ip bgp *

    ebgp-multihop is a requirement for Azure, but not AWS.

    When it comes to the "hops" part I used 5 and it worked for me, but it depends on your configuration in Azure.

    //Rickard

  • Thanks, I tried this but it's not working. Do you need two IPSEC tunnels in order for BGP to work with a BGP-enabled Azure VPN Gateway?

  • Hi, no, you do not need two tunnels, but the BGP IP in Azure needs to match the IP on the VTI interface on the XG.

    And you also need to enable dynamic routing under device access for the VPN zone.

    //Rickard

  • OK, yeah, I realized that the two tunnel interfaces apply to AWS only, so I was confused by the instructions posted.

    I have the IP address of the tunnel (169.254.0.1) on the VTI interface.

    I have also enabled dynamic routing under Device Access.

    I have the remote ASN set to 65010 (the self-assigned Azure ASN I created) and the local ASN as 65050, which I assigned.

    Did you use an Azure APIPA private address on the Azure VPN Gateway?

    When I look at the BGP table in Azure, it is stuck on "Connecting".

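Pulling Rickard's two replies together, here is an added example (mine, not from the thread or from Sophos) that encodes the points raised as a pre-flight check and emits the XG BGP console commands from the first reply; the PeeringPlan fields, the check wording and the Azure peer IP 169.254.0.2 are my assumptions, while the ASNs and VTI address come from the thread.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class PeeringPlan:
    """Inputs for one XG <-> Azure eBGP session over the S2S tunnel (fields are assumed)."""
    local_asn: int                  # ASN configured on the XG (router bgp <local AS>)
    remote_asn: int                 # ASN configured on the Azure VPN gateway
    vti_ip: str                     # IP assigned to the XG's VTI (tunnel) interface
    azure_bgp_peer_ip: str          # Azure gateway BGP peer IP (neighbor address on the XG)
    onprem_bgp_ip_in_azure: str     # BGP IP Azure's local network gateway holds for the XG
    ebgp_multihop: int              # 0 means the ebgp-multihop command was not entered
    vpn_zone_dynamic_routing: bool  # Device Access -> Dynamic Routing ticked for zone VPN

def check_plan(p: PeeringPlan) -> List[str]:
    """Return the misconfigurations named in the thread; an empty list means all pass."""
    problems = []
    if p.local_asn == p.remote_asn:
        problems.append("local and remote ASN are identical; eBGP requires different ASNs")
    if p.onprem_bgp_ip_in_azure != p.vti_ip:
        problems.append(
            f"Azure expects the on-prem BGP IP {p.onprem_bgp_ip_in_azure} "
            f"but the XG VTI interface has {p.vti_ip}")
    if p.ebgp_multihop == 0:
        problems.append("ebgp-multihop missing; Azure peers across the tunnel and needs it")
    if not p.vpn_zone_dynamic_routing:
        problems.append("dynamic routing is not enabled under Device Access for the VPN zone")
    return problems

def render_cli(p: PeeringPlan) -> List[str]:
    """The XG console commands from the first reply, filled in from the plan."""
    return [
        "enable",
        "configure terminal",
        f"router bgp {p.local_asn}",
        f"neighbor {p.azure_bgp_peer_ip} remote-as {p.remote_asn}",
        f"neighbor {p.azure_bgp_peer_ip} ebgp-multihop {p.ebgp_multihop}",
        "end",
        "copy running-config startup-config",
        "clear ip bgp *",
    ]

# Constructed sample: ASNs and VTI IP as quoted in the thread, Azure peer IP is a placeholder.
SAMPLE = PeeringPlan(65050, 65010, "169.254.0.1", "169.254.0.2", "169.254.0.1", 5, True)

if __name__ == "__main__":
    for issue in check_plan(SAMPLE) or ["no problems found"]:
        print("-", issue)
    print("\n".join(render_cli(SAMPLE)))
```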