MS Azure - IPSec Tunnel (S2S) with BGP Routing

Is there any documentation on getting BGP working through an Azure IPSEC VPN tunnel to an onprem Sophos XG 230?

I have an IPSEC tunnel established between on-prem and Azure and would like to be able to route traffic from vnet peers and the Azure Point-to-Site VPN back to on-premises resources.

Any guidance is helpful.

Thank you!

  • I do not know what config you are using, but I was struggling with this for a long time.

    To get BGP to work with Azure there is an extra step you need to do from the CLI.

    Console – Option 3 – Option 1 – Option 3

    bgp> enable
    bgp# configure terminal
    bgp(config)# router bgp <local AS>
    bgp(config-router)# neighbor <Neighbors IP> remote-as <AS>
    bgp(config-router)# neighbor <Neighbors IP> ebgp-multihop <hops>
    bgp(config-router)# end
    bgp# copy running-config startup-config

    Restart BGP:

    bgp# clear ip bgp *

    ebgp-multihop is a requirement for Azure, but not AWS.

    When it comes to the "hops" part I used 5 and it worked for me, but it depends on your configuration in Azure.

    //Rickard

  • Thanks, I tried this but it's not working. Do you need two IPSEC tunnels in order for BGP to work with a BGP-enabled Azure VPN Gateway?

  • Hi, no, you do not need two tunnels, but the BGP IP in Azure needs to match the IP on the VTI interface on the XG.

    And you also need to enable dynamic routing under device access for the VPN zone.

    //Rickard

  • Ok, yeah, I realized that the two-tunnel interface applies to AWS only, so I was confused by the instructions posted.

    I have the IP address of the tunnel (169.254.0.1) on the VTI interface.

    I have also enabled dynamic routing under the device access.

    I have the remote ASN set to 65010 (the self assigned Azure ASN I created) and the local ASN as 65050 which I assigned.

    Did you use an Azure APIPA private address on the Azure VPN Gateway?

    When I look at the BGP table in Azure, it is stuck on "Connecting".

  • Hi, we use a "real" RFC 1918 address in Azure and on the xfrm interface.

    You can read more about it here, since you need to use an additional APIPA address if you use APIPA for your on-prem environment:

    About BGP with VPN Gateway - Azure VPN Gateway | Microsoft Docs
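The replies above boil down to a short list of things that have to line up before the Azure side leaves "Connecting": an eBGP neighbor statement with remote-as and ebgp-multihop on the XG, the Azure BGP peer IP matching what the XG peers with and the XG's VTI address matching what Azure expects as the on-prem peer, dynamic routing allowed under Device Access for the VPN zone, and care when APIPA (169.254.0.0/16) addresses are used instead of RFC 1918 ones. The following is an added example, not code from this thread, Sophos or Microsoft: it parses an XG-style BGP running-config (in the `router bgp` / `neighbor` syntax Rickard posted) and checks it against a description of the Azure side. The Azure gateway values, the parameter names (`bgp_peer_ip`, `onprem_peer_ip`) and the sample configs are all constructed; the "broken" sample mirrors the symptoms described in this thread.

```python
"""Lint an XG-style BGP running-config against the Azure side of an S2S tunnel.

Added example (not code from the thread, Sophos or Microsoft). The checks are
the ones the replies in this thread describe; all sample values are constructed.
"""
import ipaddress
import re

# Automatic Private IP Addressing range; Azure calls these APIPA BGP addresses.
APIPA = ipaddress.ip_network("169.254.0.0/16")


def parse_xg_bgp(running_config: str) -> dict:
    """Extract the local AS and per-neighbor settings from running-config text."""
    cfg = {"local_as": None, "neighbors": {}}
    for raw in running_config.splitlines():
        line = raw.strip()
        m = re.match(r"router bgp (\d+)$", line)
        if m:
            cfg["local_as"] = int(m.group(1))
            continue
        m = re.match(r"neighbor (\S+) remote-as (\d+)$", line)
        if m:
            cfg["neighbors"].setdefault(m.group(1), {})["remote_as"] = int(m.group(2))
            continue
        m = re.match(r"neighbor (\S+) ebgp-multihop (\d+)$", line)
        if m:
            cfg["neighbors"].setdefault(m.group(1), {})["multihop"] = int(m.group(2))
    return cfg


def lint(xg_cfg: dict, xg_vti_ip: str, azure: dict, dynamic_routing_enabled: bool) -> list:
    """Return findings that explain why the Azure BGP peer may sit in 'Connecting'.

    azure = {"asn": int, "bgp_peer_ip": Azure gateway's BGP address,
             "onprem_peer_ip": the on-prem BGP address Azure is configured with}
    (constructed field names, not Azure's own API).
    """
    findings = []
    peer = azure["bgp_peer_ip"]
    nb = xg_cfg["neighbors"].get(peer)
    if nb is None:
        findings.append(f"XG has no neighbor statement for Azure BGP peer {peer}")
    else:
        if nb.get("remote_as") != azure["asn"]:
            findings.append(f"remote-as {nb.get('remote_as')} does not match Azure ASN {azure['asn']}")
        if "multihop" not in nb:
            findings.append("ebgp-multihop not set for the Azure peer (required for Azure per the thread)")
    if xg_cfg["local_as"] == azure["asn"]:
        findings.append("local and remote AS are equal: an eBGP session needs distinct ASNs")
    if azure["onprem_peer_ip"] != xg_vti_ip:
        findings.append(f"Azure expects on-prem peer {azure['onprem_peer_ip']} but the XG VTI address is {xg_vti_ip}")
    if not dynamic_routing_enabled:
        findings.append("dynamic routing is not enabled under Device Access for the VPN zone")
    if ipaddress.ip_address(xg_vti_ip) in APIPA or ipaddress.ip_address(peer) in APIPA:
        findings.append("APIPA peering address in use: follow Azure's APIPA BGP guidance rather than RFC 1918 assumptions")
    return findings


# Constructed sample mirroring the asker's situation: APIPA on the VTI, no multihop,
# Azure configured with a different on-prem peer address, dynamic routing off.
SAMPLE_BROKEN_CFG = """
router bgp 65050
 neighbor 10.1.0.254 remote-as 65010
"""

# Constructed sample after applying the fixes from the replies.
SAMPLE_FIXED_CFG = """
router bgp 65050
 neighbor 10.1.0.254 remote-as 65010
 neighbor 10.1.0.254 ebgp-multihop 5
"""

AZURE_SIDE = {"asn": 65010, "bgp_peer_ip": "10.1.0.254", "onprem_peer_ip": "172.16.255.1"}


def demo():
    """Lint both constructed samples; returns (broken_findings, fixed_findings)."""
    broken = lint(parse_xg_bgp(SAMPLE_BROKEN_CFG), "169.254.0.1", AZURE_SIDE, False)
    fixed = lint(parse_xg_bgp(SAMPLE_FIXED_CFG), "172.16.255.1", AZURE_SIDE, True)
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = demo()
    print("broken config findings:")
    for f in broken:
        print("  -", f)
    print("fixed config findings:", fixed or "none")
```

Run it as-is to see the four findings for the broken sample and none for the fixed one; to use it on a real unit, paste the `router bgp` section of the XG's running-config into `parse_xg_bgp` and fill `AZURE_SIDE` from the gateway's BGP settings in the portal.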
