Help Center Help Articles Professional Support Community RMA & Warranty Downloads Tech Specs

EdgeRouter - Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)

Overview

Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between a Microsoft Azure VPN gateway and an EdgeRouter using BGP routing. The other VPN options that are available when connecting to Azure are:

Microsoft recommends to use Route-Based IKEv2 VPNs over Policy-Based IKEv1 VPNs as it offers additional rich connectivity features. These features include Point-to-Site VPNs, Active Routing Support (BGP), Support for multiple tunnels as well as ECMP with metric routing, Active-Active Azure Gateway configurations for redundancy, Transit Routing with Point-to-Site, DPD detection and Virtual Network Peering.

NOTES & REQUIREMENTS:
Applicable to EdgeOS firmware v1.10.0 and higher on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and advanced networking knowledge is required. Please see the Related Articles below for more information.
More info about Azure VPN options and their requirements can be found here.
 
Devices used in this article:

Table of Contents

  1. Network Diagram
  2. Configuring a Route-Based VPN
  3. Setting up the Azure Gateway
  4. Related Articles

Network Diagram

Back to Top

The network topology is shown below and the following interfaces are in use on the EdgeRouter and Azure:

ER-4 (AS 65510)

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24
  • vti0 - no address

Azure VGW (AS 65515)

  • Virtual Gateway - 192.0.2.1
  • Virtual Network - 172.16.0.0/22
  • Default Subnet - 172.16.1.0/24

topology.png

The type of VPN that will be created is a Route-Based over IKEv2/IPsec tunnel over which a BGP session is established.

Configuring a Route-Based VPN

Back to Top

Follow the steps below to configure the Route-Based Site-to-Site IPsec VPN on the EdgeRouter:

CLI: Access the Command Line Interface.You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Enable the auto-firewall-nat-exclude feature which automatically creates the IPsec firewall/NAT policies in the iptables firewall.

set vpn ipsec auto-firewall-nat-exclude enable

3. Create the IKE / Phase 1 (P1) Security Associations (SAs) and set the Key Exchange to IKEv2.

set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

4. Create the ESP / Phase 2 (P2) SAs and disable Perfect Forward Secrecy (PFS).

set vpn ipsec esp-group FOO0 lifetime 27000
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
NOTE:Azure also supports other encryption and hashing methods. For the full list of supported SAs please see the Microsoft article here.

5. Define the remote peering address and set the connection-type to respond.

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 connection-type respond
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
ATTENTION: It is of vital importance that theconnection-type is set to respond.

6. Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0).

set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0

7. Configure the virtual tunnel interface (vti0) without an IP address assigned to it.

set interfaces vti vti0

8. Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1350.

set firewall options mss-clamp interface-type vti
set firewall options mss-clamp mss 1350

9. Create a static route for the remote BGP peering address.

set protocols static interface-route 172.16.0.254/32 next-hop-interface vti0
NOTE: You can see the Azure BGP peering address in step 8 in the Azure Gateway configuration below.

10. Create a prefix-list for BGP that will be used to filter advertised and received prefixes.

set policy prefix-list BGP rule 10 action deny
set policy prefix-list BGP rule 10 description deny-localgw
set policy prefix-list BGP rule 10 prefix 203.0.113.1/32

set policy prefix-list BGP rule 20 action deny
set policy prefix-list BGP rule 20 description deny-remotegw
set policy prefix-list BGP rule 20 prefix 192.0.2.1/32

set policy prefix-list BGP rule 30 action deny
set policy prefix-list BGP rule 30 description deny-localpeer
set policy prefix-list BGP rule 30 prefix 192.168.1.1/32

set policy prefix-list BGP rule 40 action deny
set policy prefix-list BGP rule 40 description deny-remotepeer
set policy prefix-list BGP rule 40 prefix 172.16.0.254/32

set policy prefix-list BGP rule 100 action permit
set policy prefix-list BGP rule 100 description permit-localsubnet
set policy prefix-list BGP rule 100 prefix 192.168.1.0/24

set policy prefix-list BGP rule 110 action permit
set policy prefix-list BGP rule 110 description permit-remotesubnet
set policy prefix-list BGP rule 110 prefix 172.16.0.0/22

11. Define the BGP neighbor and peering options.

set protocols bgp 65510 neighbor 172.16.0.254 ebgp-multihop 2
set protocols bgp 65510 neighbor 172.16.0.254 prefix-list export BGP
set protocols bgp 65510 neighbor 172.16.0.254 prefix-list import BGP
set protocols bgp 65510 neighbor 172.16.0.254 remote-as 65515
set protocols bgp 65510 neighbor 172.16.0.254 soft-reconfiguration inbound
set protocols bgp 65510 neighbor 172.16.0.254 update-source 192.168.1.1

set protocols bgp 65510 timers holdtime 180
set protocols bgp 65510 timers keepalive 60

12. Advertise the local subnet into BGP.

set protocols bgp 65510 network 192.168.1.0/24

13. Commit the changes and save the configuration.

commit ; save

Setting up the Azure Gateway

Back to Top

The Microsoft Azure side of the Site-to-Site VPN connection is based on this Microsoft Site-to-Site article and this PowerShell article.

GUI: Access the Azure Management Portal.

1. Create a Virtual Network.

Dashboard > New > Networking > Virtual Network

Name: ServerNetwork
Address Space: 172.16.0.0/22
Subnet name: default
Subnet Address Space: 172.16.1.0/24
Resource Group: ServerNetwork

2. Create a Gateway Subnet.

Dashboard > Virtual Networks > ServerNetwork > Subnets > + Gateway subnet

Name: GatewaySubnet (Required / cannot be changed)
Address Range: 172.16.0.0/24 (Cannot be the same as the default subnet address space)
NOTE:It is also possible to create the Virtual Network and Gateway Subnet using PowerShell.

network.png

CLI: Run Windows PowerShell (PS) as an administrator.

General info on how to use Windows PowerShell to manage Azure can be found in this Microsoft article.

1. Verify the presence of the PowerShellGet module.

Get-Module PowerShellGet -list | Select-Object Name,Version,Path
Name          Version Path
----          ------- ----
PowerShellGet 1.0.0.1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 
NOTE: Windows 10 includes the PowerShellGet module by default. Modules can be downloaded here.

2. Modify the PowerShell Execution Policy. 

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

3. Install the AzureRM (Resource Manager) PowerShell module.

Install-Module AzureRM

4. Connect to your Azure Resource Manager Account and select your subscription.

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName "<subscription name>"

5. Verify the Virtual Network created in the Azure Portal above (only relevant output is shown).

Get-AzureRmVirtualNetwork -ResourceGroupName "ServerNetwork"
Name                   : ServerNetwork
ResourceGroupName      : ServerNetwork
Location               : eastus
ProvisioningState      : Succeeded
AddressSpace           : {
                          "AddressPrefixes": [
                            "172.16.0.0/22"
                          ]
                        }
Subnets                : [
                          {
                            "Name": "default",
                            "AddressPrefix": "172.16.1.0/24",
                            "ProvisioningState": "Succeeded"
                          },
                          {
                            "Name": "GatewaySubnet",
                            "AddressPrefix": "172.16.0.0/24",
                            "ProvisioningState": "Succeeded"
                          }
                        ]

6. Define aliases (variables) that will be used in the Virtual Network Gateway configuration.

  • $Resource The name of the Resource Group (ServerNetwork).
  • $Location The Azure location.
  • $vNet The Virtual Network created earlier (ServerNetwork).
  • $PublicIP The Virtual Gateway public IP generated by Azure (VirtualGateway).
  • $GatewaySubnet This is the Gateway Subnet created earlier (GatewaySubnet).
  • $GatewayIP The public IP that will be used by the Virtual Gateway (VirtualGateway).
$Resource = "ServerNetwork"
$Location = "East US"
$vNet = Get-AzureRmVirtualNetwork -Name "ServerNetwork" -ResourceGroupName $Resource
$PublicIP = New-AzureRmPublicIpAddress -Name VirtualGateway -ResourceGroupName $Resource -Location $Location -AllocationMethod Dynamic
$GateWaySubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vNet
$GatewayIP = New-AzureRmVirtualNetworkGatewayIpConfig -Name "VirtualGateway" -Subnet $GatewaySubnet -PublicIpAddress $PublicIP

7. Create the Virtual Network Gateway and define the BGP AS.

New-AzureRmVirtualNetworkGateway -Name "VirtualGateway" -ResourceGroupName $Resource -Location $Location -IpConfigurations $GatewayIP -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 -Asn 65515
NOTE: The provisioning process for a new Virtual Gateway will take time. The VpnGw1 Stock-Keeping Unit (SKU) or higher is required for BGP support on the Virtual Network Gateway. More info about SKUs can be found in this Microsoft article.

8. Verify the Virtual Gateway settings (only relevant output is shown).

Get-AzureRmVirtualNetworkGateway -Name "VirtualGateway" -ResourceGroupName "ServerNetwork"
Name                   : VirtualGateway
ResourceGroupName      : ServerNetwork
Location               : eastus
ProvisioningState      : Succeeded
GatewayType            : Vpn
VpnType                : RouteBased
Sku                    : {
                          "Capacity": 10,
                          "Name": "VpnGw1",
                          "Tier": "VpnGw1"
                        }
BgpSettings            : {
                          "Asn": 65515,
                          "BgpPeeringAddress": "172.16.0.254",
                          "PeerWeight": 0
                        }

9. Create the Local Network Gateway and define the BGP AS.

  • GatewayIpAddress The public IP address of the EdgeRouter.
  • AddressPrefix The local subnet behind the ER.
  • BgpPeeringAddress The BGP neighbor IP address on the EdgeRouter.
  • Asn The Autonomous System Number.
New-AzureRmLocalNetworkGateway -Name "LocalGateway" -ResourceGroupName $Resource -Location $Location -GatewayIpAddress "203.0.113.1" -AddressPrefix "192.168.1.0/24" -Asn 65510 -BgpPeeringAddress "192.168.1.1"

10. Verify the Local Gateway settings (only relevant output is shown).

Get-AzureRmLocalNetworkGateway -Name "LocalGateway" -ResourceGroupName "ServerNetwork"
Name                     : LocalGateway
ResourceGroupName        : ServerNetwork
Location                 : eastus
ProvisioningState        : Succeeded
GatewayIpAddress         : 203.0.113.1
LocalNetworkAddressSpace : {
                            "AddressPrefixes": [
                              "192.168.1.0/24"
                            ]
                          }
BgpSettings              : {
                            "Asn": 65510,
                            "BgpPeeringAddress": "192.168.1.1",
                            "PeerWeight": 0
                          }

11. Define aliases (variables) for both the VirtualGateway and the LocalGateway.

$VirtualConnection = Get-AzureRmVirtualNetworkGateway -Name "VirtualGateway"  -ResourceGroupName $Resource
$LocalConnection  = Get-AzureRmLocalNetworkGateway -Name "LocalGateway" -ResourceGroupName $Resource

12. Create and initiate the Virtual Gateway Connection.

  • Name The locally significant name of the VPN connection.
  • VirtualNetworkGateway1 The Virtual Gateway created earlier (VirtualGateway).
  • LocalNetworkGateway2 The Local Gateway created earlier (LocalGateway).
  • SharedKey The pre-shared-secret between the sites (replace <secret> with your desired passphrase).
  • EnableBGP Needs to be set to true, otherwise BGP is not operational.
New-AzureRmVirtualNetworkGatewayConnection -Name "IPsecER" -ResourceGroupName $Resource -VirtualNetworkGateway1 $VirtualConnection -LocalNetworkGateway2 $LocalConnection -Location $Location -ConnectionType IPsec -SharedKey '<secret>' -EnableBGP $True

13. Verify the Virtual Gateway Connection (only relevant output is shown).

Get-AzureRmVirtualNetworkGatewayConnection -Name "IPsecER" -ResourceGroupName "ServerNetwork"
Name                    : IPsecER
ResourceGroupName       : ServerNetwork
Location                : eastus
ProvisioningState       : Succeeded
ConnectionStatus        : Connected
EgressBytesTransferred  : 3854
IngressBytesTransferred : 3104

verifylocal.png

verifyremote.png

NOTE: More info on how to use Windows PowerShell to manage Azure can be found in the this Microsoft article.

Related Articles

Back to Top

EdgeRouter - Policy-Based Site-to-Site VPN to Azure (IKEv1/IPsec)

EdgeRouter - Route-Based Site-to-Site VPN to Azure (VTI over IKEv2/IPsec)

Intro to Networking - How to Establish a Connection Using SSH

Was this article helpful?