EdgeRouter - Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)
Overview
Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between a Microsoft Azure VPN gateway and an EdgeRouter using BGP routing. The other VPN options that are available when connecting to Azure are:
Microsoft recommends using Route-Based IKEv2 VPNs rather than Policy-Based IKEv1 VPNs, as they offer additional connectivity features. These features include Point-to-Site VPNs, active routing support (BGP), support for multiple tunnels as well as ECMP with metric routing, Active-Active Azure Gateway configurations for redundancy, transit routing with Point-to-Site, Dead Peer Detection (DPD) and Virtual Network Peering.
Network Diagram
The network topology is shown below and the following interfaces are in use on the EdgeRouter and Azure:
ER-4 (AS 65510)
- eth0 (WAN) - 203.0.113.1
- eth1 (LAN) - 192.168.1.1/24
- vti0 - no address
Azure VGW (AS 65515)
- Virtual Gateway - 192.0.2.1
- Virtual Network - 172.16.0.0/22
- Default Subnet - 172.16.1.0/24
The type of VPN that will be created is a Route-Based over IKEv2/IPsec tunnel over which a BGP session is established.
Configuring a Route-Based VPN
Follow the steps below to configure the Route-Based Site-to-Site IPsec VPN on the EdgeRouter:
1. Enter configuration mode.
configure
2. Enable the auto-firewall-nat-exclude feature, which automatically creates the IPsec firewall/NAT policies in the iptables firewall.
set vpn ipsec auto-firewall-nat-exclude enable
3. Create the IKE / Phase 1 (P1) Security Associations (SAs) and set the Key Exchange to IKEv2.
set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
4. Create the ESP / Phase 2 (P2) SAs and disable Perfect Forward Secrecy (PFS).
set vpn ipsec esp-group FOO0 lifetime 27000
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
5. Define the remote peering address and set the connection-type to respond.
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 connection-type respond
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
6. Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0).
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0
7. Configure the virtual tunnel interface (vti0) without an IP address assigned to it.
set interfaces vti vti0
8. Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1350.
set firewall options mss-clamp interface-type vti
set firewall options mss-clamp mss 1350
9. Create a static route for the remote BGP peering address.
set protocols static interface-route 172.16.0.254/32 next-hop-interface vti0
10. Create a prefix-list for BGP that will be used to filter advertised and received prefixes.
set policy prefix-list BGP rule 10 action deny
set policy prefix-list BGP rule 10 description deny-localgw
set policy prefix-list BGP rule 10 prefix 203.0.113.1/32
set policy prefix-list BGP rule 20 action deny
set policy prefix-list BGP rule 20 description deny-remotegw
set policy prefix-list BGP rule 20 prefix 192.0.2.1/32
set policy prefix-list BGP rule 30 action deny
set policy prefix-list BGP rule 30 description deny-localpeer
set policy prefix-list BGP rule 30 prefix 192.168.1.1/32
set policy prefix-list BGP rule 40 action deny
set policy prefix-list BGP rule 40 description deny-remotepeer
set policy prefix-list BGP rule 40 prefix 172.16.0.254/32
set policy prefix-list BGP rule 100 action permit
set policy prefix-list BGP rule 100 description permit-localsubnet
set policy prefix-list BGP rule 100 prefix 192.168.1.0/24
set policy prefix-list BGP rule 110 action permit
set policy prefix-list BGP rule 110 description permit-remotesubnet
set policy prefix-list BGP rule 110 prefix 172.16.0.0/22
11. Define the BGP neighbor and peering options.
set protocols bgp 65510 neighbor 172.16.0.254 ebgp-multihop 2
set protocols bgp 65510 neighbor 172.16.0.254 prefix-list export BGP
set protocols bgp 65510 neighbor 172.16.0.254 prefix-list import BGP
set protocols bgp 65510 neighbor 172.16.0.254 remote-as 65515
set protocols bgp 65510 neighbor 172.16.0.254 soft-reconfiguration inbound
set protocols bgp 65510 neighbor 172.16.0.254 update-source 192.168.1.1
set protocols bgp 65510 timers holdtime 180
set protocols bgp 65510 timers keepalive 60
12. Advertise the local subnet into BGP.
set protocols bgp 65510 network 192.168.1.0/24
13. Commit the changes and save the configuration.
commit ; save
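A consistency check for the EdgeRouter side, added here as an example; it is not part of the original article and not EdgeOS code. It takes the `set` commands from the steps above as text, verifies that every reference between the peer, the ike/esp groups, the VTI, the static route and the BGP neighbor resolves, and then evaluates the `BGP` prefix-list with the router's first-match, exact-prefix, implicit-deny semantics, which shows why a more specific prefix such as 172.16.1.0/24 would not match rule 110 and would be dropped. The function names (`parse`, `check_vpn_config`, `prefix_list_permits`) are chosen here, and the embedded configuration is a constructed subset of the commands above.

```python
"""Added example, not part of the original article or of EdgeOS: parse the
`set` commands from the procedure above into config paths, cross-check the
references between IPsec peer, VTI, static route and BGP neighbor, and
evaluate the BGP prefix-list as the router does (ascending rule order, exact
prefix match, implicit deny at the end)."""
import ipaddress

# Constructed input: the commands from the procedure above that carry
# cross-references (lifetimes, timers, descriptions and the secret left out).
EDGEROUTER_CONFIG = """
set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0
set interfaces vti vti0
set protocols static interface-route 172.16.0.254/32 next-hop-interface vti0
set policy prefix-list BGP rule 10 action deny
set policy prefix-list BGP rule 10 prefix 203.0.113.1/32
set policy prefix-list BGP rule 20 action deny
set policy prefix-list BGP rule 20 prefix 192.0.2.1/32
set policy prefix-list BGP rule 30 action deny
set policy prefix-list BGP rule 30 prefix 192.168.1.1/32
set policy prefix-list BGP rule 40 action deny
set policy prefix-list BGP rule 40 prefix 172.16.0.254/32
set policy prefix-list BGP rule 100 action permit
set policy prefix-list BGP rule 100 prefix 192.168.1.0/24
set policy prefix-list BGP rule 110 action permit
set policy prefix-list BGP rule 110 prefix 172.16.0.0/22
set protocols bgp 65510 neighbor 172.16.0.254 prefix-list export BGP
set protocols bgp 65510 neighbor 172.16.0.254 prefix-list import BGP
set protocols bgp 65510 neighbor 172.16.0.254 remote-as 65515
set protocols bgp 65510 network 192.168.1.0/24
"""

def parse(text):
    """Each `set a b c ...` line becomes the tuple ('a', 'b', 'c', ...)."""
    return [tuple(l.split()[1:]) for l in text.splitlines() if l.startswith("set ")]

def exists(paths, *prefix):
    return any(p[:len(prefix)] == prefix for p in paths)

def value(paths, *prefix):
    """Word following `prefix` in the first matching path, or None."""
    n = len(prefix)
    return next((p[n] for p in paths if p[:n] == prefix and len(p) > n), None)

def prefix_list_rules(paths, name):
    """[{'action': ..., 'prefix': ...}, ...] in ascending rule-number order."""
    rules = {}
    for p in paths:
        if p[:4] == ("policy", "prefix-list", name, "rule"):
            rules.setdefault(int(p[4]), {})[p[5]] = p[6]
    return [rules[n] for n in sorted(rules)]

def prefix_list_permits(rules, prefix):
    """A rule without ge/le matches only that exact prefix; the first match
    decides; a prefix matching no rule is denied (e.g. 172.16.1.0/24 here)."""
    net = ipaddress.ip_network(prefix)
    for rule in rules:
        if ipaddress.ip_network(rule["prefix"]) == net:
            return rule["action"] == "permit"
    return False

def check_vpn_config(text):
    """List dangling references between the VPN pieces; empty means consistent."""
    paths, out = parse(text), []
    peer = value(paths, "vpn", "ipsec", "site-to-site", "peer")
    pb = ("vpn", "ipsec", "site-to-site", "peer", peer)
    ike, esp = value(paths, *pb, "ike-group"), value(paths, *pb, "vti", "esp-group")
    vti = value(paths, *pb, "vti", "bind")
    if not exists(paths, "vpn", "ipsec", "ike-group", ike):
        out.append(f"peer {peer}: ike-group {ike} is not defined")
    elif value(paths, "vpn", "ipsec", "ike-group", ike, "key-exchange") != "ikev2":
        out.append(f"ike-group {ike}: route-based VPN to Azure needs key-exchange ikev2")
    if not exists(paths, "vpn", "ipsec", "esp-group", esp):
        out.append(f"peer {peer}: esp-group {esp} is not defined")
    if not exists(paths, "interfaces", "vti", vti):
        out.append(f"peer {peer}: bound interface {vti} is not configured")
    asn = value(paths, "protocols", "bgp")
    nb = value(paths, "protocols", "bgp", asn, "neighbor")
    hop = value(paths, "protocols", "static", "interface-route", f"{nb}/32",
                "next-hop-interface")
    if hop != vti:  # without this route the BGP session never reaches the tunnel
        out.append(f"neighbor {nb}: static route must point at {vti}, found {hop}")
    for way in ("import", "export"):
        pl = value(paths, "protocols", "bgp", asn, "neighbor", nb, "prefix-list", way)
        if not exists(paths, "policy", "prefix-list", pl):
            out.append(f"neighbor {nb}: {way} prefix-list {pl} is not defined")
    return out

if __name__ == "__main__":
    print("findings:", check_vpn_config(EDGEROUTER_CONFIG))
    rules = prefix_list_rules(parse(EDGEROUTER_CONFIG), "BGP")
    for pfx in ("192.168.1.0/24", "172.16.0.0/22", "172.16.0.254/32", "10.0.0.0/8"):
        print(pfx, "permit" if prefix_list_permits(rules, pfx) else "deny")
```

Run directly, it prints an empty findings list for the configuration above and a permit/deny verdict per prefix. To check a live router, replace the embedded text with the output of `show configuration commands`; any prefix Azure starts advertising that is not an exact match for rule 110 will fall through to the implicit deny, which is the intended effect of the list and worth remembering when the VNet address space is later extended.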
Setting up the Azure Gateway
The Microsoft Azure side of the Site-to-Site VPN connection is based on this Microsoft Site-to-Site article and this PowerShell article.
1. Create a Virtual Network.
Dashboard > New > Networking > Virtual Network
Name: ServerNetwork
Address Space: 172.16.0.0/22
Subnet name: default
Subnet Address Space: 172.16.1.0/24
Resource Group: ServerNetwork
2. Create a Gateway Subnet.
Dashboard > Virtual Networks > ServerNetwork > Subnets > + Gateway subnet
Name: GatewaySubnet (Required / cannot be changed)
Address Range: 172.16.0.0/24 (Cannot be the same as the default subnet address space)
General info on how to use Windows PowerShell to manage Azure can be found in this Microsoft article.
1. Verify the presence of the PowerShellGet module.
Get-Module PowerShellGet -list | Select-Object Name,Version,Path
Name Version Path
---- ------- ----
PowerShellGet 1.0.0.1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1
2. Modify the PowerShell Execution Policy.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
3. Install the AzureRM (Resource Manager) PowerShell module.
Install-Module AzureRM
4. Connect to your Azure Resource Manager Account and select your subscription.
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName "<subscription name>"
5. Verify the Virtual Network created in the Azure Portal above (only relevant output is shown).
Get-AzureRmVirtualNetwork -ResourceGroupName "ServerNetwork"
Name : ServerNetwork
ResourceGroupName : ServerNetwork
Location : eastus
ProvisioningState : Succeeded
AddressSpace : {
"AddressPrefixes": [
"172.16.0.0/22"
]
}
Subnets : [
{
"Name": "default",
"AddressPrefix": "172.16.1.0/24",
"ProvisioningState": "Succeeded"
},
{
"Name": "GatewaySubnet",
"AddressPrefix": "172.16.0.0/24",
"ProvisioningState": "Succeeded"
}
]
6. Define aliases (variables) that will be used in the Virtual Network Gateway configuration.
- $Resource - The name of the Resource Group (ServerNetwork).
- $Location - The Azure location.
- $vNet - The Virtual Network created earlier (ServerNetwork).
- $PublicIP - The Virtual Gateway public IP generated by Azure (VirtualGateway).
- $GatewaySubnet - The Gateway Subnet created earlier (GatewaySubnet).
- $GatewayIP - The public IP that will be used by the Virtual Gateway (VirtualGateway).
$Resource = "ServerNetwork"
$Location = "East US"
$vNet = Get-AzureRmVirtualNetwork -Name "ServerNetwork" -ResourceGroupName $Resource
$PublicIP = New-AzureRmPublicIpAddress -Name VirtualGateway -ResourceGroupName $Resource -Location $Location -AllocationMethod Dynamic
$GatewaySubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vNet
$GatewayIP = New-AzureRmVirtualNetworkGatewayIpConfig -Name "VirtualGateway" -Subnet $GatewaySubnet -PublicIpAddress $PublicIP
7. Create the Virtual Network Gateway and define the BGP AS.
New-AzureRmVirtualNetworkGateway -Name "VirtualGateway" -ResourceGroupName $Resource -Location $Location -IpConfigurations $GatewayIP -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 -Asn 65515
8. Verify the Virtual Gateway settings (only relevant output is shown).
Get-AzureRmVirtualNetworkGateway -Name "VirtualGateway" -ResourceGroupName "ServerNetwork"
Name : VirtualGateway
ResourceGroupName : ServerNetwork
Location : eastus
ProvisioningState : Succeeded
GatewayType : Vpn
VpnType : RouteBased
Sku : {
"Capacity": 10,
"Name": "VpnGw1",
"Tier": "VpnGw1"
}
BgpSettings : {
"Asn": 65515,
"BgpPeeringAddress": "172.16.0.254",
"PeerWeight": 0
}
9. Create the Local Network Gateway and define the BGP AS.
- GatewayIpAddress - The public IP address of the EdgeRouter.
- AddressPrefix - The local subnet behind the ER.
- BgpPeeringAddress - The BGP neighbor IP address on the EdgeRouter.
- Asn - The Autonomous System Number.
New-AzureRmLocalNetworkGateway -Name "LocalGateway" -ResourceGroupName $Resource -Location $Location -GatewayIpAddress "203.0.113.1" -AddressPrefix "192.168.1.0/24" -Asn 65510 -BgpPeeringAddress "192.168.1.1"
10. Verify the Local Gateway settings (only relevant output is shown).
Get-AzureRmLocalNetworkGateway -Name "LocalGateway" -ResourceGroupName "ServerNetwork"
Name : LocalGateway
ResourceGroupName : ServerNetwork
Location : eastus
ProvisioningState : Succeeded
GatewayIpAddress : 203.0.113.1
LocalNetworkAddressSpace : {
"AddressPrefixes": [
"192.168.1.0/24"
]
}
BgpSettings : {
"Asn": 65510,
"BgpPeeringAddress": "192.168.1.1",
"PeerWeight": 0
}
11. Define aliases (variables) for both the VirtualGateway and the LocalGateway.
$VirtualConnection = Get-AzureRmVirtualNetworkGateway -Name "VirtualGateway" -ResourceGroupName $Resource
$LocalConnection = Get-AzureRmLocalNetworkGateway -Name "LocalGateway" -ResourceGroupName $Resource
12. Create and initiate the Virtual Gateway Connection.
- Name - The locally significant name of the VPN connection.
- VirtualNetworkGateway1 - The Virtual Gateway created earlier (VirtualGateway).
- LocalNetworkGateway2 - The Local Gateway created earlier (LocalGateway).
- SharedKey - The pre-shared-secret between the sites (replace <secret> with your desired passphrase).
- EnableBGP - Needs to be set to true, otherwise BGP is not operational.
New-AzureRmVirtualNetworkGatewayConnection -Name "IPsecER" -ResourceGroupName $Resource -VirtualNetworkGateway1 $VirtualConnection -LocalNetworkGateway2 $LocalConnection -Location $Location -ConnectionType IPsec -SharedKey '<secret>' -EnableBGP $True
13. Verify the Virtual Gateway Connection (only relevant output is shown).
Get-AzureRmVirtualNetworkGatewayConnection -Name "IPsecER" -ResourceGroupName "ServerNetwork"
Name : IPsecER
ResourceGroupName : ServerNetwork
Location : eastus
ProvisioningState : Succeeded
ConnectionStatus : Connected
EgressBytesTransferred : 3854
IngressBytesTransferred : 3104
Related Articles
EdgeRouter - Policy-Based Site-to-Site VPN to Azure (IKEv1/IPsec)
EdgeRouter - Route-Based Site-to-Site VPN to Azure (VTI over IKEv2/IPsec)
Intro to Networking - How to Establish a Connection Using SSH