path: root/docs/appendix/examples/azure-vpn-dual-bgp.rst
blob: 4cbcde3b096fee221b4949fb902d108f7645bf8f (plain)
.. _examples-azure-vpn-dual-bgp:

Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)
----------------------------------------------------------------------

This guide shows an example of a redundant (active-active) route-based IKEv2
site-to-site VPN to Azure, using VTIs for the tunnels and BGP for dynamic
routing updates.

Prerequisites
^^^^^^^^^^^^^

- A pair of Azure VNet Gateways deployed in active-passive
  configuration with BGP enabled.

- A local network gateway deployed in Azure representing
  the VyOS device, matching the VyOS settings below except for
  the address space, which only needs to contain the VyOS private IP,
  in this example 10.10.0.5/32.

- A connection resource deployed in Azure linking the
  Azure VNet gateway and the local network gateway representing
  the VyOS device.

Example
^^^^^^^

+---------------------------------------+---------------------+
| WAN Interface                         | eth0                |
+---------------------------------------+---------------------+
| On-premises address space             | 10.10.0.0/16        |
+---------------------------------------+---------------------+
| Azure address space                   | 10.0.0.0/16         |
+---------------------------------------+---------------------+
| VyOS public IP                        | 198.51.100.3        |
+---------------------------------------+---------------------+
| VyOS private IP                       | 10.10.0.5           |
+---------------------------------------+---------------------+
| Azure VNet Gateway 1 public IP        | 203.0.113.2         |
+---------------------------------------+---------------------+
| Azure VNet Gateway 2 public IP        | 203.0.113.3         |
+---------------------------------------+---------------------+
| Azure VNet Gateway BGP IPs            | 10.0.0.4, 10.0.0.5  |
+---------------------------------------+---------------------+
| Pre-shared key                        | ch00s3-4-s3cur3-psk |
+---------------------------------------+---------------------+
| VyOS ASN                              | 64499               |
+---------------------------------------+---------------------+
| Azure ASN                             | 65540               |
+---------------------------------------+---------------------+

VyOS configuration
^^^^^^^^^^^^^^^^^^

- Configure the IKE and ESP settings to match a subset
  of those supported by Azure:

.. code-block:: sh

  set vpn ipsec esp-group AZURE compression 'disable'
  set vpn ipsec esp-group AZURE lifetime '3600'
  set vpn ipsec esp-group AZURE mode 'tunnel'
  set vpn ipsec esp-group AZURE pfs 'dh-group2'
  set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
  set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'

  set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
  set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
  set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
  set vpn ipsec ike-group AZURE ikev2-reauth 'yes'
  set vpn ipsec ike-group AZURE key-exchange 'ikev2'
  set vpn ipsec ike-group AZURE lifetime '28800'
  set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
  set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
  set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'

- Enable IPsec on eth0:

.. code-block:: sh

  set vpn ipsec ipsec-interfaces interface 'eth0'

- Configure two VTIs with a dummy IP address each:

.. code-block:: sh

  set interfaces vti vti1 address '10.10.1.5/32'
  set interfaces vti vti1 description 'Azure Primary Tunnel'

  set interfaces vti vti2 address '10.10.1.6/32'
  set interfaces vti vti2 description 'Azure Secondary Tunnel'

- Clamp the MSS on both VTIs to 1350 to avoid PMTU black holes:

.. code-block:: sh

  set firewall options interface vti1 adjust-mss 1350
  set firewall options interface vti2 adjust-mss 1350

- Configure the VPN tunnels:

.. code-block:: sh

  set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
  set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
  set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
  set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'
  set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
  set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
  set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
  set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
  set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5'
  set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
  set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE'

  set vpn ipsec site-to-site peer 203.0.113.3 authentication id '198.51.100.3'
  set vpn ipsec site-to-site peer 203.0.113.3 authentication mode 'pre-shared-secret'
  set vpn ipsec site-to-site peer 203.0.113.3 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
  set vpn ipsec site-to-site peer 203.0.113.3 authentication remote-id '203.0.113.3'
  set vpn ipsec site-to-site peer 203.0.113.3 connection-type 'respond'
  set vpn ipsec site-to-site peer 203.0.113.3 description 'AZURE SECONDARY TUNNEL'
  set vpn ipsec site-to-site peer 203.0.113.3 ike-group 'AZURE'
  set vpn ipsec site-to-site peer 203.0.113.3 ikev2-reauth 'inherit'
  set vpn ipsec site-to-site peer 203.0.113.3 local-address '10.10.0.5'
  set vpn ipsec site-to-site peer 203.0.113.3 vti bind 'vti2'
  set vpn ipsec site-to-site peer 203.0.113.3 vti esp-group 'AZURE'

- **Important**: Add an interface route to reach both of Azure's BGP listeners:

.. code-block:: sh

  set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
  set protocols static interface-route 10.0.0.5/32 next-hop-interface vti2

- Configure the BGP settings:

.. code-block:: sh

  set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'
  set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound'
  set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30'
  set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10'

  set protocols bgp 64499 neighbor 10.0.0.5 remote-as '65540'
  set protocols bgp 64499 neighbor 10.0.0.5 address-family ipv4-unicast soft-reconfiguration 'inbound'
  set protocols bgp 64499 neighbor 10.0.0.5 timers holdtime '30'
  set protocols bgp 64499 neighbor 10.0.0.5 timers keepalive '10'

- **Important**: Disable the connected check; otherwise the routes learned
  from Azure will not be imported into the routing table:

.. code-block:: sh

  set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check
  set protocols bgp 64499 neighbor 10.0.0.5 disable-connected-check
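As an added pre-commit check (example code, not part of the VyOS documentation or of VyOS itself), the following Python lints a list of ``set`` commands for the pitfalls this example calls out: every peer's VTI binding must exist, every VTI needs an MSS clamp, and every BGP neighbour needs a /32 interface route over a VTI plus ``disable-connected-check``. The sample input is constructed from the configuration above with the second tunnel's clamp, route and connected-check deliberately left out, so the linter has something to report.

```python
"""Lint a VyOS 'set' command list for the pitfalls in the Azure dual-BGP example."""

# Constructed sample: the relevant lines from the configuration above, with
# vti2's MSS clamp and neighbour 10.0.0.5's route and connected-check omitted.
SAMPLE = """
set interfaces vti vti1 address '10.10.1.5/32'
set interfaces vti vti2 address '10.10.1.6/32'
set firewall options interface vti1 adjust-mss 1350
set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
set vpn ipsec site-to-site peer 203.0.113.3 vti bind 'vti2'
set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'
set protocols bgp 64499 neighbor 10.0.0.5 remote-as '65540'
set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check
"""


def parse(text):
    """Return each 'set' command as a list of tokens with quotes stripped."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            cmds.append([tok.strip("'") for tok in line.split()[1:]])
    return cmds


def lint(text):
    """Return a sorted list of findings; an empty list means the config is consistent."""
    cmds = parse(text)
    vtis = {c[2] for c in cmds if c[:2] == ["interfaces", "vti"]}
    clamped = {c[3] for c in cmds
               if c[:3] == ["firewall", "options", "interface"] and "adjust-mss" in c}
    bound = {c[4]: c[7] for c in cmds if len(c) > 7
             and c[:4] == ["vpn", "ipsec", "site-to-site", "peer"] and c[5:7] == ["vti", "bind"]}
    routes = {c[3]: c[5] for c in cmds if c[:3] == ["protocols", "static", "interface-route"]}
    bgp = [c for c in cmds if len(c) > 4 and c[:2] == ["protocols", "bgp"] and c[3] == "neighbor"]
    neighbours = {c[4] for c in bgp}
    unchecked = {c[4] for c in bgp if "disable-connected-check" in c}
    findings = [f"peer {p} binds undefined {v}" for p, v in bound.items() if v not in vtis]
    findings += [f"{v} has no adjust-mss clamp" for v in vtis if v not in clamped]
    for n in neighbours:
        if routes.get(f"{n}/32") not in vtis:
            findings.append(f"BGP neighbor {n} has no /32 interface-route via a VTI")
        if n not in unchecked:
            findings.append(f"BGP neighbor {n} lacks disable-connected-check")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint(SAMPLE) or ["no findings"]:
        print(finding)
```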