Hi all,
I promised a while back that I'd get an EdgeRouter config together for a route-based (dynamic routing) VPN tunnel to Azure along with BGP. I'm currently on EdgeRouter Lite v1.9.0, for reference.
Prerequisites / things to think of ahead of time:
You'll need an AS number for Azure's gateway and for your Ubiquiti EdgeRouter. The Azure gateway defaults to 65515, and you don't really need to change that side. For your local side, you can technically choose any number from 1-65535, but it's best to choose a number near the top end for simplicity's sake. I used 65501 for my ubnt side - this is the value $VNet1ASN in the documentation listed below.
Key:
1.1.1.1: My local WAN IP
2.2.2.2: Azure gateway Public IP
10.0.1.1: My EdgeRouter internal IP
65515: Azure ASN
65501: Local ASN
10.0.1.0/24: local address space
10.1.0.0/16: Azure address space
mykey: Preshared Key for IPSec Tunnel
eth0: My WAN interface
vti0: My Virtual Tunnel Interface for the VPN tunnel
10.0.0.1/30: My vti0 address space - this can be anything, really, as long as it is not an address already used on a physical interface.
10.1.255.254: my Azure BGP Peer address
Azure Config:
Configure Azure's VPN gateway using this documentation. Take note of your BGP Peer address (mine is 10.1.255.254). Also note that your "local address space" in the Azure local network gateway is your router's IP address (mine is 10.0.1.1).
UBNT configs:
IPSec VPN:
ryanb@ubnt# show interfaces vti
 vti vti0 {
     address 10.0.0.1/30
     description "Azure S2S VPN Tunnel"
     mtu 1436
 }

ryanb@ubnt# show vpn ipsec
 auto-firewall-nat-exclude disable
 disable-uniqreqids
 esp-group esp-azure {
     compression disable
     lifetime 3600
     mode tunnel
     pfs disable
     proposal 1 {
         encryption aes256
         hash sha1
     }
 }
 ike-group ike-azure {
     ikev2-reauth no
     key-exchange ikev2
     lifetime 28800
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ipsec-interfaces {
     interface eth0
 }
 nat-traversal enable
 site-to-site {
     peer 2.2.2.2 {
         authentication {
             mode pre-shared-secret
             pre-shared-secret mykey
         }
         connection-type initiate
         default-esp-group esp-azure
         description "Azure S2S VPN"
         ike-group ike-azure
         ikev2-reauth inherit
         local-address 1.1.1.1
         vti {
             bind vti0
             esp-group esp-azure
         }
     }
 }
BGP config:
ryanb@ubnt# show protocols bgp
 bgp 65501 {
     neighbor 10.1.255.254 {
         ebgp-multihop 4
         remote-as 65515
         soft-reconfiguration {
             inbound
         }
         update-source 10.0.1.1
     }
     parameters {
         no-fast-external-failover
         router-id 10.0.1.1
     }
     redistribute {
         connected {
         }
     }
     timers {
         holdtime 180
         keepalive 60
     }
 }
Static route to get traffic over the vti0 interface:
ryanb@ubnt# show protocols static interface-route
 interface-route 10.1.255.254/32 {
     next-hop-interface vti0 {
     }
 }
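The configs above are in the brace format that `show` prints in configure mode; to load the same settings on another EdgeRouter you need them as `set` commands. The Python script below is added here as an example and is not part of the original post or of EdgeOS. It converts a multi-line `show` block into `set` commands, assuming one statement per line exactly as EdgeOS prints it, with the prompt line removed, and that you pass in the path prefix the `show` command itself omits (`("interfaces",)` for `show interfaces vti`, `("vpn", "ipsec")` for `show vpn ipsec`, `("protocols",)` for `show protocols bgp`). The embedded samples are copied from the vti and BGP blocks above. Note that the converter reproduces the `pre-shared-secret` line verbatim, so a generated file for the ipsec block needs the same handling as the secret itself.

```python
"""Convert EdgeOS brace-format configuration (as printed by 'show' in
configure mode) into the equivalent 'set' commands.

Added example for this post; it is not part of EdgeOS. It assumes the input
is the multi-line 'show' output, one statement per line, with the prompt
line removed, and that the caller supplies the path prefix the 'show'
command itself omits (for example ("interfaces",) for 'show interfaces vti').
"""
import re

# Keep double-quoted values as one token; braces become their own tokens.
_TOKEN = re.compile(r'"[^"]*"|[{}]|[^\s{}]+')


def to_set_commands(show_output, root=()):
    """Flatten brace-format config text into a list of 'set ...' strings."""
    commands = []
    # Stack entries: [path words of this node, number of children seen].
    # The root entry carries the prefix the 'show' command left out.
    stack = [[list(root), 0]]

    def full_path(words):
        path = [w for node, _ in stack for w in node]
        return "set " + " ".join(path + words)

    for raw in show_output.splitlines():
        tokens = _TOKEN.findall(raw)
        if not tokens:
            continue
        if tokens == ["}"]:
            node, children = stack.pop()
            if children == 0:
                # An empty node such as 'connected { }' is still a leaf
                # that must be set explicitly.
                commands.append(full_path(node))
            continue
        stack[-1][1] += 1
        if tokens[-2:] == ["{", "}"]:
            commands.append(full_path(tokens[:-2]))   # 'name { }' on one line
        elif tokens[-1] == "{":
            stack.append([tokens[:-1], 0])             # open a nested node
        else:
            commands.append(full_path(tokens))         # ordinary leaf
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration text")
    return commands


# Constructed samples, copied from the vti and BGP blocks in the post.
VTI_SAMPLE = """\
vti vti0 {
    address 10.0.0.1/30
    description "Azure S2S VPN Tunnel"
    mtu 1436
}
"""

BGP_SAMPLE = """\
bgp 65501 {
    neighbor 10.1.255.254 {
        ebgp-multihop 4
        remote-as 65515
        soft-reconfiguration {
            inbound
        }
        update-source 10.0.1.1
    }
    redistribute {
        connected {
        }
    }
}
"""

if __name__ == "__main__":
    for cmd in to_set_commands(VTI_SAMPLE, root=("interfaces",)):
        print(cmd)
    for cmd in to_set_commands(BGP_SAMPLE, root=("protocols",)):
        print(cmd)
```

The only structural cases in this format are a nested node (`name {`), an empty node (`name { }` or an open and close on consecutive lines), and a leaf, so the stack of path words is all the state needed; an unbalanced block raises instead of silently emitting commands under the wrong path.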
Summary:
Let me know if there are any questions! Results are below:
ryanb@ubnt:~$ show vpn ipsec sa
peer-2.2.2.2-tunnel-vti: #1, ESTABLISHED, IKEv2, 57d6746270f297a6:5a726f90836713ed
  local  '1.1.1.1' @ 1.1.1.1
  remote '2.2.2.2' @ 2.2.2.2
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 95s ago, rekeying in 28030s
  peer-2.2.2.2-tunnel-vti: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 95 ago, rekeying in 2445s, expires in 3505s
    in  cae6c90f,   3243 bytes,    48 packets,    26s ago
    out 81a66e8a,   5269 bytes,    52 packets,    26s ago
    local  0.0.0.0/0
    remote 0.0.0.0/0

ryanb@ubnt:~$ show ip bgp summary
BGP router identifier 10.0.1.1, local AS number 65501
BGP table version is 6
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcv MsgSen   TblVer  InQ  OutQ Up/Down  State/PfxRcd
10.1.255.254    4 65515    878    768        6    0     0 00:00:25        4

Total number of neighbors 1
Total number of Established sessions 1
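These two outputs are also what you would check from a monitoring job. The Python script below is added here as an example and is not part of the post, EdgeOS, strongSwan or Azure. It parses the text of `show vpn ipsec sa` and `show ip bgp summary` and reports whether the IKE SA is ESTABLISHED, an ESP child SA is INSTALLED, and the BGP neighbor is established with prefixes received. It also flags negotiated algorithms that current hardening guidance steers away from: the `MODP_1024` in the output above is the `dh-group 2` from the ike-group, and the `HMAC_SHA1_96` comes from `hash sha1` in both groups. The sample strings are constructed from the output above, and the peer and neighbor addresses are passed in as parameters.

```python
"""Health check for the tunnel above, built from the text of 'show vpn ipsec sa'
and 'show ip bgp summary'. Added example for this post, not EdgeOS, strongSwan
or Azure code; it assumes the outputs are pasted in as the CLI prints them."""
import re

# Constructed sample output, reflowed from the kind of listing the post shows.
IPSEC_SA_SAMPLE = """\
peer-2.2.2.2-tunnel-vti: #1, ESTABLISHED, IKEv2, 57d6746270f297a6:5a726f90836713ed
  local  '1.1.1.1' @ 1.1.1.1
  remote '2.2.2.2' @ 2.2.2.2
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 95s ago, rekeying in 28030s
  peer-2.2.2.2-tunnel-vti: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 95s ago, rekeying in 2445s, expires in 3505s
"""
BGP_SUMMARY_SAMPLE = """\
BGP router identifier 10.0.1.1, local AS number 65501
Neighbor        V    AS MsgRcv MsgSen   TblVer  InQ  OutQ Up/Down  State/PfxRcd
10.1.255.254    4 65515    878    768        6    0     0 00:00:25        4
Total number of neighbors 1
"""
# Algorithm names as strongSwan prints them; MODP_1024 is EdgeOS 'dh-group 2'.
FLAGGED_ALGORITHMS = {
    "MODP_1024": "1024-bit DH group (dh-group 2); prefer group 14 or larger",
    "3DES_CBC": "3DES encryption",
    "HMAC_MD5_96": "MD5 integrity",
    "HMAC_SHA1_96": "SHA-1 integrity; prefer SHA-256 where the peer supports it",
}
_SA_LINE = re.compile(r"^\s*(\S+): #(\d+), ([A-Z]+), ([^,\s]+)(?:, ESP:(\S+))?")
_PROPOSAL = re.compile(r"^\s*([A-Z0-9_\-]+(?:/[A-Z0-9_\-]+)+)\s*$")


def parse_ipsec_sa(text):
    """One dict per IKE SA: name, state, IKE proposal, and its ESP child SAs."""
    sas = []
    for line in text.splitlines():
        m = _SA_LINE.match(line)
        if m:
            name, _, state, kind, esp = m.groups()
            if kind.startswith("IKEv"):          # IKE SA header line
                sas.append({"name": name, "state": state, "proposal": None, "children": []})
            elif sas:                            # child SA line (TUNNEL/TRANSPORT, ESP:...)
                sas[-1]["children"].append({"name": name, "state": state, "proposal": esp})
        elif sas and sas[-1]["proposal"] is None and _PROPOSAL.match(line):
            sas[-1]["proposal"] = line.strip()   # IKE proposal follows the header
    return sas


def parse_bgp_summary(text):
    """{neighbor: {"as", "state", "prefixes"}} from the summary table rows."""
    neighbors = {}
    for line in text.splitlines():
        parts = line.split()
        # Rows start with an IPv4 address; the last column is a prefix count when
        # the session is Established and a state name (Active, Idle, ...) otherwise.
        if len(parts) >= 10 and re.match(r"^\d+\.\d+\.\d+\.\d+$", parts[0]):
            up = parts[-1].isdigit()
            neighbors[parts[0]] = {"as": int(parts[2]),
                                   "state": "Established" if up else parts[-1],
                                   "prefixes": int(parts[-1]) if up else None}
    return neighbors


def flagged(proposal):
    """Warnings for algorithms in a '/'-separated proposal string."""
    return [f"{a}: {FLAGGED_ALGORITHMS[a]}" for a in (proposal or "").split("/")
            if a in FLAGGED_ALGORITHMS]


def check_tunnel(ipsec_text, bgp_text, peer_ip, bgp_peer):
    """Return (healthy, findings). Algorithm warnings are reported, but only a
    missing SA or BGP session marks the tunnel unhealthy."""
    findings, healthy = [], True
    sas = [s for s in parse_ipsec_sa(ipsec_text) if f"peer-{peer_ip}-" in s["name"]]
    if not sas or sas[0]["state"] != "ESTABLISHED":
        findings.append(f"no ESTABLISHED IKE SA for peer {peer_ip}")
        healthy = False
    else:
        if not any(c["state"] == "INSTALLED" for c in sas[0]["children"]):
            findings.append("IKE SA up but no INSTALLED ESP child SA; no traffic flows")
            healthy = False
        findings += [f"IKE proposal uses {w}" for w in flagged(sas[0]["proposal"])]
        for child in sas[0]["children"]:
            findings += [f"ESP proposal uses {w}" for w in flagged(child["proposal"])]
    nbr = parse_bgp_summary(bgp_text).get(bgp_peer)
    if nbr is None or nbr["state"] != "Established":
        findings.append(f"BGP neighbor {bgp_peer} not established")
        healthy = False
    elif nbr["prefixes"] == 0:
        findings.append(f"BGP neighbor {bgp_peer} established but received 0 prefixes")
        healthy = False
    return healthy, findings


if __name__ == "__main__":
    ok, notes = check_tunnel(IPSEC_SA_SAMPLE, BGP_SUMMARY_SAMPLE, "2.2.2.2", "10.1.255.254")
    print("healthy" if ok else "UNHEALTHY", *notes, sep="\n - ")
```

On the output above the check reports healthy, with warnings for the 1024-bit DH group and SHA-1 integrity. A BGP row whose last column is a state name such as `Active` or `Idle`, or an IKE SA with no INSTALLED child, comes back unhealthy, which is what you want a monitoring hook to alert on.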