EdgeRouter - Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)


Overview


Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between a Microsoft Azure VPN gateway and an EdgeRouter, using BGP over a virtual tunnel interface (VTI) to exchange routes between the two sites. Azure offers two kinds of Site-to-Site VPN: Policy-Based (IKEv1) and Route-Based (IKEv2).

Microsoft recommends Route-Based IKEv2 VPNs over Policy-Based IKEv1 VPNs because they offer additional connectivity features: Point-to-Site VPNs, active routing support (BGP), multiple tunnels with ECMP and metric-based routing, Active-Active Azure gateway configurations for redundancy, transit routing with Point-to-Site, Dead Peer Detection (DPD) and Virtual Network Peering.

NOTES & REQUIREMENTS:
Applicable to EdgeOS firmware v1.10.0 and up on all EdgeRouter models. Familiarity with the Command Line Interface (CLI) and advanced networking knowledge are required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.
 
More info about Azure VPNs and their requirements can be found here.
 
Devices used in this article: EdgeRouter X (ER-X), as shown in the network diagram below.

Table of Contents


  1. Network Diagram
  2. Configuring a Route-Based VPN
  3. Setting up the Azure Gateway
  4. Testing and Verification
  5. Related Articles

Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouter and Azure:

ER-X (AS 65510)

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24
  • vti0 - no address

Azure VGW (AS 65515)

  • Virtual Gateway - 192.0.2.1
  • Virtual Network - 172.16.0.0/22
  • Default Subnet - 172.16.1.0/24

The type of VPN that will be created is a VTI over IKEv2/IPsec tunnel. BGP runs across the tunnel to exchange the local and remote subnets between the sites, so no static routes for the remote networks are needed; the only static route is the one for the Azure BGP peering address (step 9 below).

[Network diagram: azure_bgp_topology_new.png]


Configuring a Route-Based VPN



For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Enable the auto-firewall-nat-exclude feature, which automatically adds the firewall and NAT exclusion rules for IPsec traffic to the iptables firewall.

set vpn ipsec auto-firewall-nat-exclude enable

3. Create the IKE / Phase 1 (P1) Security Associations (SAs) and set the key-exchange to IKEv2.

set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

4. Create the ESP / Phase 2 (P2) SAs and disable Perfect Forward Secrecy (PFS).

set vpn ipsec esp-group FOO0 lifetime 27000
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
NOTE: AES-256 with SHA1 and DH group 2 (1024-bit MODP) is accepted by the Azure gateway's default policy, which is why it is used here, but SHA1 and 1024-bit Diffie-Hellman are legacy choices. Azure also supports stronger algorithms (for example SHA256 with DH group 14 or ECP256/ECP384) through a custom IPsec/IKE policy on the Azure connection; if you configure one, change the hash and dh-group values of the FOO0 ike-group and esp-group above to match, otherwise the proposals will not overlap and the tunnel will not establish. For the full list of supported algorithms please see the Microsoft article here.

5. Define the public IP address of the Azure Virtual Network Gateway as the IPsec peer and set the connection-type to respond.

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 connection-type respond
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
ATTENTION: It is of vital importance that the connection-type is set to respond, so that the EdgeRouter waits for the Azure gateway to initiate the IKE exchange instead of initiating it itself.

6. Link the SAs created above to the Azure peer and bind the VPN to a virtual tunnel interface (vti0).

set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0

7. Configure the virtual tunnel interface (vti0) without an IP address assigned to it.

set interfaces vti vti0

8. Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1350 so that TCP segments plus the ESP and outer IP overhead fit in the path MTU without fragmentation.

set firewall options mss-clamp interface-type vti
set firewall options mss-clamp mss 1350

9. Create a static route for the Azure BGP peering address, pointing at the tunnel interface.

set protocols static interface-route 172.16.0.254/32 next-hop-interface vti0
NOTE: The Azure BgpPeeringAddress (172.16.0.254 in this article) is shown in step 8 of the Azure Gateway configuration below; Azure allocates it from the GatewaySubnet.

10. Create a prefix-list for BGP that will be used to filter advertised and received prefixes. The deny rules keep the gateway and peering host addresses out of BGP, and the permit rules limit the exchange to the two site subnets, so the Azure peer cannot inject other prefixes (such as a default route) into the EdgeRouter's routing table and the EdgeRouter only ever announces its LAN.

set policy prefix-list BGP rule 10 action deny
set policy prefix-list BGP rule 10 description deny-localgw
set policy prefix-list BGP rule 10 prefix 203.0.113.1/32

set policy prefix-list BGP rule 20 action deny
set policy prefix-list BGP rule 20 description deny-remotegw
set policy prefix-list BGP rule 20 prefix 192.0.2.1/32

set policy prefix-list BGP rule 30 action deny
set policy prefix-list BGP rule 30 description deny-localpeer
set policy prefix-list BGP rule 30 prefix 192.168.1.1/32

set policy prefix-list BGP rule 40 action deny
set policy prefix-list BGP rule 40 description deny-remotepeer
set policy prefix-list BGP rule 40 prefix 172.16.0.254/32

set policy prefix-list BGP rule 100 action permit
set policy prefix-list BGP rule 100 description permit-localsubnet
set policy prefix-list BGP rule 100 prefix 192.168.1.0/24

set policy prefix-list BGP rule 110 action permit
set policy prefix-list BGP rule 110 description permit-remotesubnet
set policy prefix-list BGP rule 110 prefix 172.16.0.0/22

11. Define the BGP neighbor and peering options. The Azure peer is reached over vti0 and is not directly connected, hence ebgp-multihop 2, and the session is sourced from the LAN address 192.168.1.1, which must match the BgpPeeringAddress of the Azure Local Network Gateway (step 9 of the Azure configuration below).

set protocols bgp 65510 neighbor 172.16.0.254 ebgp-multihop 2
set protocols bgp 65510 neighbor 172.16.0.254 prefix-list export BGP
set protocols bgp 65510 neighbor 172.16.0.254 prefix-list import BGP
set protocols bgp 65510 neighbor 172.16.0.254 remote-as 65515
set protocols bgp 65510 neighbor 172.16.0.254 soft-reconfiguration inbound
set protocols bgp 65510 neighbor 172.16.0.254 update-source 192.168.1.1

set protocols bgp 65510 timers holdtime 180
set protocols bgp 65510 timers keepalive 60

12. Advertise the local subnet into BGP.

set protocols bgp 65510 network 192.168.1.0/24

13. Commit the changes and save the configuration.

commit ; save

Setting up the Azure Gateway



The Microsoft Azure side of the Site-to-Site VPN connection is based on this Microsoft Site-to-Site article and this PowerShell article.

GUI: Access the Azure Management Portal.

1. Create a Virtual Network.

Dashboard > New > Networking > Virtual Network

Name: ServerNetwork
Address Space: 172.16.0.0/22
Subnet name: default
Subnet Address Space: 172.16.1.0/24
Resource Group: ServerNetwork

2. Create a Gateway Subnet.

Dashboard > Virtual Networks > ServerNetwork > Subnets > + Gateway subnet

Name: GatewaySubnet (Required / cannot be changed)
Address Range: 172.16.0.0/24 (must lie within the Virtual Network address space and must not overlap the default subnet)
NOTE: It is also possible to create the Virtual Network and Gateway Subnet via PowerShell.

[Screenshot: create_virtual_network___add_subnet.png]

PowerShell: Run Windows PowerShell (PS) as an administrator.

General info on how to use Windows PowerShell to manage Azure can be found in this Microsoft article.

1. Verify the presence of the PowerShellGet module.

Get-Module PowerShellGet -list | Select-Object Name,Version,Path
Name          Version Path
----          ------- ----
PowerShellGet 1.0.0.1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 
NOTE: Windows 10 includes the PowerShellGet module by default. Modules can be downloaded here.

2. Set the PowerShell Execution Policy so that the signed module scripts can run. RemoteSigned, scoped to the current user, is sufficient; Unrestricted is not needed and allows unsigned scripts from any source to run.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

3. Install the AzureRM (Resource Manager) PowerShell module.

Install-Module AzureRM
NOTE: The AzureRM module has since been superseded by the Az module. The equivalent Az cmdlets replace the AzureRm prefix with Az (for example New-AzVirtualNetworkGateway, New-AzLocalNetworkGateway, New-AzVirtualNetworkGatewayConnection); the parameters used in this article are unchanged.

4. Connect to your Azure Resource Manager Account and select your subscription.

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName "<subscription name>"

5. Verify the Virtual Network created in the Azure Portal above (only relevant output is shown).

Get-AzureRmVirtualNetwork -ResourceGroupName "ServerNetwork"
Name                   : ServerNetwork
ResourceGroupName      : ServerNetwork
Location               : eastus
ProvisioningState      : Succeeded
AddressSpace           : {
                          "AddressPrefixes": [
                            "172.16.0.0/22"
                          ]
                        }
Subnets                : [
                          {
                            "Name": "default",
                            "AddressPrefix": "172.16.1.0/24",
                            "ProvisioningState": "Succeeded"
                          },
                          {
                            "Name": "GatewaySubnet",
                            "AddressPrefix": "172.16.0.0/24",
                            "ProvisioningState": "Succeeded"
                          }
                        ]

6. Define aliases (variables) that will be used in the Virtual Network Gateway configuration.

  • $Resource The name of the Resource Group (ServerNetwork).
  • $Location The Azure location.
  • $vNet The Virtual Network created earlier (ServerNetwork).
  • $PublicIP The public IP address resource, allocated by Azure, that the Virtual Gateway will use (VirtualGateway).
  • $GatewaySubnet The Gateway Subnet created earlier (GatewaySubnet).
  • $GatewayIP The gateway IP configuration that binds the Gateway Subnet and the public IP to the Virtual Gateway (VirtualGateway).

$Resource = "ServerNetwork"
$Location = "East US"
$vNet = Get-AzureRmVirtualNetwork -Name "ServerNetwork" -ResourceGroupName $Resource
$PublicIP = New-AzureRmPublicIpAddress -Name VirtualGateway -ResourceGroupName $Resource -Location $Location -AllocationMethod Dynamic
$GatewaySubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vNet
$GatewayIP = New-AzureRmVirtualNetworkGatewayIpConfig -Name "VirtualGateway" -Subnet $GatewaySubnet -PublicIpAddress $PublicIP

7. Create the Virtual Network Gateway and define the BGP AS.

New-AzureRmVirtualNetworkGateway -Name "VirtualGateway" -ResourceGroupName $Resource -Location $Location -IpConfigurations $GatewayIP -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 -Asn 65515
NOTE: The provisioning process for a new Virtual Gateway will take time. The VpnGw1 Stock-Keeping Unit (SKU) or higher is required for BGP support on the Virtual Network Gateway. More info about SKUs can be found in this Microsoft article.

8. Verify the Virtual Gateway settings (only relevant output is shown).

Get-AzureRmVirtualNetworkGateway -Name "VirtualGateway" -ResourceGroupName "ServerNetwork"
Name                   : VirtualGateway
ResourceGroupName      : ServerNetwork
Location               : eastus
ProvisioningState      : Succeeded
GatewayType            : Vpn
VpnType                : RouteBased
Sku                    : {
                          "Capacity": 10,
                          "Name": "VpnGw1",
                          "Tier": "VpnGw1"
                        }
BgpSettings            : {
                          "Asn": 65515,
                          "BgpPeeringAddress": "172.16.0.254",
                          "PeerWeight": 0
                        }

9. Create the Local Network Gateway and define the BGP AS.

  • GatewayIpAddress The public IP address of the EdgeRouter.
  • AddressPrefix The local subnet behind the EdgeRouter.
  • BgpPeeringAddress The BGP neighbor IP address on the EdgeRouter (the update-source configured in step 11 of the EdgeRouter configuration).
  • Asn The Autonomous System Number of the EdgeRouter.

New-AzureRmLocalNetworkGateway -Name "LocalGateway" -ResourceGroupName $Resource -Location $Location -GatewayIpAddress "203.0.113.1" -AddressPrefix "192.168.1.0/24" -Asn 65510 -BgpPeeringAddress "192.168.1.1"

10. Verify the Local Gateway settings (only relevant output is shown).

Get-AzureRmLocalNetworkGateway -Name "LocalGateway" -ResourceGroupName "ServerNetwork"
Name                     : LocalGateway
ResourceGroupName        : ServerNetwork
Location                 : eastus
ProvisioningState        : Succeeded
GatewayIpAddress         : 203.0.113.1
LocalNetworkAddressSpace : {
                            "AddressPrefixes": [
                              "192.168.1.0/24"
                            ]
                          }
BgpSettings              : {
                            "Asn": 65510,
                            "BgpPeeringAddress": "192.168.1.1",
                            "PeerWeight": 0
                          }

11. Define aliases (variables) for both the VirtualGateway and the LocalGateway.

$VirtualConnection = Get-AzureRmVirtualNetworkGateway -Name "VirtualGateway" -ResourceGroupName $Resource
$LocalConnection = Get-AzureRmLocalNetworkGateway -Name "LocalGateway" -ResourceGroupName $Resource

12. Create and initiate the Virtual Gateway Connection.

  • Name The locally significant name of the VPN connection.
  • VirtualNetworkGateway1 The Virtual Gateway created earlier (VirtualGateway).
  • LocalNetworkGateway2 The Local Gateway created earlier (LocalGateway).
  • SharedKey The pre-shared-secret between the sites (replace <secret> with the same passphrase configured on the EdgeRouter in step 5).
  • EnableBGP Needs to be set to true, otherwise BGP is not operational.

New-AzureRmVirtualNetworkGatewayConnection -Name "IPsecER" -ResourceGroupName $Resource -VirtualNetworkGateway1 $VirtualConnection -LocalNetworkGateway2 $LocalConnection -Location $Location -ConnectionType IPsec -SharedKey '<secret>' -EnableBGP $True

13. Verify the Virtual Gateway Connection (only relevant output is shown).

Get-AzureRmVirtualNetworkGatewayConnection -Name "IPsecER" -ResourceGroupName "ServerNetwork"
Name                    : IPsecER
ResourceGroupName       : ServerNetwork
Location                : eastus
ProvisioningState       : Succeeded
ConnectionStatus        : Connected
EgressBytesTransferred  : 3854
IngressBytesTransferred : 3104

[Screenshot: servernetwork___virtualgateway.png]

[Screenshot: local_gateway___connection.png]
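The Azure-side procedure above (steps 6 to 13), with the stronger-algorithm caveat from the EdgeRouter section applied and an Azure-side BGP check added, as one worked PowerShell example. This script is not part of the original article and is not Ubiquiti's or Microsoft's published configuration. It assumes the AzureRM.Network module in a version that provides New-AzureRmIpsecPolicy, Get-AzureRmVirtualNetworkGatewayBGPPeerStatus and Get-AzureRmVirtualNetworkGatewayLearnedRoute, that the VirtualGateway and LocalGateway objects from steps 7 and 9 already exist, and that the IPsecER connection from step 12 has not been created yet. The algorithm set (AES-256, SHA-256, DH group 14, no PFS) and the SA data-size limit are an illustrative stronger profile rather than values from the page; the EdgeRouter ike-group and esp-group FOO0 must be changed to hash sha256 and dh-group 14 to match, otherwise the proposals do not overlap and the tunnel will not come up.

```powershell
# Added example, not from the original article: create the BGP-enabled Azure connection
# with an explicit IPsec/IKE policy instead of the gateway defaults, then verify the
# tunnel and the BGP peering from the Azure side.
# Assumes AzureRM.Network with New-AzureRmIpsecPolicy and the BGP status cmdlets, and
# the VirtualGateway / LocalGateway objects created earlier in this article.

$Resource = "ServerNetwork"
$Location = "East US"

$VirtualConnection = Get-AzureRmVirtualNetworkGateway -Name "VirtualGateway" -ResourceGroupName $Resource
$LocalConnection   = Get-AzureRmLocalNetworkGateway   -Name "LocalGateway"   -ResourceGroupName $Resource

# Explicit proposal (illustrative): AES-256 / SHA-256 with DH group 14 for IKE,
# AES-256 / SHA-256 for ESP, PFS disabled to match "esp-group FOO0 pfs disable".
# The EdgeRouter ike-group/esp-group must use the same algorithms (hash sha256, dh-group 14).
$Policy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Read the pre-shared key from the operator instead of embedding it in the script,
# and release the unmanaged copy as soon as the cmdlet has consumed it.
$Secret = Read-Host -Prompt "Pre-shared key (same as on the EdgeRouter)" -AsSecureString
$Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
try {
    $PlainSecret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
    New-AzureRmVirtualNetworkGatewayConnection -Name "IPsecER" -ResourceGroupName $Resource -Location $Location `
        -VirtualNetworkGateway1 $VirtualConnection -LocalNetworkGateway2 $LocalConnection `
        -ConnectionType IPsec -SharedKey $PlainSecret -EnableBGP $True -IpsecPolicies $Policy | Out-Null
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
    $PlainSecret = $null
}

# Azure initiates the IKE exchange (the EdgeRouter is set to "respond"); poll until the
# connection reports Connected or give up after ten minutes.
$Deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $Conn = Get-AzureRmVirtualNetworkGatewayConnection -Name "IPsecER" -ResourceGroupName $Resource
    Write-Host ("{0}: ConnectionStatus={1}" -f (Get-Date -Format T), $Conn.ConnectionStatus)
} while ($Conn.ConnectionStatus -ne "Connected" -and (Get-Date) -lt $Deadline)

if ($Conn.ConnectionStatus -ne "Connected") {
    Write-Warning "Tunnel not established; check the proposals on both sides and the pre-shared key."
}

# BGP peering state as seen from the Azure gateway: the EdgeRouter (192.168.1.1, AS 65510)
# should be Connected with one route received (192.168.1.0/24).
Get-AzureRmVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName "VirtualGateway" -ResourceGroupName $Resource |
    Format-Table Neighbor, Asn, State, RoutesReceived, MessagesSent, MessagesReceived -AutoSize

# Prefixes the Azure gateway holds in its BGP table, including those learned from AS 65510.
Get-AzureRmVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName "VirtualGateway" -ResourceGroupName $Resource |
    Format-Table Network, NextHop, SourcePeer, AsPath, Origin -AutoSize
```

The Azure-side peer status is the counterpart of "show ip bgp summary" on the EdgeRouter in the Testing and Verification section: the neighbor listed there must be the LocalGateway BgpPeeringAddress, and the route count must agree with the prefixes the EdgeRouter shows as announced.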


Testing and Verification



1. Verify the IPsec Security Associations (SAs) and tunnel status.

show vpn ipsec sa
peer-192.0.2.1-tunnel-vti: #2, ESTABLISHED, IKEv2, ecdf3193545e701f:ee1b587910cc8b32
 local  '203.0.113.1' @ 203.0.113.1
 remote '192.0.2.1' @ 192.0.2.1
 AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 established 787s ago, rekeying in 27228s
 peer-192.0.2.1-tunnel-vti: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96
   installed 787 ago, rekeying in 25448s, expires in 26213s
   in  c92b831a,   4180 bytes,    85 packets,     3s ago
   out 596eba1a,   3366 bytes,    62 packets,     3s ago
   local  0.0.0.0/0
   remote 0.0.0.0/0
NOTE: If there is no (or only partial) output, the tunnel is not established. Verify that both the in and out traffic counters are increasing and that the local and remote traffic selectors are listed as 0.0.0.0/0: a VTI carries whatever the routing table sends to vti0, so the IPsec policy itself must match all traffic.

2. Verify the IPsec strongSwan configuration file.

sudo cat /etc/ipsec.conf
# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

conn peer-192.0.2.1-tunnel-vti
       left=203.0.113.1
       right=192.0.2.1
       leftsubnet=0.0.0.0/0
       rightsubnet=0.0.0.0/0
       ike=aes256-sha1-modp1024!
       keyexchange=ikev2
       reauth=no
       ikelifetime=28800s
       esp=aes256-sha1!
       keylife=27000s
       rekeymargin=540s
       type=tunnel
       compress=no
       authby=secret
       mark=9437186
       auto=route
       keyingtries=1
#conn peer-192.0.2.1-tunnel-vti

3. Capture the IPsec traffic on the WAN interface.

sudo tcpdump -i eth0 -n udp dst port 500 or port 4500 or esp
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 I ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 R ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 I ident[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 R ident[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others R oakley-quick[E]
NOTE: This is a live capture of IKE traffic; encrypted payloads are marked [E]. The sample output above was taken from an IKEv1 negotiation (Main Mode "ident" and Quick Mode "oakley-quick" exchanges). With key-exchange ikev2 as configured in this article, tcpdump labels the same packets as ikev2_init and ikev2_auth exchanges instead.

4. Follow the strongSwan IKE log messages.

sudo swanctl --log
[KNL] creating acquire job for policy 192.168.1.10/32[icmp/8] === 172.16.1.10/32[icmp/8] with reqid {1}
[IKE] initiating Main Mode IKE_SA peer-192.0.2.1-tunnel-1[1] to 192.0.2.1
[ENC] generating ID_PROT request 0 [ SA V V V V ]
[NET] sending packet: from 203.0.113.1[500] to 192.0.2.1[500] (160 bytes)
[NET] received packet: from 192.0.2.1[500] to 203.0.113.1[500] (108 bytes)
[ENC] parsed ID_PROT response 0 [ SA V ]
[IKE] received NAT-T (RFC 3947) vendor ID
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA peer-192.0.2.1-tunnel-1[1] established between 203.0.113.1[203.0.113.1]...192.0.2.1[192.0.2.1]
[ENC] generating QUICK_MODE request 561157166 [ HASH SA No ID ID ]
[ENC] parsed QUICK_MODE response 561157166 [ HASH SA No ID ID N((24576)) ]
[IKE] <peer-192.0.2.1-tunnel-vti|1> CHILD_SA peer-192.0.2.1-tunnel-vti{1} established with SPIs and TS 0.0.0.0/0               
NOTE: This is a live capture of the strongSwan log. The messages shown are from an IKEv1 negotiation (Main Mode ID_PROT and QUICK_MODE exchanges). With key-exchange ikev2 the log shows IKE_SA_INIT and IKE_AUTH exchanges instead, and the first CHILD_SA is established as part of IKE_AUTH; the final "CHILD_SA ... established with SPIs and TS 0.0.0.0/0" line is what to look for in either case.

5. Verify the BGP neighborship.

show ip bgp summary
BGP router identifier 203.0.113.1, local AS number 65510
BGP table version is 9
2 BGP AS-PATH entries
0 BGP community entries
Neighbor                 V   AS   MsgRcv    MsgSen TblVer   InQ   OutQ    Up/Down   State/PfxRcd
172.16.0.254             4 65515   46         41       9      0      0  00:38:32               2

show ip bgp neighbors 172.16.0.254
BGP neighbor is 172.16.0.254, remote AS 65515, local AS 65510, external link
 BGP version 4, remote router ID 172.16.0.254
 BGP state = Established, up for 00:39:26
 Last read 00:39:26, hold time is 180, keepalive interval is 60 seconds
 Configured hold time is 180, keepalive interval is 60 seconds
 Neighbor capabilities:
   Route refresh: advertised and received (new)
   4-Octet ASN Capability: advertised and received
   Address family IPv4 Unicast: advertised and received
   Address family IPv6 Unicast: received
 Received 47 messages, 0 notifications, 0 in queue
 Sent 43 messages, 0 notifications, 0 in queue
 Route refresh request: received 0, sent 0
 Minimum time between advertisement runs is 30 seconds
 Update source is 192.168.1.1
For address family: IPv4 Unicast
 BGP table version 10, neighbor version 9
 Index 1, Offset 0, Mask 0x2
   Graceful restart: received
 Inbound soft reconfiguration allowed
 Community attribute sent to this neighbor (both)
 Inbound path policy configured
 Outbound path policy configured
 Incoming update prefix filter list is *BGP
 Outgoing update prefix filter list is *BGP
 2 accepted prefixes
 1 announced prefixes
Connections established 1; dropped 0
 External BGP neighbor may be up to 2 hops away.
Local host: 192.168.1.1, Local port: 179
Foreign host: 172.16.0.254, Foreign port: 49328
Nexthop: 192.168.1.1
Nexthop global: fe80::46d9:e7ff:fe50:8bbf
Nexthop local: ::
BGP connection: non shared network

6. Verify the BGP route advertisement and reception.

show ip bgp
BGP table version is 9, local router ID is 203.0.113.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, l - labeled
             S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric    LocPrf       Weight Path
*>  192.168.1.0/24   0.0.0.0                       100          32768    i
*>  172.16.0.0/22    172.16.0.254         0                     0       65515 i

show ip bgp 192.168.1.0/24
BGP routing table entry for 192.168.1.0/24
Paths: (2 available, best #1, table Default-IP-Routing-Table)
 Advertised to non peer-group peers:
 172.16.0.254
 Local
   0.0.0.0 from 0.0.0.0 (203.0.113.1)
     Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
     Last update: Tue Jul  4 20:35:08 2017
 65515
   172.16.0.254 from 172.16.0.254 (172.16.0.254)
     Origin IGP, metric 0, localpref 100, valid, external
     Last update: Tue Jul  4 20:39:21 2017

show ip bgp 172.16.0.0/22
BGP routing table entry for 172.16.0.0/22
Paths: (1 available, best #1, table Default-IP-Routing-Table)
 Not advertised to any peer
 65515
   172.16.0.254 from 172.16.0.254 (172.16.0.254)
     Origin IGP, metric 0, localpref 100, valid, external, best
     Last update: Tue Jul  4 20:39:21 2017

show ip bgp neighbors 172.16.0.254 received-routes
BGP table version is 10, local router ID is 203.0.113.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric    LocPrf       Weight Path
*>  192.168.1.0/24     172.16.0.254                               0       65515 i
*>  192.168.1.1/32     172.16.0.254                               0       65515 i
*>  172.16.0.0/22    172.16.0.254                               0       65515 i

show ip bgp neighbors 172.16.0.254 advertised-routes
BGP table version is 10, local router ID is 203.0.113.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric    LocPrf       Weight Path
*>  192.168.1.0/24     192.168.1.1                     100          32768   i

7. Verify the routing table.

show ip route
B    *> 172.16.0.0/22 [20/0] via 172.16.0.254 (recursive is directly connected, vti0) ), 00:22:56

8. Verify the Azure Virtual Gateway Connection (only relevant output is shown).

Get-AzureRmVirtualNetworkGatewayConnection -Name "IPsecER" -ResourceGroupName "ServerNetwork"

Name                    : IPsecER
ResourceGroupName       : ServerNetwork
Location                : eastus
ProvisioningState       : Succeeded
ConnectionStatus        : Connected
EgressBytesTransferred  : 3854
IngressBytesTransferred : 3104
NOTE: More info on how to use Windows PowerShell to manage Azure can be found in this Microsoft article.

Related Articles

