BGP over IPsec Connection
A BGP over IPsec external connection uses the IPsec tunneling protocol and Border Gateway Protocol (BGP) routing. This allows an Aviatrix gateway to establish a secure connection to an on-premises router or firewall and dynamically exchange routes with it.
In this document, Local Gateway refers to the Aviatrix gateway that you want to connect to a remote device.
Supported Gateways
- Transit Gateway in all clouds
- Spoke Gateway with BGP enabled in AWS and Azure
- Edge Transit Gateway in all edge platforms
External Connection Settings
For information about the options that you can configure for a Site2Cloud (S2C) external connection, refer to About External Connection Settings.
Workflow
To set up a BGP over IPsec external connection:
- In Aviatrix CoPilot, go to Networking > Connectivity > External Connections (S2C) tab.
- From the + External Connection dropdown menu, select External Device.
- In Create External Connection to External Device, provide the following information:
  Name: A name for the connection.
  Type: Select BGP over IPsec.
  Local Gateway: The Local Gateway on which you want to create an external connection to a remote device. Spoke Gateways only display in this list if BGP is enabled for the Spoke Gateway.
- In the IPsec Configuration section, provide the following information:
  Attach Over: The underlying infrastructure of your network.
  - Private Network: Your underlying infrastructure is a private network, such as AWS Direct Connect or Azure ExpressRoute. When this option is selected, BGP over IPsec runs over private IP addresses.
  - Public Network: Your underlying infrastructure is a public network or the internet. When this option is selected, BGP over IPsec runs over public IP addresses.
  Jumbo Frame: Jumbo Frame improves the throughput between the Local Gateway and the remote device.
  - You must enable Jumbo Frame on the Local Gateway before creating the external connection.
  - Jumbo Frame is only supported on private connections whose underlying network supports Jumbo Frame.
  Algorithms: The encryption algorithm and protocol used to authenticate and encrypt the communication between the Aviatrix gateway and the on-premises device.
  - Default: The default Aviatrix-supported encryption algorithms.
  - Custom: Allows you to modify the default algorithm values.
  Internet Key Exchange: Internet Key Exchange (IKE) is the protocol used for authentication and encryption of packets between the Aviatrix gateway and the on-premises device.
  - IKEv1: Connects to the remote site using the IKEv1 protocol. If you configure IKEv1 in a connection that uses certificate-based authentication and is connecting to another Aviatrix device, you must add the intermediate CAs in addition to the root CA. When an intermediate CA is renewed and re-authentication is attempted, the connection will go down until you add the new certificate.
  - IKEv2: Connects to the remote site using the IKEv2 protocol. This is the recommended protocol.
- In the BGP Configuration section, provide the following information:
  Local ASN: The BGP AS Number the Local Gateway will use to exchange routes with the remote device.
  ActiveMesh: ActiveMesh enables full mesh peering to the remote devices from the primary and highly available (HA) Local Gateways. When ActiveMesh is Off, point-to-point tunnels are created instead of a full mesh.
  BFD: Use the BFD toggle to turn on the Bidirectional Forwarding Detection (BFD) network protocol, which enables rapid detection of a link or node failure between the Local Gateway and the remote peer.
  Manual Learned CIDR Approval: Use the Manual Learned CIDR Approval toggle to turn on the Learned CIDR approval process. When Learned CIDR approval is On, an email notification is sent to administrators to approve dynamically learned CIDRs before they are propagated to Spoke VPC and VNet route tables. When Learned CIDR approval is Off, all dynamically learned CIDRs are automatically propagated to the Spoke VPC and VNet route tables.
  Advertise BGP Communities: The BGP communities to advertise to the BGP peer.
  BGP Multihop: Use the BGP Multihop toggle to turn on BGP Multihop. BGP Multihop enables the Local Gateway to establish a BGP session with a remote device that is not directly connected. The BGP Multihop setting on the external connection must match the multihop setting on the remote device to establish a BGP session.
- In the Tunnel Configuration section, provide the following information:
  Remote Device Tunnel Destination IP: The remote device interface IP address.
  Remote ASN: The BGP AS Number that the remote device will use to exchange routes with the Local Gateway. The Remote ASN should be the same for the primary and HA Local Gateways.
  BGP Local IP (Optional): The local tunnel inner CIDR range allowed to communicate over the VPN tunnel.
  BGP Neighbor IP (Optional): The remote tunnel inner CIDR range allowed to communicate over the VPN tunnel.
  Tunnel Source IP: (Edge Transit Gateway only) An Edge Transit Gateway can have multiple WAN interfaces. Use Tunnel Source IP to specify which WAN interface to use for this connection. For Transit Gateway, this setting defaults to the eth0 IP address.
  Pre-Shared Key (Optional): The Pre-Shared Key configured on the external device. If a Pre-Shared Key is not specified, the system auto-generates a key.
  To connect the gateway to another remote device, click +Remote Device and enter the remote device's IP address and ASN information.
- Click Save.
The new BGP over IPsec external connection appears in the table.
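The following pre-flight check is an added example, not Aviatrix code or part of the original page: it models the settings collected in the workflow above and flags the combinations the page says cannot work (Jumbo Frame over a public network, an invalid IKE version or ASN, a non-public peer address on a public attachment) before the Save button is pressed. The field names, the sample 169.254.x.x inner addresses and the assumption that BGP Local IP and BGP Neighbor IP number one point-to-point subnet are mine.

```python
import ipaddress
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Ranges that cannot be the far end of a tunnel attached over a public network.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

@dataclass
class BgpIpsecConn:
    """Settings from the CoPilot dialog (field names mirror the page)."""
    name: str
    attach_over: str                       # "private" or "public"
    jumbo_frame: bool
    ike_version: int                       # 1 or 2
    local_asn: int
    remote_asn: int
    remote_tunnel_ip: str                  # Remote Device Tunnel Destination IP
    bgp_local_ip: Optional[str] = None     # e.g. "169.254.10.1/30" (constructed)
    bgp_neighbor_ip: Optional[str] = None  # e.g. "169.254.10.2/30" (constructed)
    pre_shared_key: Optional[str] = None

def check_connection(c: BgpIpsecConn) -> List[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems = []
    if c.attach_over not in ("private", "public"):
        problems.append("Attach Over must be 'private' or 'public'")
    if c.jumbo_frame and c.attach_over != "private":
        problems.append("Jumbo Frame is only supported on private connections")
    if c.ike_version not in (1, 2):
        problems.append("Internet Key Exchange must be IKEv1 or IKEv2")
    for label, asn in (("Local", c.local_asn), ("Remote", c.remote_asn)):
        if not 1 <= asn <= 4294967295:
            problems.append(f"{label} ASN {asn} is not a valid 16- or 32-bit AS number")
    try:
        peer = ipaddress.ip_address(c.remote_tunnel_ip)
        if c.attach_over == "public" and any(peer in n for n in NON_PUBLIC):
            problems.append(f"{peer} is not a public address but Attach Over is public")
    except ValueError:
        problems.append(f"Tunnel Destination IP {c.remote_tunnel_ip!r} is not an IP address")
    # Assumption: the optional inner CIDRs come as a pair and share one subnet.
    if (c.bgp_local_ip is None) != (c.bgp_neighbor_ip is None):
        problems.append("BGP Local IP and BGP Neighbor IP must be set together")
    elif c.bgp_local_ip is not None:
        local = ipaddress.ip_interface(c.bgp_local_ip)
        neigh = ipaddress.ip_interface(c.bgp_neighbor_ip)
        if local.network != neigh.network or local.ip == neigh.ip:
            problems.append("BGP Local IP and BGP Neighbor IP must be distinct hosts in one subnet")
    return problems

def effective_psk(c: BgpIpsecConn) -> str:
    """Use the operator's Pre-Shared Key, or generate one when none was given."""
    return c.pre_shared_key or secrets.token_urlsafe(32)
```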