BGP over IPsec Connection

A BGP over IPsec external connection combines the IPsec tunneling protocol with Border Gateway Protocol (BGP) routing. It lets an Aviatrix gateway establish an encrypted connection to an on-premises router or firewall and exchange routes with it dynamically instead of relying on static route entries.

In this document, Local Gateway refers to the Aviatrix gateway that you want to connect to a remote device.

Supported Gateways

  • Transit Gateway in all clouds

  • Spoke Gateway with BGP enabled in AWS and Azure

  • Edge Transit Gateway in all edge platforms

External Connection Settings

For information about the options that you can configure for a Site2Cloud (S2C) external connection, refer to About External Connection Settings.

Workflow

To set up a BGP over IPsec external connection:

  1. In Aviatrix CoPilot, go to Networking > Connectivity > External Connections (S2C) tab.

  2. From the + External Connection dropdown menu, select External Device.

  3. In Create External Connection to External Device, provide the following information:

    Field

    Description

    Name

    A name for the connection.

    Type

    Select BGP over IPsec.

    Local Gateway

    The Local Gateway on which you want to create an external connection to a remote device.

    Spoke Gateways only display in this list if BGP is enabled for the Spoke Gateway.

  4. In the IPsec Configuration section, provide the following information:

    Field Description

    Attach Over

    The underlying infrastructure of your network.

    • Private Network: Your underlying infrastructure is a private network, such as AWS Direct Connect and Azure ExpressRoute. When this option is selected, BGP over IPsec runs over private IP addresses.

    • Public Network: Your underlying infrastructure is a public network or the internet. When this option is selected, BGP over IPsec runs over public IP addresses.

    Jumbo Frame

    Jumbo Frame raises the frame size the tunnel can carry and so improves throughput between the Local Gateway and the remote device.

    • You must enable Jumbo Frame on the Local Gateway before creating the external connection.

    • Jumbo Frame is supported only when Attach Over is Private Network and the underlying private link (for example AWS Direct Connect or Azure ExpressRoute) itself supports jumbo frames. It is not available over public connections.

    Algorithms

    The encryption, integrity and key-exchange algorithms used to authenticate and protect traffic between the Aviatrix gateway and the on-premises device. The remote device must be configured with matching algorithms, otherwise the IKE negotiation fails and the tunnel never comes up.

    • Default: The default Aviatrix-supported encryption algorithms.

    • Custom: Allows you to modify the algorithm default values.

    Internet Key Exchange

    Internet Key Exchange (IKE) is the protocol that authenticates the two peers and negotiates the keys and security associations that are then used to encrypt packets between the Aviatrix gateway and the on-premises device.

    • IKEv1: Connects to the remote site using IKEv1 protocol.

      If you configure IKEv1 in a connection that uses certificate-based authentication and is connecting to another Aviatrix device, you must add the intermediate CAs in addition to the root CA. When an intermediate CA is renewed and re-authentication is attempted, the connection will go down until you add the new certificate.

    • IKEv2: Connects to the remote site using IKEv2 protocol. This is the recommended protocol.

  5. In the BGP Configuration section, provide the following information:

    Field

    Description

    Local ASN

    The BGP AS Number the Local Gateway will use to exchange routes with the remote device.

    ActiveMesh

    ActiveMesh enables full mesh peering to the remote devices from the primary and highly available (HA) Local Gateways.

    When ActiveMesh is Off, point-to-point tunnels are created instead of full mesh.

    BFD

    Use the BFD toggle to enable Bidirectional Forwarding Detection (BFD), a protocol that detects a link or node failure between the Local Gateway and the remote peer far faster than BGP keepalives alone, so traffic fails over to a surviving tunnel sooner. BFD must also be enabled on the remote peer for a session to form.

    Manual Learned CIDR Approval

    Use the Manual Learned CIDR Approval toggle to turn on the Learned CIDR approval process.

    When Learned CIDR approval is On, an email notification is sent to administrators, who must approve each dynamically learned CIDR before it is propagated to Spoke VPC and VNet route tables. This gives you a chance to reject routes that a misconfigured or compromised peer should not be able to inject, such as a default route or a prefix that overlaps your cloud address space.

    When Learned CIDR approval is Off, every dynamically learned CIDR is automatically propagated to the Spoke VPC and VNet route tables, so the remote device's BGP advertisements directly control cloud routing.

    Advertise BGP Communities

    The BGP communities to advertise to the BGP peer.

    BGP Multihop

    Use the BGP Multihop toggle to turn on BGP Multihop.

    BGP Multihop enables the Local Gateway to establish a BGP session with the remote device that is not directly connected.

    The BGP multihop setting on the external connection must match the multihop setting on the remote device to establish a BGP session.

  6. In the Tunnel Configuration section, provide the following information:

    Field Description

    Remote Device Tunnel Destination IP

    The IP address of the remote device's tunnel endpoint, that is, the address to which the Local Gateway sends IKE and IPsec traffic. Use a private address when Attach Over is Private Network and a public address when it is Public Network.

    Remote ASN

    The BGP AS Number that the remote device will use to exchange routes with the Local Gateway.

    The Remote ASN should be the same for the primary and HA Local Gateways.

    BGP Local IP (Optional)

    The inner IP address of the Local Gateway's end of the tunnel, in CIDR form. The BGP session runs between this address and the BGP Neighbor IP, so both must sit in the same small subnet (typically a /30). If not specified, the system assigns one.

    BGP Neighbor IP (Optional)

    The inner IP address of the remote device's end of the tunnel, in CIDR form, which the Local Gateway uses as its BGP neighbor address. It must be in the same subnet as the BGP Local IP and must be configured on the remote device's tunnel interface.

    Tunnel Source IP

    (Edge Transit Gateway only) An Edge Transit Gateway can have multiple WAN interfaces. Use Tunnel Source IP to specify which WAN interface to use for this connection.

    For Transit Gateway, this setting defaults to the eth0 IP address.

    Pre-Shared Key (Optional)

    The Pre-Shared Key that is also configured on the external device; IKE authentication succeeds only if both ends hold the identical key. If you do not specify a key, the system generates a random one, which you must then copy to the remote device. Prefer a long random value over a memorable phrase.

    To connect the gateway to another remote device, click +Remote Device and enter the remote device’s IP address and ASN information.

  7. Click Save.

    The new BGP over IPsec external connection appears in the table.
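The following is an added example, not code from the Aviatrix documentation or product. It takes the values entered in the form above (Local ASN, Remote ASN, Remote Device Tunnel Destination IP, BGP Local IP, BGP Neighbor IP, IKE version, Pre-Shared Key) and does two things a practitioner needs after clicking Save: it checks the values for the mistakes that most often leave the tunnel or BGP session down, and it renders the matching remote-side configuration for an on-premises device running strongSwan (swanctl.conf) and FRR (bgpd). Every address, ASN and key is a constructed sample; the connection name, the XFRM interface id 42 and the 16-character key threshold are assumptions for illustration.

```python
"""Added example (not Aviatrix code): validate the BGP over IPsec form values and
render the on-premises side as strongSwan swanctl.conf and FRR bgpd config.
All addresses, ASNs and keys are constructed sample values."""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Connection:
    name: str
    local_gateway_ip: str    # Tunnel Source IP of the Local Gateway
    remote_device_ip: str    # Remote Device Tunnel Destination IP
    local_asn: int           # Local ASN (Aviatrix side)
    remote_asn: int          # Remote ASN (on-premises side)
    bgp_local_ip: str        # BGP Local IP (tunnel inner address, CIDR form)
    bgp_neighbor_ip: str     # BGP Neighbor IP (tunnel inner address, CIDR form)
    ike_version: int = 2
    multihop: bool = False
    bfd: bool = False
    pre_shared_key: Optional[str] = None


def validate(conn: Connection) -> list:
    """Return human-readable problems; an empty list means the form is consistent."""
    problems = []
    for label, asn in (("Local ASN", conn.local_asn), ("Remote ASN", conn.remote_asn)):
        if not 1 <= asn <= 4294967295:
            problems.append(f"{label} {asn} is outside the valid BGP ASN range")
    local = ipaddress.ip_interface(conn.bgp_local_ip)
    neigh = ipaddress.ip_interface(conn.bgp_neighbor_ip)
    if local.network != neigh.network:
        problems.append("BGP Local IP and BGP Neighbor IP are not in the same tunnel subnet")
    if local.ip == neigh.ip:
        problems.append("BGP Local IP and BGP Neighbor IP must be different addresses")
    if conn.ike_version == 1:
        problems.append("IKEv1 selected; IKEv2 is the recommended protocol")
    if conn.pre_shared_key is not None and len(conn.pre_shared_key) < 16:
        problems.append("Pre-Shared Key is shorter than 16 characters (assumed minimum)")
    return problems


def ensure_psk(conn: Connection) -> str:
    """Mirror the auto-generate behaviour: if no PSK was given, create a random one."""
    if conn.pre_shared_key is None:
        conn.pre_shared_key = secrets.token_urlsafe(32)
    return conn.pre_shared_key


def render_swanctl(conn: Connection) -> str:
    """swanctl.conf for the on-premises side; route-based via XFRM interface id 42 (assumed)."""
    psk = ensure_psk(conn)
    return f"""connections {{
    {conn.name} {{
        version = {conn.ike_version}
        local_addrs = {conn.remote_device_ip}
        remote_addrs = {conn.local_gateway_ip}
        local {{ auth = psk }}
        remote {{ auth = psk }}
        children {{
            {conn.name}-child {{
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                if_id_in = 42
                if_id_out = 42
                start_action = start
            }}
        }}
    }}
}}
secrets {{
    ike-{conn.name} {{
        id = {conn.local_gateway_ip}
        secret = "{psk}"
    }}
}}
"""


def render_frr(conn: Connection, advertised: list) -> str:
    """FRR bgpd config: the on-premises side peers with the Aviatrix BGP Local IP."""
    peer = str(ipaddress.ip_interface(conn.bgp_local_ip).ip)
    lines = [f"router bgp {conn.remote_asn}",
             f" neighbor {peer} remote-as {conn.local_asn}"]
    if conn.multihop:   # must match the BGP Multihop toggle on the external connection
        lines.append(f" neighbor {peer} ebgp-multihop")
    if conn.bfd:        # must match the BFD toggle on the external connection
        lines.append(f" neighbor {peer} bfd")
    lines.append(" address-family ipv4 unicast")
    lines += [f"  network {cidr}" for cidr in advertised]
    lines.append(" exit-address-family")
    return "\n".join(lines) + "\n"


# Constructed sample matching the form fields described above.
SAMPLE = Connection(
    name="avx-dc1", local_gateway_ip="203.0.113.10", remote_device_ip="198.51.100.20",
    local_asn=65001, remote_asn=65010,
    bgp_local_ip="169.254.10.1/30", bgp_neighbor_ip="169.254.10.2/30",
    ike_version=2, multihop=False, bfd=True)

if __name__ == "__main__":
    print(validate(SAMPLE) or "form is consistent")
    print(render_swanctl(SAMPLE))
    print(render_frr(SAMPLE, ["192.168.0.0/16"]))
```

Note how the roles swap on the remote side: the CoPilot BGP Local IP (169.254.10.1) is the FRR neighbor, and the BGP Neighbor IP (169.254.10.2/30) is the address the on-premises device assigns to its tunnel interface (the XFRM interface with if_id 42, whose creation is outside this block). Multihop and BFD are emitted only when the corresponding toggles are on, because both must match on the two ends for the session to establish.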
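The Manual Learned CIDR Approval setting in step 5 exists because a BGP peer can advertise any prefix it likes. The following added example (not Aviatrix code) writes down the review an administrator would perform on each approval notification as a function, so the same policy is applied every time: it rejects a default route, any prefix overlapping the cloud address space, and anything outside the ranges this site is expected to announce. The cloud and on-premises ranges, the approval cap and the learned prefixes are constructed sample values.

```python
"""Added example (not Aviatrix code): policy check for dynamically learned CIDRs,
modelling the decision made when Manual Learned CIDR Approval is on.
All ranges and learned prefixes are constructed sample values."""
import ipaddress

# Assumed: address space already used by Spoke VPCs/VNets. A learned route that
# overlaps it would pull cloud-internal traffic towards the on-premises peer.
CLOUD_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/16", "10.1.0.0/16")]
# Assumed: the only ranges this particular on-premises site is expected to advertise.
EXPECTED_FROM_PEER = [ipaddress.ip_network(c) for c in ("192.168.0.0/16", "172.16.0.0/12")]
MAX_APPROVED = 100  # assumed cap to keep route tables within cloud provider limits


def review_learned_cidrs(learned):
    """Split dynamically learned prefixes into (approved list, {rejected: reason})."""
    approved, rejected = [], {}
    for text in learned:
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as err:
            rejected[text] = f"malformed: {err}"
            continue
        overlap = next((c for c in CLOUD_CIDRS if net.overlaps(c)), None)
        if net.prefixlen == 0:
            rejected[text] = "default route; a remote peer must not become the cloud's exit"
        elif overlap is not None:
            rejected[text] = f"overlaps cloud CIDR {overlap}"
        elif not any(net.subnet_of(e) for e in EXPECTED_FROM_PEER):
            rejected[text] = "outside the address space expected from this peer"
        elif len(approved) >= MAX_APPROVED:
            rejected[text] = "approval cap reached"
        else:
            approved.append(text)
    return approved, rejected


# Constructed sample notification: what a misconfigured or compromised peer might send.
SAMPLE_LEARNED = ["192.168.10.0/24", "0.0.0.0/0", "10.0.5.0/24",
                  "8.8.8.0/24", "172.16.0.0/12", "192.168.20.1/24"]

if __name__ == "__main__":
    ok, bad = review_learned_cidrs(SAMPLE_LEARNED)
    print("approve:", ok)
    for cidr, why in bad.items():
        print("reject :", cidr, "-", why)
```

With approval Off, all six prefixes above would land in the Spoke route tables unreviewed, including the default route and the 10.0.5.0/24 that shadows part of a Spoke VPC; with approval On, only the two expected on-premises prefixes are approved.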