Site to Site VPN (BGP)

Ajay Chauhan 41

Hello,

While creating site to site over routed VPN I see this configuration which actually works fine.

! Tunnel interface (VTI) configuration

! - Create/configure a tunnel interface

! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any

!   other address on this device. This is not visible from the Azure gateway.

! * REPLACE: Tunnel interface numbers and APIPA IP addresses below

! * Default tunnel interface 11 (169.254.0.1) and 12 (169.254.0.2)

int tunnel 11

  ip address 169.254.0.1 255.255.255.255

My question, what would be Azure end IP address, even Ok if you can not see on gateway ?

what IP address will be used to run BGP on top of this configuration ?

Any step by step example would be apricated, I am using cisco router on remote.

GitaraniSharma-MSFT 49,616 Reputation points Microsoft Employee

2023-03-27T02:22:53.93+00:00

Hello @Ajay Chauhan ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Could you please provide some more details about your requirement?

Based on my understanding, you would like to know which IP should be configured on Azure VPN gateway end for APIPA BGP IP address. Is that correct?

As you can see from the Azure VPN BGP document, if you are enabling BGP on Azure VPN gateway, you get optional field for Azure APIPA BGP IP address.

If your on-premises VPN devices use APIPA address for BGP, you must select an address from the Azure-reserved APIPA address range for VPN, which is from 169.254.21.0 to 169.254.22.255.

If you're creating an active-active VPN gateway, the BGP section will show an additional Second Custom Azure APIPA BGP IP address. Each address you select must be unique and be in the allowed APIPA range (169.254.21.0 to 169.254.22.255). Active-active gateways also support multiple addresses for both Azure APIPA BGP IP address and Second Custom Azure APIPA BGP IP address. Additional inputs will only appear after you enter your first APIPA BGP IP address.

NOTE: By default, Azure assigns a private IP address from the GatewaySubnet prefix range automatically as the Azure BGP IP address on the VPN gateway. The custom Azure APIPA BGP address is needed when your on premises VPN devices use an APIPA address (169.254.0.1 to 169.254.255.254) as the BGP IP. VPN Gateway will choose the custom APIPA address if the corresponding local network gateway resource (on-premises network) has an APIPA address as the BGP peer IP. If the local network gateway uses a regular IP address (not APIPA), VPN Gateway will revert to the private IP address from the GatewaySubnet range.

Regards,

Gita

Ajay Chauhan 41

Thanks Gita,

I have this configuration running on router which works with static route to reach azure resources.

int tunnel 11
  ip address 169.254.0.1 255.255.255.255

Now I want to enable BGP, while active active is disabled . Does that mean I need to configure 169.254.21.x IP on VPN gateway and run BGP between 
169.254.0.1 & 169.254.21.x ?

GitaraniSharma-MSFT 49,616 Reputation points Microsoft Employee

2023-03-29T12:37:09.04+00:00

@Ajay Chauhan , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.
GitaraniSharma-MSFT 49,616 Reputation points Microsoft Employee

2023-04-03T13:49:03.5266667+00:00

@Ajay Chauhan , could you please provide an update on this post? Kindly let us know if the below helps or you need further assistance on this issue.
Benjamin Nguyen 0 Reputation points

2024-01-25T20:11:55.74+00:00

Hi @GitaraniSharma-MSFT , Can you explain the behavior if a VPN GW already has an IP assigned from the gateway subnet and APIPA addressing is then enabled? My understanding is any existing BGP peers not using the 169.254.0.0/16 space would not need to be updated to point to the 169.254.21.x or 169.254.22.x IP. So the VPN GW will use both addresses for peering, it just depends on the remote end. Thanks!

2 answers

GitaraniSharma-MSFT 49,616 Reputation points Microsoft Employee

2023-03-28T09:17:06.2266667+00:00

Hello @Ajay Chauhan ,

I understand you have created a site-to-site VPN connection with route-based VPN between Azure and your on-prem Cisco VPN device which is working fine with static routes, and you are able to reach Azure resources. Now you would like to enable BGP on your below existing configuration with active-active disabled and would like to know which IP should be configured on Azure VPN gateway for BGP.

int tunnel 11

ip address 169.254.0.1 255.255.255.255

I'm not sure what your complete Cisco side configuration is, but it looks like you've not enabled BGP on Cisco VPN device yet.

Could you please let me know what does the 169.254.0.1 address specifies in your configuration? The config you shared says int tunnel 11, and I believe this is just the inner address of your tunnel and has nothing to do with BGP.

Only if your on-premises VPN devices use APIPA address for BGP, you must select an address from the Azure-reserved APIPA address range for VPN, which is from 169.254.21.0 to 169.254.22.255.

Refer: https://zcusa.951200.xyz/en-us/azure/vpn-gateway/bgp-howto#2-create-testvnet1-gateway-with-bgp

Your on-premises BGP peer address must not be the same as the public IP address of your VPN device or from the virtual network address space of the VPN gateway. You can use a different IP address on the VPN device for your BGP peer IP. It can be an address assigned to the loopback interface on the device (either a regular IP address or an APIPA address).

Refer: https://zcusa.951200.xyz/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#what-are-the-requirements-for-the-bgp-peer-ip-addresses-on-my-vpn-device

So, if you use a regular IP address as your BGP IP on Cisco device, then you don't have to use APIPA BGP IP addresses on your Azure VPN gateway and by default, Azure will assign a private IP address from the GatewaySubnet prefix range automatically as the Azure BGP IP address on the VPN gateway.

But if you use an APIPA address as your BGP IP on Cisco device, then you must use Azure-reserved APIPA address range for VPN gateway (169.254.21.0 to 169.254.22.255).

If you need help with Cisco side configuration script, you can download a configuration script for your VPN device from Azure portal with the corresponding values of your Azure VPN gateway, virtual network, and on-premises network address prefixes, and VPN connection properties, etc. already filled in.

Refer: https://zcusa.951200.xyz/en-us/azure/vpn-gateway/vpn-gateway-download-vpndevicescript

You can go to the site-to-site connection of your VPN gateway in Azure portal and on Overview pane, select Download configuration and then select the device vendor, device family & firmware version to download the configuration script for the required device. You can choose Cisco ASA VTI with BGP or some other option depending upon your requirement.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Carlos T 5 Reputation points

2023-12-05T17:21:36.7366667+00:00

Hi @GitaraniSharma-MSFT

Im having the same requirement posted by Ajay. I need to replace static routing with BGP on the IPSEC tunnel between a Cisco ASA firewall and the Azure VPN Gateway. This is because we will later enable express route with BGP, and we want to use the express route as the primary, and the IPSEC as a backup. For this we need BGP running on both Express route and IPSEC.

For the IPSEC, Im using APIPA addressing 169.254.0.1/30 on the ASA tunnel interface that is going to Azure.

Not sure if Ajay confirmed it is working for him after the help you provided? Can you have a look at below, and check if this is the procedure for migrating from static routing to BGP? Im adding the Cisco ASA on premise commands too on the procedure.

The deployment we are using with static routes and APIPA addressing for the ASA tunnel interfaces is working fine and is taken from the following link

https://www.petenetlive.com/KB/Article/0001515?unapproved=453664&moderation-hash=186d357e74a18b8778682c8062a610fa#comment-453664

Here is my scenario:

I have setup this solution using static routing and using APIPA addressing on the tunnel interface (169.254.0.1/30) and it works fine, but now I need to replace the static routing with BGP, because we plan to add an express route link as a primary and use the Ipsec S2S as a backup. And for this we need BGP running on Both express route and IPSec S2S tunnels. For the IPSEC S2S tunnel, the tunnel interface on the ASA firewall is the following interface Tunnel1 nameif vti-azvpn ip address 169.254.0.1 255.255.255.252 tunnel source interface outside tunnel destination x.x.x.x (x.x.x.x is the public IP of the Azure VPN GW) tunnel mode ipsec ipv4 tunnel protection ipsec profile Azure-Ipsec-PROF route vti-azvpn 10.0.0.0 255.255.255.255 169.254.0.2 (10.0.0.0/24 is as Azure VNET Subnet) On Azure according to the following link, there is a reserved range for BGP when the On premise is using APIPA Addressing. On Azure, the APIPA range for BGP is 169.254.21.0 to 169.254.22.255. https://zcusa.951200.xyz/en-us/azure/vpn-gateway/bgp-howto So, per my understanding, the migration procedure for moving from static routing to BGP when using APIPA addressing should be as follows? Do you agree? 1. On Azure VPN GW, enable BGP, Local AS (65115 default), and Set the "Custom Azure APIPA BGP IP Address" field, set to: 169.254.21.1" 2. On ASA, add a static route to reach the Azure BGP PEER IP 169.254.21.1 with next hop the tunnel interface towards azure: 169.254.0.2 route vti-azvpn 169.254.21.1 255.255.255.255 169.254.0.2 4. On ASA enable BGP with multihop to build and ebgp session with the Azure VPN GW APIPA Addressing 169.254.21.2 router bgp 65010 address-family ipv4 unicast neighbor 169.254.21.1 remote-as 65515 neighbor 169.254.21.1 ebgp-multihop 255 neighbor 169.254.21.1 activate network 169.254.0.0 mask 255.255.255.252 no auto-summary no synchronization exit-address-family After this, we should see the BGP Session is UP, but routing is still static because on the local network gateway "ASA" is still configured with the address space that represents the on premise networks behind the ASA, and on the ASA we still have the routes towards the Azure VNETS configured as static routes with next hop the tunnel interface 169.254.0.2 5. On the ASA to move from static to dynamic bgp learned routes, we remove the static routes to the Azure VNETs, so they are learned over BGP. NO route vti-azvpn 10.0.0.0 255.255.255.255 169.254.0.2 (10.0.0.0/24 is as Azure VNET Subnet) 6. On Azure VPN GW to move from static to dynamic bgp learned routes, we remove the Address space configured (so on premise networks are now learned dynamically over bgp). And I think that should be all? Any thoughts? Dont have a change to test it yet, but I think this should work. So finally, the design of using BGP with APIPA Addressing is based on that the ASA is using the tunnel interface ip address "169.254.0.1" to establish a ebgp multihop peering with Azure VPN GW "169.254.21.1". Thanks!

GitaraniSharma-MSFT 49,616 Reputation points Microsoft Employee

2023-12-06T14:49:19.08+00:00

Hello @Carlos T ,

The migration procedure you shared above seems fine; except I don't see the S2S connection configuration change.

You need to enable BGP on the Azure VPN connection as well.

https://zcusa.951200.xyz/en-us/azure/vpn-gateway/bgp-howto#to-update-an-existing-connection

Cisco ASA doc:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/214109-configure-asa-ipsec-vti-connection-to-az.html

Regards,

Gita

Carlos T 5 Reputation points

2023-12-06T14:59:49.14+00:00

Hi @GitaraniSharma-MSFT

Thanks for spotting that critical part :)

Sure I added now to my procedure, and will plan to do this on the upcoming week.

Thanks for all your help!

CT

Lavakumar R 36 Reputation points

2024-02-27T16:24:49.2666667+00:00

Hi @GitaraniSharma-MSFT Based on Carlos T's mentioned steps, for the Azure VPN Gateway, he activated BGP and incorporated custom APIPA addresses, specifically 169.254.21.1 (outlined in step 1). Can you clarify the IP that should be configured on the local network gateway for this set up?

GitaraniSharma-MSFT 49,616 Reputation points Microsoft Employee

2024-03-04T11:31:54.2966667+00:00

Hello @Lavakumar R ,

On the local network gateway, you will add the Public IP address of the VPN device that you want to connect to from Azure.

As mentioned in the below how-to document,

https://zcusa.951200.xyz/en-us/azure/vpn-gateway/bgp-howto#1-create-a-local-network-gateway

When you create the local network gateway:

Name: add a name

IP address: The IP address of the gateway endpoint/VPN device you want to connect to.

Address spaces: If BGP is enabled, no address space is required.

To configure BGP settings, go to the Advanced page.

Configure BGP settings: Yes

Autonomous system number (ASN): ASN number that is configured in the On-prem VPN device.

BGP peer IP address: The BGP IP address of the on-premise VPN Device or APIPA IP address.

Important configuration considerations:

The ASN and the BGP peer IP address must match your on-premises VPN router configuration.

You can leave the Address space empty only if you're using BGP to connect to this network. Azure VPN gateway will internally add a route of your BGP peer IP address to the corresponding IPsec tunnel. If you're NOT using BGP between the VPN gateway and this particular network, you must provide a list of valid address prefixes for the Address space.

You can optionally use an APIPA IP address (169.254.x.x) as your on-premises BGP peer IP if needed. But you'll also need to specify an APIPA IP address as described earlier in this article for your VPN gateway, otherwise the BGP session can't establish for this connection.

You can enter the BGP configuration information during the creation of the local network gateway, or you can add or change BGP configuration from the Configuration page of the local network gateway resource.

Regards,

Gita
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Suman Bikram Singh 20 Reputation points

2024-10-07T04:05:43.4833333+00:00

While finding some VPN troubleshooting I found this discussion. I'm planing to complete a POC for multi cloud VPN tunnels between Azure, AWS and Google Cloud. VPN looks easy to configure without BGP (where APIPA are mentioned). I have a couple of questions may be this group can answer. At each cloud side they ask for ASN and BGP APIPA. How to get those values? Let's say if I'm setting up a VPN between Azure and AWS, then what would be the ASN at each side and what would be the BGP at each end? Also if I peer Azure with Google, again what would be the ASN and APIPA for Azure and Google cloud? I understand that some specific values are reserved for each environment . How to understand without copy and paste from online tutorials?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Site to Site VPN (BGP)

2 answers

Your answer