Community discussions

MikroTik App
 
fernandf
just joined
Topic Author
Posts: 9
Joined: Fri Feb 19, 2016 3:58 pm

Azure IPSEC tunel with BGP

Sun Nov 04, 2018 2:13 pm

Hi,

I have a RB951G-2HnD connected to Azure using IPSEC.

With static routing, it works without problem, but when I use BGP to pass the routes I'm not able to make it work.

I create the BGP peering and the routes are propagated both from Azure to my RB951G-2HnD and from the RB951G-2HnD to Azure. Although the routers are there, I cannot reach the azure remote networks (I only reach the Azure GW).

This is my config:

192.168.100.0/24 -> My local network.
192.168.200.0/24 -> The network where the Azure GW is connected to.
192.168.202.0/24 -> A test network in Azure with a VM.


/ip ipsec policy
add dst-address=192.168.202.254/32 sa-dst-address=a.b.c.d \
sa-src-address=a.b.c.d src-address=192.168.100.0/24 tunnel=yes

/ip ipsec peer
add address=a.b.c.d/32 dh-group=modp1024 enc-algorithm=aes-256,aes-128 \
exchange-mode=ike2 lifetime=8h secret=********

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=\
7h30m pfs-group=none

/routing bgp instance
set default as=65000 redistribute-connected=yes

/routing bgp peer
add multihop=yes name=peer1 remote-address=192.168.202.254 remote-as=65515 \
ttl=default

/ip firewall nat
add action=accept chain=srcnat comment=AzureNAT-BGP dst-address=\
192.168.202.0/24 src-address=192.168.100.0/24
add action=accept chain=srcnat comment=AzureNAT-BGP2 dst-address=\
192.168.200.0/24 src-address=192.168.100.0/24

/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.100.0/24 src-address=\
192.168.202.0/24
add action=notrack chain=prerouting dst-address=192.168.202.0/24 src-address=\
192.168.100.0/24
add action=notrack chain=prerouting dst-address=192.168.100.0/24 src-address=\
192.168.200.0/24
add action=notrack chain=prerouting dst-address=192.168.200.0/24 src-address=\
192.168.100.0/24

I have found some documentation using IPIP and GRE but these protocols are not supported in Azure. Any idea?

Regards.
 
fernandf
just joined
Topic Author
Posts: 9
Joined: Fri Feb 19, 2016 3:58 pm

Re: Azure IPSEC tunel with BGP

Sun Nov 04, 2018 10:08 pm

When you are configuring the Azure side, the system give you an example config script for different routers.

I have downloaded the Cisco ASR-ISR.

Cisco config attached. In theory, I would need an equivalent config for RouterOS.
You do not have the required permissions to view the files attached to this post.
 
Argon
just joined
Posts: 9
Joined: Mon Mar 26, 2012 12:17 pm

Re: Azure IPSEC tunel with BGP

Tue Dec 03, 2019 3:11 pm

To have fully functional BGP over IPSec tunnel, you need the support of Route-based IPSec, or as others called it VTI.

With VTI, you have a dedicated interface for IPSec tunnel, and policy is set to allow any to any within this tunnel, and then you manage your traffic on the route level, instead of managing IPSec policies.

Mikrotik does not have this feature, though it requested 10 years ago (check the forum).

You can still connect Mikrotik to Azure route-based Gateway and advertise your routes to Azure via Mikrotik BGP instance, but the routes received from Azure will not work on Mikrotik.

You have to use static IPSec policies on the Mikrotik level. As I tested, Azure gateway does not support transport IPSec mode, only tunnel mode. So creating Transport IPsec policy for IPIP tunnel on Mikrotik will not work...
 
pe1chl
Forum Guru
Forum Guru
Posts: 9009
Joined: Mon Jun 08, 2015 12:09 pm

Re: Azure IPSEC tunel with BGP

Tue Dec 03, 2019 4:33 pm

I don't know how flexible that Azure gateway is (probably not very...) but it should still be possible to layer an IPIP or GRE tunnel on top of a tunnel-mode IPsec policy, and that should work.
(I have done this between MikroTik and plain Linux systems)
 
Argon
just joined
Posts: 9
Joined: Mon Mar 26, 2012 12:17 pm

Re: Azure IPSEC tunel with BGP

Tue Dec 03, 2019 5:07 pm

I spent a couple of sleepless nights trying to make IPIP work with Azure gateway, and no success. Would appreciate if you find a way to make it work...

As i found, the issue with Azure Gateway is it requires Tunnel mode and does not work in transport IPsec mode.
 
dieselsuxx
just joined
Posts: 4
Joined: Sat Feb 29, 2020 10:05 pm

Re: Azure IPSEC tunel with BGP

Mon Aug 02, 2021 3:12 pm

I know this is an old thread, but maybe I can save someone from sleepless nights with this info:
Azure supports only 3 OSI layer 4 protocols: TCP/IP, UDP and ICMP. Everything else is silently dropped. That means no OSPF, no IPIP, no EoIP, no GRE.
If you want to use something other than the mentioned 3 protocols, you'll need an L2TP connection and terminate it in a VM (like a Mikrotik CHR) in Azure.
 
hkusulja
Frequent Visitor
Frequent Visitor
Posts: 67
Joined: Fri Apr 13, 2012 1:14 am

Re: Azure IPSEC tunel with BGP

Tue Mar 01, 2022 6:12 am

Do did somebody make it work , I am also interested in BGP for both ways sharing / announcing routes
RouterOS 7.1.3 (stable)
 
User avatar
galvesribeiro
newbie
Posts: 34
Joined: Mon Apr 12, 2021 4:34 am

Re: Azure IPSEC tunel with BGP

Fri Apr 08, 2022 3:01 am

@hkusulja after 4 hours with Azure Premier support, we were able to get both IPSec tunnels up with Mikrotik and the BGP connection stablished on both tunnels as well Today. I'm receiving the VNet routes advertised by Azure and they appear both in my Routes table.

However, None of the routes I'm advertising from MikroTik are received and learned on the Azure side.

I'm using a CCR2004-1G-12S+2XS with RouterOS v7.1.5.

I wonder if anyone ever got that to work.

Thank you!
 
OlofL
Member Candidate
Member Candidate
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: Azure IPSEC tunel with BGP

Tue May 03, 2022 12:33 pm

@hkusulja after 4 hours with Azure Premier support, we were able to get both IPSec tunnels up with Mikrotik and the BGP connection stablished on both tunnels as well Today. I'm receiving the VNet routes advertised by Azure and they appear both in my Routes table.

However, None of the routes I'm advertising from MikroTik are received and learned on the Azure side.

I'm using a CCR2004-1G-12S+2XS with RouterOS v7.1.5.

I wonder if anyone ever got that to work.

Thank you!
And? What did you end up using? Do you have a routed interface? IPIP? GRE?
 
manolito2112
just joined
Posts: 3
Joined: Wed Feb 28, 2018 11:55 pm

Re: Azure IPSEC tunel with BGP

Wed Aug 31, 2022 6:32 pm

it does advertise to azure via BGP, make sure to add your networks in (Mikrotik BGP Networks) unless you have BGP redistribute defined, also make sure to enable EBGP Multihop you are not using VTI subnet

Who is online

Users browsing this forum: No registered users and 4 guests