You can configure BGP settings for SD-WAN Gateways over IPsec tunnels.

Only eBGP is supported with BGP over IPsec.

Note: It is recommended to use eBGP between the SD-WAN Gateway and NSD sites. If iBGP is used, setting local preference in an outbound filter has no effect; in that case, use the metric or AS path prepend options to achieve the desired routing.

To configure the BGP settings for a Gateway:

Prerequisites

Note: The Azure vWAN Automation from Gateway feature is not compatible with BGP over IPsec, because only static routes are supported when connectivity from a Gateway to an Azure vWAN is automated.

Ensure that you have configured the following:

Note: It is recommended to turn on Distributed Cost Calculation for best performance and scaling when using BGP over IPsec via Gateway. The Distributed Cost Calculation is supported starting from Release 3.4.0.

For more information on Distributed Cost Calculation, refer to the Configure Distributed Cost Calculation section in the VMware SD-WAN Operator Guide available at: https://docs.vmware.com/en/VMware-SD-WAN/index.html.

Procedure

  1. In the Enterprise portal, click Configure > Network Services.
  2. In the Non SD-WAN Destinations via Gateway area, click the Edit link in the BGP column that corresponds to the Non SD-WAN Destination.
  3. In the BGP Editor window, click the slider to ON to configure the BGP settings.
    1. Click Add Filter to create one or more filters. A filter is applied to a neighbor to deny routes or to change their attributes. The same filter can be used for multiple neighbors.
      In the Create BGP Filter window, set the rules for the filter.
      Option: Description
      Filter Name: Enter a descriptive name for the BGP filter.
      Match Type and Value: Choose the type of route to be matched by the filter:
      • Prefix: Match on a prefix; enter the prefix in the Value field.
      • Community: Match on a community; enter the community string in the Value field.
      Exact Match: The filter action is performed only when a BGP route matches the specified prefix or community string exactly. This option is enabled by default.
      Action Type: Choose the action to perform when a BGP route matches the specified prefix or community string: permit or deny the matching route.
      Set: When a BGP route matches the specified criteria, you can modify a path attribute of that route. Select one of the following options from the drop-down list:
      • None: The attributes of the matching routes remain unchanged.
      • Local Preference: Sets the specified local preference on the matching routes.
      • Community: Sets the specified community string on the matching routes.
      • Metric: Sets the specified metric value on the matching routes.
      • AS-Path-Prepend: Prepends one or more Autonomous System (AS) entries to the AS path of the matching routes.
      Click the plus ( +) icon to add more matching rules for the filter.
      Click OK.
      Repeat the procedure to create more BGP filters.
      The configured filters are displayed in the BGP Editor window.
    2. In the BGP Editor window, configure the BGP settings for the Primary and Secondary Gateways.
      Note: The Secondary Gateway option is available only if you have configured a secondary Gateway for the corresponding Non SD-WAN Destination.
      Note: In a deployment where a Non VMware SD-WAN Destination (NSD) via Gateway is configured to use redundant tunnels, if the Primary and Secondary Gateways advertise a prefix with an equal AS path over the Primary and Secondary NSD tunnels, the NSD's primary tunnel prefers the path via the redundant Gateway over the path via the Primary Gateway. This affects only return traffic from the NSD to the Gateway.

      If you do not want the NSD's BGP router to prefer the redundant Gateway, the workaround is to configure an outbound filter on the redundant Gateway that prepends the AS path and sets a higher metric (3 or more) for the advertised prefix. This ensures that the NSD's primary tunnel chooses the Primary Gateway for return traffic.

      Option: Description
      Local ASN: Enter the local Autonomous System Number (ASN).
      Router ID: Enter the BGP Router ID.
      Neighbor IP: Enter the IP address of the BGP neighbor.
      ASN: Enter the ASN of the neighbor.
      Inbound Filter: Select an inbound filter from the drop-down list.
      Outbound Filter: Select an outbound filter from the drop-down list.
      Additional Options: Click the view all link to configure the following additional settings:
      Local IP: The local IP address is the equivalent of a loopback IP address. Enter an IP address that the BGP neighborship uses as the source IP address for outgoing packets.
      Max-hop: Enter the maximum number of hops to enable multi-hop for the BGP peers. For the 5.1 release and later, the range is from 2 to 255 and the default value is 2.
      Note: When upgrading to the 5.1 release, any max-hop value of 1 is automatically updated to 2.
      Note: This field is available only for eBGP neighbors, that is, when the local ASN and the neighbor's ASN are different.
      Allow AS: Select the checkbox to allow BGP routes to be received and processed even if the Gateway detects its own ASN in the AS path.
      Default Route: Adds a network statement to the BGP configuration to advertise the default route to the neighbor.
      Enable BFD: Subscribes the BGP neighbor to the existing BFD session.
      Keep Alive: Enter the keepalive timer in seconds, which is the interval between keepalive messages sent to the peer. The range is from 1 to 65535 seconds. The default value is 60 seconds.
      Hold Timer: Enter the hold timer in seconds. When no keepalive message is received from the peer within this time, the peer is considered down. The range is from 1 to 65535 seconds. The default value is 180 seconds. By convention the hold timer is set to three times the keepalive interval, as the defaults are.
      Connect: Enter the interval, in seconds, between attempts to open a new TCP connection to the peer while the session is not established. The default value is 120 seconds.
      MD5 Auth: Select the checkbox to enable BGP MD5 authentication (TCP MD5 signatures, RFC 2385). Every TCP segment of the session is signed with a shared secret, so a peer rejects spoofed segments and resets that do not carry a valid signature; both peers must be configured with the same password. This option is commonly required in legacy or federal networks. MD5 is not a strong algorithm by current standards, but here the peering runs inside the IPsec tunnel, which already authenticates and encrypts the traffic.
      MD5 Password: Enter the password for MD5 authentication. It must match the password configured on the neighbor.
    3. Click OK to save the changes.
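The filter table above and the redundant-Gateway note in step 2 describe behaviour that is easier to see in code. The following added example (written for this page, not VMware's code or the Gateway's implementation) models the BGP filter actions (prefix and community match, Exact Match, permit and deny, the Set options) and a simplified best-path decision, then reproduces the note: with an equal AS path from both Gateways the NSD's tie-break lands on the redundant Gateway, and the documented workaround (AS path prepend plus a metric of 3 or more on the redundant Gateway's outbound filter) makes the Primary Gateway win. All ASNs, prefixes, next hops and router IDs are constructed; the non-exact match semantics, the rule evaluation order and the router-ID tie-break are assumptions, not statements about the product.

```python
"""Added example, not VMware's code: a toy model of the BGP Editor's filter
actions (prefix/community match, Exact Match, permit/deny, Set) and of the
best-path tie-break behind the redundant-Gateway note. ASNs, prefixes,
next hops and router IDs are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple              # leftmost ASN is the most recent hop
    next_hop: str
    peer_router_id: str         # used only as the last tie-break below
    local_pref: int = 100
    med: int = 0                # the editor calls this "Metric"
    communities: frozenset = frozenset()


@dataclass(frozen=True)
class FilterRule:
    match_type: str             # "prefix" or "community"
    value: str
    exact: bool = True          # the editor's "Exact Match" checkbox
    action: str = "permit"      # "permit" or "deny"
    set_attr: str = "none"      # none | local_preference | community | metric | as_path_prepend
    set_value: object = None


def rule_matches(rule, route):
    if rule.match_type == "prefix":
        want = ipaddress.ip_network(rule.value)
        have = ipaddress.ip_network(route.prefix)
        # Exact: identical prefix. Non-exact (assumption): any more-specific prefix.
        return have == want if rule.exact else have.subnet_of(want)
    if rule.match_type == "community":
        # Exact (assumption): the route carries only that community.
        return route.communities == {rule.value} if rule.exact else rule.value in route.communities
    raise ValueError(f"unknown match type {rule.match_type!r}")


def apply_filter(rules, route):
    """Run a filter over one route. Assumptions: rules are evaluated in order,
    each matching permit rule's Set is applied, the first matching deny drops
    the route (returns None), and a route matching no rule passes unchanged."""
    for rule in rules:
        if not rule_matches(rule, route):
            continue
        if rule.action == "deny":
            return None
        if rule.set_attr == "local_preference":
            route = replace(route, local_pref=int(rule.set_value))
        elif rule.set_attr == "metric":
            route = replace(route, med=int(rule.set_value))
        elif rule.set_attr == "community":
            route = replace(route, communities=route.communities | {rule.set_value})
        elif rule.set_attr == "as_path_prepend":
            asn, count = rule.set_value
            route = replace(route, as_path=(asn,) * count + route.as_path)
    return route


def best_path(candidates):
    """Simplified BGP decision process: highest local-pref, then shortest
    AS path, then lowest MED, then lowest peer router ID. Real stacks also
    compare origin, eBGP vs iBGP, IGP cost and path age; those are omitted."""
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path), r.med,
                                          ipaddress.ip_address(r.peer_router_id)))


GW_ASN = 65001                  # constructed ASN shared by both Gateways
PRIMARY_GW = Route("10.10.0.0/24", (GW_ASN,), "169.254.1.1", peer_router_id="10.0.0.2")
REDUNDANT_GW = Route("10.10.0.0/24", (GW_ASN,), "169.254.2.1", peer_router_id="10.0.0.1")

# The workaround from the note: on the redundant Gateway's outbound filter,
# prepend the AS path and raise the metric to 3 or more for the prefix.
WORKAROUND = [
    FilterRule("prefix", "10.10.0.0/24", set_attr="as_path_prepend", set_value=(GW_ASN, 2)),
    FilterRule("prefix", "10.10.0.0/24", set_attr="metric", set_value=3),
]


def nsd_return_path(redundant_outbound_filter):
    """Next hop the NSD picks for return traffic, given the outbound filter
    applied on the redundant Gateway (the primary advertises unfiltered)."""
    received = [PRIMARY_GW, apply_filter(redundant_outbound_filter, REDUNDANT_GW)]
    return best_path([r for r in received if r is not None]).next_hop


if __name__ == "__main__":
    # Equal AS paths: the tie-break lands on the redundant Gateway.
    print("no filter  ->", nsd_return_path([]))
    # After prepend + metric the primary Gateway wins on AS-path length.
    print("workaround ->", nsd_return_path(WORKAROUND))
```

Note that the prepend alone already decides the comparison in this model, because AS-path length is compared before MED; the metric is the second lever the note asks for, and it takes over only between paths of equal AS-path length.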
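The MD5 Auth and MD5 Password options in step 2 enable TCP MD5 signatures (RFC 2385). The following added example (written for this page, not VMware's code and not a description of how the Gateway or any particular NSD implements the option) builds and verifies a signed BGP segment the way the RFC specifies: the digest covers the IP pseudo-header, the fixed TCP header with the checksum zeroed, the payload and the shared password, and travels in TCP option kind 19. It then shows why the password must match on both peers and why an unsigned RST injected into the session is rejected. The addresses, ports, sequence numbers and the minimal BGP OPEN payload are constructed; the NOP padding after the option is one common layout and is an assumption.

```python
"""Added example, not VMware's code: what the MD5 Auth / MD5 Password options
put on the wire. RFC 2385 TCP MD5 signatures digest the IP pseudo-header, the
fixed TCP header (options excluded, checksum zeroed), the payload and the
shared password, and carry the result in TCP option kind 19. IP addresses,
ports, sequence numbers and the BGP OPEN payload below are constructed."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
HDR_LEN = 20            # fixed TCP header, no options
MD5_OPT_KIND = 19
MD5_OPT_LEN = 18        # kind, length, 16-byte digest
OPTIONS_LEN = 20        # MD5 option plus two NOPs to keep the header 32-bit aligned (assumed layout)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password):
    """RFC 2385 section 2: pseudo-header, fixed header with checksum zeroed,
    data, then the key. The pseudo-header length covers options too, so it is
    derived from the data offset field rather than from HDR_LEN."""
    data_offset = (tcp_header[12] >> 4) * 4
    pseudo = struct.pack("!4s4sBBH",
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed,
                         0, TCP_PROTO, data_offset + len(payload))
    zeroed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + zeroed + payload + password.encode()).digest()


def find_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                     # malformed option, treat as absent
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return bytes(options[i + 2:i + length])
        i += length
    return None


def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, payload, password, window=65535):
    """Signed segment as the sender builds it. The TCP checksum is left zero
    because it is not part of the signature and not the point of the example."""
    data_offset = (HDR_LEN + OPTIONS_LEN) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, header, payload, password)
    options = struct.pack("!BB16s", MD5_OPT_KIND, MD5_OPT_LEN, digest) + b"\x01\x01"
    return header + options + payload


def verify_segment(src_ip, dst_ip, segment, password):
    """Receiver check: a segment with no option, a tampered header or payload,
    or a different password fails. Constant-time compare avoids a timing oracle."""
    header = segment[:HDR_LEN]
    data_offset = (header[12] >> 4) * 4
    received = find_md5_option(segment[HDR_LEN:data_offset])
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header, segment[data_offset:], password)
    return hmac.compare_digest(received, expected)


def spoofed_rst(src_port, dst_port, seq):
    """An unsigned RST an on-path attacker might inject to tear down the session."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x04, 0, 0, 0)


# Constructed minimal BGP OPEN: marker, length 29, type 1, version 4,
# AS 65001, hold time 180, BGP identifier 10.0.0.2, no optional parameters.
BGP_OPEN = struct.pack("!16sHBBHH4sB", b"\xff" * 16, 29, 1, 4, 65001, 180,
                       ipaddress.ip_address("10.0.0.2").packed, 0)

if __name__ == "__main__":
    gw, nsd = "169.254.1.1", "169.254.1.2"
    seg = build_segment(gw, nsd, 45000, 179, 1000, 0, 0x18, BGP_OPEN, "s3cret")
    print("same password :", verify_segment(gw, nsd, seg, "s3cret"))
    print("wrong password:", verify_segment(gw, nsd, seg, "wrong"))
    print("spoofed RST   :", verify_segment(gw, nsd, spoofed_rst(45000, 179, 5000), "s3cret"))
```

Because the source and destination addresses are part of the digest, the signature is bound to the tunnel endpoints as well as to the password: a segment replayed from a different address pair fails verification even with the correct secret.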