You can configure BGP settings for SD-WAN Gateways over IPsec tunnels.

Only eBGP is supported with BGP over IPsec.

To configure the BGP settings for a Gateway:


Note: The Azure vWAN Automation from Gateway feature is not compatible with BGP over IPsec. This is because only static routes are supported when automating connectivity from a Gateway to an Azure vWAN.

Ensure that you have configured the following:

Note: It is recommended to turn on Distributed Cost Calculation for best performance and scaling when using BGP over IPsec via Gateway. The Distributed Cost Calculation is supported starting from Release 3.4.0.

For more information on Distributed Cost Calculation, refer to the Configure Distributed Cost Calculation section in the VMware SD-WAN Operator Guide available at:


  1. In the Enterprise portal, click Configure > Network Services.
  2. In the Non SD-WAN Destinations via Gateway area, click the Edit link in the BGP column that corresponds to the Non SD-WAN Destination.
  3. In the BGP Editor window, click the slider to ON to configure the BGP settings.
    1. Click Add Filter to create one or more filters. These filters are applied to the neighbor to deny or change the attributes of the route. The same filter can be used for multiple neighbors.
      In the Create BGP Filter window, set the rules for the filter.
      Option | Description
      Filter Name | Enter a descriptive name for the BGP filter.
      Match Type and Value | Choose the type of the routes to be matched with the filter:
        • Prefix: Choose to match with a prefix and enter the prefix IP address in the Value field.
        • Community: Choose to match with a community and enter the community string in the Value field.
      Exact Match | The filter action is performed only when the BGP routes match exactly with the specified prefix or community string. By default, this option is enabled.
      Action Type | Choose the action to be performed when the BGP routes match with the specified prefix or the community string. You can either permit or deny the traffic.
      Set | When the BGP routes match the specified criteria, you can set to route the traffic to a network based on the attributes of the path. Select one of the following options from the drop-down list:
        • None: The attributes of the matching routes remain the same.
        • Local Preference: The matching traffic is routed to the path with the specified local preference.
        • Community: The matching routes are filtered by the specified community string.
        • Metric: The matching traffic is routed to the path with the specified metric value.
        • AS-Path-Prepend: Allows prepending multiple entries of Autonomous System (AS) to a BGP route.
      Click the plus (+) icon to add more matching rules for the filter.
      Click OK.
      Repeat the procedure to create more BGP filters.
      The configured filters are displayed in the BGP Editor window.
    2. In the BGP Editor window, configure the BGP settings for the Primary and Secondary Gateways.
      Note: The Secondary Gateway option is available only if you have configured a secondary Gateway for the corresponding Non SD-WAN Destination.
      Option | Description
      Local ASN | Enter the local Autonomous System Number (ASN).
      Router ID | Enter the BGP Router ID.
      Neighbor IP | Enter the IP address of the BGP neighbor.
      ASN | Enter the ASN of the neighbor.
      Inbound Filter | Select an Inbound filter from the drop-down list.
      Outbound Filter | Select an Outbound filter from the drop-down list.
      Additional Options – Click the view all link to configure the following additional settings:
      Local IP | Local IP address is the equivalent of a loopback IP address. Enter an IP address that the BGP neighborships can use as the source IP address for the outgoing packets.
      Max-hop | Enter the number of maximum hops to enable multi-hop for the BGP peers. The range is from 1 to 255 and the default value is 1.
        Note: This field is available only for eBGP neighbors, when the local ASN and the neighboring ASN are different.
      Allow AS | Select the checkbox to allow the BGP routes to be received and processed even if the Gateway detects its own ASN in the AS-Path.
      Default Route | The Default Route adds a network statement in the BGP configuration to advertise the default route to the neighbor.
      Enable BFD | Enables subscription to the existing BFD session for the BGP neighbor.
      Keep Alive | Enter the keepalive timer in seconds, which is the duration between the keepalive messages that are sent to the peer. The range is from 1 to 65535 seconds. The default value is 60 seconds.
      Hold Timer | Enter the hold timer in seconds. When the keepalive message is not received for the specified time, the peer is considered as down. The range is from 1 to 65535 seconds. The default value is 180 seconds.
      Connect | Enter the time interval to try a new TCP connection with the peer if it detects that the TCP session is not passive. The default value is 120 seconds.
      MD5 Auth | Select the checkbox to enable BGP MD5 authentication. This option is used in legacy or federal networks as a security safeguard for BGP peering.
      MD5 Password | Enter a password for MD5 authentication.
    3. Click OK to save the changes.
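
As an added example (not VMware code and not an Orchestrator API), the following Python script reviews a planned neighbor configuration against the eBGP-only rule and the field ranges stated above before the values are entered in the BGP Editor. The dictionary keys, the 16-character MD5 password minimum and the warning rules are assumptions of this example.

```python
# Ranges and defaults as stated in the option tables above.
RANGES = {"max_hop": (1, 255), "keep_alive": (1, 65535), "hold_timer": (1, 65535)}
DEFAULTS = {"max_hop": 1, "keep_alive": 60, "hold_timer": 180, "allow_as": False,
            "default_route": False, "md5_auth": False, "md5_password": "",
            "inbound_filter": None}
MIN_MD5_PASSWORD_LEN = 16  # assumed local policy, not a product limit


def review_neighbor(cfg):
    """Return (errors, warnings) for one planned Gateway BGP neighbor."""
    # cfg is a hypothetical dict named after the BGP Editor fields.
    c = {**DEFAULTS, **cfg}
    errors, warnings = [], []
    # Only eBGP is supported with BGP over IPsec, so the ASNs must differ.
    if c["local_asn"] == c["neighbor_asn"]:
        errors.append("local ASN equals neighbor ASN: only eBGP is supported")
    for field, (low, high) in RANGES.items():
        if not low <= c[field] <= high:
            errors.append(f"{field} must be between {low} and {high}")
    if c["md5_auth"] and not c["md5_password"]:
        errors.append("MD5 Auth is enabled but no MD5 Password is set")
    # The review conventions below are assumptions of this example.
    if c["md5_auth"] and 0 < len(c["md5_password"]) < MIN_MD5_PASSWORD_LEN:
        warnings.append("MD5 Password is shorter than local policy allows")
    if c["hold_timer"] < 3 * c["keep_alive"]:
        warnings.append("hold timer is under three keepalive intervals")
    if not c["inbound_filter"]:
        warnings.append("no Inbound Filter selected for this neighbor")
    if c["allow_as"]:
        warnings.append("Allow AS accepts routes carrying the Gateway's own ASN")
    if c["default_route"]:
        warnings.append("Default Route is advertised to the neighbor")
    if c["max_hop"] > 1:
        warnings.append("Max-hop above 1 enables multi-hop peering")
    return errors, warnings


# Constructed sample inputs (private-use ASNs, made-up filter name and password).
RISKY = {"local_asn": 65010, "neighbor_asn": 65010, "max_hop": 300,
         "keep_alive": 60, "hold_timer": 90, "allow_as": True,
         "md5_auth": True, "md5_password": ""}
CLEAN = {"local_asn": 65010, "neighbor_asn": 65020,
         "inbound_filter": "allow-branch-prefixes", "md5_auth": True,
         "md5_password": "constructed-sample-secret-01"}

if __name__ == "__main__":
    for name, cfg in (("RISKY", RISKY), ("CLEAN", CLEAN)):
        print(name, review_neighbor(cfg))
```

Errors are settings the page rules out; warnings are settings it permits but that deserve a second look during change review.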