How do I configure a BGP route based VPN between a SonicWall firewall and Azure?

Description

This article covers how to configure a BGP route based VPN between a SonicWall firewall and Microsoft Azure.


The following networks will be used for demonstration purposes during this article. Your networks may be different.

Azure Side Resources

  1. Gateway subnet: 10.10.1.0/24
  2. LAN subnet: 10.10.2.0/24
  3. Public IP: 52.172.214.101

SonicWall Side Resources

  1. LAN subnet: 192.168.40.0/24
  2. Public IP: 15.206.141.119
  3. BGP Local ASN 65513
  4. BGP REMOTE ASN 65514
  5. BGP PEER IP 10.10.1.254
  6. TUNNEL INTERFACE IP 172.16.85.1/30

Resolution

Azure Configuration

  1. Log in to the Azure portal at https://portal.azure.com.
  2. Navigate to Virtual Networks and click Add to create a new network scheme.
  3. In this scenario we've defined the following network. Once filled out, click Create.

  4. Define the LAN subnet and gateway subnet.

  5. Create a virtual network gateway under Home > Virtual network gateway.

  6. Click on Configuration and Enable BGP.

  7. Add a connection by defining the local network gateway, IKEv2, and the preshared key.

  8. Enable BGP.

  9. Under the local network gateway configuration, define the address space, the ASN, and the BGP peer IP address.
    Note: These details will be used in the SonicWall configuration.

SonicWall Configuration

  1. Log in to the SonicWall firewall.
  2. Navigate to the VPN policy tab. We're using the latest SonicOS 6.5 firmware. Click Manage | VPN | Base Settings. Click Add to create a new VPN policy.
  3. Give the VPN policy a name. We'll use the following settings:
    Policy Type: Tunnel Interface
    Authentication Method: IKE using Preshared Secret.
    Next, click the Proposals tab and keep the default proposals.

  4. Create a tunnel interface by navigating to Network | Interfaces.

  5. Create a route to reach the BGP peer IP under Network | Routing.

  6. Enable advanced routing under Network | Routing | Settings and configure BGP from the CLI.

    admin@0040103538F8> config t
    config(0040103538F8)# routing
    (config-routing)# bgp
    ARS BGP>show run
    router bgp 65513
    neighbor 10.10.1.254 remote-as 65514
    neighbor 10.10.1.254 ebgp-multihop 2

NOTE: Under Network | Interfaces | WAN, make sure the "Exclude from Route Advertisement (NSM, OSPF, BGP, RIP)" option on the WAN interface is disabled.
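The BGP session above is multihop because Azure's peer IP (10.10.1.254) lives in the gateway subnet, not on the tunnel interface's /30, which is why step 5 needs a static route to the peer and the CLI needs ebgp-multihop. The following added example (not SonicWall's or Azure's code) checks those preconditions for a given set of parameters and renders the CLI lines from step 6; the tunnel interface name "T1" and the route-table shape are assumptions.

```python
import ipaddress

def plan_bgp_peering(tunnel_if_cidr, tunnel_if_name, peer_ip,
                     local_asn, remote_asn, static_routes):
    """Return (problems, cli_lines) for the SonicWall side of the peering.

    static_routes is a list of (destination_cidr, egress_interface) pairs
    mirroring the entries under Network | Routing (assumed shape).
    """
    iface = ipaddress.ip_interface(tunnel_if_cidr)
    peer = ipaddress.ip_address(peer_ip)
    problems = []

    # The Azure virtual network gateway peers via eBGP, so the ASNs must differ.
    if local_asn == remote_asn:
        problems.append("local and remote ASN are equal; the Azure peering "
                        "is eBGP, so they must differ")

    cli = [f"router bgp {local_asn}",
           f"neighbor {peer} remote-as {remote_asn}"]

    if peer in iface.network:
        # Peer sits on the tunnel link itself: directly connected, no multihop.
        return problems, cli

    # Peer is beyond the tunnel link (Azure puts it in the GatewaySubnet):
    # the firewall needs a route to it via the tunnel interface, and the
    # neighbor must be allowed to be more than one hop away.
    reachable = any(peer in ipaddress.ip_network(dst) and egress == tunnel_if_name
                    for dst, egress in static_routes)
    if not reachable:
        problems.append(f"no static route to BGP peer {peer} via {tunnel_if_name}")
    cli.append(f"neighbor {peer} ebgp-multihop 2")
    return problems, cli

if __name__ == "__main__":
    # Constructed input using the values from this article.
    probs, lines = plan_bgp_peering("172.16.85.1/30", "T1", "10.10.1.254",
                                    65513, 65514, [("10.10.1.254/32", "T1")])
    print("\n".join(lines), probs)
```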
