How do I configure a BGP route based VPN between a SonicWall firewall and Azure?
03/26/2020 13 5391
This article covers how to configure a BGP route based VPN between a SonicWall firewall and Microsoft Azure.
The following networks will be used for demonstration purposes during this article. Your networks may be different.
Azure Side Resources
- Gateway subnet: 10.10.1.0/24
- LAN subnet: 10.10.2.0/24
- Public IP: 220.127.116.11
SonicWall Side Resources
- LAN subnet: 192.168.40.0/24
- Public IP: 18.104.22.168
- BGP Local ASN 65513
- BGP REMOTE ASN 65514
- BGP PEER IP 10.10.1.254
- TUNNEL INTERFACE IP 172.16.85.1/30
- Login to the Azure portal https://portal.azure.com.
- Navigate to Virtual Networks and click Add to create a new network scheme.
- In this scenario we've defined the following network. Once filled out click Create.
- Define the LAN subnet and gateway subnet.
- Create a virtual network gateway under Home > Virtual network gateway.
- Click on Configuration and Enable BGP.
- Add a connection by defining the local network gateway, IKEV2, and preshared key.
- Enable BGP.
- Under the local network gateway configuration please define an address space, ASN BGP peer IP address.
Note: The below details will be used in the SonicWall configuration.
- Login to the SonicWall firewall.
- Navigate to the VPN policy tab. We're using the latest SonicOS 6.5 firmware. Click Manage | VPN | Base Settings. Click Add to create a new VPN policy.
- Give the VPN policy a name. We'll use the following settings:
Policy Type: Tunnel Interface
Authentication Method: IKE using Preshared Secret.
Next click the Proposals tab and use default proposals.
- Create a tunnel interface by navigating to Network | Interfaces.
- Create a route to reach the BGP peer IP under Network | Routing.
- Enable advance routing under Network | Routing | Settings and configure BGP using CLI.
admin@0040103538F8> config t
ARS BGP>show run
router bgp 65513
neighbor 10.10.1.254 remote-as 65514
neighbor 10.10.1.254 ebgp-multihop 2
NOTE: Please disable exclude from route advertisement (NSM,OSPF,BGP,RIP) under Network | Interfaces | WAN.