BGP over IPsec Connection

Run BGP and build an IPsec connection to a remote site.

BGP over IPsec is the default BGP connection used when creating your Spoke Gateway, unless BGP over LAN is specifically selected when creating your Spoke Gateway.

To set up an external connection via BGP over IPsec:

  1. Go to Networking > Connectivity > External Connections (S2C) tab.

  2. Click + External Connection.

  3. Select or enter the following values:

Name

A name for this connection.

Connect Public Cloud to

Select the External Device radio button. Click on the dropdown menu and select BGP over IPsec.

Local Gateway

The name of the local gateway. This is the gateway in the cloud that will connect to an on-prem gateway or device. Spoke Gateways only display in this list if they have BGP enabled.

Local ASN

Enter the local gateway’s ASN.

Remote ASN

Enter the BGP AS number the external device will use to exchange routes with the local gateway.

Over Private Network

Select this option if your underlying infrastructure is a private network, such as AWS Direct Connect or Azure ExpressRoute. When this option is selected, BGP and IPsec run over private IP addresses.

IKEv2

Select this option to connect to the remote site using the IKEv2 protocol.

If you configure IKEv1 in a connection that uses certificate-based authentication and is connecting to another Aviatrix device, you must add the intermediate CAs in addition to the root CA. When an intermediate CA is renewed and re-authentication is attempted, the connection will go down until you add the new certificate.

A Transit Gateway cannot have both an IKEv1 and an IKEv2 external connection.

Algorithms

If the Algorithms checkbox is unmarked, the default values are used. If it is marked, you can set any of the fields listed below.

  • Phase 1 Authentication

  • Phase 1 DH Groups

  • Phase 1 Encryption

  • Phase 2 Authentication

  • Phase 2 DH Groups

  • Phase 2 Encryption

Learned CIDR Approval

This is Off and not editable by default. It is On by default (and not editable) only when the Local Gateway you select has Learned CIDR Approval turned On with the Connection option selected, and this BGP connection is selected.

When this setting is On, a learned BGP prefix is blocked before the control plane even considers it. Blocked prefixes are not programmed in the gateway route table.

ActiveMesh Connection

+Remote Gateway

Click here to add a remote or on-prem gateway instance.

Remote Gateway IP

IP address of the remote or on-prem device.

Local Tunnel IP (optional)

Enter the IP address of the local tunnel.

Remote Tunnel IP (optional)

Enter the IP address of the remote tunnel.

Pre-Shared Key (optional)

Optional; a key is auto-generated if none is entered.

  4. Click Save.

The new BGP over IPsec external connection appears in the table.
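The form fields above amount to a small contract: tunnel IPs are optional but come as a pair, the pre-shared key is generated when left blank, a gateway cannot mix IKEv1 and IKEv2 connections, and Learned CIDR Approval follows the selected gateway's setting. The following Python script is an added example, not Aviatrix code and not part of this page; it encodes those stated rules as a pre-flight check that can be run before the values are entered or automated. The `ExternalConnection` field names, the `validate` and `prepare` functions, the reserved-ASN list (RFC 7300 and RFC 6793), the RFC 1918 check on the remote address when Over Private Network is not selected, and the requirement that tunnel IPs carry a prefix length are all this example's own assumptions; the sample request uses documentation addresses.

```python
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Reserved AS numbers that should not appear as a peer ASN (RFC 7300, RFC 6793); assumption.
_RESERVED_ASNS = {0, 23456, 65535, 4294967295}
# RFC 1918 ranges: expected for the remote peer only when Over Private Network is selected.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class ExternalConnection:
    """One BGP over IPsec external connection request; fields mirror the form on this page."""
    name: str
    local_gateway: str
    local_asn: int
    remote_asn: int
    remote_gateway_ip: str
    over_private_network: bool = False
    ikev2: bool = False
    local_tunnel_ip: Optional[str] = None   # assumption: entered as address/prefix, e.g. 169.254.10.1/30
    remote_tunnel_ip: Optional[str] = None
    pre_shared_key: Optional[str] = None
    gateway_learned_cidr_approval: bool = False  # assumption: the selected gateway's own setting


def generate_psk(nbytes: int = 32) -> str:
    """A PSK is auto-generated when none is entered; draw it from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def _valid_asn(asn: int) -> bool:
    return 1 <= asn <= 4294967295 and asn not in _RESERVED_ASNS


def _is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in _RFC1918)


def validate(conn: ExternalConnection, existing_ike_versions: Sequence[int] = ()) -> List[str]:
    """Return the problems found; an empty list means the request is acceptable.

    existing_ike_versions lists the IKE versions (1 or 2) of connections already
    present on the same gateway, since a gateway cannot mix IKEv1 and IKEv2.
    """
    problems: List[str] = []
    if not conn.name.strip():
        problems.append("name is required")
    if not conn.local_gateway.strip():
        problems.append("local gateway is required")
    for label, asn in (("local", conn.local_asn), ("remote", conn.remote_asn)):
        if not _valid_asn(asn):
            problems.append(f"{label} ASN {asn} is out of range or reserved")

    try:
        remote_ip = ipaddress.IPv4Address(conn.remote_gateway_ip)
        if _is_rfc1918(remote_ip) and not conn.over_private_network:
            problems.append(f"remote gateway IP {remote_ip} is RFC 1918 but Over Private Network is not selected")
    except ipaddress.AddressValueError:
        problems.append(f"remote gateway IP {conn.remote_gateway_ip!r} is not a valid IPv4 address")

    # Tunnel IPs are optional, but when given they must form one point-to-point pair.
    if (conn.local_tunnel_ip is None) != (conn.remote_tunnel_ip is None):
        problems.append("local and remote tunnel IPs must be given together or both omitted")
    elif conn.local_tunnel_ip is not None:
        if "/" not in conn.local_tunnel_ip or "/" not in conn.remote_tunnel_ip:
            problems.append("tunnel IPs need a prefix length, e.g. 169.254.10.1/30")
        else:
            try:
                local = ipaddress.IPv4Interface(conn.local_tunnel_ip)
                remote = ipaddress.IPv4Interface(conn.remote_tunnel_ip)
                if local.ip == remote.ip:
                    problems.append("local and remote tunnel IPs must differ")
                elif local.network != remote.network:
                    problems.append(f"tunnel IPs {local} and {remote} are not in the same subnet")
            except (ipaddress.AddressValueError, ipaddress.NetmaskValueError, ValueError):
                problems.append("tunnel IPs must be valid IPv4 address/prefix values")

    wanted = 2 if conn.ikev2 else 1
    if any(v != wanted for v in existing_ike_versions):
        problems.append(f"gateway already has IKEv{3 - wanted} connections and cannot also use IKEv{wanted}")
    return problems


def prepare(conn: ExternalConnection, existing_ike_versions: Sequence[int] = ()) -> Dict[str, object]:
    """Validate and apply the defaults the form applies, returning the final request values."""
    problems = validate(conn, existing_ike_versions)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "name": conn.name,
        "local_gateway": conn.local_gateway,
        "local_asn": conn.local_asn,
        "remote_asn": conn.remote_asn,
        "remote_gateway_ip": conn.remote_gateway_ip,
        "over_private_network": conn.over_private_network,
        "ike_version": 2 if conn.ikev2 else 1,
        "local_tunnel_ip": conn.local_tunnel_ip,
        "remote_tunnel_ip": conn.remote_tunnel_ip,
        "pre_shared_key": conn.pre_shared_key or generate_psk(),
        # Learned CIDR Approval follows the gateway's setting and is not editable here.
        "learned_cidr_approval": conn.gateway_learned_cidr_approval,
    }
```

To use it, build an `ExternalConnection` from the values you intend to enter (for instance a constructed request with `remote_gateway_ip="203.0.113.10"` and tunnel IPs `169.254.10.1/30` and `169.254.10.2/30`) and call `prepare`; it raises `ValueError` listing every problem at once, otherwise it returns the values with the generated key filled in. Generating the key with `secrets` rather than a hand-typed string matches the form's auto-generation and avoids weak, reused PSKs.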