BGP over IPsec Connection
Run BGP and build an IPsec connection to a remote site.
BGP over IPsec is the default BGP connection type when you create a Spoke Gateway, unless BGP over LAN is specifically selected at creation time.
To set up an external connection via BGP over IPsec:
- Go to Networking > Connectivity > External Connections (S2C) tab.
- Click + External Connection.
- Select or enter the following values:
| Field | Description |
|---|---|
| Name | A name for this connection. |
| Connect Public Cloud to | Select the External Device radio button. Click the dropdown menu and select BGP over IPsec. |
| Local Gateway | The name of the local gateway. This is the gateway in the cloud that will connect to an on-prem gateway or device. Spoke Gateways only appear in this list if they have BGP enabled. |
| Local ASN | Enter the local gateway's ASN. |
| Remote ASN | Enter the BGP AS number the external device will use to exchange routes with the local gateway. |
| Over Private Network | Select this option if your underlying infrastructure is a private network, such as AWS Direct Connect or Azure ExpressRoute. When this option is selected, BGP and IPsec run over private IP addresses. |
| IKEv2 | Select this option to connect to the remote site using the IKEv2 protocol. |
| Algorithms | If the Algorithms checkbox is unmarked, the default values are used. If it is marked, you can set any of the fields defined below. |
| Learned CIDR Approval | Off and disabled by default. It is On by default (and not editable) when the Local Gateway you select has Learned CIDR Approval turned On with the Connection option and a BGP connection selected. When this setting is On, a learned BGP prefix is blocked from being considered by the control plane at all; blocked prefixes are not programmed in the gateway route table. |
| ActiveMesh Connection | Section containing the remote gateway fields below. |
| +Remote Gateway | Click here to add a remote or on-prem gateway instance. |
| Remote Gateway IP | IP address of the remote or on-prem device. |
| Local Tunnel IP (optional) | Enter the IP address of the local tunnel. |
| Remote Tunnel IP (optional) | Enter the IP address of the remote tunnel. |
| Pre-Shared Key (optional) | Optional; it is auto-generated if not entered. |
- Click Save.
The new BGP over IPsec external connection appears in the table.
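A pre-flight check for the values entered in the form above, added here as an example in Python rather than Aviatrix code. It assumes eBGP peering (local and remote ASN differ), /30 tunnel subnets, and a 16-character minimum for a user-entered pre-shared key; the page states none of these.

```python
# Added example, not Aviatrix code: sanity-check the BGP over IPsec field values.
# Assumptions: eBGP peering (distinct ASNs), /30 tunnel subnets, PSKs of 16+ chars.
import ipaddress
import secrets

# ASNs reserved by RFC 7607 (0), RFC 6793 (23456) and RFC 7300 (last 2/4-byte ASN).
RESERVED_ASNS = {0, 23456, 65535, 4294967295}

def validate_asn(asn: int) -> bool:
    """True if asn is a usable 2-byte or 4-byte AS number."""
    return 1 <= asn <= 4294967295 and asn not in RESERVED_ASNS

def tunnel_pair_ok(local_ip: str, remote_ip: str, prefixlen: int = 30) -> bool:
    """True if both tunnel addresses are distinct usable hosts of one subnet."""
    try:
        local, remote = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    if local == remote or local.version != remote.version:
        return False
    hosts = set(ipaddress.ip_network(f"{local}/{prefixlen}", strict=False).hosts())
    return local in hosts and remote in hosts

def build_connection(name, local_asn, remote_asn, remote_gateway_ip,
                     local_tunnel_ip=None, remote_tunnel_ip=None,
                     pre_shared_key=None, over_private_network=False, ikev2=True):
    """Return the validated form values as a dict, or raise ValueError."""
    errors = []
    for label, asn in (("local", local_asn), ("remote", remote_asn)):
        if not validate_asn(asn):
            errors.append(f"{label} ASN {asn} is reserved or out of range")
    if local_asn == remote_asn:
        errors.append("local and remote ASN are equal; eBGP needs distinct ASNs")
    peer = ipaddress.ip_address(remote_gateway_ip)  # raises ValueError if malformed
    if over_private_network and not peer.is_private:
        errors.append(f"remote gateway {peer} is not private but Over Private Network is set")
    if (local_tunnel_ip is None) != (remote_tunnel_ip is None):
        errors.append("tunnel IPs must be entered as a pair or both left blank")
    elif local_tunnel_ip and not tunnel_pair_ok(local_tunnel_ip, remote_tunnel_ip):
        errors.append("local and remote tunnel IPs are not a usable /30 pair")
    if pre_shared_key is None:
        pre_shared_key = secrets.token_urlsafe(32)  # auto-generated, as the form does
    elif len(pre_shared_key) < 16:
        errors.append("pre-shared key shorter than 16 characters (assumed minimum)")
    if errors:
        raise ValueError("; ".join(errors))
    return {"name": name, "local_asn": local_asn, "remote_asn": remote_asn,
            "remote_gateway_ip": remote_gateway_ip, "pre_shared_key": pre_shared_key,
            "tunnel_ips": (local_tunnel_ip, remote_tunnel_ip), "ikev2": ikev2}
```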