Azure support with S2S VPN BGP routing over IPsec VPN with MX 19.1.4 firmware

LuisR

I have an S2S with Azure VPN gateway working fine with static routing.

I have just installed the beta MX 19.1.4, which states that it supports VPN BGP routing.

I've followed the documentation https://documentation.meraki.com/MX/Site-to-site_VPN/BGP_routing_over_IPsec_VPN

But the confusing part is the IPsec /30 subnet. This is something that seems not to work properly. With an example:

  • Configured on Meraki the S2S VPN tunnel BGP with IPsec subnet: 192.168.8.0/30, BGP source IP: 192.168.8.1, BGP neighbor IP: 192.168.8.2
  • The Azure VPN gateway BGP peer is an address from the Azure subnet: 192.168.5.13
  • The AzureGW S2S connection is pointing to the 192.168.8.1

From a network trace on Azure, I can see the BGP traffic getting no response/retry in both directions:

  • from Meraki MX: 192.168.8.1 to 192.168.8.2
  • from Azure VnetGW: 192.168.5.13 to 192.168.8.1

 

Is this supported somehow?

1 Accepted Solution
MartinLL

It's for the transportation network within the VPN tunnel for BGP peering.

For example, when you configure a VPN device, for example Cisco ASA, with BGP over IPsec, it uses APIPA addressing within the tunnel to establish a BGP session. I suspect that the same would work with Meraki S2S.

Try to add the Azure reserved APIPA space to the VNG setting called Azure APIPA BGP IP address.

Then add that APIPA range to your IPsec subnet config in Meraki as well and see where that gets you.

Configure BGP for VPN Gateway: Portal - Azure VPN Gateway | Microsoft Learn

Note that I have not done this with Meraki before, but it's worth a try 🙂

MLL
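
The addressing in the question and the APIPA suggestion in the accepted answer, as an added example that is not part of either post: a Python check that the MX neighbor IP and the address Azure speaks BGP from actually match. The function name and the 169.254.21.0/30 values are constructed for illustration; the APIPA range 169.254.21.0 to 169.254.22.255 is Azure's documented range for VPN gateway BGP addresses and does not come from this thread.

```python
import ipaddress

# Azure VPN Gateway accepts custom APIPA BGP addresses only in
# 169.254.21.0 - 169.254.22.255 (not from the page; Azure's documented range).
AZURE_APIPA = [ipaddress.ip_network("169.254.21.0/24"),
               ipaddress.ip_network("169.254.22.0/24")]


def check_bgp_peering(ipsec_subnet, mx_source_ip, mx_neighbor_ip, azure_bgp_ip):
    """Hypothetical helper: list addressing problems for BGP over the tunnel."""
    net = ipaddress.ip_network(ipsec_subnet)
    src = ipaddress.ip_address(mx_source_ip)
    nbr = ipaddress.ip_address(mx_neighbor_ip)
    azure = ipaddress.ip_address(azure_bgp_ip)
    problems = []

    if net.prefixlen != 30:
        problems.append(f"{net} is not a /30")
    usable = set(net.hosts())
    for label, ip in (("source", src), ("neighbor", nbr)):
        if ip not in usable:
            problems.append(f"MX BGP {label} IP {ip} is not a host address in {net}")
    if src == nbr:
        problems.append("MX BGP source and neighbor IP are identical")

    # The MX sends BGP to its neighbor IP; nothing answers unless Azure
    # speaks BGP from that same address.
    if nbr != azure:
        problems.append(f"MX neighbor is {nbr} but Azure speaks BGP from {azure}")
    # The accepted answer's suggestion: use an Azure APIPA address inside the tunnel.
    if not any(azure in block for block in AZURE_APIPA):
        problems.append(f"Azure BGP IP {azure} is outside the Azure APIPA range")
    return problems


if __name__ == "__main__":
    # Values from the question.
    for p in check_bgp_peering("192.168.8.0/30", "192.168.8.1",
                               "192.168.8.2", "192.168.5.13"):
        print("question config:", p)
    # Constructed APIPA values following the accepted answer.
    print("APIPA config:", check_bgp_peering("169.254.21.0/30", "169.254.21.1",
                                             "169.254.21.2", "169.254.21.2"))
```

Run against the question's values, it reports that the MX is peering with 192.168.8.2 while Azure speaks BGP from 192.168.5.13, which matches the unanswered traffic seen in the trace.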

LuisR

Thanks for the out-of-the-box thinking 😁
