SD-WAN

nevermind wind, no matter rain

BGP over IPSec between VMware SD-WAN Edge and Cisco IOS

Background

Starting with version 4.3, VMware SD-WAN Edge supports BGP over IPSec. This post documents how to configure a VMware SD-WAN Edge to form a BGP session over IPSec with a Cisco IOS device. Although the main use case for BGP over IPSec on the VMware SD-WAN Edge is connecting to public cloud VPN gateways, lab testing is easier against a traditional router or firewall such as a Cisco IOS device, which is the main reason for this post.

Versioning

The VMware SD-WAN Edge runs version 4.3.0 [R430-20210702-GA-61583-76361fa920].

Topology and Diagram

The following is the topology used in the lab environment for this post:

Figure 1 – Topology Diagram

In this lab environment there is an SD-WAN Edge called ABCD-VCE1, which has the public IP address 24.5.2.39 connected to the Internet. There are two routers, R-IPSec1 and R-IPSec2: R-IPSec1 has the public IP 98.1.2.212 and R-IPSec2 has the public IP 184.1.2.212, both connected to the Internet.

ABCD-VCE1 will establish an IPSec tunnel to each of R-IPSec1 and R-IPSec2, so there will be two IPSec tunnels. The first is between 24.5.2.39 (169.254.80.2) and 98.1.2.212 (169.254.80.1); the second is between 24.5.2.39 (169.254.80.6) and 184.1.2.212 (169.254.80.5). In both cases the 169.254.x.x address in brackets is the corresponding tunnel IP address.

The BGP peers are eBGP; here is the AS number of each device:

  • ABCD-VCE1: AS65123
  • R-IPSec1: AS65100
  • R-IPSec2: AS65101
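As an added example (not configuration from the original post), here is the Cisco IOS side for R-IPSec1 (AS65100) using the tunnel and AS values above: a route-based VTI protected by IKEv2, with an eBGP peer on the tunnel address of ABCD-VCE1. The IKEv2/IPSec algorithm choices, the WAN interface name GigabitEthernet0/0, the advertised LAN prefix 10.100.0.0/24 and the pre-shared key placeholder are assumptions, not values from the post.

```cisco
! Added example for R-IPSec1 (98.1.2.212, AS65100) peering with ABCD-VCE1 (24.5.2.39, AS65123).
! Assumptions not on the page: IKEv2 with PSK, AES-GCM-256 / SHA-384 / DH group 19,
! WAN interface GigabitEthernet0/0, LAN prefix 10.100.0.0/24, placeholder PSK.
crypto ikev2 proposal VCE-PROP
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy VCE-POL
 proposal VCE-PROP
crypto ikev2 keyring VCE-KEYS
 peer ABCD-VCE1
  address 24.5.2.39
  pre-shared-key REPLACE_WITH_STRONG_PSK
crypto ikev2 profile VCE-IKEV2
 ! Only accept the Edge's public address as the remote identity
 match identity remote address 24.5.2.39 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local VCE-KEYS
crypto ipsec transform-set VCE-TS esp-gcm 256
 mode tunnel
crypto ipsec profile VCE-IPSEC
 set transform-set VCE-TS
 set ikev2-profile VCE-IKEV2
interface Tunnel1
 description BGP over IPSec to ABCD-VCE1
 ip address 169.254.80.1 255.255.255.252
 ! Leave headroom for ESP overhead so BGP and transit traffic are not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 24.5.2.39
 tunnel protection ipsec profile VCE-IPSEC
router bgp 65100
 bgp log-neighbor-changes
 neighbor 169.254.80.2 remote-as 65123
 neighbor 169.254.80.2 description ABCD-VCE1
 address-family ipv4
  neighbor 169.254.80.2 activate
  neighbor 169.254.80.2 soft-reconfiguration inbound
  network 10.100.0.0 mask 255.255.255.0
```

Once both sides are up, `show crypto ikev2 sa` and `show crypto ipsec sa` confirm the tunnel and `show ip bgp summary` should list 169.254.80.2 in the Established state with a prefix count; R-IPSec2 follows the same pattern with 169.254.80.5/30, destination 24.5.2.39 and AS65101.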