Previous article on FRR and Docker: https://towardsaws.com/configuring-bgp-and-open-source-frr-docker-on-aws-advanced-networking-d21fd0d76b33
We will reuse the same concept and start a BGP route exchange over an IPsec VPN.
A few points to note:
BGP ASNs are supported in both 2-byte and 4-byte form.
The ASN range is 64512-65534.
BGP peering happens over the tunnel endpoints, whose inside addresses are 169.254.x.y/z; Amazon normally allocates these by default.
If you are extending the strongSwan use case, you need a configuration reference for the static tunnel, because no dynamic-routing configuration is generated for the strongSwan/Openswan use case.
For both static and dynamic routing, VGW route propagation must be enabled.
I have observed that left-subnet and right-subnet should be 0/0 in AWS for communication of the BGP TCP messages used for session establishment.
strongSwan by default creates its routing entries in a separate route table at launch. To disable this behaviour and use the default route table:
- Open the file /etc/strongswan.d/charon.conf
- Uncomment the line "install_routes=yes"
- Change the value of the line to "install_routes=no"
FRR Points
docker pull frrouting/frr
docker run -d --privileged --name fr1 --net=host frrouting/frr:latest
Enable BGP in FRR:
a. You need to create a file in /etc/frr called vtysh.conf
b. Enable the required protocols in /etc/frr/daemons; in our case that is BGP
ip nht resolve-via-default ----> If this command is not present, Zebra which is
Tunnel Configuration on Server
sudo ip link add Tunnel1 type vti local 192.168.1.200 remote 52.211.205.215 key 100
sudo ip addr add 169.254.185.82/30 remote 169.254.185.81/30 dev Tunnel1
sudo ip link set Tunnel1 up mtu 1419
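The notes above give three things that are easy to get wrong before the BGP session ever comes up: the inside addresses must be a link-local /30 pair, the ASN must be in the private range, and charon.conf must have install_routes set to no. The following pre-flight checker is an added example, not code from the original post; it uses the inside addresses from the tunnel commands above, an assumed customer-side ASN of 65000, and a constructed charon.conf snippet, and it also accepts 4-byte ASNs from the RFC 6996 private block, which is an assumption about what the VGW side accepts.

```python
import ipaddress
import re

# The 2-byte range is the one listed in the post; the 4-byte block is the
# RFC 6996 private range, assumed here to be what the VGW side accepts.
PRIVATE_ASN_2BYTE = range(64512, 65535)
PRIVATE_ASN_4BYTE = range(4200000000, 4294967295)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

def check_tunnel_addressing(local_cidr, peer_cidr):
    """Return problems with the inside-tunnel address pair (empty list if OK)."""
    local, peer = ipaddress.ip_interface(local_cidr), ipaddress.ip_interface(peer_cidr)
    problems = [f"{name} {iface.ip} is outside {LINK_LOCAL}"
                for name, iface in (("local", local), ("peer", peer))
                if iface.ip not in LINK_LOCAL]
    if local.network != peer.network or local.network.prefixlen != 30:
        problems.append(f"expected one shared /30, got {local} and {peer}")
    elif local.ip == peer.ip or not {local.ip, peer.ip} <= set(local.network.hosts()):
        problems.append("local and peer must be the two usable hosts of the /30")
    return problems

def check_asn(asn):
    """Flag an ASN that is outside the private 2-byte or 4-byte range."""
    if asn in PRIVATE_ASN_2BYTE or asn in PRIVATE_ASN_4BYTE:
        return []
    return [f"ASN {asn} is outside 64512-65534 and the 4-byte private range"]

def charon_install_routes(charon_conf):
    """Effective install_routes value from charon.conf text; commented-out lines
    are ignored and strongSwan's built-in default ('yes') applies when absent."""
    for line in charon_conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        match = re.match(r"install_routes\s*=\s*(\w+)", stripped)
        if match:
            return match.group(1).lower()
    return "yes"

def preflight(local_cidr, peer_cidr, asn, charon_conf):
    """Combine all checks; an empty list means the setup matches the post's notes."""
    problems = check_tunnel_addressing(local_cidr, peer_cidr) + check_asn(asn)
    if charon_install_routes(charon_conf) != "no":
        problems.append("charon.conf: install_routes must be 'no' to use the main table")
    return problems

# Constructed sample: the inside addresses from the tunnel commands above, an
# assumed customer-side ASN of 65000, and a charon.conf still at its default.
SAMPLE_CHARON = "charon {\n    # install_routes = yes\n    load_modular = yes\n}\n"

if __name__ == "__main__":
    for issue in preflight("169.254.185.82/30", "169.254.185.81/30", 65000, SAMPLE_CHARON):
        print("PROBLEM:", issue)
```

Run it against your real /etc/strongswan.d/charon.conf contents and the addresses from your downloaded VPN configuration; the sample above reports only the install_routes default, which is exactly the setting the steps earlier tell you to change.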