Thanks for the tip! OK, so here's what I've done to get past the VTI struggles (I'll admit this is the first time I've used them): I've fallen back to my original setup of just an IPSec VPN on the primary eth0 with no VTI. I'll tackle VTI in the future.
Same story as before: I can get to OpenConfirm, but never Established. Azure can see the routes (including 10.0.1.1/32), but the EdgeRouter never gets routes.
ryanb@ubnt# show vpn
ipsec {
    auto-firewall-nat-exclude enable
    disable-uniqreqids
    esp-group esp-azure {
        compression disable
        lifetime 3600
        mode tunnel
        pfs disable
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    ike-group ike-azure {
        ikev2-reauth no
        key-exchange ikev2
        lifetime 28800
        proposal 1 {
            dh-group 2
            encryption aes256
            hash sha1
        }
    }
    ipsec-interfaces {
    }
    nat-traversal enable
    site-to-site {
        peer 2.2.2.2 {
            authentication {
                mode pre-shared-secret
                pre-shared-secret LennyR31234
            }
            connection-type respond
            default-esp-group esp-azure
            ike-group ike-azure
            ikev2-reauth inherit
            local-address 1.1.1.1
            tunnel 1 {
                allow-nat-networks disable
                allow-public-networks disable
                esp-group esp-azure
                local {
                    prefix 10.0.1.1/32
                }
                protocol all
                remote {
                    prefix 10.1.255.254/32
                }
            }
        }
    }
}
ryanb@ubnt# show protocols bgp
bgp 65501 {
    neighbor 10.1.255.254 {
        prefix-list {
            export EXPORT-AS65501
        }
        remote-as 65515
        soft-reconfiguration {
            inbound
        }
        update-source 10.0.1.1
    }
    parameters {
        router-id 10.0.1.1
    }
}
ryanb@ubnt:~$ show ip bgp summary
BGP router identifier 10.0.1.1, local AS number 65501
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries
Neighbor        V    AS  MsgRcv  MsgSen  TblVer  InQ  OutQ  Up/Down  State/PfxRcd
10.1.255.254    4 65515    2070    4322       0    0     0  never    OpenConfirm
Total number of neighbors 1
Total number of Established sessions 0
ryanb@ubnt:~$ show vpn ipsec sa
peer-2.2.2.2-tunnel-1: #2, ESTABLISHED, IKEv2, a2030ba777abae88:2a282ea011a0dfe2
  local  '1.1.1.1' @ 1.1.1.1
  remote '2.2.2.2' @ 2.2.2.2
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 659s ago, rekeying in 27109s
  peer-2.2.2.2-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 659 ago, rekeying in 2224s, expires in 2941s
    in  ceb6c5c2, 15226 bytes, 205 packets, 115s ago
    out bc8032b4, 25896 bytes, 373 packets, 5s ago
    local  10.0.1.1/32
    remote 10.1.255.254/32