IPsec Configuration for BGP

BGP transmits packets in the clear. Therefore, for strong security, SonicWALL recommends configuring an IPsec tunnel to carry BGP sessions. The configurations of the IPsec tunnel and of BGP are independent of each other. The IPsec tunnel is configured completely within the VPN configuration section of the SonicOS GUI, while BGP is enabled on the Network > Routing page and then configured on the SonicOS Command Line Interface. When configuring BGP over IPsec, first configure the IPsec tunnel and verify connectivity over the tunnel before configuring BGP.

The following procedure shows a sample IPsec configuration between a SonicWALL and a remote BGP peer, where the SonicWALL is configured for 192.168.168.75/24 on the X0 network and the remote peer is configured for 192.168.168.35/24 on the X0 network.

1. Navigate to the VPN > Settings page and click the Add button under the VPN Policies section. The VPN Policies dialog displays.
2. In the Policy Type drop-down menu, make sure that Site to Site is selected.
3. Select the desired Authentication Method. In this example, we are using IKE using Preshared Secret.
4. Enter a Name for the VPN policy.
5. In the IPsec Primary Gateway Name or Address field, enter the IP address of the remote peer (for this example it is 192.168.168.35).
6. In the IPsec Secondary Gateway Name or Address field, enter 0.0.0.0.
7. Enter a Shared Secret and confirm it.
8. In the Local IKE ID field, enter the IP address of the SonicWALL (for this example it is 192.168.168.75).
9. In the Peer IKE ID field, enter the IP address of the remote peer (192.168.168.35).
10. Click on the Network tab.
11. For the local network, select X0 IP from the Choose local network from list drop-down menu.
12. For the remote network, select the remote peer’s IP address from the Choose destination network from list drop-down menu, which is 192.168.168.35 for this example. If the remote IP address is not listed, select Create new address object to create an address object for the IP address.
13. Click on the Proposals tab. You can either use the default IPsec proposals or customize them as you see fit.
14. Click on the Advanced tab.
15. Check the Enable Keep Alive check box.
16

The VPN policy is now configured on the SonicWALL appliance. Now complete the corresponding IPsec configuration on the remote peer. When that is complete, return to the VPN > Settings page and check the Enable check box for the VPN policy to initiate the IPsec tunnel.

Use the ping diagnostic on the SonicWALL to ping the BGP peer IP address and use Wireshark to ensure that the request and response are being encapsulated in ESP packets.
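The Wireshark check above can also be expressed as a small script that inspects raw IPv4 packets between the two peers and flags any BGP session (TCP port 179) that is not carried inside ESP (IP protocol 50). The following is an added example, not SonicWALL or SonicOS code; it uses the peer addresses from the procedure (192.168.168.75 and 192.168.168.35), and the sample packets are constructed inline with zero header checksums so it runs offline without a capture file.

```python
"""Classify raw IPv4 packets between two BGP peers as ESP-encapsulated or cleartext.
Added example (not SonicWALL code). The packets at the bottom are constructed
inline for the demonstration; peer addresses are the ones used in the procedure."""
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50   # IP protocol number for IPsec ESP
TCP_PROTO = 6
BGP_PORT = 179


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) from a raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("inconsistent IPv4 length fields")
    src = str(IPv4Address(pkt[12:16]))
    dst = str(IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]


def classify(pkt: bytes, peers) -> str:
    """'esp' for ESP between the peers, 'bgp-cleartext' for unencapsulated TCP/179,
    'cleartext' for any other unencapsulated traffic between the peers,
    'unrelated' for traffic that is not between the two peers."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if {src, dst} != set(peers):
        return "unrelated"
    if proto == ESP_PROTO:
        return "esp"
    if proto == TCP_PROTO and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if BGP_PORT in (sport, dport):
            return "bgp-cleartext"
    return "cleartext"


def audit(packets, peers):
    """Count each class; tunnel_ok is False if any BGP packet was seen in the clear."""
    counts = {"esp": 0, "bgp-cleartext": 0, "cleartext": 0, "unrelated": 0}
    for pkt in packets:
        counts[classify(pkt, peers)] += 1
    counts["tunnel_ok"] = counts["bgp-cleartext"] == 0
    return counts


# --- constructed sample packets (header checksums left at zero; not validated here) ---
def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def tcp_syn(sport, dport):
    # 20-byte TCP header: ports, seq, ack, data offset 5, SYN flag, window, cksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def esp(spi, seq, ciphertext):
    # ESP header is SPI + sequence number, followed by the encrypted payload
    return struct.pack("!II", spi, seq) + ciphertext


PEERS = ("192.168.168.75", "192.168.168.35")
SAMPLES = [
    ipv4(PEERS[0], PEERS[1], ESP_PROTO, esp(0x0001ABCD, 1, b"\x9a" * 64)),  # tunnelled
    ipv4(PEERS[1], PEERS[0], ESP_PROTO, esp(0x0001ABCE, 1, b"\x5c" * 64)),  # tunnelled
    ipv4(PEERS[0], PEERS[1], TCP_PROTO, tcp_syn(50000, BGP_PORT)),          # BGP in the clear
    ipv4("10.0.0.9", PEERS[0], TCP_PROTO, tcp_syn(40000, 443)),              # unrelated host
]

if __name__ == "__main__":
    print(audit(SAMPLES, PEERS))
```

With the constructed samples the audit reports two ESP packets, one cleartext BGP SYN and one unrelated packet, so tunnel_ok is False; on a real capture taken after the tunnel is up and before BGP is enabled, every packet between the peers should classify as esp. Feed it packets from a capture by stripping the link-layer header first (14 bytes for Ethernet).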

For more detailed information on configuring IPsec, see the VPN chapters in the SonicOS Administrator’s Guide.