Configure a site-to-site VPN over ExpressRoute Microsoft peering

This article helps you configure secure encrypted connectivity between your on-premises network and your Azure virtual networks (VNets) over an ExpressRoute private connection. You can use Microsoft peering to establish a site-to-site IPsec/IKE VPN tunnel between your selected on-premises networks and Azure VNets. Configuring a secure tunnel over ExpressRoute allows for data exchange with confidentiality, anti-replay, authenticity, and integrity.

Note

When you set up site-to-site VPN over Microsoft peering, you are charged for the VPN gateway and VPN egress. For more information, see VPN Gateway pricing.

The steps and examples in this article use the Azure PowerShell Az modules. To install the Az modules locally on your computer, see Install Azure PowerShell. To learn more about the new Az module, see Introducing the new Azure PowerShell Az module. PowerShell cmdlets are updated frequently. If you are not running the latest version, the values specified in the instructions may fail. To find the installed versions of PowerShell on your system, use the Get-Module -ListAvailable Az cmdlet.

Architecture

Connectivity overview

For high availability and redundancy, you can configure multiple tunnels over the two MSEE-PE pairs of an ExpressRoute circuit and enable load balancing between the tunnels.

High availability options

VPN tunnels over Microsoft peering can be terminated either on a VPN gateway or on an appropriate Network Virtual Appliance (NVA) available through the Azure Marketplace. You can exchange routes statically or dynamically over the encrypted tunnels without exposing the route exchange to the underlying Microsoft peering. In the examples in this article, a BGP session (separate from the BGP session used to establish the Microsoft peering) is used to dynamically exchange prefixes over the encrypted tunnels.

Important

On the on-premises side, Microsoft peering is typically terminated in the DMZ and private peering in the core network zone, with the two zones segregated by firewalls. If you are configuring Microsoft peering exclusively to enable secure tunneling over ExpressRoute, remember to permit only the public IPs of interest that are advertised via Microsoft peering.

Workflow

  1. Configure Microsoft peering for your ExpressRoute circuit.
  2. Advertise selected Azure regional public prefixes to your on-premises network via Microsoft peering.
  3. Configure a VPN gateway and establish IPsec tunnels.
  4. Configure the on-premises VPN device.
  5. Create the site-to-site IPsec/IKE connection.
  6. (Optional) Configure firewalls/filtering on the on-premises VPN device.
  7. Test and validate the IPsec communication over the ExpressRoute circuit.

1. Configure Microsoft peering

To configure a site-to-site VPN connection over ExpressRoute, you must use ExpressRoute Microsoft peering.

Once you have configured your circuit and Microsoft peering, you can view them on the Overview page in the Azure portal.

Circuit

2. Configure route filters

A route filter lets you identify the services you want to consume through your ExpressRoute circuit's Microsoft peering. It is essentially an allow list of BGP community values.

Route filter

In this example, the deployment is only in the Azure West US 2 region. A route filter rule is added to allow only the advertisement of Azure West US 2 regional prefixes, which have the BGP community value 12076:51026. You specify the regional prefixes that you want to allow by selecting Manage rule.

Within the route filter, you also need to choose the ExpressRoute circuits to which the route filter applies. You can choose the ExpressRoute circuits by selecting Add circuit. In the previous figure, the route filter is associated with the example ExpressRoute circuit.

2.1 Configure the route filter

Configure a route filter. For steps, see Configure route filters for Microsoft peering.

2.2 Verify BGP routes

Once you have successfully created Microsoft peering over your ExpressRoute circuit and associated a route filter with the circuit, you can verify the BGP routes received from the MSEEs on the PE devices that are peering with the MSEEs. The verification command varies depending on the operating system of your PE devices.

Cisco examples

This example uses a Cisco IOS-XE command. In the example, a virtual routing and forwarding (VRF) instance is used to isolate the peering traffic.

show ip bgp vpnv4 vrf 10 summary

The following partial output shows that 68 prefixes were received from the neighbor X.243.229.34 with the ASN 12076 (MSEE):

...

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
X.243.229.34    4        12076   17671   17650    25228    0    0 1w4d           68

To see the list of prefixes received from the neighbor, use the following example:

sh ip bgp vpnv4 vrf 10 neighbors X.243.229.34 received-routes

To confirm that you are receiving the correct set of prefixes, you can cross-verify. The following Azure PowerShell command lists the prefixes advertised via Microsoft peering for each service and each Azure region:

Get-AzBgpServiceCommunity

3. Configure the VPN gateway and IPsec tunnels

In this section, IPsec VPN tunnels are created between the Azure VPN gateway and the on-premises VPN device. The examples use Cisco Cloud Services Router (CSR1000) VPN devices.

The following diagram shows the IPsec VPN tunnels established between on-premises VPN device 1 and the Azure VPN gateway instance pair. The two IPsec VPN tunnels established between on-premises VPN device 2 and the Azure VPN gateway instance pair are not illustrated in the diagram, and their configuration details are not listed. However, having the additional VPN tunnels improves high availability.

VPN tunnels

Over the IPsec tunnel pair, an eBGP session is established to exchange private network routes. The following diagram shows the eBGP session established over the IPsec tunnel pair:

eBGP sessions over tunnel pair

The following diagram shows an abstracted overview of the example network:

Example network

About the Azure Resource Manager template examples

In the examples, the VPN gateway and the IPsec tunnel terminations are configured using an Azure Resource Manager template. If you are new to using Resource Manager templates, or want to understand the Resource Manager template basics, see Understand the structure and syntax of Azure Resource Manager templates. The template in this section creates a greenfield Azure environment (VNet). However, if you have an existing VNet, you can reference it in the template. If you are not familiar with VPN gateway IPsec/IKE site-to-site configurations, see Create a site-to-site connection.

Note

You do not need to use Azure Resource Manager templates to create this configuration. You can create it using the Azure portal or PowerShell instead.

3.1 Declare the variables

In this example, the variable declarations correspond to the example network. When declaring variables, modify this section to reflect your environment.

  • The variable localAddressPrefix is an array of on-premises IP addresses that terminate the IPsec tunnels.
  • The gatewaySku determines the VPN throughput. For more information about gatewaySku and vpnType, see VPN Gateway configuration settings. For pricing, see VPN Gateway pricing.
  • Set the vpnType to RouteBased.
"variables": {
  "virtualNetworkName": "SecureVNet",       // Name of the Azure VNet
  "azureVNetAddressPrefix": "10.2.0.0/24",  // Address space assigned to the VNet
  "subnetName": "Tenant",                   // subnet name in which tenants exists
  "subnetPrefix": "10.2.0.0/25",            // address space of the tenant subnet
  "gatewaySubnetPrefix": "10.2.0.224/27",   // address space of the gateway subnet
  "localGatewayName": "localGW1",           // name of remote gateway (on-premises)
  "localGatewayIpAddress": "X.243.229.110", // public IP address of the on-premises VPN device
  "localAddressPrefix": [
    "172.16.0.1/32",                        // termination of IPsec tunnel-1 on-premises 
    "172.16.0.2/32"                         // termination of IPsec tunnel-2 on-premises 
  ],
  "gatewayPublicIPName1": "vpnGwVIP1",    // Public address name of the first VPN gateway instance
  "gatewayPublicIPName2": "vpnGwVIP2",    // Public address name of the second VPN gateway instance 
  "gatewayName": "vpnGw",                 // Name of the Azure VPN gateway
  "gatewaySku": "VpnGw1",                 // Azure VPN gateway SKU
  "vpnType": "RouteBased",                // type of VPN gateway
  "sharedKey": "string",                  // shared secret needs to match with on-premises configuration
  "asnVpnGateway": 65000,                 // BGP Autonomous System number assigned to the VPN Gateway 
  "asnRemote": 65010,                     // BGP Autonomous System number assigned to the on-premises device
  "bgpPeeringAddress": "172.16.0.3",      // IP address of the remote BGP peer on-premises
  "connectionName": "vpn2local1",
  "vnetID": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]",
  "gatewaySubnetRef": "[concat(variables('vnetID'),'/subnets/','GatewaySubnet')]",
  "subnetRef": "[concat(variables('vnetID'),'/subnets/',variables('subnetName'))]",
  "api-version": "2017-06-01"
},

3.2 Create virtual network (VNet)

If you are associating an existing VNet with the VPN tunnels, you can skip this step.

{
  "apiVersion": "[variables('api-version')]",
  "type": "Microsoft.Network/virtualNetworks",
  "name": "[variables('virtualNetworkName')]",
  "location": "[resourceGroup().location]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "[variables('azureVNetAddressPrefix')]"
      ]
    },
    "subnets": [
      {
        "name": "[variables('subnetName')]",
        "properties": {
          "addressPrefix": "[variables('subnetPrefix')]"
        }
      },
      {
        "name": "GatewaySubnet",
        "properties": {
          "addressPrefix": "[variables('gatewaySubnetPrefix')]"
        }
      }
    ]
  },
  "comments": "Create a Virtual Network with Subnet1 and Gatewaysubnet"
},

3.3 Assign public IP addresses to VPN gateway instances

Assign a public IP address to each instance of the VPN gateway.

{
  "apiVersion": "[variables('api-version')]",
  "type": "Microsoft.Network/publicIPAddresses",
  "name": "[variables('gatewayPublicIPName1')]",
  "location": "[resourceGroup().location]",
  "properties": {
    "publicIPAllocationMethod": "Dynamic"
  },
  "comments": "Public IP for the first instance of the VPN gateway"
},
{
  "apiVersion": "[variables('api-version')]",
  "type": "Microsoft.Network/publicIPAddresses",
  "name": "[variables('gatewayPublicIPName2')]",
  "location": "[resourceGroup().location]",
  "properties": {
    "publicIPAllocationMethod": "Dynamic"
  },
  "comments": "Public IP for the second instance of the VPN gateway"
},

3.4 Specify the on-premises VPN tunnel termination (local network gateway)

The on-premises VPN devices are referred to as the local network gateway. The following JSON snippet also specifies the remote BGP peer details:

{
  "apiVersion": "[variables('api-version')]",
  "type": "Microsoft.Network/localNetworkGateways",
  "name": "[variables('localGatewayName')]",
  "location": "[resourceGroup().location]",
  "properties": {
    "localNetworkAddressSpace": {
      "addressPrefixes": "[variables('localAddressPrefix')]"
    },
    "gatewayIpAddress": "[variables('localGatewayIpAddress')]",
    "bgpSettings": {
      "asn": "[variables('asnRemote')]",
      "bgpPeeringAddress": "[variables('bgpPeeringAddress')]",
      "peerWeight": 0
    }
  },
  "comments": "Local Network Gateway (referred to your on-premises location) with IP address of remote tunnel peering and IP address of remote BGP peer"
},

3.5 Create the VPN gateway

This section of the template configures the VPN gateway with the settings required for an active-active configuration. Keep in mind the following requirements:

  • Create the VPN gateway with a "RouteBased" vpnType. This setting is mandatory if you want to enable BGP routing between the VPN gateway and the on-premises VPN device.
  • To establish VPN tunnels between the two instances of the VPN gateway and a given on-premises device in active-active mode, the "activeActive" parameter is set to true in the Resource Manager template. To learn more about highly available VPN gateways, see Highly available VPN gateway connectivity.
  • To configure eBGP sessions over the VPN tunnels, you must specify two different ASNs, one on either side. It is preferable to use private ASNs. For more information, see Overview of BGP and Azure VPN gateways.
{
  "apiVersion": "[variables('api-version')]",
  "type": "Microsoft.Network/virtualNetworkGateways",
  "name": "[variables('gatewayName')]",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[concat('Microsoft.Network/publicIPAddresses/', variables('gatewayPublicIPName1'))]",
    "[concat('Microsoft.Network/publicIPAddresses/', variables('gatewayPublicIPName2'))]",
    "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]"
  ],
  "properties": {
    "ipConfigurations": [
      {
        "properties": {
          "privateIPAllocationMethod": "Dynamic",
          "subnet": {
            "id": "[variables('gatewaySubnetRef')]"
          },
          "publicIPAddress": {
            "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('gatewayPublicIPName1'))]"
          }
        },
        "name": "vnetGtwConfig1"
      },
      {
        "properties": {
          "privateIPAllocationMethod": "Dynamic",
          "subnet": {
            "id": "[variables('gatewaySubnetRef')]"
          },
          "publicIPAddress": {
            "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('gatewayPublicIPName2'))]"
          }
        },
        "name": "vnetGtwConfig2"
      }
    ],
    "sku": {
      "name": "[variables('gatewaySku')]",
      "tier": "[variables('gatewaySku')]"
    },
    "gatewayType": "Vpn",
    "vpnType": "[variables('vpnType')]",
    "enableBgp": true,
    "activeActive": true,
    "bgpSettings": {
      "asn": "[variables('asnVpnGateway')]"
    }
  },
  "comments": "VPN Gateway in active-active configuration with BGP support"
},
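The variable declarations in 3.1 and the requirements listed in 3.5 (a RouteBased gateway, two different private ASNs, subnets that fit the VNet, and a real shared key rather than the template placeholder) can be checked before the template is deployed. The following Python checker is an added example, not part of the article or the template; it embeds a constructed copy of the article's variables block, and the pre-shared-key length threshold is an assumed local policy:

```python
import ipaddress
import re

# Constructed copy of the values from the article's 'variables' block (section 3.1).
# The on-premises public IP is masked in the article and sharedKey is the literal
# placeholder "string"; both are kept as-is so that the checker has something to report.
EXAMPLE_VARIABLES = {
    "azureVNetAddressPrefix": "10.2.0.0/24",
    "subnetPrefix": "10.2.0.0/25",
    "gatewaySubnetPrefix": "10.2.0.224/27",
    "localGatewayIpAddress": "X.243.229.110",
    "localAddressPrefix": ["172.16.0.1/32", "172.16.0.2/32"],
    "vpnType": "RouteBased",
    "sharedKey": "string",
    "asnVpnGateway": 65000,
    "asnRemote": 65010,
    "bgpPeeringAddress": "172.16.0.3",
}

PRIVATE_ASN_16BIT = range(64512, 65535)   # RFC 6996 private 16-bit ASN range
MIN_PSK_LENGTH = 20                       # assumed local policy, not an Azure limit
PLACEHOLDER_KEYS = {"", "string", "secret*1234"}  # template placeholder and the sample CSR key


def check_variables(v):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # BGP over the tunnels needs a route-based gateway (section 3.5).
    if v.get("vpnType") != "RouteBased":
        findings.append("vpnType must be RouteBased to run BGP over the IPsec tunnels")

    # eBGP needs two different ASNs, preferably private ones (section 3.5).
    asn_gw, asn_remote = v.get("asnVpnGateway"), v.get("asnRemote")
    if asn_gw == asn_remote:
        findings.append("asnVpnGateway and asnRemote must differ for eBGP")
    for name, asn in (("asnVpnGateway", asn_gw), ("asnRemote", asn_remote)):
        if asn not in PRIVATE_ASN_16BIT:
            findings.append(f"{name}={asn} is not a 16-bit private ASN")

    # Both subnets must lie inside the VNet address space and must not overlap each other.
    nets = {}
    for key in ("azureVNetAddressPrefix", "subnetPrefix", "gatewaySubnetPrefix"):
        try:
            nets[key] = ipaddress.ip_network(v[key])
        except (KeyError, ValueError):
            findings.append(f"{key} is missing or is not a valid CIDR prefix")
    if len(nets) == 3:
        vnet = nets["azureVNetAddressPrefix"]
        for key in ("subnetPrefix", "gatewaySubnetPrefix"):
            if not nets[key].subnet_of(vnet):
                findings.append(f"{key} {nets[key]} is outside the VNet address space {vnet}")
        if nets["subnetPrefix"].overlaps(nets["gatewaySubnetPrefix"]):
            findings.append("subnetPrefix and gatewaySubnetPrefix overlap")
        if nets["gatewaySubnetPrefix"].prefixlen > 27:
            findings.append("GatewaySubnet is smaller than the /27 Azure recommends")

    # The on-premises VPN endpoint must be a real public IPv4 address (it is masked in the article).
    try:
        gw_ip = ipaddress.ip_address(v.get("localGatewayIpAddress", ""))
        if not gw_ip.is_global:
            findings.append(f"localGatewayIpAddress {gw_ip} is not a globally routable address")
    except ValueError:
        findings.append("localGatewayIpAddress is not a valid IP address (still a placeholder?)")

    # Pre-shared key: reject placeholders and short or low-variety keys (section 4 asks
    # for a more complex key than the examples use).
    psk = str(v.get("sharedKey", ""))
    if psk.lower() in PLACEHOLDER_KEYS:
        findings.append("sharedKey is a placeholder; generate a random key before deploying")
    else:
        classes = sum(bool(re.search(p, psk)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
        if len(psk) < MIN_PSK_LENGTH or classes < 3:
            findings.append(f"sharedKey should have at least {MIN_PSK_LENGTH} characters from 3 character classes")
    return findings


if __name__ == "__main__":
    for finding in check_variables(EXAMPLE_VARIABLES) or ["no findings"]:
        print(finding)
```

Run against the article's values it reports only the masked public IP and the placeholder key; the other checks pass.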

3.6 Establish the IPsec tunnels

The final action of the script creates the IPsec tunnels between the Azure VPN gateway and the on-premises VPN device.

{
  "apiVersion": "[variables('api-version')]",
  "name": "[variables('connectionName')]",
  "type": "Microsoft.Network/connections",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[concat('Microsoft.Network/virtualNetworkGateways/', variables('gatewayName'))]",
    "[concat('Microsoft.Network/localNetworkGateways/', variables('localGatewayName'))]"
  ],
  "properties": {
    "virtualNetworkGateway1": {
      "id": "[resourceId('Microsoft.Network/virtualNetworkGateways', variables('gatewayName'))]"
    },
    "localNetworkGateway2": {
      "id": "[resourceId('Microsoft.Network/localNetworkGateways', variables('localGatewayName'))]"
    },
    "connectionType": "IPsec",
    "routingWeight": 0,
    "sharedKey": "[variables('sharedKey')]",
    "enableBGP": true
  },
  "comments": "Create a Connection type site-to-site (IPsec) between the Azure VPN Gateway and the VPN device on-premises"
}

4. Configure the on-premises VPN device

The Azure VPN gateway is compatible with many VPN devices from different vendors. For configuration information and a list of devices that have been validated to work with VPN gateway, see About VPN devices.

When configuring your VPN device, you need the following items:

  • A shared key. This is the same shared key that you specify when creating your site-to-site VPN connection. The examples use a basic shared key. We recommend that you generate a more complex key to use.
  • The public IP address of your VPN gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the public IP address of your VPN gateway using the Azure portal, navigate to Virtual network gateways, then click the name of your gateway.

Typically, eBGP peers are directly connected (often over a WAN connection). However, when you configure eBGP over IPsec VPN tunnels via ExpressRoute Microsoft peering, there are multiple routing domains between the eBGP peers. Use the ebgp-multihop command to establish the eBGP neighbor relationship between the two peers that are not directly connected. The integer that follows the ebgp-multihop command specifies the TTL value in the BGP packets. The command maximum-paths eibgp 2 enables load balancing of traffic between the two BGP paths.

Cisco CSR1000 example

The following example shows the configuration for a Cisco CSR1000 running in a Hyper-V virtual machine as the on-premises VPN device:

!
crypto ikev2 proposal az-PROPOSAL
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy az-POLICY
 proposal az-PROPOSAL
!
crypto ikev2 keyring key-peer1
 peer azvpn1
  address 52.175.253.112
  pre-shared-key secret*1234
 !
!
crypto ikev2 keyring key-peer2
 peer azvpn2
  address 52.175.250.191
  pre-shared-key secret*1234
 !
!
!
crypto ikev2 profile az-PROFILE1
 match address local interface GigabitEthernet1
 match identity remote address 52.175.253.112 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local key-peer1
!
crypto ikev2 profile az-PROFILE2
 match address local interface GigabitEthernet1
 match identity remote address 52.175.250.191 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local key-peer2
!
crypto ikev2 dpd 10 2 on-demand
!
!
crypto ipsec transform-set az-IPSEC-PROPOSAL-SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile az-VTI1
 set transform-set az-IPSEC-PROPOSAL-SET
 set ikev2-profile az-PROFILE1
!
crypto ipsec profile az-VTI2
 set transform-set az-IPSEC-PROPOSAL-SET
 set ikev2-profile az-PROFILE2
!
!
interface Loopback0
 ip address 172.16.0.3 255.255.255.255
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.255
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 52.175.253.112
 tunnel protection ipsec profile az-VTI1
!
interface Tunnel1
 ip address 172.16.0.2 255.255.255.255
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 52.175.250.191
 tunnel protection ipsec profile az-VTI2
!
interface GigabitEthernet1
 description External interface
 ip address x.243.229.110 255.255.255.252
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 10.0.0.1 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
router bgp 65010
 bgp router-id interface Loopback0
 bgp log-neighbor-changes
 network 10.0.0.0 mask 255.255.255.0
 network 10.1.10.0 mask 255.255.255.128
 neighbor 10.2.0.228 remote-as 65000
 neighbor 10.2.0.228 ebgp-multihop 5
 neighbor 10.2.0.228 update-source Loopback0
 neighbor 10.2.0.228 soft-reconfiguration inbound
 neighbor 10.2.0.228 filter-list 10 out
 neighbor 10.2.0.229 remote-as 65000
 neighbor 10.2.0.229 ebgp-multihop 5
 neighbor 10.2.0.229 update-source Loopback0
 neighbor 10.2.0.229 soft-reconfiguration inbound
 maximum-paths eibgp 2
!
ip route 0.0.0.0 0.0.0.0 10.1.10.1
ip route 10.2.0.228 255.255.255.255 Tunnel0
ip route 10.2.0.229 255.255.255.255 Tunnel1
!

5. Configure VPN device filtering and firewalls (optional)

Configure your firewall and filtering according to your requirements.

6. Test and validate the IPsec tunnel

The status of the IPsec tunnels can be verified on the Azure VPN gateway with the following PowerShell command:

Get-AzVirtualNetworkGatewayConnection -Name vpn2local1 -ResourceGroupName myRG | Select-Object  ConnectionStatus,EgressBytesTransferred,IngressBytesTransferred | fl

Example output:

ConnectionStatus        : Connected
EgressBytesTransferred  : 17734660
IngressBytesTransferred : 10538211

To check the status of the tunnels on the Azure VPN gateway instances independently, use the following example:

Get-AzVirtualNetworkGatewayConnection -Name vpn2local1 -ResourceGroupName myRG | Select-Object -ExpandProperty TunnelConnectionStatus

Example output:

Tunnel                           : vpn2local1_52.175.250.191
ConnectionStatus                 : Connected
IngressBytesTransferred          : 4877438
EgressBytesTransferred           : 8754071
LastConnectionEstablishedUtcTime : 11/04/2017 17:03:30

Tunnel                           : vpn2local1_52.175.253.112
ConnectionStatus                 : Connected
IngressBytesTransferred          : 5660773
EgressBytesTransferred           : 8980589
LastConnectionEstablishedUtcTime : 11/04/2017 17:03:13

You can also check the tunnel status on your on-premises VPN device.

Cisco CSR1000 example:

show crypto session detail
show crypto ikev2 sa
show crypto ikev2 session detail
show crypto ipsec sa

Example output:

csr1#show crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: Tunnel1
Profile: az-PROFILE2
Uptime: 00:52:46
Session status: UP-ACTIVE
Peer: 52.175.250.191 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 52.175.250.191
      Desc: (none)
  Session ID: 3
  IKEv2 SA: local 10.1.10.50/4500 remote 52.175.250.191/4500 Active
          Capabilities:DN connid:3 lifetime:23:07:14
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 279 drop 0 life (KB/Sec) 4607976/433
        Outbound: #pkts enc'ed 164 drop 0 life (KB/Sec) 4607992/433

Interface: Tunnel0
Profile: az-PROFILE1
Uptime: 00:52:43
Session status: UP-ACTIVE
Peer: 52.175.253.112 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 52.175.253.112
      Desc: (none)
  Session ID: 2
  IKEv2 SA: local 10.1.10.50/4500 remote 52.175.253.112/4500 Active
          Capabilities:DN connid:2 lifetime:23:07:17
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 668 drop 0 life (KB/Sec) 4607926/437
        Outbound: #pkts enc'ed 477 drop 0 life (KB/Sec) 4607953/437

The line protocol on the Virtual Tunnel Interface (VTI) does not change to "up" until IKE phase 2 has completed. The following command verifies the security association:

csr1#show crypto ikev2 sa

IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.1.10.50/4500       52.175.253.112/4500   none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3277 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
3         10.1.10.50/4500       52.175.250.191/4500   none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3280 sec

IPv6 Crypto IKEv2  SA

csr1#show crypto ipsec sa | inc encaps|decaps
    #pkts encaps: 177, #pkts encrypt: 177, #pkts digest: 177
    #pkts decaps: 296, #pkts decrypt: 296, #pkts verify: 296
    #pkts encaps: 554, #pkts encrypt: 554, #pkts digest: 554
    #pkts decaps: 746, #pkts decrypt: 746, #pkts verify: 746

Verify end-to-end connectivity between the on-premises inside network and the Azure VNet

If the IPsec tunnels are up and the static routes are correctly set, you should be able to ping the IP address of the remote BGP peer:

csr1#ping 10.2.0.228
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.228, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms

#ping 10.2.0.229
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.229, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms

Verify the BGP sessions over IPsec

On the Azure VPN gateway, verify the status of the BGP peers:

Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName vpnGtw -ResourceGroupName SEA-C1-VPN-ER | ft

Example output:

  Asn ConnectedDuration LocalAddress MessagesReceived MessagesSent Neighbor    RoutesReceived State    
  --- ----------------- ------------ ---------------- ------------ --------    -------------- -----    
65010 00:57:19.9003584  10.2.0.228               68           72   172.16.0.10              2 Connected
65000                   10.2.0.228                0            0   10.2.0.228               0 Unknown  
65000 07:13:51.0109601  10.2.0.228              507          500   10.2.0.229               6 Connected

To verify the list of network prefixes received via eBGP from the on-premises VPN concentrator, filter by the "Origin" attribute:

Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName vpnGtw -ResourceGroupName myRG  | Where-Object Origin -eq "EBgp" |ft

In the example output, ASN 65010 is the BGP autonomous system number of the on-premises VPN.

AsPath LocalAddress Network      NextHop     Origin SourcePeer  Weight
------ ------------ -------      -------     ------ ----------  ------
65010  10.2.0.228   10.1.10.0/25 172.16.0.10 EBgp   172.16.0.10  32768
65010  10.2.0.228   10.0.0.0/24  172.16.0.10 EBgp   172.16.0.10  32768

To see the list of advertised routes:

Get-AzVirtualNetworkGatewayAdvertisedRoute -VirtualNetworkGatewayName vpnGtw -ResourceGroupName myRG -Peer 10.2.0.228 | ft

Example output:

AsPath LocalAddress Network        NextHop    Origin SourcePeer Weight
------ ------------ -------        -------    ------ ---------- ------
       10.2.0.229   10.2.0.0/24    10.2.0.229 Igp                  0
       10.2.0.229   172.16.0.10/32 10.2.0.229 Igp                  0
       10.2.0.229   172.16.0.5/32  10.2.0.229 Igp                  0
       10.2.0.229   172.16.0.1/32  10.2.0.229 Igp                  0
65010  10.2.0.229   10.1.10.0/25   10.2.0.229 Igp                  0
65010  10.2.0.229   10.0.0.0/24    10.2.0.229 Igp                  0
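The three checks above (tunnel status, BGP peer state and eBGP-learned prefixes) can be chained into one script that fails when anything is not as expected. This is an added example, not part of the original article; it reuses the connection, gateway and resource group names shown in this article's commands (vpn2local1, vpnGtw, myRG) and the two on-premises prefixes from the learned-route output, and assumes the Az.Network module and an authenticated session.

```powershell
# Added example, not from the original article: a health check that chains the three
# verification commands above. Names reuse those in the article; replace with your own.
# Requires Az.Network and an authenticated session (Connect-AzAccount).
param(
    [string]$ResourceGroupName = 'myRG',
    [string]$GatewayName       = 'vpnGtw',
    [string[]]$ConnectionName  = @('vpn2local1'),
    # Prefixes the on-premises VPN device is expected to advertise (values from the article)
    [string[]]$ExpectedPrefixes = @('10.1.10.0/25', '10.0.0.0/24')
)

$problems = @()

# 1. Every tunnel of every connection must be Connected. The gateway has two instances,
#    so each connection normally lists two tunnels in TunnelConnectionStatus.
foreach ($name in $ConnectionName) {
    $conn = Get-AzVirtualNetworkGatewayConnection -Name $name -ResourceGroupName $ResourceGroupName
    foreach ($t in $conn.TunnelConnectionStatus) {
        if ($t.ConnectionStatus -ne 'Connected') {
            $problems += "Tunnel $($t.Tunnel) is $($t.ConnectionStatus)"
        }
    }
}

# 2. The eBGP peer (on-premises device) and the iBGP peer (other gateway instance) must be
#    Connected. The entry whose Neighbor equals LocalAddress is the instance itself and
#    reports 'Unknown' in the article's sample output, so it is skipped.
$peers = Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName
foreach ($p in ($peers | Where-Object { $_.Neighbor -ne $_.LocalAddress })) {
    if ($p.State -ne 'Connected') {
        $problems += "BGP peer $($p.Neighbor) (ASN $($p.Asn)) is $($p.State)"
    }
}

# 3. Every expected on-premises prefix must appear among the routes learned via eBGP.
$learned = Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName |
    Where-Object Origin -eq 'EBgp' | Select-Object -ExpandProperty Network -Unique
foreach ($prefix in $ExpectedPrefixes) {
    if ($learned -notcontains $prefix) { $problems += "Prefix $prefix not learned via eBGP" }
}

if ($problems.Count -eq 0) {
    Write-Output 'OK: tunnels up, BGP peers connected, expected prefixes learned'
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Save it as a .ps1 and run it after any change to the IPsec policy or BGP configuration; a non-zero exit code makes it usable from a scheduled job or pipeline.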

Example for the on-premises Cisco CSR1000:

csr1#show ip bgp neighbors 10.2.0.228 routes
BGP table version is 7, local router ID is 172.16.0.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   10.2.0.0/24      10.2.0.228                             0 65000 i
 r>   172.16.0.1/32    10.2.0.228                             0 65000 i
 r>   172.16.0.2/32    10.2.0.228                             0 65000 i
 r>   172.16.0.3/32   10.2.0.228                             0 65000 i

Total number of prefixes 4

The list of networks advertised from the on-premises Cisco CSR1000 to the Azure VPN gateway can be shown with the following command:

csr1#show ip bgp neighbors 10.2.0.228 advertised-routes
BGP table version is 7, local router ID is 172.16.0.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   10.0.0.0/24      0.0.0.0                  0         32768 i
 *>   10.1.10.0/25     0.0.0.0                  0         32768 i

Total number of prefixes 2

Next steps