OpenBGP routes not getting installed



  • I've established OpenBGP peering over IPSec to 2 different Azure Vnet gateways (each in separate Vnets). I see routes coming from each of them in the openbgp stats page:

    flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
    origin: i = IGP, e = EGP, ? = Incomplete
    
    flags destination          gateway          lpref   med aspath origin
    AI*>  192.168.0.0/22       0.0.0.0            100     0 i
          192.168.252.0/24     192.168.252.254    100     0 65200 i
          192.168.253.0/24     192.168.252.254    100     0 65200 i
          192.168.254.0/24     192.168.254.254    100     0 65100 i
          192.168.255.0/24     192.168.254.254    100     0 65100 i
    

    However, for whatever reason, these routes are not making it into the pfSense's routing table in diagnostics->routing, or in results from netstat -nr, so my LAN devices cannot reach into my Azure Vnets.

    Oddly enough, Azure was sending me a /32 of my pfSense's local BGP peer IP. I was able to get that removed from the table above using deny from any prefix { 0.0.0.0/0, 192.168.1.1/32 } so at least we know the filtering is working. But why aren't the routes installed? (I do have fib-update yes in the config.)



  • Not sure if I'm supposed to manually create an SA for the bearer traffic (between 192.168.0.0/22 and 192.168.255.0/24) to go along with the SA I created between the BGP peer IPs?

    I noticed I was not getting any encrypted traffic out my WAN interface when trying to ping from 192.168.0.0/22 to 192.168.255.0/24, so I did add an additional SA between 192.168.0.0/22 and 192.168.255.0/24 in pfSense, and now I do see encrypted traffic when I ping, but still no routes in netstat -nr, so this leaves me a bit concerned as to whether or not I'll have good BGP routing resilience in the first place...
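
An added example, not part of the original posts: it parses the RIB listing quoted in the first post using the flag legend printed with it, and lists the prefixes that are not marked both Valid and Selected, grouped by gateway. In OpenBGPD a route that is not selected is not a candidate for the kernel routing table, so this is the first thing to read off that listing. The function names are hypothetical, the listing is copied from the post, and only IPv4 prefixes are handled.

```python
import re
from collections import defaultdict

# RIB listing copied from the first post (OpenBGPD status page output).
RIB_TEXT = """\
flags destination          gateway          lpref   med aspath origin
AI*>  192.168.0.0/22       0.0.0.0            100     0 i
      192.168.252.0/24     192.168.252.254    100     0 65200 i
      192.168.253.0/24     192.168.252.254    100     0 65200 i
      192.168.254.0/24     192.168.254.254    100     0 65100 i
      192.168.255.0/24     192.168.254.254    100     0 65100 i
"""

# Flag legend as printed above the listing in the post.
FLAG_NAMES = {"*": "Valid", ">": "Selected", "I": "via IBGP",
              "A": "Announced", "S": "Stale"}
PREFIX_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+/\d+$")


def parse_rib(text):
    """Return one dict per route line of the listing."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "flags":
            continue  # blank line or column header
        # The flags column is blank when no flag is set, so the first
        # field is then already the destination prefix.
        flags = "" if PREFIX_RE.match(fields[0]) else fields.pop(0)
        if len(fields) < 5 or not PREFIX_RE.match(fields[0]):
            continue  # not a route line
        routes.append({
            "flags": {FLAG_NAMES[f] for f in flags if f in FLAG_NAMES},
            "prefix": fields[0], "gateway": fields[1],
            "lpref": int(fields[2]), "med": int(fields[3]),
            "aspath": fields[4:-1], "origin": fields[-1],
        })
    return routes


def not_selected_by_gateway(routes):
    """Map gateway -> prefixes that are not both Valid and Selected."""
    pending = defaultdict(list)
    for r in routes:
        if not {"Valid", "Selected"} <= r["flags"]:
            pending[r["gateway"]].append(r["prefix"])
    return dict(pending)


if __name__ == "__main__":
    for gw, prefixes in not_selected_by_gateway(parse_rib(RIB_TEXT)).items():
        print(f"{gw}: not Valid+Selected -> {', '.join(prefixes)}")
```

On the listing from the post, every prefix learned from AS 65200 and AS 65100 is reported, and only the locally announced 192.168.0.0/22 carries the Valid and Selected flags.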


 
