Added Azure VPN examples

Added Azure VPN examples for a single and redundant tunnels with BGP.

This configuration has been tested and it's been proven solid so far.

docs/appendix/examples/azure-vpn-bgp.rst

@@ -0,0 +1,128 @@
+.. _examples-azure-vpn-bgp:
+
+Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)
+------------------------------------------------------------
+
+This guide shows an example of a route-based IKEv2 site-to-site VPN to
+Azure using VTI and BGP for dynamic routing updates.
+
+Prerequisites
+^^^^^^^^^^^^^
+
+- A pair of Azure VNet Gateways deployed in active-passive
+  configuration with BGP enabled.
+
+- A local network gateway deployed in Azure representing
+  the Vyos device, matching the below Vyos settings except for
+  address space, which only requires the Vyos private IP, in
+  this example 10.10.0.5/32
+
+- A connection resource deployed in Azure linking the
+  Azure VNet gateway and the local network gateway representing
+  the Vyos device.
+
+Example
+^^^^^^^
+
++---------------------------------------+---------------------+
+| WAN Interface                         | eth0                |
++---------------------------------------+---------------------+
+| On-premises address space             | 10.10.0.0/16        |
++---------------------------------------+---------------------+
+| Azure address space                   |  10.0.0.0/16        |
++---------------------------------------+---------------------+
+| Vyos public IP                        | 198.51.100.3        |
++---------------------------------------+---------------------+
+| Vyos private IP                       | 10.10.0.5           |
++---------------------------------------+---------------------+
+| Azure VNet Gateway public IP          |  203.0.113.2        |
++---------------------------------------+---------------------+
+| Azure VNet Gateway BGP IP             |  10.0.0.4           |
++---------------------------------------+---------------------+
+| Pre-shared key                        | ch00s3-4-s3cur3-psk |
++---------------------------------------+---------------------+
+| Vyos ASN                              | 64499               |
++---------------------------------------+---------------------+
+| Azure ASN                             | 65540               |
++---------------------------------------+---------------------+
+
+Vyos configuration
+^^^^^^^^^^^^^^^^^^
+
+- Configure the IKE and ESP settings to match a subset
+  of those supported by Azure:
+
+.. code-block:: sh
+
+  set vpn ipsec esp-group AZURE compression 'disable'
+  set vpn ipsec esp-group AZURE lifetime '3600'
+  set vpn ipsec esp-group AZURE mode 'tunnel'
+  set vpn ipsec esp-group AZURE pfs 'dh-group2'
+  set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
+  set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
+
+  set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
+  set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
+  set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
+  set vpn ipsec ike-group AZURE ikev2-reauth 'yes'
+  set vpn ipsec ike-group AZURE key-exchange 'ikev2'
+  set vpn ipsec ike-group AZURE lifetime '28800'
+  set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
+  set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
+  set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
+
+- Enable IPsec on eth0
+
+.. code-block:: sh
+
+  set vpn ipsec ipsec-interfaces interface 'eth0'
+
+- Configure a VTI with a dummy IP address
+
+.. code-block:: sh
+
+  set interfaces vti vti1 address '10.10.1.5/32'
+  set interfaces vti vti1 description 'Azure Tunnel'
+
+- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes.
+
+.. code-block:: sh
+
+  set firewall options interface vti1 adjust-mss 1350
+
+- Configure the VPN tunnel
+
+.. code-block:: sh
+
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'
+  set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
+  set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
+  set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
+  set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
+  set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5'
+  set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
+  set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE'
+
+- **Important**: Add an interface route to reach Azure's BGP listener
+
+.. code-block:: sh
+
+  set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
+
+- Configure your BGP settings
+
+.. code-block:: sh
+
+  set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'
+  set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound'
+  set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30'
+  set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10'
+
+- **Important**: Disable connected check \
+
+.. code-block:: sh
+
+  set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check

docs/appendix/examples/azure-vpn-dual-bgp.rst

@@ -0,0 +1,155 @@
+.. _examples-azure-vpn-dual-bgp:
+
+Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)
+----------------------------------------------------------------------
+
+This guide shows an example of a redundant (active-active) route-based IKEv2
+site-to-site VPN to Azure using VTI
+and BGP for dynamic routing updates.
+
+Prerequisites
+^^^^^^^^^^^^^
+
+- A pair of Azure VNet Gateways deployed in active-passive
+  configuration with BGP enabled.
+
+- A local network gateway deployed in Azure representing
+  the Vyos device, matching the below Vyos settings except for
+  address space, which only requires the Vyos private IP, in
+  this example 10.10.0.5/32
+
+- A connection resource deployed in Azure linking the
+  Azure VNet gateway and the local network gateway representing
+  the Vyos device.
+
+Example
+^^^^^^^
+
++---------------------------------------+---------------------+
+| WAN Interface                         | eth0                |
++---------------------------------------+---------------------+
+| On-premises address space             | 10.10.0.0/16        |
++---------------------------------------+---------------------+
+| Azure address space                   |  10.0.0.0/16        |
++---------------------------------------+---------------------+
+| Vyos public IP                        | 198.51.100.3        |
++---------------------------------------+---------------------+
+| Vyos private IP                       | 10.10.0.5           |
++---------------------------------------+---------------------+
+| Azure VNet Gateway 1 public IP        |  203.0.113.2        |
++---------------------------------------+---------------------+
+| Azure VNet Gateway 2 public IP        |  203.0.113.3        |
++---------------------------------------+---------------------+
+| Azure VNet Gateway BGP IP             |  10.0.0.4,10.0.0.5  |
++---------------------------------------+---------------------+
+| Pre-shared key                        | ch00s3-4-s3cur3-psk |
++---------------------------------------+---------------------+
+| Vyos ASN                              | 64499               |
++---------------------------------------+---------------------+
+| Azure ASN                             | 65540               |
++---------------------------------------+---------------------+
+
+Vyos configuration
+^^^^^^^^^^^^^^^^^^
+
+- Configure the IKE and ESP settings to match a subset
+  of those supported by Azure:
+
+.. code-block:: sh
+
+  set vpn ipsec esp-group AZURE compression 'disable'
+  set vpn ipsec esp-group AZURE lifetime '3600'
+  set vpn ipsec esp-group AZURE mode 'tunnel'
+  set vpn ipsec esp-group AZURE pfs 'dh-group2'
+  set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
+  set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
+
+  set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
+  set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
+  set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
+  set vpn ipsec ike-group AZURE ikev2-reauth 'yes'
+  set vpn ipsec ike-group AZURE key-exchange 'ikev2'
+  set vpn ipsec ike-group AZURE lifetime '28800'
+  set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
+  set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
+  set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
+
+- Enable IPsec on eth0
+
+.. code-block:: sh
+
+  set vpn ipsec ipsec-interfaces interface 'eth0'
+
+- Configure two VTIs with a dummy IP address each
+
+.. code-block:: sh
+
+  set interfaces vti vti1 address '10.10.1.5/32'
+  set interfaces vti vti1 description 'Azure Primary Tunnel'
+
+  set interfaces vti vti2 address '10.10.1.6/32'
+  set interfaces vti vti2 description 'Azure Secondary Tunnel'
+
+- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes.
+
+.. code-block:: sh
+
+  set firewall options interface vti1 adjust-mss 1350
+  set firewall options interface vti2 adjust-mss 1350
+
+- Configure the VPN tunnels
+
+.. code-block:: sh
+
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'
+  set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
+  set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
+  set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
+  set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
+  set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5'
+  set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
+  set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE'
+
+  set vpn ipsec site-to-site peer 203.0.113.3 authentication id '198.51.100.3'
+  set vpn ipsec site-to-site peer 203.0.113.3 authentication mode 'pre-shared-secret'
+  set vpn ipsec site-to-site peer 203.0.113.3 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
+  set vpn ipsec site-to-site peer 203.0.113.3 authentication remote-id '203.0.113.3'
+  set vpn ipsec site-to-site peer 203.0.113.3 connection-type 'respond'
+  set vpn ipsec site-to-site peer 203.0.113.3 description 'AZURE SECONDARY TUNNEL'
+  set vpn ipsec site-to-site peer 203.0.113.3 ike-group 'AZURE'
+  set vpn ipsec site-to-site peer 203.0.113.3 ikev2-reauth 'inherit'
+  set vpn ipsec site-to-site peer 203.0.113.3 local-address '10.10.0.5'
+  set vpn ipsec site-to-site peer 203.0.113.3 vti bind 'vti2'
+  set vpn ipsec site-to-site peer 203.0.113.3 vti esp-group 'AZURE'
+
+- **Important**: Add an interface route to reach both Azure's BGP listeners
+
+.. code-block:: sh
+
+  set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
+  set protocols static interface-route 10.0.0.5/32 next-hop-interface vti2
+
+- Configure your BGP settings
+
+.. code-block:: sh
+
+  set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'
+  set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound'
+  set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30'
+  set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10'
+
+  set protocols bgp 64499 neighbor 10.0.0.5 remote-as '65540'
+  set protocols bgp 64499 neighbor 10.0.0.5 address-family ipv4-unicast soft-reconfiguration 'inbound'
+  set protocols bgp 64499 neighbor 10.0.0.5 timers holdtime '30'
+  set protocols bgp 64499 neighbor 10.0.0.5 timers keepalive '10'
+
+- **Important**: Disable connected check, otherwise the routes learned
+  from Azure will not be imported into the routing table.
+
+.. code-block:: sh
+
+  set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check
+  set protocols bgp 64499 neighbor 10.0.0.5 disable-connected-check