Confused trying to setup IPSec VPN with AWS VPC, BGP Not "working"

Sorry to bring this up again, but I am totally confused about proper tunneling between an AWS VPC and the networks behind the VyOS. I just can't seem to get BGP communication to work, and I would really appreciate some guidance. This is also my first time configuring BGP.
VyOS version is VyOS 1.4-rolling-202112280317

AWS VPC network is 10.220.0.0/16 (a few subnets in that CIDR)
VyOS network is 10.200.0.0/16 (also a few networks, but I need to grant the VPC(s) access to all).

VPN configuration on VyOS:

set vpn ipsec site-to-site peer aws-peer-1 authentication id 'vyos-external-ip'
set vpn ipsec site-to-site peer aws-peer-1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer aws-peer-1 authentication pre-shared-secret ''
set vpn ipsec site-to-site peer aws-peer-1 description 'VPC aws VPC tunnel 0'
set vpn ipsec site-to-site peer aws-peer-1 ike-group 'VPC-aws-0'
set vpn ipsec site-to-site peer aws-peer-1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer aws-peer-1 local-address 'vyos-external-ip'
set vpn ipsec site-to-site peer aws-peer-1 vti bind 'vti00'
set vpn ipsec site-to-site peer aws-peer-1 vti esp-group 'VPC-aws-0'

set vpn ipsec site-to-site peer aws-peer-2 authentication id 'vyos-external-ip'
set vpn ipsec site-to-site peer aws-peer-2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer aws-peer-2 authentication pre-shared-secret ''
set vpn ipsec site-to-site peer aws-peer-2 description 'VPC aws VPC tunnel 1'
set vpn ipsec site-to-site peer aws-peer-2 ike-group 'VPC-aws-1'
set vpn ipsec site-to-site peer aws-peer-2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer aws-peer-2 local-address 'vyos-external-ip'
set vpn ipsec site-to-site peer aws-peer-2 vti bind 'vti01'
set vpn ipsec site-to-site peer aws-peer-2 vti esp-group 'VPC-aws-1'

Current BGP configuration:

set protocols bgp address-family ipv4-unicast network 10.200.0.0/16
set protocols bgp local-as '65000'
set protocols bgp neighbor 169.254.13.89 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 169.254.13.89 description 'BGP VPC 0'
set protocols bgp neighbor 169.254.13.89 disable-connected-check
set protocols bgp neighbor 169.254.13.89 remote-as '64512'
set protocols bgp neighbor 169.254.13.89 update-source '169.254.13.90'
set protocols bgp neighbor 169.254.88.237 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 169.254.88.237 description 'BGP VPC 1'
set protocols bgp neighbor 169.254.88.237 disable-connected-check
set protocols bgp neighbor 169.254.88.237 remote-as '64512'
set protocols bgp neighbor 169.254.88.237 update-source '169.254.88.238'
set protocols bgp parameters router-id '10.0.2.2'

Static routing through the VTIs:

set protocols static route 10.220.0.0/16 interface vti00
set protocols static route 10.220.0.0/16 interface vti01

With everything I've tried so far (recreating the tunnels multiple times and trying to mess about with the BGP configuration), I can only receive BGP traffic from AWS on the VTIs (checking with tcpdump).
I don't see any responses on the VTIs.
I am totally confused as to why this could be happening and would really appreciate some guidance.

Hi,

I am running the following configuration on the VyOS side:

Thanks, what I have in place is I think similar to yours, just using 1.4.

set protocols bgp address-family ipv4-unicast network 10.200.0.0/16
set protocols bgp local-as '65000'
set protocols bgp neighbor 169.254.13.89 address-family ipv4-unicast maximum-prefix '50'
set protocols bgp neighbor 169.254.13.89 address-family ipv4-unicast nexthop-self
set protocols bgp neighbor 169.254.13.89 address-family ipv4-unicast prefix-list export 'AWS_64512-OUT'
set protocols bgp neighbor 169.254.13.89 address-family ipv4-unicast prefix-list import 'AWS_64512-IN'
set protocols bgp neighbor 169.254.13.89 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 169.254.13.89 capability dynamic
set protocols bgp neighbor 169.254.13.89 description 'BGP VPC 0'
set protocols bgp neighbor 169.254.13.89 ebgp-multihop '2'
set protocols bgp neighbor 169.254.13.89 remote-as '64512'
set protocols bgp neighbor 169.254.13.89 timers holdtime '30'
set protocols bgp neighbor 169.254.13.89 timers keepalive '10'
set protocols bgp neighbor 169.254.13.89 update-source 'eth2'
set protocols bgp neighbor 169.254.88.237 address-family ipv4-unicast maximum-prefix '50'
set protocols bgp neighbor 169.254.88.237 address-family ipv4-unicast nexthop-self
set protocols bgp neighbor 169.254.88.237 address-family ipv4-unicast prefix-list export 'AWS_64512-OUT'
set protocols bgp neighbor 169.254.88.237 address-family ipv4-unicast prefix-list import 'AWS_64512-IN'
set protocols bgp neighbor 169.254.88.237 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 169.254.88.237 capability dynamic
set protocols bgp neighbor 169.254.88.237 description 'BGP VPC 1'
set protocols bgp neighbor 169.254.88.237 ebgp-multihop '2'
set protocols bgp neighbor 169.254.88.237 remote-as '64512'
set protocols bgp neighbor 169.254.88.237 timers holdtime '30'
set protocols bgp neighbor 169.254.88.237 timers keepalive '10'
set protocols bgp neighbor 169.254.88.237 update-source 'eth2'
set protocols bgp parameters router-id '10.0.2.2'

But VyOS does not communicate:

run show ip bgp summary

IPv4 Unicast Summary (VRF default):
BGP router identifier 10.0.2.2, local AS number 65000 vrf-id 0
BGP table version 3
RIB entries 1, using 184 bytes of memory
Peers 2, using 1446 KiB of memory

Neighbor         V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd  PfxSnt  Desc
169.254.13.89    4  64512        0        0       0    0     0  never     Active             0  BGP VPC 0
169.254.88.237   4  64512        0        0       0    0     0  never     Active             0  BGP VPC 1

Total number of neighbors 2

Weird, I have gotten BGP communication to work after setting up a transit gateway on the AWS side and attaching it.

run show ip bgp summary

IPv4 Unicast Summary (VRF default):
BGP router identifier 10.0.2.2, local AS number 65000 vrf-id 0
BGP table version 5
RIB entries 3, using 552 bytes of memory
Peers 4, using 2892 KiB of memory

Neighbor         V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd  PfxSnt  Desc
169.254.13.89    4  64512        0        0       0    0     0  never     Active             0  BGP VPC 0
169.254.88.237   4  64512        0        0       0    0     0  never     Active             0  BGP VPC 1
169.254.108.57   4  64512      100       98       0    0     0  00:15:59  1                  1  BGP VPC 3
169.254.136.137  4  64512      101       99       0    0     0  00:16:06  1                  1  BGP VPC 2

Total number of neighbors 4

I guess I can delete the previous VPN config … and now figure out how to allow other VPCs to enjoy this?
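As an added example (not from this thread, VyOS or FRR), a small Python parser for the "show ip bgp summary" output quoted above that separates neighbors stuck in Active with no messages exchanged, the symptom in both outputs, from peers that established over the transit gateway, and from peers that established but received no prefixes. The sample text is constructed from the rows in the second summary.

```python
import re
from collections import namedtuple

# Constructed sample: the second 'show ip bgp summary' quoted in the thread,
# two neighbors stuck in Active and two Established over the transit gateway.
SAMPLE = """\
IPv4 Unicast Summary (VRF default):
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc
169.254.13.89 4 64512 0 0 0 0 0 never Active 0 BGP VPC 0
169.254.88.237 4 64512 0 0 0 0 0 never Active 0 BGP VPC 1
169.254.108.57 4 64512 100 98 0 0 0 00:15:59 1 1 BGP VPC 3
169.254.136.137 4 64512 101 99 0 0 0 00:16:06 1 1 BGP VPC 2
Total number of neighbors 4
"""

Neighbor = namedtuple("Neighbor", "ip remote_as msg_rcvd msg_sent up_down state pfx_rcvd pfx_sent desc")

# One neighbor row: address, BGP version, AS, five counters, Up/Down, State/PfxRcd, PfxSnt, description.
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\d\s+(\d+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")

def parse_bgp_summary(text):
    """Return one Neighbor per row of FRR's 'show ip bgp summary' output."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, memory and total lines carry no per-neighbor state
        ip, asn, rcvd, sent, updown, st, pfxsnt, desc = m.groups()
        # FRR prints the received-prefix count in State/PfxRcd once the session is
        # Established, and the FSM state name (Active, Idle, Connect, ...) otherwise.
        state, pfx_rcvd = ("Established", int(st)) if st.isdigit() else (st, 0)
        peers.append(Neighbor(ip, int(asn), int(rcvd), int(sent), updown, state, pfx_rcvd, int(pfxsnt), desc.strip()))
    return peers

def diagnose(peers):
    """Map each unhealthy neighbor to a one-line finding; healthy peers are omitted."""
    findings = {}
    for p in peers:
        if p.state == "Established":
            if p.pfx_rcvd == 0:
                findings[p.ip] = "Established but 0 prefixes received: check what the peer advertises and the import prefix-list"
        elif p.msg_rcvd == 0 and p.msg_sent == 0:
            # Active with zero messages means the TCP/179 connection never completes,
            # so the tunnel, the update-source address or reachability is the problem.
            findings[p.ip] = f"{p.state}, no BGP messages exchanged: TCP/179 to the peer never completes"
        else:
            findings[p.ip] = f"{p.state} after exchanging messages: session negotiated then dropped (check AS, timers, capabilities)"
    return findings
```

Run it as diagnose(parse_bgp_summary(SAMPLE)) on the sample, or on the saved output of "run show ip bgp summary" from a VyOS box.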
