Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between a Microsoft Azure VPN gateway and an EdgeRouter using static routing. The following VPN options are available when connecting to Azure:
Microsoft recommends to use Route-Based IKEv2 VPNs over Policy-Based IKEv1 VPNs as it offers additional rich connectivity features. These features include Point-to-Site VPNs, Active Routing Support (BGP), Support for multiple tunnels as well as ECMP with metric routing, Active-Active Azure Gateway configurations for redundancy, Transit Routing with Point-to-Site, DPD detection and Virtual Network Peering.
NOTES & REQUIREMENTS:
Applicable to EdgeOS firmware v1.10.0 and up on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and advanced networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.
More info about Azure VPNs and their requirements can be found here.
Devices used in this article:
Table of Contents
The network topology is shown below and the following interfaces are in use on the EdgeRouter and Azure:
- eth0 (WAN) - 203.0.113.1
- eth1 (LAN) - 192.168.1.1/24
- vti0 - no address
- Virtual Gateway - 192.0.2.1
- Virtual Network - 172.16.0.0/22
- Default Subnet - 172.16.1.0/24
Static routing will be used to facilitate routing between the two sites.
Configuring a Route-Based VPN
CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.
1. Enter configuration mode.
2. Enable the auto-firewall-nat-exclude feature which automatically creates the IPsec firewall/NAT policies in the
set vpn ipsec auto-firewall-nat-exclude enable
3. Create the IKE / Phase 1 (P1) Security Associations (SAs) and set the
key-exchange to IKEv2.
set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
4. Create the ESP / Phase 2 (P2) SAs and disable Perfect Forward Secrecy (PFS).
set vpn ipsec esp-group FOO0 lifetime 27000
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
NOTE: Azure also supports other encryption and hashing methods. For the full list of supported SAs please see the Microsoft article here.
5. Define the Azure VPN Gateway peering address and set the connection-type to
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 connection-type respond
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
ATTENTION: It is of vital importance that the connection-type is set to
6. Link the SAs created above to the Azure peer and bind the VPN to a virtual tunnel interface (vti0).
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0
7. Configure the virtual tunnel interface (vti0) without an IP address assigned to it.
set interfaces vti vti0
8. Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1350.
set firewall options mss-clamp interface-type vti
set firewall options mss-clamp mss 1350
9. Create a static route for the remote subnet.
set protocols static interface-route 172.16.0.0/22 next-hop-interface vti0
10. Commit the changes and save the configuration.
commit ; save
Setting up the Azure Gateway
The Microsoft Azure side of the Site-to-Site VPN connection is based on this Microsoft article.
GUI: Access the Azure Management Portal.
1. Create a Virtual Network.
Dashboard > New > Networking > Virtual Network
Address Space: 172.16.0.0/22
Subnet name: default
Subnet Address Space: 172.16.1.0/24
Resource Group: ServerNetwork
2. Create a Gateway Subnet.
Dashboard > Virtual Networks > ServerNetwork > Subnets > + Gateway subnet
Name: GatewaySubnet (Required / cannot be changed)
Address Range: 172.16.0.0/24 (Cannot be the same as the default subnet address space)
3. Create a Virtual Network Gateway.
Dashboard > New > Networking > Virtual Network Gateway
Gateway Type: VPN
VPN Type: Route-Based
SKU: Basic (depends on usage)
Virtual Network: ServerNetwork
Public IP Address: Create new > VirtualGateway
NOTE: The provisioning process for a new Virtual Gateway will take time. The Gateway Stock-Keeping Unit (SKU) defines the throughput capabilities of the VPN connection. More info about SKUs can be found in this Microsoft article.
4. Create a Local Network Gateway.
Dashboard > New > Networking > Local Network Gateway
IP Address: 203.0.113.1
Address Space: 192.168.1.0/24
5. Create a VPN Connection and link the LocalGateway to the VirtualGateway.
Daskboard >Virtual Network Gateways > VirtualGateway > Connections > + Add
Connection Type: Site-to-Site (IPsec)
Virtual Network Gateway: VirtualGateway
Local Network Gateway: LocalGateway
Shared Key: <secret>
You can verify the Azure Virtual Gateway Connection with the following command:
Get-AzureRmVirtualNetworkGatewayConnection -Name "IPsecER" -ResourceGroupName "ServerNetwork"
Name : IPsecER
ResourceGroupName : ServerNetwork
Location : eastus
ProvisioningState : Succeeded
ConnectionStatus : Connected
EgressBytesTransferred : 3854
IngressBytesTransferred : 3104
NOTE: More info on how to use Windows PowerShell to manage Azure can be found in the this Microsoft article.