This article describes how to connect an Allied Telesis AR4050S, AR3050S, AR2050V, AR2010V or AR1050V to an Azure VPN gateway, using a policy-based or route-based configuration. For more information about policy-based and route-based configuration, see https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps.

Configuring Microsoft Azure

  1. Create a virtual network
    • Click on Create a resource
    • Click on Networking
    • Click on Virtual Network
    • Fill in the following fields:
      • Name
      • Address space
      • Subscription (select which existing subscription to use)
      • Resource group (create and name a new group, or select an existing one)
      • Location (select from dropdown)
      • Subnet Name
      • Subnet Address range
    • Click on Create
    • Wait for the deployment to finish and the Virtual Network to be created
  2. Set the public IP address
    • Click on Create a resource
    • In the search bar, search for Public IP address
    • Click on Create
    • Fill in the following fields:
      • Name
      • IP address assignment (Dynamic)
      • Subscription (select the same subscription as before)
      • Resource group (select the same resource group as before)
      • Location (select the same location as before)
    • Click on Create
    • Wait for the deployment to finish and the public IP address to be created
  3. Create a virtual network gateway
    • Click on Create a resource
    • Click on Networking
    • Click on Virtual network gateway
    • Fill in the following fields:
      • Name
      • VPN type (Policy-based or Route-based)
      • Virtual Network (select the virtual network you created earlier)
      • Public IP address (use the existing public IP address you created earlier)
      • Subscription (select the same subscription as before)
      • Resource group (select the same resource group as before)
      • Location (select the same location as before)
    • Click on Create
    • Wait for the deployment to finish and the virtual network gateway to be created
  4. Create a local network gateway
    • Click on Create a resource
    • Click on Networking
    • Click on Local network gateway
    • Fill in the following fields:
      • Name
      • IP address (the public IP address configured on the AW+ router WAN)
      • Address space (the private network configured on the AW+ router)
      • Subscription (select the same subscription as before)
      • Resource group (select the same resource group as before)
      • Location (select the same location as before)
    • Click on Create
    • Wait for the deployment to finish and the local network gateway to be created
  5. Create a connection
    • Click on Create a resource
    • In the search bar, search for Connection
    • Click on Create
    • On the Basics tab, fill in the following fields:
      • Connection type (Site-to-site)
      • Subscription (select the same subscription as before)
      • Resource group (select the same resource group as before)
      • Location (select the same location as before)
    • Click on OK
    • On the Settings tab, fill in the following fields:
      • Virtual network gateway (select the virtual network gateway you created earlier)
      • Local network gateway (select the local network gateway you created earlier)
      • Shared key (the shared key configured on your gateway device, or create one if it doesn’t already exist)
    • Click on OK
    • On the Summary tab, click on OK
    • Wait for the deployment to finish and the connection to be created

Configuring Your AR Series device

  1. Collect all configuration information

    Before you begin configuration, make sure you have the following information:

    • The AR Series device’s eth1 (WAN) IP address
    • The AR Series device’s vlan1 (LAN) IP address
    • Shared Key
    • Tunnel interface IP address
    • Gateway IP address
    • LAN subnet of the site network
    • Microsoft Azure subnet of virtual network

    When one of these values is used during configuration, it will be noted in red. Replace the sample value with the value from your configuration.

  2. Log in to the device

    Log in to the AR Series device. The factory-set CLI login ID and password are as follows:

    Login: manager
    Password: friend

    Use those to log in at the prompt:

    awplus login: manager
    Password:
    Last login: Fri Nov 13 17:09:55 JST 2015 on ttyS0
    AlliedWare Plus (TM) 5.4.5 11/12/15 03:11:03
    awplus>
  3. Transition to configuration mode

    When you first log in, you will be in non-privileged exec mode. Use the following command to switch to privileged exec mode:

    awplus> enable

    Use the following command to switch from privileged exec mode to global configuration mode:

    awplus# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    awplus(config)#
  4. Set the LAN interface IP address

    Set the IP address on the LAN side interface (vlan1) with the following commands:

    awplus(config)# interface vlan1
    awplus(config-if)# description internal_lan
    awplus(config-if)# ip address 192.168.1.254/24
  5. Create the WAN interface on eth1

    Create a WAN interface on the eth1 interface with the following commands:

    awplus(config)# interface eth1
    awplus(config-if)# description external_wan
    awplus(config-if)# ip address 172.29.0.1/32
  6. Create zones and zone settings

    Define the entities (the communicating parties) that the firewall and NAT rules refer to. Create a zone "private", representing the internal network, with the following commands. The private zone contains both the local LAN subnet and the Azure address space, so traffic between the two sites is matched by the private-to-private firewall rule:

    awplus(config)# zone private
    awplus(config-zone)# network lan
    awplus(config-network)# ip subnet 192.168.1.0/24
    awplus(config-network)# ip subnet 10.0.0.0/16

    Create a zone "public", representing the external network, with the following commands:

    awplus(config)# zone public
    awplus(config-zone)# network wan
    awplus(config-network)# ip subnet 0.0.0.0/0 interface eth1
    awplus(config-network)# host wan_ip
    awplus(config-host)# ip address 172.29.0.1
  7. Create application and application settings

    Define the "applications" that identify the traffic a firewall or NAT rule applies to. Define a custom application "esp", representing IPsec ESP packets (IP protocol 50), with the following commands:

    awplus(config)# application esp
    awplus(config-application)# protocol 50

    Define a custom application "isakmp", representing ISAKMP packets, with the following commands:

    awplus(config)# application isakmp
    awplus(config-application)# protocol udp
    awplus(config-application)# sport 500
    awplus(config-application)# dport 500
  8. Configure the Firewall and NAT

    Configure the firewall to allow ISAKMP and ESP packets to and from the WAN address while blocking all other communication from outside; once `protect` is enabled, traffic not matched by a permit rule is dropped. Set the firewall rules so that communication originating inside can pass freely, with the following commands:

    awplus(config)# firewall
    awplus(config-firewall)# rule 10 permit isakmp from public.wan.wan_ip to public.wan
    awplus(config-firewall)# rule 20 permit isakmp from public.wan to public.wan.wan_ip
    awplus(config-firewall)# rule 30 permit esp from public.wan to public.wan.wan_ip
    awplus(config-firewall)# rule 40 permit esp from public.wan.wan_ip to public.wan
    awplus(config-firewall)# rule 50 permit any from private to private
    awplus(config-firewall)# rule 60 permit any from private to public
    awplus(config-firewall)# protect

    Configure NAT so that all computers on the LAN are masqueraded behind the WAN address (dynamic ENAT) with the following commands:

    awplus(config)# nat
    awplus(config-nat)# rule 10 masq any from private to public
    awplus(config-nat)# enable
  9. Configure IPsec

    Create the policy "Azure-isakmp" for IKE Phase 1 with the following commands:

    For a Policy-based configuration:

    awplus(config)# crypto isakmp profile Azure-isakmp
    awplus(config-isakmp-profile)# version 1 mode main
    awplus(config-isakmp-profile)# lifetime 28800
    awplus(config-isakmp-profile)# transform 1 integrity sha1 encryption aes256 group 2

    For a Route-based configuration:

    awplus(config)# crypto isakmp profile Azure-isakmp
    awplus(config-isakmp-profile)# version 2
    awplus(config-isakmp-profile)# lifetime 28800
    awplus(config-isakmp-profile)# transform 1 integrity sha1 encryption aes256 group 2
    
    awplus(config)# crypto isakmp key ABCDEFGHIJKLMNOPQRSTUVWXYZ1234 address 172.16.0.1
    awplus(config)# crypto isakmp peer address 172.16.0.1 profile Azure-isakmp

    Create the policy "Azure-ipsec" for IKE Phase 2 with the following commands:

    awplus(config)# crypto ipsec profile Azure-ipsec
    awplus(config-ipsec-profile)# lifetime seconds 3600
    awplus(config-ipsec-profile)# transform 1 protocol esp integrity sha1 encryption aes256
  10. Create and set the tunnel interface

    Create the IPsec tunnel interface “tunnel 0” with the following command:

    awplus(config)# int tunnel0

    Specify the IPsec tunnel's source (this device's WAN interface) and destination (the public IP address of the Azure virtual network gateway) with the following commands:

    awplus(config-if)# tunnel source eth1
    awplus(config-if)# tunnel destination 172.16.0.1

    Specify the policy to be used in IKE phase 2 with the following command:

    awplus(config-if)# tunnel protection ipsec profile Azure-ipsec

    Specify the range of the network to communicate with the following commands:

    awplus(config-if)# tunnel local selector 192.168.1.0/24
    awplus(config-if)# tunnel remote selector 10.0.0.0/16

    Specify the tunneling method with the following command:

    awplus(config-if)# tunnel mode ipsec ipv4

    Set IP address to enable IP communication with the following command:

    awplus(config-if)# ip address 172.30.0.1/32

    Enable rewriting the MSS value of TCP packets passing through the tunnel interface with the following command:

    awplus(config-if)# ip tcp adjust-mss 1260
  11. Set the default route

    Set the default route out of the WAN interface, and route traffic for the Microsoft Azure virtual network through the IPsec tunnel, with the following commands. The second route for the Azure subnet points to the Null interface with administrative distance 254; it only takes effect when tunnel0 is down, so Azure-bound traffic is then dropped instead of being forwarded unencrypted via the default route:

    awplus(config)# ip route 0.0.0.0/0 eth1
    awplus(config)# ip route 10.0.0.0/16 tunnel0
    awplus(config)# ip route 10.0.0.0/16 null 254
  12. Exit configuration mode and save the configuration

    Configuration is now complete. Save the current settings as startup configuration with the following commands:

    awplus(config)# exit
    awplus# copy running-config startup-config
  13. Verify the configuration

    Display the current settings (running config) with the following command:

    awplus# show running-config

    Compare the results of the show command to the following example, and check whether the settings are correct. The values in red should match the values from your configuration.

    !
    interface eth1
     description external_wan
     ip address 172.29.0.1/32
    !
    interface vlan1
     description internal_lan
     ip address 192.168.1.254/24
    !
    zone private
     network lan
     ip subnet 10.0.0.0/16
     ip subnet 192.168.1.0/24
    !
    zone public
     network wan
      ip subnet 0.0.0.0/0 interface eth1
     host wan_ip
      ip address 172.29.0.1
    !
    application esp
     protocol 50
    !
    application isakmp
     protocol udp
     sport 500
     dport 500
    !
    firewall
     rule 10 permit isakmp from public.wan.wan_ip to public.wan
     rule 20 permit isakmp from public.wan to public.wan.wan_ip
     rule 30 permit esp from public.wan to public.wan.wan_ip
     rule 40 permit esp from public.wan.wan_ip to public.wan
     rule 50 permit any from private to private
     rule 60 permit any from private to public
     protect
    !
    nat
     rule 10 masq any from private to public
     enable
    !
    crypto ipsec profile Azure-ipsec
     lifetime seconds 3600
     transform 1 protocol esp integrity SHA1 encryption AES256
    !
    crypto isakmp profile Azure-isakmp
     version 2
     lifetime 28800
     transform 1 integrity SHA1 encryption AES256 group 2
    !
    crypto isakmp key ABCDEFGHIJKLMNOPQRSTUVWXYZ1234 address 172.16.0.1
    !
    crypto isakmp peer address 172.16.0.1 profile Azure-isakmp
    !
    interface tunnel0
     tunnel source eth1
     tunnel destination 172.16.0.1
     tunnel protection ipsec profile Azure-ipsec
     tunnel local selector 192.168.1.0/24
     tunnel remote selector 10.0.0.0/16
     tunnel mode ipsec ipv4
     ip address 172.30.0.1/32
     ip tcp adjust-mss 1260
    !
    ip route 0.0.0.0/0 172.29.0.2
    ip route 10.0.0.0/16 tunnel0
    ip route 10.0.0.0/16 Null 254
    !
    end
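    As an added example (not from the original article or from Allied Telesis), the following Python script splits a running-config like the one above into its `!`-separated blocks and checks the settings this article depends on: the inbound firewall rules for ISAKMP and ESP, `protect` being enabled, the IKE version matching the gateway type, the tunnel remote selector matching the Azure address space, and the Null blackhole route. The sample configuration is a constructed excerpt of the output shown above; the policy-based check assumes the running-config shows the profile line in the same form as the command on this page.

```python
import re

# Constructed excerpt of the running-config shown above (input for this added example).
SAMPLE_CONFIG = """\
firewall
 rule 20 permit isakmp from public.wan to public.wan.wan_ip
 rule 30 permit esp from public.wan to public.wan.wan_ip
 protect
!
crypto isakmp profile Azure-isakmp
 version 2
!
interface tunnel0
 tunnel remote selector 10.0.0.0/16
!
ip route 10.0.0.0/16 tunnel0
ip route 10.0.0.0/16 Null 254
"""

def parse_blocks(config):
    """Map each top-level command to its indented child lines; '!' ends a block."""
    blocks, header = {}, None
    for line in config.splitlines():
        if line == "!" or not line.strip():
            header = None
        elif line.startswith(" ") and header is not None:
            blocks[header].append(line.strip())
        else:
            header = line.strip()
            blocks.setdefault(header, [])
    return blocks

def check_azure_vpn(config, remote_subnet, route_based=True):
    """Return findings for the settings this article relies on; [] means all present."""
    blocks = parse_blocks(config)
    findings = []
    fw = blocks.get("firewall", [])
    for app in ("isakmp", "esp"):  # inbound rules toward the WAN host (rules 20 and 30)
        if not any(re.match(rf"rule \d+ permit {app} from public\.wan to ", r) for r in fw):
            findings.append(f"no inbound firewall rule for {app}")
    if "protect" not in fw:
        findings.append("firewall rules defined but not enforced ('protect' missing)")
    # Azure: route-based gateways use IKEv2, policy-based gateways use IKEv1 main mode
    # (assumed to appear in the running-config as written in the command above).
    want = "version 2" if route_based else "version 1 mode main"
    if want not in blocks.get("crypto isakmp profile Azure-isakmp", []):
        findings.append(f"Azure-isakmp profile should contain '{want}'")
    if f"tunnel remote selector {remote_subnet}" not in blocks.get("interface tunnel0", []):
        findings.append("tunnel remote selector does not match the Azure address space")
    if f"ip route {remote_subnet} Null 254" not in blocks:  # running-config shows 'Null'
        findings.append("no Null blackhole route: Azure traffic would follow the default "
                        "route in clear text while the tunnel is down")
    return findings
```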
  14. Test the configuration

    Run the following show commands to test the configuration:

    awplus# show ipsec sa
    awplus# show isakmp sa

    Output similar to the following will be displayed:

    awplus# show ipsec sa
    --------------------------------------------------------------------
    Peer              SPI (in:out)          Mode          Proto  Expires     
                      Encryption            Integrity     PFS  
    --------------------------------------------------------------------
    172.16.0.1        c74bd754:27e7f6a0     tunnel        ESP    3130s       
                      AES256                SHA1          -
    
    awplus# show isakmp sa
    --------------------------------------------------------------------
    Peer       Cookies (initiator:responder)     Auth Ver    Expires
               Encryption    Integrity    Group  DPD  NATT   State
    --------------------------------------------------------------------
    10.0.0.20  f93c2717a1ece407:972bc0c77344d7a4 PSK  1      78340s
               AES256        SHA256       2      yes  no     Established
    10.0.0.22  ccb7f90b54945375:2642525bd20f3428 PSK  1      3334s
               3DES          SHA1         2      yes  no     Established
    10.0.0.25  bd0efef134c86656:d46d0b1b72b46444 PSK  1      819s
               AES128        SHA1         2      yes  no     Established
    

    Ping a remote private IP address within the Azure network, for example:

    awplus# ping 10.0.0.100 source 192.168.1.254
    PING 10.0.0.100 (10.0.0.100) from 192.168.1.254 : 56(84) bytes of data.
    64 bytes from 10.0.0.100: icmp_req=1 ttl=127 time=7.71 ms
    64 bytes from 10.0.0.100: icmp_req=2 ttl=127 time=7.53 ms
    64 bytes from 10.0.0.100: icmp_req=3 ttl=127 time=7.07 ms
    64 bytes from 10.0.0.100: icmp_req=4 ttl=127 time=6.89 ms
    64 bytes from 10.0.0.100: icmp_req=5 ttl=127 time=7.06 ms
    
    --- 10.0.0.100 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4003ms
    rtt min/avg/max/mdev = 6.899/7.256/7.716/0.330 ms
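    As an added example that is not part of the original article, this Python script parses the two-line records of the `show isakmp sa` output above and reports SAs that are not Established, use weak encryption, run the wrong IKE version for the gateway type, or are close to expiry. The sample output is the one shown above, embedded as a constructed string; the expected peer address and IKE version are parameters you supply.

```python
# Sample 'show isakmp sa' output copied from the article above (constructed input).
SAMPLE_ISAKMP = """\
--------------------------------------------------------------------
Peer       Cookies (initiator:responder)     Auth Ver    Expires
           Encryption    Integrity    Group  DPD  NATT   State
--------------------------------------------------------------------
10.0.0.20  f93c2717a1ece407:972bc0c77344d7a4 PSK  1      78340s
           AES256        SHA256       2      yes  no     Established
10.0.0.22  ccb7f90b54945375:2642525bd20f3428 PSK  1      3334s
           3DES          SHA1         2      yes  no     Established
10.0.0.25  bd0efef134c86656:d46d0b1b72b46444 PSK  1      819s
           AES128        SHA1         2      yes  no     Established
"""

# Column order once the two lines of one SA record are joined.
FIELDS = ("peer", "cookies", "auth", "ver", "expires",
          "enc", "integ", "group", "dpd", "natt", "state")
WEAK_ENCRYPTION = {"DES", "3DES"}

def parse_isakmp_sa(text):
    """Return one dict per SA. Each SA spans two lines: drop the rulers and the
    two header lines, then join each line pair and split on whitespace."""
    rows = [l for l in text.splitlines() if l.strip() and not l.startswith("-")][2:]
    return [dict(zip(FIELDS, (a + " " + b).split()))
            for a, b in zip(rows[0::2], rows[1::2])]

def audit_isakmp(text, expected_peer, expected_ver="2", min_expires=600):
    """Return operator findings; an empty list means the IKE SAs look healthy.
    expected_ver is "2" for a route-based Azure gateway and "1" for policy-based."""
    sas = parse_isakmp_sa(text)
    findings = []
    if not any(sa["peer"] == expected_peer for sa in sas):
        findings.append(f"no ISAKMP SA with {expected_peer}: IKE phase 1 never completed")
    for sa in sas:
        if sa["state"] != "Established":
            findings.append(f"{sa['peer']}: SA state is {sa['state']}")
        if sa["ver"] != expected_ver:
            findings.append(f"{sa['peer']}: IKEv{sa['ver']} in use, gateway type needs IKEv{expected_ver}")
        if sa["enc"] in WEAK_ENCRYPTION:
            findings.append(f"{sa['peer']}: weak encryption {sa['enc']}")
        if int(sa["expires"].rstrip("s")) < min_expires:
            findings.append(f"{sa['peer']}: SA expires in {sa['expires']}, watch for rekey")
    return findings

if __name__ == "__main__":
    for finding in audit_isakmp(SAMPLE_ISAKMP, "10.0.0.20", expected_ver="1"):
        print(finding)
```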