How to Set Up a Site-to-Site VPN between Microsoft Azure and an AR-series Router
Configuring Microsoft Azure
- Create a virtual network
- Click on Create a resource
- Click on Networking
- Click on Virtual Network
- Fill in the following fields:
- Name
- Address space
- Subscription (select which existing subscription to use)
- Resource group (create and name a new group, or select an existing one)
- Location (select from dropdown)
- Subnet Name
- Subnet Address range
- Click on Create
- Wait for the deployment to finish and the Virtual Network to be created
- Set the public IP address
- Click on Create a resource
- In the search bar, search for Public IP address
- Click on Create
- Fill in the following fields:
- Name
- IP address assignment (Dynamic)
- Subscription (select the same subscription as before)
- Resource group (select the same resource group as before)
- Location (select the same location as before)
- Click on Create
- Wait for the deployment to finish and the public IP address to be created
- Create a virtual network gateway
- Click on Create a resource
- Click on Networking
- Click on Virtual network gateway
- Fill in the following fields:
- Name
- VPN type (Policy-based or Route-based)
- Virtual Network (select the virtual network you created earlier)
- Public IP address (use the existing public IP address you created earlier)
- Subscription (select the same subscription as before)
- Resource group (select the same resource group as before)
- Location (select the same location as before)
- Click on Create
- Wait for the deployment to finish and the virtual network gateway to be created
- Create a local network gateway
- Click on Create a resource
- Click on Networking
- Click on Local network gateway
- Fill in the following fields:
- Name
- IP address (the public IP address configured on the AW+ router WAN)
- Address space (the private network configured on the AW+ router)
- Subscription (select the same subscription as before)
- Resource group (select the same resource group as before)
- Location (select the same location as before)
- Click on Create
- Wait for the deployment to finish and the local network gateway to be created
- Create a connection
- Click on Create a resource
- In the search bar, search for Connection
- Click on Create
- On the Basics tab, fill in the following fields:
- Connection type (Site-to-site)
- Subscription (select the same subscription as before)
- Resource group (select the same resource group as before)
- Location (select the same location as before)
- Click on OK
- On the Settings tab, fill in the following fields:
- Virtual network gateway (select the virtual network gateway you created earlier)
- Local network gateway (select the local network gateway you created earlier)
- Shared key (the shared key configured on your gateway device, or create one if it doesn’t already exist)
- Click on OK
- On the Summary tab, click on OK
- Wait for the deployment to finish and the connection to be created
Configuring Your AR Series device
- Collect all configuration information
Before you begin configuration, make sure you have the following information:
- The AR Series device’s eth1 (WAN) IP address
- The AR Series device’s vlan1 (LAN) IP address
- Shared Key
- Tunnel interface IP address
- Gateway IP address
- LAN subnet of the site (on-premises) network
- Microsoft Azure subnet of virtual network
Where one of these values is used in the configuration steps below, it appears as a sample value. Replace the sample value with the value from your configuration.
- Login to the device
Log in to the AR Series device. The factory-set CLI login ID and password are as follows:
Login: manager
Password: friend
Use those to log in at the prompt:
awplus login: manager
Password:
Last login: Fri Nov 13 17:09:55 JST 2015 on ttyS0
AlliedWare Plus (TM) 5.4.5 11/12/15 03:11:03
awplus>
- Transition to configuration mode
When you first log in, you will be in non-privileged exec mode. Use the following command to switch to privileged exec mode:
awplus> enable
Use the following command to switch from privileged exec mode to global configuration mode:
awplus# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
awplus(config)#
- Set the LAN interface IP address
Set the IP address on the LAN side interface (vlan 1) with the following commands:
awplus(config)# interface vlan1
awplus(config-if)# description internal lan
awplus(config-if)# ip address 192.168.1.254/24
- Create the WAN interface on ETH1
Create a WAN interface on the ETH 1 interface with the following commands:
awplus(config)# interface eth1
awplus(config-if)# description external wan
awplus(config-if)# ip address 172.29.0.1/32
- Create zones and zone settings
Define the entities (the communicating parties) that firewall and NAT rules refer to. Create a zone "private", representing the internal network, with the following commands:
awplus(config)# zone private
awplus(config-zone)# network lan
awplus(config-network)# ip subnet 192.168.1.0/24
awplus(config-network)# ip subnet 10.0.0.0/16
Create a zone "public", representing the external network, with the following commands:
awplus(config)# zone public
awplus(config-zone)# network wan
awplus(config-network)# ip subnet 0.0.0.0/0 interface eth1
awplus(config-network)# host wan_ip
awplus(config-host)# ip address 172.29.0.1
- Create application and application settings
Define the "applications" that describe the traffic matched by firewall and NAT rules. Define a custom application "esp", representing IPsec ESP packets (IP protocol 50), with the following commands:
awplus(config)# application esp
awplus(config-application)# protocol 50
Define a custom application "isakmp", representing ISAKMP packets, with the following commands:
awplus(config)# application isakmp
awplus(config-application)# protocol udp
awplus(config-application)# sport 500
awplus(config-application)# dport 500
- Configure the Firewall and NAT
Configure the firewall to allow ISAKMP and ESP packets between the WAN address and the outside while blocking all other inbound communication, and to let communication from the inside pass freely, with the following commands:
awplus(config)# firewall
awplus(config-firewall)# rule 10 permit isakmp from public.wan.wan_ip to public.wan
awplus(config-firewall)# rule 20 permit isakmp from public.wan to public.wan.wan_ip
awplus(config-firewall)# rule 30 permit esp from public.wan to public.wan.wan_ip
awplus(config-firewall)# rule 40 permit esp from public.wan.wan_ip to public.wan
awplus(config-firewall)# rule 50 permit any from private to private
awplus(config-firewall)# rule 60 permit any from private to public
awplus(config-firewall)# protect
Configure NAT so that all computers on the LAN can reach the public zone through dynamic ENAT (masquerading) with the following commands:
awplus(config)# nat
awplus(config-nat)# rule 10 masq any from private to public
awplus(config-nat)# enable
- Configure IPsec
Create the ISAKMP profile "Azure-isakmp" for IKE Phase 1 with the following commands. A Policy-based Azure gateway negotiates IKEv1 (main mode); a Route-based gateway negotiates IKEv2.
For a Policy-based configuration:
awplus(config)# crypto isakmp profile Azure-isakmp
awplus(config-isakmp-profile)# version 1 mode main
awplus(config-isakmp-profile)# lifetime 28800
awplus(config-isakmp-profile)# transform 1 integrity sha1 encryption aes256 group 2
For a Route-based configuration:
awplus(config)# crypto isakmp profile Azure-isakmp
awplus(config-isakmp-profile)# version 2
awplus(config-isakmp-profile)# lifetime 28800
awplus(config-isakmp-profile)# transform 1 integrity sha1 encryption aes256 group 2
For either configuration, set the shared key for the Azure gateway address (it must match the shared key entered in the Azure connection) and associate that peer with the profile with the following commands:
awplus(config)# crypto isakmp key ABCDEFGHIJKLMNOPQRSTUVWXYZ1234 address 172.16.0.1
awplus(config)# crypto isakmp peer address 172.16.0.1 profile Azure-isakmp
Create the IPsec profile "Azure-ipsec" for Phase 2 with the following commands:
awplus(config)# crypto ipsec profile Azure-ipsec
awplus(config-ipsec-profile)# lifetime seconds 3600
awplus(config-ipsec-profile)# transform 1 protocol esp integrity sha1 encryption aes256
- Create and set the tunnel interface
Create the IPsec tunnel interface “tunnel 0” with the following command:
awplus(config)# int tunnel0
Specify the IPsec tunnel's start point (own device) and end point (virtual network gateway) with the following commands:
awplus(config-if)# tunnel source eth1
awplus(config-if)# tunnel destination 172.16.0.1
Specify the policy to be used in IKE phase 2 with the following command:
awplus(config-if)# tunnel protection ipsec profile Azure-ipsec
Specify the local and remote networks that may communicate through the tunnel (the traffic selectors) with the following commands:
awplus(config-if)# tunnel local selector 192.168.1.0/24
awplus(config-if)# tunnel remote selector 10.0.0.0/16
Specify the tunneling method with the following command:
awplus(config-if)# tunnel mode ipsec ipv4
Set an IP address on the tunnel interface to enable IP communication with the following command:
awplus(config-if)# ip address 172.30.0.1/32
Enable rewriting of the MSS value of TCP packets passing through the tunnel interface, so that segments fit within the tunnel's reduced MTU, with the following command:
awplus(config-if)# ip tcp adjust-mss 1260
- Set the default route
Set the default route via eth1 and route traffic for the Microsoft Azure virtual network through the IPsec tunnel. The second, lower-preference route (distance 254) to null ensures that, if tunnel0 goes down, Azure-bound traffic is dropped instead of following the default route to the Internet unencrypted. Use the following commands:
awplus(config)# ip route 0.0.0.0/0 eth1
awplus(config)# ip route 10.0.0.0/16 tunnel0
awplus(config)# ip route 10.0.0.0/16 null 254
- Exit configuration mode and save the configuration
Configuration is now complete. Save the current settings as startup configuration with the following commands:
awplus(config)# exit
awplus# copy running-config startup-config
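As an added example (not part of the original guide), the following Python script takes the values collected at the start of this section, checks them for the mistakes that most often leave the tunnel unusable (a LAN subnet that overlaps the Azure virtual network, a gateway address inside one of the subnets, a short shared key) and renders the crypto, tunnel and route commands entered above. The dictionary keys and the sample values are assumptions for this example, taken from the guide's worked values.

```python
import ipaddress

# Constructed sample values matching the guide's worked example (assumption:
# the key names are this example's own, not AlliedWare Plus terms).
SAMPLE = {
    "lan_ip": "192.168.1.254/24",
    "shared_key": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234",
    "tunnel_ip": "172.30.0.1/32",
    "gateway_ip": "172.16.0.1",
    "lan_subnet": "192.168.1.0/24",
    "azure_subnet": "10.0.0.0/16",
}

def validate(v):
    """Return the reasons, if any, why this value set cannot produce a working tunnel."""
    lan = ipaddress.ip_network(v["lan_subnet"])
    azure = ipaddress.ip_network(v["azure_subnet"])
    gateway = ipaddress.ip_address(v["gateway_ip"])
    errors = []
    if lan.overlaps(azure):  # selectors and routes would conflict
        errors.append("LAN subnet overlaps the Azure virtual network")
    if ipaddress.ip_interface(v["lan_ip"]).ip not in lan:
        errors.append("vlan1 address is outside the LAN subnet")
    if gateway in lan or gateway in azure:
        errors.append("Azure gateway IP must not lie inside either subnet")
    if len(v["shared_key"]) < 16:
        errors.append("shared key is shorter than 16 characters")
    return errors

def render(v, route_based=True):
    """Return the crypto, tunnel and route commands in the order the guide enters them."""
    ike_version = "version 2" if route_based else "version 1 mode main"
    return [
        "crypto isakmp profile Azure-isakmp", ike_version, "lifetime 28800",
        "transform 1 integrity sha1 encryption aes256 group 2",
        f"crypto isakmp key {v['shared_key']} address {v['gateway_ip']}",
        f"crypto isakmp peer address {v['gateway_ip']} profile Azure-isakmp",
        "crypto ipsec profile Azure-ipsec", "lifetime seconds 3600",
        "transform 1 protocol esp integrity sha1 encryption aes256",
        "interface tunnel0", "tunnel source eth1",
        f"tunnel destination {v['gateway_ip']}",
        "tunnel protection ipsec profile Azure-ipsec",
        f"tunnel local selector {v['lan_subnet']}",
        f"tunnel remote selector {v['azure_subnet']}",
        "tunnel mode ipsec ipv4", f"ip address {v['tunnel_ip']}",
        "ip tcp adjust-mss 1260", "ip route 0.0.0.0/0 eth1",
        f"ip route {v['azure_subnet']} tunnel0",
        f"ip route {v['azure_subnet']} null 254",
    ]

if __name__ == "__main__":
    problems = validate(SAMPLE)
    print("\n".join(problems or render(SAMPLE)))
```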
- Verify the configuration
Display the current settings (running config) with the following command:
awplus# show running-config
Compare the output of the show command with the following example and check that the settings are correct. The sample values (addresses, subnets and the shared key) should match the values from your configuration.
!
interface eth1
 description external_wan
 ip address 172.29.0.1/32
!
interface vlan1
 description internal_lan
 ip address 192.168.1.254/24
!
zone private
 network lan
  ip subnet 10.0.0.0/16
  ip subnet 192.168.1.0/24
!
zone public
 network wan
  ip subnet 0.0.0.0/0 interface eth1
  host wan_ip
   ip address 172.29.0.1
!
application esp
 protocol 50
!
application isakmp
 protocol udp
 sport 500
 dport 500
!
firewall
 rule 10 permit isakmp from public.wan.wan_ip to public.wan
 rule 20 permit isakmp from public.wan to public.wan.wan_ip
 rule 30 permit esp from public.wan to public.wan.wan_ip
 rule 40 permit esp from public.wan.wan_ip to public.wan
 rule 50 permit any from private to private
 rule 60 permit any from private to public
 protect
!
nat
 rule 10 masq any from private to public
 enable
!
crypto ipsec profile Azure-ipsec
 lifetime seconds 3600
 transform 1 protocol esp integrity SHA1 encryption AES256
!
crypto isakmp profile Azure-isakmp
 version 2
 lifetime 28800
 transform 1 integrity SHA1 encryption AES256 group 2
!
crypto isakmp key ABCDEFGHIJKLMNOPQRSTUVWXYZ1234 address 172.16.0.1
!
crypto isakmp peer address 172.16.0.1 profile Azure-isakmp
!
interface tunnel0
 tunnel source eth1
 tunnel destination 172.16.0.1
 tunnel protection ipsec profile Azure-ipsec
 tunnel local selector 192.168.1.0/24
 tunnel remote selector 10.0.0.0/16
 tunnel mode ipsec ipv4
 ip address 172.30.0.1/32
 ip tcp adjust-mss 1260
!
ip route 0.0.0.0/0 172.29.0.2
ip route 10.0.0.0/16 tunnel0
ip route 10.0.0.0/16 Null 254
!
end
- Test the configuration
Run the following show commands to test the configuration:
awplus# show ipsec sa
awplus# show isakmp sa
Output similar to the following is displayed. Check that the IPsec SA to the Azure gateway uses the configured transform (AES256/SHA1) and that the ISAKMP SA is in the Established state:
awplus# show ipsec sa
--------------------------------------------------------------------
Peer        SPI (in:out)        Mode    Proto  Expires  Encryption  Integrity  PFS
--------------------------------------------------------------------
172.16.0.1  c74bd754:27e7f6a0   tunnel  ESP    3130s    AES256      SHA1       -
awplus# show isakmp sa
--------------------------------------------------------------------
Peer       Cookies (initiator:responder)      Auth  Ver  Expires  Encryption  Integrity  Group  DPD  NATT  State
--------------------------------------------------------------------
10.0.0.20  f93c2717a1ece407:972bc0c77344d7a4  PSK   1    78340s   AES256      SHA256     2      yes  no    Established
10.0.0.22  ccb7f90b54945375:2642525bd20f3428  PSK   1    3334s    3DES        SHA1       2      yes  no    Established
10.0.0.25  bd0efef134c86656:d46d0b1b72b46444  PSK   1    819s     AES128      SHA1       2      yes  no    Established
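An added example, not part of the original guide: a Python checker that parses the two tables above and flags security associations that deviate from the policy configured in this guide (AES256/SHA1, IKEv2 for a route-based gateway, an Established ISAKMP SA with the Azure gateway). The embedded sample is the guide's own show output; because its ISAKMP rows list peers other than the Azure gateway, the checker reports them, exactly as it would during a real review.

```python
import re

# Sample input copied from the guide's show output (the ISAKMP peers shown
# there are illustrative and do not match the Azure gateway 172.16.0.1).
ISAKMP_SA = """\
Peer Cookies (initiator:responder) Auth Ver Expires Encryption Integrity Group DPD NATT State
--------------------------------------------------------------------
10.0.0.20 f93c2717a1ece407:972bc0c77344d7a4 PSK 1 78340s AES256 SHA256 2 yes no Established
10.0.0.22 ccb7f90b54945375:2642525bd20f3428 PSK 1 3334s 3DES SHA1 2 yes no Established
10.0.0.25 bd0efef134c86656:d46d0b1b72b46444 PSK 1 819s AES128 SHA1 2 yes no Established
"""
IPSEC_SA = """\
Peer SPI (in:out) Mode Proto Expires Encryption Integrity PFS
--------------------------------------------------------------------
172.16.0.1 c74bd754:27e7f6a0 tunnel ESP 3130s AES256 SHA1 -
"""
ISAKMP_FIELDS = ["peer", "cookies", "auth", "ver", "expires", "enc", "integ",
                 "group", "dpd", "natt", "state"]
IPSEC_FIELDS = ["peer", "spi", "mode", "proto", "expires", "enc", "integ", "pfs"]
WEAK_ENC = {"DES", "3DES"}

def parse_table(text, fields):
    """Return one dict per data row; header, rule and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(fields) and re.match(r"\d+\.\d+\.\d+\.\d+$", parts[0]):
            rows.append(dict(zip(fields, parts)))
    return rows

def audit(isakmp_text, ipsec_text, gateway_ip, expected_ver, enc="AES256", integ="SHA1"):
    """List deviations from the tunnel policy; an empty list means the tunnel looks right."""
    findings = []
    ike = parse_table(isakmp_text, ISAKMP_FIELDS)
    if not any(r["peer"] == gateway_ip and r["state"] == "Established" for r in ike):
        findings.append(f"no established ISAKMP SA with {gateway_ip}")
    for r in ike:
        if r["ver"] != str(expected_ver):
            findings.append(f"{r['peer']}: IKEv{r['ver']} negotiated, expected IKEv{expected_ver}")
        if r["enc"] in WEAK_ENC:
            findings.append(f"{r['peer']}: weak encryption {r['enc']}")
        elif (r["enc"], r["integ"]) != (enc, integ):
            findings.append(f"{r['peer']}: {r['enc']}/{r['integ']} differs from configured {enc}/{integ}")
    esp = parse_table(ipsec_text, IPSEC_FIELDS)
    if not any(r["peer"] == gateway_ip and r["mode"] == "tunnel"
               and (r["enc"], r["integ"]) == (enc, integ) for r in esp):
        findings.append(f"no {enc}/{integ} tunnel-mode IPsec SA with {gateway_ip}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ISAKMP_SA, IPSEC_SA, "172.16.0.1", 2)) or "tunnel OK")
```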
Ping a remote private IP address within the Azure network, for example:
awplus# ping 10.0.0.100 source 192.168.1.254
PING 10.0.0.100 (10.0.0.100) from 192.168.1.254 : 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_req=1 ttl=127 time=7.71 ms
64 bytes from 10.0.0.100: icmp_req=2 ttl=127 time=7.53 ms
64 bytes from 10.0.0.100: icmp_req=3 ttl=127 time=7.07 ms
64 bytes from 10.0.0.100: icmp_req=4 ttl=127 time=6.89 ms
64 bytes from 10.0.0.100: icmp_req=5 ttl=127 time=7.06 ms
--- 10.0.0.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 6.899/7.256/7.716/0.330 ms