As a Microsoft employee i have two Azure subscriptions, one from our MSDN subscription like most of our partners as well and an internal subscription.

My goal here is to extend my homelab into azure in order to move forward into my hybrid cloud environment.

i will not describe in this post how to create virtual networks in azure nor the virtual gateway since it’s very well documented on TechNet. If you are starting from scratch please go the links below to find guidance on how to create your gateway and your virtual networks in azure.

Create the virtual gateway from ASM portal : https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-site-to-site-create/

and using ARM (must be done from PowerShell): https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-create-site-to-site-rm-powershell/

Please note that the ARM command provided in this link will only work with the azure module 0.9.8. It will not work with the azure module 1.0.X since the commands did change (mostly only the noun in which we did add Rm, for instance Add-AzureRmAccount)

Important thing to note here is that your Azure VPN Gateway must be in Static mode.

In my demo my configuration will be as follow:

Subscription Azure_MSDN will use 172.16.1.0/24 as remote subnet

Subscription Azure_CSS will use 10.10.0.0/16 as remote subnet

On premise network will be on 192.168.2.0/24

 

In order to create an IPSEC VPN Tunnel we need to define 3 things:

– an IKE group : it defines which encryption to be used for authentication

– an ESP group: it defines which encryption to be used to transfer packets

– our Peers : basically a description of the remote network and its gateway

 

First of all, connect to the ubiquity in SSH or using the CLI from the web interface.

Once connected switch to configuration mode by entering “configure” command.

#Create IKE group

set vpn ipsec ike-group ike-azure

set vpn ipsec ike-group ike-azure lifetime 28800

set vpn ipsec ike-group ike-azure proposal 1

set vpn ipsec ike-group ike-azure proposal 1 dh-group 2

set vpn ipsec ike-group ike-azure proposal 1 encryption aes256

set vpn ipsec ike-group ike-azure proposal 1 hash sha1

set vpn ipsec ipsec-interfaces interface eth1

set vpn ipsec logging log-modes all

set vpn ipsec nat-traversal enable

 

#Create ESP group

set vpn ipsec disable-uniqreqids

set vpn ipsec esp-group esp-azure

set vpn ipsec esp-group esp-azure lifetime 3600

set vpn ipsec esp-group esp-azure pfs disable

set vpn ipsec esp-group esp-azure mode tunnel

set vpn ipsec esp-group esp-azure proposal 1

set vpn ipsec esp-group esp-azure proposal 1 encryption aes256

set vpn ipsec esp-group esp-azure proposal 1 hash sha1

set vpn ipsec esp-group esp-azure compression disable

 

#Create peer 40.115.X.X – Azure_MSDN

set vpn ipsec site-to-site peer 40.115.X.X

set vpn ipsec site-to-site peer 40.115.X.X local-address any (or dhcp-interface)

set vpn ipsec site-to-site peer 40.115.X.X authentication mode pre-shared-secret

set vpn ipsec site-to-site peer 40.115.X.X authentication pre-shared-secret “YourSecret”

set vpn ipsec site-to-site peer 40.115.X.X connection-type respond

set vpn ipsec site-to-site peer 40.115.X.X description Azure_MSDN

set vpn ipsec site-to-site peer 40.115.X.X ike-group ike-azure

set vpn ipsec site-to-site peer 40.115.X.X tunnel 1

set vpn ipsec site-to-site peer 40.115.X.X tunnel 1 esp-group esp-azure

set vpn ipsec site-to-site peer 40.115.X.X tunnel 1 local prefix 192.168.2.0/24

set vpn ipsec site-to-site peer 40.115.X.X tunnel 1 remote prefix 172.168.1.0/24

set vpn ipsec site-to-site peer 40.115.X.X tunnel 1 allow-nat-networks disable

set vpn ipsec site-to-site peer 40.115.X.X tunnel 1 allow-public-networks disable

 

#Create peer 23.97.X.X – Azure_CSS (I’ll use the same IKE group but I did create a second esp group called esp-azure-css using the same settings as esp-azure)

set vpn ipsec site-to-site peer 23.97.X.X

set vpn ipsec site-to-site peer 23.97.X.X local-address any (or dhcp-interface)

set vpn ipsec site-to-site peer 23.97.X.X authentication mode pre-shared-secret

set vpn ipsec site-to-site peer 23.97.X.X authentication pre-shared-secret “YourSecret”

set vpn ipsec site-to-site peer 23.97.X.X connection-type initiate

set vpn ipsec site-to-site peer 23.97.X.X description Azure_CSS

set vpn ipsec site-to-site peer 23.97.X.X ike-group ike-azure

set vpn ipsec site-to-site peer 23.97.X.X tunnel 1

set vpn ipsec site-to-site peer 23.97.X.X tunnel 1 esp-group esp-azure –css

set vpn ipsec site-to-site peer 23.97.X.X tunnel 1 local prefix 192.168.2.0/24

set vpn ipsec site-to-site peer 23.97.X.X tunnel 1 remote prefix 10.10.0.0/16

set vpn ipsec site-to-site peer 23.97.X.X tunnel 1 allow-nat-networks disable

set vpn ipsec site-to-site peer 23.97.X.X tunnel 1 allow-public-networks disable

 

now save the configuration by running the “save’’ command then “commit”

if you exit the configuration mode now and run “show vpn ipsec sa” you should see that your vpn is up and running.

But now we need to configure firewall rules in order to allow packets to go from and to azure network. NAT rules will also need to be updated.

 

# NAT

set service nat rule 5000 description ‘DNAT to Azure’

set service nat rule 5000 destination address 172.16.1.0/24

set service nat rule 5000 exclude

set service nat rule 5000 log disable

set service nat rule 5000 outbound-interface eth1

set service nat rule 5000 source address 192.168.2.0/24

set service nat rule 5000 type masquerade

set service nat rule 5001 description ‘Masq to WAN (NAT)’

set service nat rule 5001 log disable

set service nat rule 5001 outbound-interface eth1

set service nat rule 5001 protocol all

set service nat rule 5001 type masquerade

 

with the web interface :

# configuration firewall IN

Set firewall name WAN_IN rule 21

Set firewall name WAN_IN rule 21 action accept

Set firewall name WAN_IN rule 21 description “Azure IN”

Set firewall name WAN_IN rule 21 destination address X.X.X.X/X

Set firewall name WAN_IN rule 21 log disable

Set firewall name WAN_IN rule 21 protocol all

Set firewall name WAN_IN rule 21 source address X.X.X.X/X

 

with the web interface:

Do not forget to again “save” and “commit” if using the CLI interface or SSH then “exit” to qui configuration mode.

Check your connections by running “show vpn ike sa” and “show vpn ipsec sa”, if everything is up try to ping remote machines in azure.

 

 

As you can see everything is up and running now! Next step is to deploy a domain controller in each environment and create some AD sites in order to optimize traffic between on premise and remote domain joined machines.