Configuring Ubiquiti EdgeMax for an IPsec VPN tunnel (with an Azure gateway as example)

As a Microsoft employee I have two Azure subscriptions: one from our MSDN subscription, like most of our partners, and an internal subscription.
My goal here is to extend my homelab into Azure in order to move forward with my hybrid cloud environment.
I will not describe in this post how to create virtual networks in Azure or the virtual network gateway, since that is very well documented on TechNet. If you are starting from scratch, please follow the links below for guidance on creating your gateway and your virtual networks in Azure.
Create the virtual gateway from the ASM (classic) portal: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-site-to-site-create/
Using ARM (must be done from PowerShell): https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-create-site-to-site-rm-powershell/
Please note that the ARM commands provided in that link only work with Azure PowerShell module 0.9.8. They will not work with the 1.0.x module, since the cmdlets were renamed (mostly by adding Rm to the noun, for instance Add-AzureRmAccount).
The important thing to note here is that your Azure VPN gateway must be of the Static Routing type (called PolicyBased in ARM): the EdgeRouter configuration below is a policy-based IPsec setup, where traffic is selected by local/remote prefix rather than routed through a VTI, and that is what a static routing gateway expects.
In my demo the configuration is as follows:
Subscription Azure_MSDN will use 172.16.1.0/24 as remote subnet
Subscription Azure_CSS will use 10.10.0.0/16 as remote subnet
On premise network will be on 192.168.2.0/24
In order to create an IPsec VPN tunnel we need to define three things:
– an IKE group: the phase 1 parameters (DH group, encryption, hash, lifetime) used to authenticate the two gateways and establish the IKE SA
– an ESP group: the phase 2 parameters (encryption, hash, lifetime, PFS) used to protect the actual packets crossing the tunnel
– our peers: the remote gateway address, the pre-shared secret and the local/remote networks each tunnel carries
First of all, connect to the Ubiquiti over SSH or use the CLI from the web interface.
Once connected, switch to configuration mode by entering the “configure” command.
#Create IKE group (phase 1). AES-256 / SHA1 / DH group 2 with a 28800 s lifetime are the parameters Azure publishes for policy-based (static routing) gateways, which only speak IKEv1; do not "harden" them unilaterally on the router side or the negotiation will simply fail.
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 28800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
#Global IPsec settings: run IPsec on the WAN interface (eth1 here), log everything while you set the tunnel up (turn it back down afterwards, it is verbose), enable NAT-T, and disable the unique-reqid requirement in the security database
set vpn ipsec ipsec-interfaces interface eth1
set vpn ipsec logging log-modes all
set vpn ipsec nat-traversal enable
set vpn ipsec disable-uniqreqids
#Create ESP group (phase 2). Tunnel mode, no PFS, AES-256 / SHA1 and a 3600 s lifetime, again matching the Azure policy-based defaults
set vpn ipsec esp-group esp-azure
set vpn ipsec esp-group esp-azure lifetime 3600
set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
#Create peer 40.115.X.X – Azure_MSDN (the public IP of the Azure VPN gateway)
set vpn ipsec site-to-site peer 40.115.X.X
#local-address any works with a dynamic WAN address; if eth1 is a DHCP client, EdgeOS also offers "dhcp-interface eth1" in place of local-address (use one or the other)
set vpn ipsec site-to-site peer 40.115.X.X local-address any
set vpn ipsec site-to-site peer 40.115.X.X authentication mode pre-shared-secret
#"YourSecret" is a placeholder: use a long random secret, the same value you set as shared key on the Azure connection. It is stored in cleartext in the router configuration, so protect configuration backups accordingly
set vpn ipsec site-to-site peer 40.115.X.X authentication pre-shared-secret "YourSecret"
#respond: the router waits for the Azure gateway to bring this tunnel up
set vpn ipsec site-to-site peer 40.115.X.X connection-type respond
set vpn ipsec site-to-site peer 40.115.X.X description Azure_MSDN
set vpn ipsec site-to-site peer 40.115.X.X ike-group ike-azure
set vpn ipsec site-to-site peer 40.115.X.X tunnel 1
set vpn ipsec site-to-site peer 40.115.X.X tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer 40.115.X.X tunnel 1 local prefix 192.168.2.0/24
#remote prefix must be exactly the Azure virtual network address space (172.16.1.0/24 for Azure_MSDN, as defined above); a mismatch gives a tunnel that negotiates but carries no traffic
set vpn ipsec site-to-site peer 40.115.X.X tunnel 1 remote prefix 172.16.1.0/24
set vpn ipsec site-to-site peer 40.115.X.X tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 40.115.X.X tunnel 1 allow-public-networks disable
#Create peer 23.97.X.X – Azure_CSS. I use the same IKE group, but I created a second ESP group called esp-azure-css with the same settings as esp-azure:
set vpn ipsec esp-group esp-azure-css lifetime 3600
set vpn ipsec esp-group esp-azure-css pfs disable
set vpn ipsec esp-group esp-azure-css mode tunnel
set vpn ipsec esp-group esp-azure-css proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure-css proposal 1 hash sha1
set vpn ipsec esp-group esp-azure-css compression disable
set vpn ipsec site-to-site peer 23.97.X.X
set vpn ipsec site-to-site peer 23.97.X.X local-address any
set vpn ipsec site-to-site peer 23.97.X.X authentication mode pre-shared-secret
#give each peer its own secret rather than reusing the one from the first tunnel
set vpn ipsec site-to-site peer 23.97.X.X authentication pre-shared-secret "YourSecret"
#initiate: the router brings this tunnel up itself
set vpn ipsec site-to-site peer 23.97.X.X connection-type initiate
set vpn ipsec site-to-site peer 23.97.X.X description Azure_CSS
set vpn ipsec site-to-site peer 23.97.X.X ike-group ike-azure
set vpn ipsec site-to-site peer 23.97.X.X tunnel 1
set vpn ipsec site-to-site peer 23.97.X.X tunnel 1 esp-group esp-azure-css
set vpn ipsec site-to-site peer 23.97.X.X tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer 23.97.X.X tunnel 1 remote prefix 10.10.0.0/16
set vpn ipsec site-to-site peer 23.97.X.X tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 23.97.X.X tunnel 1 allow-public-networks disable
Now apply the configuration with the “commit” command and then persist it with “save” (in that order: save writes the active configuration to disk, so saving before committing would write the old one).
If you exit configuration mode now and run “show vpn ipsec sa”, you should see the tunnels. Note that the Azure_MSDN peer uses connection-type respond, so it only shows up once the Azure gateway has initiated; the Azure_CSS peer is initiated from our side.
But we still need firewall rules to allow packets between the on-premises and Azure networks, and the NAT rules need an exclusion so that traffic bound for Azure is not masqueraded with the WAN address before it enters the tunnel.
# NAT
# Rule 5000 is an exclusion, not a translation: LAN traffic to the Azure_MSDN subnet keeps its real 192.168.2.x source address so that it matches the tunnel's local/remote prefixes. NAT rules are evaluated in numeric order and the first match wins, so the exclusion must be numbered below the catch-all masquerade rule 5001. A second exclusion, also numbered below 5001, is needed for 10.10.0.0/16 (Azure_CSS).
set service nat rule 5000 description 'No NAT to Azure_MSDN'
set service nat rule 5000 destination address 172.16.1.0/24
set service nat rule 5000 exclude
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth1
set service nat rule 5000 source address 192.168.2.0/24
set service nat rule 5000 type masquerade
# Rule 5001 is the normal masquerade for everything else leaving towards the Internet
set service nat rule 5001 description 'Masq to WAN (NAT)'
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface eth1
set service nat rule 5001 protocol all
set service nat rule 5001 type masquerade
(Screenshot in the original post: the same NAT exclusion rule as shown in the web interface.)
# Firewall: allow traffic arriving from the Azure networks through the tunnel. WAN_IN is the ruleset applied to eth1 in the "in" direction; source address is the Azure remote prefix and destination address the on-premises LAN. Keep the rule scoped to those prefixes (one rule per tunnel, or an address group holding both Azure prefixes), not "accept all from anywhere". Commands are case-sensitive, so it is "set", not "Set".
set firewall name WAN_IN rule 21
set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 description "Azure IN"
set firewall name WAN_IN rule 21 destination address X.X.X.X/X
set firewall name WAN_IN rule 21 log disable
set firewall name WAN_IN rule 21 protocol all
set firewall name WAN_IN rule 21 source address X.X.X.X/X
# If a tunnel does not come up and your WAN_LOCAL ruleset (traffic to the router itself) drops by default, check that it accepts UDP 500 and 4500 and the ESP protocol from the Azure gateway addresses; the respond-type peer depends on Azure's IKE packets reaching the router.
(Screenshot in the original post: the same WAN_IN rule as shown in the web interface.)
Do not forget to “commit” and “save” again if you are using the CLI or SSH, then “exit” to quit configuration mode.
Check your connections by running “show vpn ike sa” and “show vpn ipsec sa”; if everything is up, try to ping remote machines in Azure.
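Before committing, it is worth checking that the three places where each Azure subnet appears agree with each other: the tunnel's remote prefix, the masquerade exclusion and the WAN_IN accept rule. A typo in any one of them gives a tunnel that negotiates fine but passes no traffic, and the "show vpn" commands above will not tell you why. The script below is an added example, not part of the original post and not an EdgeOS tool: it parses "set" lines of the shape used in the peer, NAT and firewall sections into a small model and reports mismatches, and it also checks that every exclusion is numbered below the catch-all masquerade and that each ESP group a tunnel references actually exists. The sample configuration is constructed; the peer addresses are RFC 5737 placeholders, and the second exclusion rule number 4999 and firewall rule 22 are my choices. The sample deliberately contains the two defects such a check is for (a mistyped remote prefix, and a second peer with no exclusion rule and an undefined ESP group). Run it off-box with Python 3.7+ on the output of "show configuration commands".

```python
"""Lint an EdgeOS site-to-site IPsec configuration: for every tunnel, the remote
prefix, the masquerade exclusion and the WAN_IN accept rule must all agree.
Added example, not from the post; peer addresses are RFC 5737 placeholders."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample mirroring the post's layout, with two deliberate defects
# (a mistyped remote prefix, and no exclusion/esp-group for the second peer).
SAMPLE = """
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 remote prefix 172.168.1.0/24
set vpn ipsec site-to-site peer 198.51.100.20 tunnel 1 esp-group esp-azure-css
set vpn ipsec site-to-site peer 198.51.100.20 tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer 198.51.100.20 tunnel 1 remote prefix 10.10.0.0/16
set service nat rule 5000 destination address 172.16.1.0/24
set service nat rule 5000 exclude
set service nat rule 5000 outbound-interface eth1
set service nat rule 5000 type masquerade
set service nat rule 5001 outbound-interface eth1
set service nat rule 5001 type masquerade
set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 source address 172.16.1.0/24
set firewall name WAN_IN rule 21 destination address 192.168.2.0/24
"""
# Re-setting a single-valued node replaces it, so the typo fix is just another 'set'.
# The new exclusion is numbered 4999 (my choice) so it sorts before the catch-all 5001.
FIXES = """
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 remote prefix 172.16.1.0/24
set vpn ipsec esp-group esp-azure-css proposal 1 encryption aes256
set service nat rule 4999 destination address 10.10.0.0/16
set service nat rule 4999 exclude
set service nat rule 4999 outbound-interface eth1
set service nat rule 4999 type masquerade
set firewall name WAN_IN rule 22 action accept
set firewall name WAN_IN rule 22 source address 10.10.0.0/16
set firewall name WAN_IN rule 22 destination address 192.168.2.0/24
"""

def _net(text):
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None

def _covers(rule, key, net):
    """True if rule[key] is a prefix that contains net."""
    big = _net(rule.get(key, ""))
    return big is not None and net.subnet_of(big)

def parse(text):
    """Reduce 'set ...' lines to the few nodes the checks need; later sets win."""
    cfg = {"esp": set(), "tunnels": {}, "nat": defaultdict(dict), "fw": defaultdict(dict)}
    for line in text.splitlines():
        t = shlex.split(line)
        if len(t) < 5 or t[0] != "set":
            continue
        if t[1:4] == ["vpn", "ipsec", "esp-group"]:
            cfg["esp"].add(t[4])
        elif t[1:5] == ["vpn", "ipsec", "site-to-site", "peer"] and len(t) >= 10 and t[6] == "tunnel":
            tun = cfg["tunnels"].setdefault((t[5], t[7]), {})
            if t[8] == "esp-group":
                tun["esp"] = t[9]
            elif t[9] == "prefix" and len(t) == 11:  # 'local prefix X' / 'remote prefix X'
                tun[t[8]] = _net(t[10])
        elif t[1:4] == ["service", "nat", "rule"] and len(t) >= 6:
            key, value = (" ".join(t[5:-1]), t[-1]) if len(t) > 6 else (t[5], True)
            cfg["nat"][int(t[4])][key] = value
        elif t[1:3] == ["firewall", "name"] and len(t) >= 8 and t[4] == "rule":
            cfg["fw"][(t[3], int(t[5]))][" ".join(t[6:-1])] = t[-1]
    return cfg

def lint(cfg):
    """Return human-readable findings; an empty list means the three views agree."""
    findings = []
    nat = cfg["nat"]
    catch_all = [n for n, r in nat.items() if r.get("type") == "masquerade"
                 and not r.get("exclude") and "destination address" not in r]
    wan_in = [r for (name, _), r in cfg["fw"].items() if name == "WAN_IN"]
    for (peer, tid), tun in sorted(cfg["tunnels"].items()):
        tag = f"peer {peer} tunnel {tid}"
        local, remote = tun.get("local"), tun.get("remote")
        if local is None or remote is None:
            findings.append(f"{tag}: local or remote prefix missing")
            continue
        if tun.get("esp") not in cfg["esp"]:
            findings.append(f"{tag}: esp-group {tun.get('esp')!r} is not defined")
        if local.overlaps(remote):
            findings.append(f"{tag}: local {local} overlaps remote {remote}")
        excl = [n for n, r in nat.items() if r.get("exclude") and _covers(r, "destination address", remote)]
        if not excl:
            findings.append(f"{tag}: no masquerade exclusion for {remote}, traffic would be NATed before the tunnel")
        elif catch_all and min(excl) > min(catch_all):
            findings.append(f"{tag}: exclusion rule {min(excl)} sorts after catch-all masquerade {min(catch_all)}")
        if not any(r.get("action") == "accept" and _covers(r, "source address", remote)
                   and _covers(r, "destination address", local) for r in wan_in):
            findings.append(f"{tag}: no WAN_IN accept rule from {remote} to {local}")
    return findings

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE), ("with fixes", SAMPLE + FIXES)):
        print(label, lint(parse(text)) or "OK")
```

The parser only models the handful of nodes the checks need and applies EdgeOS's own semantics for single-valued nodes (a later "set" replaces the value), which is why appending the FIXES lines is enough to correct the mistyped prefix. The ordering check matters in practice: an exclusion numbered above the catch-all masquerade never matches, so the traffic is NATed and silently fails the tunnel's prefix match.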
With that, everything is up and running. The next step is to deploy a domain controller in each environment and create AD sites in order to optimise traffic between on-premises and remote domain-joined machines.