
Connecting to Microsoft Azure Using Site-to-Site VPN

More and more customers are deploying their servers and services with public cloud providers such as Microsoft Azure, to obtain reliable, high-performance services that are easy to deploy and quick to bring to market.

This example shows how to configure a site-to-site VPN, that is, an IPsec VPN tunnel, between Microsoft Azure and a Hillstone device.

The topology is shown below. The Hillstone device is the enterprise gateway and terminates an IPsec VPN tunnel between the company network and Microsoft Azure, so that local services can reach the services hosted in the cloud. In the configuration that follows, the IKE (phase 1) proposal uses SHA for authentication and 3DES for encryption with DH group 2, and the IPsec (phase 2) proposal uses SHA with AES; the same algorithms must be accepted on the Azure side. 3DES, SHA-1 and DH group 2 are legacy choices, so prefer AES, SHA-2 and a stronger DH group wherever both peers support them.

* Note: This topology is a laboratory environment. In this recipe, 124.193.87.66 is the public IP of the Hillstone device, 192.168.0.0/16 is the internal subnet of the enterprise, 13.94.46.90 is the public IP of the Microsoft Azure VPN gateway, and 10.11.0.0/16 is the internal subnet (virtual network address space) in Microsoft Azure.

The configuration process is as follows:

Configure Microsoft Azure:

  1. Create a virtual network
  2. Create the gateway subnet
  3. Create the VPN gateway
  4. Create the local network gateway
  5. Create the VPN connection

Configure Hillstone device:

  1. Configuring IPSec VPN
  2. Creating IPsec VPN IKEv2 tunnel
  3. Binding the tunnel interface to the IPsec VPN IKEv2 tunnel
  4. Configuring route

Configure Microsoft Azure

In Microsoft Azure, configure the following settings:

Step 1 : Create a virtual network
  1. Access the Microsoft Azure website via the browser and sign in with your Azure account.
  2. Click Virtual networks in the "Azure service" section of the Home page to open the virtual network page.
  3. Click +Add.
  4. In the Create virtual network page, configure the following information (take the environment in the topology as an example):
    • Name: VNet
    • Address space: 10.11.0.0/16
    • Subscription: select the existing subscription to use: “Pay-As-You-Go”
    • Resource group: cloudedge-test
    • Location: East US
    • Subnet name: default
    • Subnet address range: 10.11.0.0/24 (the default subnet must leave room inside the address space for the gateway subnet created in Step 2; with 10.11.0.0/16 here it would overlap 10.11.255.0/27 and the gateway subnet could not be created, because Azure subnets may not overlap)
  5. Click Create to create the virtual network.

 

Step 2: Create the gateway subnet
  1. In the list of virtual network page, select the created virtual network "VNet" in the list and click its name.
  2. In the Settings section on the left side of the virtual network detail page, select Subnet.
  3. On the "VNet - Subnets" page, click +Gateway subnet.
  4. In Add subnet page, configure the following information (take the environment in the topology as an example):
    • Name: The default value "GatewaySubnet"
    • Address range (CIDR block): 10.11.255.0/27
  5. Click OK to create the gateway subnet.
Step 3: Create the VPN gateway
  1. Click Create a resource in the "Azure service" section of the Home page.
  2. In Search the Marketplace field, search Virtual Network Gateway.
  3. Click Create.
  4. In Create virtual network gateway page, configure the following information (take the environment in the topology as an example):
    • Name: VNetGateway
    • Region: East US (the gateway must be created in the region where your virtual network is located; here that is East US, as chosen in Step 1)
    • Gateway type: VPN
    • VPN type: Route-based
    • SKU: VpnGw1 (About SKU, refer to https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku)
    • Virtual network: VNet (choose the one to which you want to add the gateway)
    • Public IP address: Create new (enter a name for the new public IP address; at the time of writing only dynamic public IP address allocation was supported)
    • Public IP address name: PublicIP
  5. Click Review + create and wait for the virtual network gateway deployment to finish. Once the gateway is created, a public IP address is assigned to it; this is the address (13.94.46.90 in the topology) that the Hillstone device uses as its IKE peer.
Step 4: Create the local network gateway
  1. Click Create a resource in the "Azure service" section of the Home page.
  2. In Search the Marketplace field, search Local Network Gateway
  3. Click Create.
  4. In Create local network gateway page, configure the following information (take the environment in the topology as an example):
    • Name: Hillstone
    • IP address: 124.193.87.66
    • Address space: 192.168.0.0/16
    • Subscription: select the existing subscription to use: “Pay-As-You-Go”
    • Resource group: cloudedge-test
    • Location: East US
  5. Click Create to create the local network gateway.
Step 5: Create the VPN connection (This step is performed after completing the "Configure Hillstone Device")
  1. Click the created virtual network gateway VNetGateway in the Recent resources list on the home page.
  2. In the Settings section on the left side of the virtual network gateway detail page, select Connections
  3. Click Add.
  4. In Add connection page, configure the following information (take the environment in the topology as an example):
    • Name: VNet1toSite2
    • Connection type: Site-to-site (IPSec)
    • Virtual network gateway: VNetGateway
    • Local network gateway: Hillstone
    • Shared key (PSK): hillstone (must match the remote key configured in "Configure Hillstone Device". A dictionary word is acceptable only in a lab; in production use a long, randomly generated shared key.)
    • Resource group: cloudedge-test
  5. Click OK to create the connection.


Configure Hillstone Device

Step 1: Configuring IPSec VPN

1. Configuring the P1 proposal for the IKEv2 SA.

hostname(config)# ikev2 proposal Azure_to_Hillstone_P1

hostname(config-ikev2-proposal)# hash sha

hostname(config-ikev2-proposal)# encryption 3des

hostname(config-ikev2-proposal)# group 2

hostname(config-ikev2-proposal)# lifetime 10800

hostname(config-ikev2-proposal)# exit

2. Configuring the P2 proposal for the IPsec IKEv2 SA.

hostname(config)# ikev2 ipsec-proposal Azure_to_Hillstone_P2

hostname(config-ikev2-ipsec-proposal)# hash sha

hostname(config-ikev2-ipsec-proposal)# encryption aes

hostname(config-ikev2-ipsec-proposal)# lifetime 3600

hostname(config-ikev2-ipsec-proposal)# exit

3. Configuring IKEv2 peer.

hostname(config)# ikev2 peer peer1

hostname(config-ikev2-peer)# interface ethernet0/1

hostname(config-ikev2-peer)# match-peer 13.94.46.90

hostname(config-ikev2-peer)# ikev2-proposal Azure_to_Hillstone_P1

hostname(config-ikev2-peer)# local-id ip 124.193.87.66

4. Creating the IKEv2 profile.

hostname(config-ikev2-peer)# ikev2-profile esp-peer1

hostname(config-ikev2-profile)# remote id ip 13.94.46.90

hostname(config-ikev2-profile)# remote key hillstone

hostname(config-ikev2-profile)# traffic-selector src subnet 192.168.0.0/16

hostname(config-ikev2-profile)# traffic-selector dst subnet 10.11.0.0/16

hostname(config-ikev2-profile)# exit

hostname(config-ikev2-peer)# exit

hostname(config)#

Step 2: Creating IPsec VPN IKEv2 tunnel

hostname(config)# tunnel ipsec Azure ikev2

hostname(config-ikev2-tunnel)# ikev2-peer peer1

hostname(config-ikev2-tunnel)# ipsec-proposal Azure_to_Hillstone_P2

hostname(config-ikev2-tunnel)# auto-connect

hostname(config-ikev2-tunnel)# exit

hostname(config)#

Step 3: Binding the tunnel interface to the IPsec VPN IKEv2 tunnel

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# tunnel ikev2 Azure

hostname(config-if-tun1)# exit

hostname(config)#

Step 4: Configuring route

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 10.11.0.0/16 tunnel1

hostname(config-vrouter)# exit
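Before creating anything in the Azure portal or pushing the Hillstone configuration, it is worth checking that the two halves of the plan above agree with each other: the subnets inside the virtual network must not overlap, the gateway must sit in the same region as the virtual network, the on-premises address space must not collide with the Azure address space, the IKE proposals offered by both peers must have at least one in common, and the shared key should be strong. The following script is an added example, not part of the original recipe and not Hillstone or Azure tooling. It uses only the Python standard library and runs offline. The plan values are those of the recipe; the list of proposals on the Azure side is an illustrative subset of the gateway's default IKEv2 policy and should be confirmed against the live gateway, and the key-strength rule is an assumed local policy, not an Azure requirement.

```python
"""Pre-flight checks for the Azure/Hillstone site-to-site VPN plan above.

Constructed example, not part of the original recipe and not Hillstone or
Azure tooling. Stdlib only; runs offline before anything is created.
"""
import ipaddress
import secrets

# Plan values from the recipe. "default" is a /24 on purpose: at 10.11.0.0/16
# it would cover the whole address space and GatewaySubnet 10.11.255.0/27
# could never be added, because Azure subnets cannot overlap.
PLAN = {
    "vnet_address_space": "10.11.0.0/16",
    "subnets": {"default": "10.11.0.0/24", "GatewaySubnet": "10.11.255.0/27"},
    "vnet_region": "East US",
    "gateway_region": "East US",
    "local_address_space": "192.168.0.0/16",
    "shared_key": "hillstone",
}

# Proposals as (encryption, integrity, dh_group). HILLSTONE_P1 is the recipe's
# P1 proposal ("hash sha" is SHA-1). AZURE_P1 is an illustrative subset of the
# gateway's default IKEv2 policy: confirm it against the live gateway.
HILLSTONE_P1 = [("3des", "sha1", 2)]
AZURE_P1 = [("aes256", "sha256", 2), ("aes128", "sha1", 2), ("3des", "sha1", 2)]
LEGACY = {"des", "3des", "md5", "sha1", 1, 2, 5}


def check_address_plan(plan):
    """Return a list of problems with the address plan (empty list = OK)."""
    problems = []
    space = ipaddress.ip_network(plan["vnet_address_space"])
    nets = {n: ipaddress.ip_network(c) for n, c in plan["subnets"].items()}
    for name, net in nets.items():
        if not net.subnet_of(space):
            problems.append(f"{name} {net} lies outside the address space {space}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnet {a} {nets[a]} overlaps subnet {b} {nets[b]}")
    gw = nets.get("GatewaySubnet")
    if gw is None:
        problems.append("no subnet named GatewaySubnet (the name is mandatory)")
    elif gw.prefixlen > 27:
        problems.append(f"GatewaySubnet {gw} is smaller than the recommended /27")
    onprem = ipaddress.ip_network(plan["local_address_space"])
    if onprem.overlaps(space):
        problems.append(f"on-premises {onprem} overlaps the VNet {space}; "
                        "traffic selectors would be ambiguous")
    norm = lambda r: r.replace(" ", "").lower()
    if norm(plan["vnet_region"]) != norm(plan["gateway_region"]):
        problems.append("the VPN gateway must be in the same region as the virtual network")
    return problems


def common_proposals(local, remote):
    """Proposals both peers offer, in the local (initiator) preference order."""
    return [p for p in local if p in remote]


def legacy_parts(proposal):
    """Algorithms in a proposal that are legacy choices and worth replacing."""
    return [str(p) for p in proposal if p in LEGACY]


def psk_is_strong(psk, min_len=20):
    """Assumed local policy: at least 20 characters from 3+ character classes."""
    classes = sum((any(c.islower() for c in psk), any(c.isupper() for c in psk),
                   any(c.isdigit() for c in psk), any(not c.isalnum() for c in psk)))
    return len(psk) >= min_len and classes >= 3


def generate_psk(nbytes=32):
    """Random URL-safe key (letters, digits, '-' and '_') that passes psk_is_strong."""
    while True:
        candidate = secrets.token_urlsafe(nbytes)
        if psk_is_strong(candidate):
            return candidate


if __name__ == "__main__":
    for p in check_address_plan(PLAN):
        print("address plan:", p)
    agreed = common_proposals(HILLSTONE_P1, AZURE_P1)
    print("negotiable IKE proposals:", agreed or "NONE - the tunnel will not come up")
    for prop in agreed:
        if legacy_parts(prop):
            print("legacy algorithms in", prop, "->", legacy_parts(prop))
    if not psk_is_strong(PLAN["shared_key"]):
        print("shared key is weak; use one like", generate_psk())
```

Run it once with the recipe's own values and it reports that the only negotiable proposal is 3DES/SHA-1/group 2 and that the shared key "hillstone" is weak; change the default subnet back to 10.11.0.0/16, or the gateway region to West US, and the address-plan check fails, which is exactly what the portal would reject later at deployment time.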