VPN to Azure Virtual Network from On-prem Router – Part 2

This is part two of the Azure VPN to on-prem article. If you haven't read part one, read it first to get the full picture.

To recap: I set out to implement a VPN tunnel from my on-prem network to the virtual network in my Azure subscription. There are several good Microsoft TechNet articles covering the Azure side, so here I will provide the additional information needed to configure the on-prem router. I am using a Ubiquiti EdgeRouter X-SFP as my on-prem router; it offers a lot of flexibility for a good price.

These are the configuration values referenced by the commands I needed to run below:

Ubiquiti ER-X SFP
  eth0 (WAN) – on-prem public IP (not CIDR notation)
  eth1 (LAN) – 10.37.0.0/16

Azure GW
  Virtual Gateway – the Azure public IP (not CIDR notation)
  Virtual Network – 10.38.0.0/16
  Default Subnet – 10.38.0.0/27

Here are the commands to run on the Ubiquiti:

Replace these values below:
azuregwip = Your Azure Gateway Public IP Address
onpremip = Your On-Prem Public IP Address
10.37.0.0/16 = Your On-Prem Subnet
10.38.0.0/27 = Your Azure VNet Gateway Subnet

set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable

set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 10800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure key-exchange ikev2

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes all
set vpn ipsec nat-traversal enable

set vpn ipsec site-to-site peer azuregwip
set vpn ipsec site-to-site peer azuregwip local-address onpremip
set vpn ipsec site-to-site peer azuregwip authentication mode pre-shared-secret
set vpn ipsec site-to-site peer azuregwip authentication pre-shared-secret supersecretpw
set vpn ipsec site-to-site peer azuregwip connection-type initiate
set vpn ipsec site-to-site peer azuregwip default-esp-group esp-azure
set vpn ipsec site-to-site peer azuregwip ike-group ike-azure
set vpn ipsec site-to-site peer azuregwip tunnel 1
set vpn ipsec site-to-site peer azuregwip tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer azuregwip tunnel 1 local prefix 10.37.0.0/16
set vpn ipsec site-to-site peer azuregwip tunnel 1 remote prefix 10.38.0.0/27
set vpn ipsec site-to-site peer azuregwip tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer azuregwip tunnel 1 allow-public-networks disable

set vpn ipsec auto-firewall-nat-exclude enable
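As an added example (not part of the original post), a small Python helper that fills in the replaceable values above and checks them before the commands go onto the router: both public addresses must be host addresses rather than CIDR notation, the two prefixes must not overlap (otherwise the tunnel's traffic selectors are ambiguous), and the placeholder secret must be replaced. The function name build_edgeos_ipsec is my own, and the addresses in the usage are constructed documentation addresses.

```python
import ipaddress

# EdgeOS 'set' commands from the post with the replaceable values as placeholders;
# bare node-creation lines such as 'proposal 1' are implied by their child lines.
TEMPLATE = """\
set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec ike-group ike-azure lifetime 10800
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure key-exchange ikev2
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes all
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer {gw} local-address {local}
set vpn ipsec site-to-site peer {gw} authentication mode pre-shared-secret
set vpn ipsec site-to-site peer {gw} authentication pre-shared-secret {psk}
set vpn ipsec site-to-site peer {gw} connection-type initiate
set vpn ipsec site-to-site peer {gw} default-esp-group esp-azure
set vpn ipsec site-to-site peer {gw} ike-group ike-azure
set vpn ipsec site-to-site peer {gw} tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer {gw} tunnel 1 local prefix {lan}
set vpn ipsec site-to-site peer {gw} tunnel 1 remote prefix {vnet}
set vpn ipsec site-to-site peer {gw} tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer {gw} tunnel 1 allow-public-networks disable
set vpn ipsec auto-firewall-nat-exclude enable
"""

def build_edgeos_ipsec(azuregwip, onpremip, onprem_prefix, azure_prefix, psk):
    """Validate the replaceable values and return the EdgeOS 'set' lines as a list."""
    gw = ipaddress.ip_address(azuregwip)  # rejects CIDR notation such as 203.0.113.10/32
    local = ipaddress.ip_address(onpremip)
    if gw == local:
        raise ValueError("Azure gateway and on-prem address must differ")
    lan = ipaddress.ip_network(onprem_prefix, strict=True)  # rejects prefixes with host bits set
    vnet = ipaddress.ip_network(azure_prefix, strict=True)
    if lan.overlaps(vnet):
        raise ValueError(f"{lan} overlaps {vnet}: the tunnel's traffic selectors would be ambiguous")
    if psk == "supersecretpw" or len(psk) < 16 or not psk.isprintable() or " " in psk:
        raise ValueError("use a long random pre-shared secret without spaces, not the placeholder")
    return TEMPLATE.format(gw=gw, local=local, lan=lan, vnet=vnet, psk=psk).splitlines()

if __name__ == "__main__":
    # Constructed RFC 5737 documentation addresses, not real endpoints.
    for line in build_edgeos_ipsec("203.0.113.10", "198.51.100.20", "10.37.0.0/16", "10.38.0.0/27", "Wm9Zk2pQ7xLt4eRv1sYb"):
        print(line)
```

The emitted lines are entered in EdgeOS configure mode and followed by commit and save; the proposals keep the post's settings (SHA-1, DH group 2), which must match whatever the Azure gateway side is configured to offer.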

And that’s it.  After a minute or two, the VPN status comes up and you can now route to virtual resources within your Azure VNet.

Thanks for reading,
Shane

Source: This Ubiquiti configuration information was found from this site:
