Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between a Microsoft Azure VPN gateway and an EdgeRouter. The other VPN options are available when connecting to Azure are:
Microsoft recommends to use Route-Based IKEv2 VPNs over Policy-Based IKEv1 VPNs as it offers additional rich connectivity features. These features include Point-to-Site VPNs, Active Routing Support (BGP), Support for multiple tunnels as well as ECMP with metric routing, Active-Active Azure Gateway configurations for redundancy, Transit Routing with Point-to-Site, DPD detection and Virtual Network Peering.
Table of Contents
Configuring a Policy-Based VPN
The type of VPN that will be created is a Policy-Based over IKEv1/IPsec tunnel.
Follow the steps below to configure the IPsec VPN on the EdgeRouter:
1. Enter configuration mode.
2. Enable the auto-firewall-nat-exclude feature which automatically creates the IPsec firewall/NAT policies in the
set vpn ipsec auto-firewall-nat-exclude enable
3. Create the IKE / Phase 1 (P1) Security Associations (SAs) and set the
key-exchange to IKEv1.
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
4. Create the ESP / Phase 2 (P2) SAs and disable Perfect Forward Secrecy (PFS).
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
5. Define the Azure VPN Gateway peering address and set the connection-type to
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 connection-type respond
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
6. Link the SAs created above to the Azure peer and define the local and remote subnets.
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.0.0/22
7. If you are experiencing MTU issues or TCP sessions not establishing, try lowering the TCP Maximum Segment Size (MSS) to 1350.
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1350
8. Commit the changes and save the configuration.
commit ; save
Setting up the Azure Gateway
The Microsoft Azure side of the Site-to-Site VPN connection is based on this Microsoft article.
1. Create a Virtual Network.
Dashboard > New > Networking > Virtual Network
Address Space: 172.16.0.0/22
Subnet name: default
Subnet Address Space: 172.16.1.0/24
Resource Group: ServerNetwork
2. Create a Gateway Subnet.
Dashboard > Virtual Networks > ServerNetwork > Subnets > + Gateway subnet
Name: GatewaySubnet (Required / cannot be changed)
Address Range: 172.16.0.0/24 (Cannot be the same as the default subnet address space)
3. Create a Virtual Network Gateway.
Dashboard > New > Networking > Virtual Network Gateway
Gateway Type: VPN
VPN Type: Policy-Based
SKU: Basic (depends on usage)
Virtual Network: ServerNetwork
Public IP Address: Create new > VirtualGateway
4. Create a Local Network Gateway.
Dashboard > New > Networking > Local Network Gateway
IP Address: 203.0.113.1
Address Space: 192.168.1.0/24
5. Create a VPN Connection and link the LocalGateway to the VirtualGateway.
Daskboard >Virtual Network Gateways > VirtualGateway > Connections > + Add
Connection Type: Site-to-Site (IPsec)
Virtual Network Gateway: VirtualGateway
Local Network Gateway: LocalGateway
Shared Key: <secret>
You can verify the Azure Virtual Gateway Connection using the following PowerShell command:
Get-AzureRmVirtualNetworkGatewayConnection -Name "IPsecER" -ResourceGroupName "ServerNetwork"
Name : IPsecER
ResourceGroupName : ServerNetwork
Location : eastus
ProvisioningState : Succeeded
ConnectionStatus : Connected
EgressBytesTransferred : 3854
IngressBytesTransferred : 3104