Archive
Partner VPN device configurations for connecting to Azure VPN gateways
logo
Archive

No results found

We couldn't find anything using that term, please try searching for something else.

Partner VPN device configurations for connecting to Azure VPN gateways

2024-11-13 Overview of partner VPN device configurations Article07/28/2023 In this article This article provides an overview of configuring on

Related articles

OpenVPN is Open to VPN Fingerprinting
OpenVPN is Open to VPN Fingerprinting 1 Introduction ISPs, advertisers, and national governments are increasingly disrupting, manipulating, and monitoring Internet traffic [ 69 , 22 , 47 , 16 , 27 ]. As a result, virtual private network (VPN) adoption has been growing rapidly, not only among activists and journalists with heightened threat models but also among average users, who employ VPNs for reasons ranging from protecting their privacy on untrusted networks to circumventing censorship. As a recent example, with the passage of Hong Kong’s new national security law, popular VPN providers observed a 120-fold surge in downloads due to fears of escalating surveillance and censorship [62]. In...
ExpressVPN Customer Support [24/7 Live Chat]
ExpressVPN Customer Support [24/7 Live Chat] One of its best features is the 24/7 customer support. Their team is ready to help with common problems like downloading the app, setting up a VPN, or choosing the right protocol through their live chat. For more tricky issues, you can send a support ticket, explain your problem, and even add pictures to clarify things. ExpressVPN is not just popular; it’s also known as one of the best fastest VPN. But is ExpressVPN customer support as good as they say? I decided to test it myself using the three main options: live chat, ticket support, and their email service. Let’s dive...

Overview of partner VPN device configurations

  • Article

This article provides an overview of configuring on-premises VPN devices for connecting to Azure VPN gateways. A sample Azure virtual network and VPN gateway setup is used to show you how to connect to different on-premises VPN device configurations by using the same parameters.

Device requirements

Azure VPN gateways use standard IPsec/IKE protocol suites for site-to-site (S2S) VPN tunnels. For a list of IPsec/IKE parameters and cryptographic algorithms for Azure VPN gateways, see About VPN devices. You can also specify the exact algorithms and key strengths for a specific connection as described in About cryptographic requirements.

Single VPN tunnel

The first configuration in the sample consists of a single S2S VPN tunnel between an Azure VPN gateway and an on-premises VPN device. You can optionally configure the Border Gateway Protocol (BGP) across the VPN tunnel.

Partner VPN device configurations for connecting to Azure VPN gateways

For step-by-step instructions to set up a single VPN tunnel, see Configure a site-to-site connection. The following sections specify the connection parameters for the sample configuration and provide a PowerShell script to help you get started.

Connection parameters

This section lists the parameters for the examples that are described in the previous sections.

Parameter Value
Virtual network address prefixes 10.11.0.0/16
10.12.0.0/16
Azure VPN gateway IP Azure VPN Gateway IP
On-premises address prefixes 10.51.0.0/16
10.52.0.0/16
On-premises VPN device IP On-premises VPN device IP
* Virtual network BGP ASN 65010
* Azure BGP peer IP 10.12.255.30
* On-premises BGP ASN 65050
* On-premises BGP peer IP 10.52.255.254

* Optional parameter for BGP only.

Sample PowerShell script

This section provides a sample script to get you started. For detailed instructions, see Create an S2S VPN connection by using PowerShell.

# is Declare Declare variables 

 $ Sub1           = " Replace_With_Your_Subscription_Name " 
 $ RG1            = " TestRG1 " 
 $ Location1      = " East 2 " 
 $ VNetName1      = " TestVNet1 " 
 $ FESubName1     = " FrontEnd " 
 $ BESubName1     = " Backend " 
 $ GWSubName1     = " GatewaySubnet " 
 $ VNetPrefix11   = " 10.11.0.0/16 " 
 $ VNetPrefix12   = " 10.12.0.0/16 " 
 $ FESubPrefix1   = " 10.11.0.0/24 " 
 $ BESubPrefix1   = " 10.12.0.0/24 " 
 $ GWSubPrefix1   = " 10.12.255.0/27 " 
 $ VNet1ASN       = 65010 
 $ DNS1           = " 8.8.8.8 " 
 $ GWName1        = " VNet1GW " 
 $ GWIPName1      = " VNet1GWIP " 
 $ GWIPconfName1 = " gwipconf1 " 
 $ Connection15   = " VNet1toSite5 " 
 $ LNGName5       = " Site5 " 
 $ LNGPrefix50    = " 10.52.255.254/32 " 
 $ LNGPrefix51    = " 10.51.0.0/16 " 
 $ LNGPrefix52    = " 10.52.0.0/16 " 
 $ LNGIP5         = " Your_VPN_Device_IP " 
 $ LNGASN5        = 65050 
 $ BGPPeerIP5     = " 10.52.255.254 " 

 # Connect subscription create new resource group 

 Connect - AzAccount 
 Select - AzSubscription -SubscriptionName $ Sub1 
 New - AzResourceGroup -Name $ RG1 -Location $ Location1 

 # Create virtual network 

 $ fesub1 = New - AzVirtualNetworkSubnetConfig -Name $ FESubName1 -AddressPrefix $ FESubPrefix1 $ besub1 = New - AzVirtualNetworkSubnetConfig -Name $ BESubName1 -AddressPrefix $ BESubPrefix1 
 $ gwsub1 = New - AzVirtualNetworkSubnetConfig -Name $ GWSubName1 -AddressPrefix $ GWSubPrefix1 

 New - AzVirtualNetwork -Name $ VNetName1 -ResourceGroupName $ RG1 -Location is Create $ Location1 -AddressPrefix $ VNetPrefix11,$VNetPrefix12 -Subnet $ fesub1,$besub1,$gwsub1 

 # Create VPN gateway 

 $ gwpip1     = New - AzPublicIpAddress -Name $ GWIPName1 -ResourceGroupName $ RG1 -Location $ Location1 -AllocationMethod Dynamic 
 $ vnet1      = - AzVirtualNetwork -Name $ VNetName1 -ResourceGroupName $ RG1 
 $ subnet1    = - AzVirtualNetworkSubnetConfig -Name " GatewaySubnet " -VirtualNetwork $ vnet1 
 $ gwipconf1 = New - AzVirtualNetworkGatewayIpConfig -Name $ GWIPconfName1 -Subnet $ subnet1 -PublicIpAddress $ gwpip1 

 New - AzVirtualNetworkGateway -Name $ GWName1 -ResourceGroupName $ RG1 -Location $ Location1 -IpConfigurations $ gwipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 -Asn $ VNet1ASN 

 # is Create Create local network gateway 

 New - AzLocalNetworkGateway -Name $ LNGName5 -ResourceGroupName $ RG1 -Location $ Location1 -GatewayIpAddress $ LNGIP5 -AddressPrefix $ LNGPrefix51,$LNGPrefix52 is Create -Asn $ LNGASN5 -BgpPeeringAddress $ BGPPeerIP5 

 # is Create Create S2S VPN connection 

 $ vnet1gw = - AzVirtualNetworkGateway -Name $ GWName1   -ResourceGroupName $ RG1 
 $ lng5gw   = - AzLocalNetworkGateway -Name $ LNGName5 -ResourceGroupName $ RG1 

 New - AzVirtualNetworkGatewayConnection -Name $ Connection15 -ResourceGroupName $ RG1 -VirtualNetworkGateway1 $ vnet1gw -LocalNetworkGateway2 $ lng5gw -Location $ Location1 -ConnectionType IPsec -SharedKey ' AzureA1b2C3 ' -EnableBGP $ False

(Optional) Use custom IPsec/IKE policy with UsePolicyBasedTrafficSelectors

If your VPN devices don’t support any-to-any traffic selectors, such as route-based or VTI-based configurations, create a custom IPsec/IKE policy with the UsePolicyBasedTrafficSelectors option.

Important

You must create an IPsec/IKE policy to enable the UsePolicyBasedTrafficSelectors option on the connection.

The sample script creates an IPsec/IKE policy with the following algorithms and parameters:

  • IKEv2: AES256, SHA384, DHGroup24
  • IPsec: AES256, SHA1, PFS24, SA Lifetime 7,200 seconds, and 20,480,000 KB (20 GB)

The script applies the IPsec/IKE policy and enables the UsePolicyBasedTrafficSelectors option on the connection.

$ipsecpolicy5 = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup PFS24 -SALifeTimeSeconds 7200 -SADataSizeKilobytes 20480000

$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1  -ResourceGroupName $RG1
$lng5gw  = Get-AzLocalNetworkGateway -Name $LNGName5 -ResourceGroupName $RG1

New-AzVirtualNetworkGatewayConnection -Name $Connection15 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng5gw -Location $Location1 -ConnectionType IPsec -SharedKey 'AzureA1b2C3' -EnableBGP $False -IpsecPolicies $ipsecpolicy5 -UsePolicyBasedTrafficSelectors $True

(Optional) Use BGP on S2S VPN connection

When you create the S2S VPN connection, you can optionally use BGP for the VPN gateway. This approach has two differences:

  • The on-premises address prefixes can be a single host address. The on-premises BGP peer IP address is specified as follows:

    New-AzLocalNetworkGateway -Name $LNGName5 -ResourceGroupName $RG1 -Location $Location1 -GatewayIpAddress $LNGIP5 -AddressPrefix $LNGPrefix50 -Asn $LNGASN5 -BgpPeeringAddress $BGPPeerIP5

  • When you create the connection, you must set the -EnableBGP option to $True:

    New-AzVirtualNetworkGatewayConnection -Name $Connection15 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng5gw -Location $Location1 -ConnectionType IPsec -SharedKey 'AzureA1b2C3' -EnableBGP $True

Next steps

For step-by-step instructions to set up active-active VPN gateways, see Configuring active-active VPN gateways for cross-premises and VNet-to-VNet connections.