[vpn-help] Microsoft Azure Virtual Network?

John Connett jrc at skylon.demon.co.uk
Fri Aug 24 05:01:44 CDT 2012


I am attempting to connect to a Microsoft Azure Virtual Network
using the 90-day free trial preview (https://www.windowsazure.com).

There is a range of officially supported devices from Cisco and
Juniper for which example configuration scripts can be downloaded.
The script for Cisco ISR 2900 Series Integrated Services Routers
running IOS 15.0 is given below.

Attempts to connect with strongSwan on openSUSE 12.1 (x86_64) and with
the Connection Security Rules option of Windows Firewall with Advanced
Security on Windows 8 Enterprise Evaluation (Build 9200) have been
unsuccessful.

I suspect that the problems relate to the exchange of identities or
configuration information.  Perhaps Cisco Unity extensions (not
currently supported by strongSwan)?

Has anyone made a successful connection using VPN Client 2.1?

The path from right/remote to left/local is:

         10.4.2.4         server (hotol.cloudapp.net - 168.63.40.163)
         10.4.2.0/24      CloudSubnet
         10.4.0.0/16      TestNetwork
         10.4.1.5:500     private IP (in GatewaySubnet 10.4.1.0/24)
    168.63.60.212:1032    public IP (Azure Gateway)
         Internet
     86.30.202.35:500     public IP (VPN Gateway - skylon.dyndns.org)
    192.168.199.1:500     openWrt router
   192.168.199.10:500     strongSwan host
    192.168.199.0/24      HomeSubnet
    192.168.199.6         example client

I have tried running VPN Client 2.1 as an alternative on the
strongSwan host.

The right/remote end knows about the left/local public IP and
HomeSubnet but no further details from behind the NAT.

The left/local end knows about the right/remote public IP,
TestNetwork, CloudSubnet and the server private IP.

The right/remote connection uses a single port for both ISAKMP and
IPSEC-NAT-T traffic, 1032 in the example above but I have also seen
1024.  The right/remote private IP is from GatewaySubnet but can also
vary (e.g. 10.4.1.4, 10.4.1.5, ...).

It would be very useful to be able to establish a working connection
and to inspect the decrypted traffic in the /var/log/ike-*.pcap files!

Any hints as to the VPN Client 2.1 settings required to behave like a
Cisco router?  Or any pointers on information about the Cisco Unity
extensions?

Thanks in anticipation
--
John Connett


======================================================================
! Microsoft Corporation
! Windows Azure Virtual Network

! This configuration template applies to Cisco ISR 2900 Series Integrated Services Routers running IOS 15.0.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

!---------------------------------------------------------------------------------------------------------------------
! ACL rules
!
! Proper ACL rules are needed for permitting cross-premise network traffic.
access-list <RP_AccessList> permit ip <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkWildcardBits> <SP_AzureNetworkIpRange> <SP_AzureNetworkWildcardBits>

!---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp policy 10
   authentication pre-share
   encryption aes
   hash sha
   group 2
   lifetime 28800
   exit
crypto isakmp key <SP_PresharedKey> address <SP_AzureGatewayIpAddress>

!---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, tunnel mode properties for the Phase 2 negotiation
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes esp-sha-hmac
   mode tunnel
   exit

!---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map <RP_IPSecCryptoMap> 10 ipsec-isakmp
   set peer <SP_AzureGatewayIpAddress>
   set security-association lifetime seconds 3600
   set security-association lifetime kilobytes 102400000
   set transform-set <RP_IPSecTransformSet>
   match address <RP_AccessList>
   exit

!---------------------------------------------------------------------------------------------------------------------
! External interface configuration
!
! This section binds to the external interface of the router so that the cross-premise network traffic matching the
! traffic selector defined in the crypto map will be properly encrypted and transmitted via the IPSec VPN tunnel. It
! also adjusts the TCPMSS value properly to avoid fragmentation
interface <NameOfYourOutsideInterface>
   no crypto map
   crypto map <RP_IPSecCryptoMap>
   ip tcp adjust-mss 1350
   exit
======================================================================
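Added example (not part of John's post and not Microsoft's template): the strongSwan ipsec.conf a reader would derive by translating the Cisco template above, using the addresses from the topology in the post. IOS `encryption aes` with no key size is AES-128, `hash sha` is SHA-1 and `group 2` is modp1024; the crypto map sets no `set pfs`, so no PFS group is offered in Phase 2. The connection name `azure`, the choice that the strongSwan host initiates from behind the OpenWrt NAT, and the assumption that the Azure gateway identifies itself by its public IP (it is keyed by address in `crypto isakmp key ... address`) are mine, not from the post. `<SP_PresharedKey>` is the template's own placeholder.

```ini
# /etc/ipsec.conf on the strongSwan host (192.168.199.10), added example
config setup
        # Required by the IKEv1 pluto daemon in strongSwan 4.x (as shipped
        # with openSUSE 12.1); ignored by strongSwan 5.x, where charon
        # handles NAT traversal on its own.
        nat_traversal=yes

conn azure
        # Phase 1 <- "crypto isakmp policy 10": pre-share, aes (AES-128),
        # sha (SHA-1), group 2 (modp1024), lifetime 28800 s.
        # The trailing "!" makes strongSwan offer exactly this proposal.
        keyexchange=ikev1
        authby=secret
        ike=aes128-sha1-modp1024!
        ikelifetime=28800s
        # Phase 2 <- "esp-aes esp-sha-hmac", "mode tunnel", 3600 s lifetime.
        # No "set pfs" in the crypto map, hence pfs=no and no DH group in esp=.
        # The template's kilobyte lifetime is left at strongSwan's default;
        # the two sides need not agree on it for the SA to come up.
        esp=aes128-sha1!
        lifetime=3600s
        pfs=no
        type=tunnel
        # Local side. The host is behind the OpenWrt NAT, so identify
        # ourselves by the public address Azure was configured with
        # (assumed: Azure looks the PSK up by that address, as IOS would).
        left=%defaultroute
        leftid=86.30.202.35
        leftsubnet=192.168.199.0/24     # HomeSubnet  (<SP_OnPremiseNetworkIpRange>)
        # Remote side: Azure gateway public IP and the whole TestNetwork
        # (<SP_AzureNetworkIpRange>), which contains CloudSubnet 10.4.2.0/24.
        right=168.63.60.212
        rightid=168.63.60.212
        rightsubnet=10.4.0.0/16
        # Initiate from here: the Azure side only knows our public IP.
        auto=start
```

The matching `/etc/ipsec.secrets` line is `86.30.202.35 168.63.60.212 : PSK "<SP_PresharedKey>"`. After `ipsec restart`, `ipsec statusall` shows whether Phase 1 (ISAKMP SA) completed before Phase 2 is attempted; if Phase 1 fails with an identity or no-proposal-chosen error, compare the `leftid` and the `ike=` line against what the Azure portal reports for the gateway, since those are the two assumptions this file makes beyond the template.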