[vpn-help] Microsoft Azure Virtual Network?
John Connett
jrc at skylon.demon.co.uk
Fri Aug 24 05:01:44 CDT 2012
I am attempting to connect to a Microsoft Azure Virtual Network
using the 90-day free trial preview (https://www.windowsazure.com).
There is a range of officially supported devices from Cisco and
Juniper for which example configuration scripts can be downloaded.
The script for a Cisco ISR 2900 Series Integrated Services Routers
running IOS 15.0 is given below.
Attempts to connect with strongSwan on openSUSE 12.1 (x86_64) and with
the Connection Security Rules option of Windows Firewall with Advanced
Security on Windows 8 Enterprise Evaluation (Build 9200) have been
unsuccessful.
I suspect that the problems relate to the exchange of identities or
configuration information. Perhaps Cisco Unity extensions (not
currently supported by strongSwan)?
Has anyone made a successful connection using VPN Client 2.1?
The path from right/remote to left/local is:
10.4.2.4 server (hotol.cloudapp.net - 168.63.40.163)
10.4.2.0/24 CloudSubnet
10.4.0.0/16 TestNetwork
10.4.1.5:500 private IP (in GatewaySubnet 10.4.1.0/24)
168.63.60.212:1032 public IP (Azure Gateway)
Internet
86.30.202.35:500 public IP (VPN Gateway - skylon.dyndns.org)
192.168.199.1:500 openWrt router
192.168.199.10:500 strongSwan host
192.168.199.0/24 HomeSubnet
192.168.199.6 example client
I have tried running VPN Client 2.1 as an alternative on the
strongSwan host.
The right/remote end knows about the left/local public IP and
HomeSubnet but no further details from behind the NAT.
The left/local end knows about the right/remote public IP,
TestNetwork, CloudSubnet and the server private IP.
The right/remote connection uses a single port for both ISAKMP and
IPSEC-NAT-T traffic, 1032 in the example above, but I have also seen
1024. The right/remote private IP is from GatewaySubnet but can also
vary (e.g. 10.4.1.4, 10.4.1.5, ...).
It would be very useful to be able to establish a working connection
and to inspect the decrypted traffic in the /var/log/ike-*.pcap files!
Any hints as to the VPN Client 2.1 settings required to behave like a
Cisco router? Or any pointers on information about the Cisco Unity
extensions?
Thanks in anticipation
--
John Connett
======================================================================
! Microsoft Corporation
! Windows Azure Virtual Network
! This configuration template applies to Cisco ISR 2900 Series Integrated Services Routers running IOS 15.0.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.
!---------------------------------------------------------------------------------------------------------------------
! ACL rules
!
! Proper ACL rules are needed for permitting cross-premise network traffic.
access-list <RP_AccessList> permit ip <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkWildcardBits> <SP_AzureNetworkIpRange> <SP_AzureNetworkWildcardBits>
!---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
 exit
crypto isakmp key <SP_PresharedKey> address <SP_AzureGatewayIpAddress>
!---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, tunnel mode properties for the Phase 2 negotiation
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes esp-sha-hmac
 mode tunnel
 exit
!---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map <RP_IPSecCryptoMap> 10 ipsec-isakmp
 set peer <SP_AzureGatewayIpAddress>
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 102400000
 set transform-set <RP_IPSecTransformSet>
 match address <RP_AccessList>
 exit
!---------------------------------------------------------------------------------------------------------------------
! External interface configuration
!
! This section binds to the external interface of the router so that the cross-premise network traffic matching the
! traffic selector defined in the crypto map will be properly encrypted and transmitted via the IPSec VPN tunnel. It
! also adjusts the TCPMSS value properly to avoid fragmentation
interface <NameOfYourOutsideInterface>
 no crypto map
 crypto map <RP_IPSecCryptoMap>
 ip tcp adjust-mss 1350
 exit
======================================================================
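For comparison, the following strongSwan ipsec.conf rendering expresses the same IKE and IPsec parameters as the Cisco template above (AES-128, SHA-1, DH group 2 for Phase 1 only, 28800 s / 3600 s lifetimes, no PFS in Phase 2) using the addresses from the path listed in the post. It is added here as an illustration, is not from the original post and has not been verified against Azure; the connection name, the use of leftid to present the public IP from behind the NAT, and the PSK identity line are assumptions.

```ini
# Added illustration: strongSwan ipsec.conf mapping of the Azure Cisco ISR template.
# Not from the original post; the "azure" conn name and leftid are assumptions.
conn azure
    keyexchange=ikev1            # Cisco "crypto isakmp" = IKEv1 main mode
    authby=secret                # "authentication pre-share"
    ike=aes128-sha1-modp1024!    # "encryption aes" / "hash sha" / "group 2"; "!" = strict
    ikelifetime=28800s           # "lifetime 28800" in the isakmp policy
    esp=aes128-sha1!             # "esp-aes esp-sha-hmac"; no DH group = no PFS, as in the crypto map
    lifetime=3600s               # "set security-association lifetime seconds 3600"
    lifebytes=102400000000       # Cisco "kilobytes 102400000"; strongSwan counts bytes
    type=tunnel                  # "mode tunnel"
    left=%defaultroute           # strongSwan host 192.168.199.10 behind the openWrt NAT
    leftid=86.30.202.35          # assumption: present the public IP the Azure side knows
    leftsubnet=192.168.199.0/24  # HomeSubnet (the on-premise side of the ACL)
    right=168.63.60.212          # Azure gateway public IP ("set peer")
    rightsubnet=10.4.0.0/16      # TestNetwork (the Azure side of the ACL)
    auto=add

# The matching ipsec.secrets entry keyed by address, as the Cisco "crypto isakmp key ... address" line is
# (assumed form; replace the placeholder with the preshared key from the Azure portal):
#   86.30.202.35 168.63.60.212 : PSK "<SP_PresharedKey>"
```

With `charondebug` raised for `ike` and `cfg`, the strongSwan log then shows which proposal or identity the Azure side rejects, which is the check to run before changing any of the parameters above.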