How to establish a Route Based VPN with Azure VPN (no BGP)

Hello Guys,

In this tutorial, I will try to show how to create an Azure-managed VPN and use VyOS on AWS to connect to it. Kindly note that there are currently two ways of using a route-based VPN with Azure: one uses the Border Gateway Protocol (BGP) and the other does not.

Below is what we will be doing:

  • Create a Resource Group
  • Create Azure Virtual Network
  • Create Azure Gateway Subnet
  • Create Azure Virtual Network Gateway
  • Create Azure Local Network Gateway
  • Create Site-To-Site Connection
  • Create a firewall rule in Azure for VyOS
  • Verify firewall and routing rules on AWS
  • Configure VyOS

The picture below depicts the purpose of this experiment. Our goal is to connect our site A on Azure, with a network of 10.1.0.0/16, to our site B, with a network of 172.20.0.0/16.

Context Diagram for our VPN

Creating a Resource Group

We will be creating all our components in a resource group in Azure, as most Azure users already know. I have created one called devops and that’s where I will be creating everything we need for this tutorial. The image below shows how it will look when we finish creating our components. I also want to draw the reader’s attention to the “+ Add” button at the top of the resource group blade. We will use it extensively to create all the resources in Azure, from the vnet to the connection. When you click on it, it opens an “Everything” blade where we can search for any Azure resource.

DevOps Resource Group

Creating Azure Virtual Network

We will be creating the virtual network in Azure that the VPN from AWS will connect to. Our VNET will have the address space 10.1.0.0/16. If I am not mistaken, you can even have a /8 network in Azure. Let’s search for the virtual network component in the Everything blade in order to create our network on Azure, as shown below.

Creating Azure 10.1.0.0/16 VNET

Inputting vnet details

Creating Azure Gateway Subnet

In order to launch any Azure-managed VPN in our network, we definitely need to create another subnet which, by convention, cannot be called anything other than “GatewaySubnet”. Let’s create one in our vnet with a /27 mask.

Creating Gateway subnet

Gateway Subnet details

Create Azure Virtual Network Gateway (VNG)

The Azure Virtual Network Gateway defines the Azure side of the VPN we are creating. Using the common left/right description of VPN sides, and since we are in Azure, you would say the Virtual Network Gateway defines the left side of the VPN. This blade is more like a wizard, where you choose the virtual network in which you want to create the virtual gateway and the IP you want it to have.

As for the IP in question, you will have to create it or choose one from your existing public IP resources if you already have one. This IP is in fact not static, but it won’t change unless the gateway is recreated. I have not tried it, but to be sure the IP does not change you could also create a static IP separately in the resource group and use that in the Virtual Network Gateway blade instead.

Gateway Type: VPN
VPN Type: Route Based
SKU: Basic
Virtual Network: vpn-vnetwork (created above)
Public IP address: To be created
Configure BGP ASN: No

Attaching Vnet to the Virtual Gateway

Complete Virtual Network Gateway Blade

In the image above you will notice there is a check box to enable BGP. Since we will not be using BGP in this route-based VPN, we will leave it unchecked.

Creating Azure Local Network Gateway

Similarly to the Virtual Network Gateway, the Local Network Gateway represents the right side of the VPN, in this case the AWS side. As stated, our network on AWS is 172.20.0.0/16. Let’s create our Local Network Gateway by searching for it in the “Everything” blade.

IP Address: 34.230.141.57
Address Space: 172.20.0.0/20
Configure BGP settings: No

Creating Local Network Gateway. Our side of the VPN

I think right now some of you may be wondering why we had to put any address space there, since we are using a route-based VPN. I have asked myself this question, and the only explanation I could think of is that, because we are not using BGP, we still need to advertise our network from the right side.

After the VNG is created we need to know the IP address that was assigned to it. That’s the IP we will use as the peer on VyOS.

IP assigned to our VNG

Creating Site-To-Site Connection

Connection Type: Site-to-Site
Virtual network Gateway: “pick the one you created”
Local network Gateway: “pick the one you created”
Pre-shared key: “presharedkey” (I will use gies8aej4Vee8aeXai4e)

Defining our connection

Linking connection

Summary of the Wizard

Creating a firewall rule in Azure for VyOS

I will not go over the details of creating a Linux (Ubuntu Xenial) box as a node in our 10.1.0.0/24 subnet (the public subnet of our 10.1.0.0/16 vnet). But essentially, we need to create an inbound rule for this box that allows traffic on port 80 from the AWS 172.20.0.0/20 network.

You could as well assign this rule to the whole vnet.

Verifying firewall and routing rules on AWS

Here as well, unfortunately, I will not go over the creation of the VyOS instance on AWS, nor of the second box that we will launch into the Virtual Private Cloud (VPC, the AWS equivalent of an Azure vnet).

Security Rules on VyOS

Open UDP port 4500 to: 40.117.189.60
Open UDP port 500 to: 40.117.189.60

Security Rules on Box behind VyOS

Open all ICMP to: 10.1.0.0/16
Open HTTP port 80 to: 10.1.0.0/16

It’s also important to update the route table of the AWS network to forward all traffic destined for the 10.1.0.0/16 subnet to the VyOS box (this is only possible if the Source/Destination check is disabled on the VyOS instance).

Configuring VyOS

I will be using the usual VyOS instance (172.20.0.5); it already has most of what I configured. It’s important to read the documentation Microsoft has put up for interacting with their managed VPN device. They have validated devices and non-validated ones, and a matrix of parameters to use depending on whether you are policy-based or route-based. The matrix defines whether one should use IKEv1 or IKEv2, with which DH group, etc. You can have a peek here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#ipsec

Based on the information on that page, and since we are using route-based, below are the IKE and ESP parameters we will use:

IKE

IKE version: 2
Encryption Alg: aes256
Hashing Alg: sha1
Lifetime: 28800

Below is its implementation in VyOS

ESP

Encryption Alg: aes256
Hashing Alg: sha1
PFS: group 2
Lifetime: 27000

When you check the Microsoft documentation for having the Azure VPN act as responder for a RouteBased VPN, if using the AES256/SHA1 combination then PFS should be Group 2; that’s proposal 9 on this list at the time of writing: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#azure-gateway-as-responder

IPSEC

peer: 40.117.189.60
remote tunnel: 10.1.0.0/24
local tunnel: 172.20.0.0/20
connection type: initiate
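The IKE, ESP and IPsec parameters above, assembled into a VyOS configuration as an added example (this is not the author's configuration, which is only shown as an image in this post). It uses the addresses and pre-shared key from this post; the interface name eth0, the IKE DH group 2, the group names AZURE-IKE and AZURE-ESP, and the NAT-traversal and IKE identity lines (included because the AWS instance sits behind the elastic IP 34.230.141.57, so Azure would otherwise see a mismatched identity) are assumptions:

```vyos
#!/bin/vbash
# Added example: VyOS 1.1-style configuration for the Azure route-based
# (no BGP) VPN described in this post. Values that are not in the post
# (eth0, DH group 2 for IKE, group names, NAT settings) are assumptions.
source /opt/vyatta/etc/functions/script-template
configure

# IKE (phase 1): IKEv2, AES256/SHA1, lifetime 28800 s, DH group 2 (assumed)
set vpn ipsec ike-group AZURE-IKE key-exchange ikev2
set vpn ipsec ike-group AZURE-IKE lifetime 28800
set vpn ipsec ike-group AZURE-IKE proposal 1 encryption aes256
set vpn ipsec ike-group AZURE-IKE proposal 1 hash sha1
set vpn ipsec ike-group AZURE-IKE proposal 1 dh-group 2

# ESP (phase 2): AES256/SHA1, PFS group 2, lifetime 27000 s
set vpn ipsec esp-group AZURE-ESP mode tunnel
set vpn ipsec esp-group AZURE-ESP lifetime 27000
set vpn ipsec esp-group AZURE-ESP pfs dh-group2
set vpn ipsec esp-group AZURE-ESP proposal 1 encryption aes256
set vpn ipsec esp-group AZURE-ESP proposal 1 hash sha1

# IPsec listens on the AWS-facing interface (eth0 is an assumption).
# The instance has a private address behind an AWS elastic IP, so
# NAT traversal is enabled (assumption: UDP 4500 is open, see above).
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0

# Peer = the Azure VNG public IP; our identity = the AWS elastic IP
# that Azure's Local Network Gateway was created with (assumption).
set vpn ipsec site-to-site peer 40.117.189.60 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 40.117.189.60 authentication pre-shared-secret gies8aej4Vee8aeXai4e
set vpn ipsec site-to-site peer 40.117.189.60 authentication id 34.230.141.57
set vpn ipsec site-to-site peer 40.117.189.60 connection-type initiate
set vpn ipsec site-to-site peer 40.117.189.60 ike-group AZURE-IKE
set vpn ipsec site-to-site peer 40.117.189.60 default-esp-group AZURE-ESP
set vpn ipsec site-to-site peer 40.117.189.60 local-address 172.20.0.5

# Traffic selectors: AWS 172.20.0.0/20 <-> Azure 10.1.0.0/24
set vpn ipsec site-to-site peer 40.117.189.60 tunnel 1 local prefix 172.20.0.0/20
set vpn ipsec site-to-site peer 40.117.189.60 tunnel 1 remote prefix 10.1.0.0/24

commit
save
exit
```

After the commit, the operational-mode commands show vpn ike sa and show vpn ipsec sa should list the peer 40.117.189.60 with an established IKE SA and one ESP SA for the 172.20.0.0/20 to 10.1.0.0/24 pair; the Azure connection blade should report Connected at the same time. If the IKE SA never comes up, the first things to verify against the rules listed above are that UDP 500 and 4500 are allowed inbound from 40.117.189.60 and that the pre-shared key matches the one entered in the Azure connection.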

Let’s check statuses on both sides

Status on VyOS

Status on Azure connection

Status on Azure gateway

Let’s test from boxes of the 2 networks

From AWS to Azure, ping and telnet

From Azure to AWS, ping and telnet

That’s it guys, I hope this has been useful. I will try to cover BGP route-based VPN with Azure next time.
