Hello Guys,
In this tutorial, I will show how to create an Azure managed VPN and use VyOS on AWS to connect to it. Note that there are currently two ways of using a route-based VPN with Azure: one uses Border Gateway Protocol (BGP) and the other does not. This tutorial covers the one without BGP.
Below is what we will be doing:
- Create a Resource Group
- Create Azure Virtual Network
- Create Azure Gateway Subnet
- Create Azure Virtual Network Gateway
- Create Azure Local Network Gateway
- Create Site-To-Site Connection
- Create a firewall rule in Azure for VyOS
- Verify firewall and routing rules on AWS
- Configure VyOS
The picture below depicts the purpose of this experiment. Our goal is to connect our site A on Azure, with a network of 10.1.0.0/16, to our site B on AWS, with a network of 172.20.0.0/16.
Creating a Resource Group.
As most Azure users already know, we will be creating all our components in a resource group. I have created one called devops, and that’s where I will be creating everything we need for this tutorial. The image below shows how it will look when we have finished creating our components. I also want to draw the reader’s attention to the “+ Add” button at the top of the resource group blade. We will use it extensively to create all the resources in Azure, from the vnet to the connection. Clicking on it opens an “Everything” blade where we can search for any Azure resource.
Creating Azure Virtual Network.
We will be creating the virtual network in Azure that the VPN from AWS will connect to. Our VNET will have the address space 10.1.0.0/16 (if I am not mistaken, Azure even allows a /8). Let’s search for the Virtual Network component in the Everything blade in order to create our network, as shown below.
Creating Azure Gateway Subnet
In order to launch any Azure managed VPN in our network, we need to create another subnet which, by convention, cannot be called anything other than “GatewaySubnet”. Let’s create one in our vnet with a /27 mask.
Create Azure Virtual Network Gateway (VNG)
The Azure Virtual Network Gateway defines the Azure side of the VPN we are creating. Using the usual left/right description of a VPN, and since we are working from Azure, you would say the Virtual Network Gateway defines the left side of the VPN. This blade is more like a wizard, where you choose the virtual network in which you want to create the virtual gateway and the public IP you want it to have.
The IP in question you will either have to create or choose from your existing IP components. This IP is in fact not static, but it won’t change unless the gateway is recreated. I have not tried it, but to be sure the IP never changes you could create a static IP separately in the resource group and use that in the Virtual Network Gateway blade instead.
Gateway Type: VPN
VPN Type: Route Based
SKU: Basic
Virtual Network: vpn-vnetwork (created above)
Public IP address: To be created
Configure BGP ASN: NO
In the image above you will notice a check box to enable BGP. Since we will not be using BGP in this route-based VPN, we leave it unchecked.
Creating Azure Local Network Gateway
Similar to the Virtual Network Gateway, the Local Network Gateway represents the right side of the VPN, in this case the AWS side. As stated, our network on AWS is 172.20.0.0/16. Let’s create our Local Network Gateway by searching for it in the “Everything” blade.
IP Address: 34.230.141.57
Address Space: 172.20.0.0/20
Configure BGP settings: No
I think right now some of you are starting to wonder why we had to put any subnet there at all, since we are using a route-based VPN. I have asked myself the same question, and the only explanation I can think of is that, because we are not using BGP, we still need a way to advertise our network from the right side.
After the VNG is created we need to know the public IP address that was assigned to it. That’s the IP we will use as the peer address on VyOS.
Creating Site-To-Site Connection
Connection Type: Site-to-Site
Virtual network Gateway: “pick the one you created”
Local network Gateway: “pick the one you created”
Pre-shared key: “presharedkey” (I will use gies8aej4Vee8aeXai4e)
Creating a firewall rule in Azure for VyOS
I will not go over the details of creating a Linux (Ubuntu Xenial) box as a node in our 10.1.0.0/24 subnet (the public subnet of our 10.1.0.0/16 vnet). Essentially, we need to create an inbound rule for this box that allows traffic on port 80 from the AWS 172.20.0.0/20 network.
You could also assign this rule to the whole vnet.
Verifying firewall and routing rules on AWS
Here as well, unfortunately, I will not go over the creation of the VyOS instance on AWS, nor of the second box that we launch into the Virtual Private Cloud (VPC, the AWS equivalent of an Azure vnet).
Security Rules on VyOS
Open UDP Port 4500 to: 40.117.189.60
Open UDP Port 500 to: 40.117.189.60
Security Rules on Box behind VyOS
Open All ICMP Ports to: 10.1.0.0/16
Open HTTP Port 80 to: 10.1.0.0/16
It’s also important to update the route table of the AWS network to forward all traffic destined for the 10.1.0.0/16 subnet to the VyOS box (this only works if Source/Destination check is disabled on that instance).
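The AWS-side prerequisites above (UDP 500/4500 open to the Azure gateway IP on the VyOS instance, ICMP and HTTP open to the Azure VNET on the box behind it, a route for 10.1.0.0/16 pointing at the VyOS instance, and source/destination check disabled) are easy to get half right, so here is a small preflight script that checks all of them at once. It is an added example, not part of the original post and not AWS tooling: the input dictionaries are constructed to have the same shape as what boto3’s describe_security_groups, describe_route_tables and describe_instance_attribute return, so the same functions can be pointed at real API output; the security-group and instance ids are placeholders.

```python
"""Preflight check of the AWS side of the Azure <-> VyOS tunnel (added example)."""
import ipaddress

AZURE_VNG_IP = "40.117.189.60"         # Azure Virtual Network Gateway public IP from the post
AZURE_VNET = "10.1.0.0/16"             # Azure VNET address space from the post
VYOS_INSTANCE = "i-0vyosplaceholder"   # placeholder: id of the VyOS EC2 instance

# Constructed data, shaped like SecurityGroups[] from describe_security_groups.
VYOS_SG = {"GroupId": "sg-vyosplaceholder", "IpPermissions": [
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
     "IpRanges": [{"CidrIp": "40.117.189.60/32"}]},
    {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500,
     "IpRanges": [{"CidrIp": "40.117.189.60/32"}]},
]}
BACKEND_SG = {"GroupId": "sg-boxplaceholder", "IpPermissions": [
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "10.1.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "10.1.0.0/16"}]},
]}
# Constructed data, shaped like RouteTables[] from describe_route_tables.
ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "172.20.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "10.1.0.0/16", "InstanceId": VYOS_INSTANCE, "State": "active"},
]}
# Constructed data, shaped like describe_instance_attribute(Attribute="sourceDestCheck").
SOURCE_DEST_CHECK = {"SourceDestCheck": {"Value": False}}


def allows(sg, proto, port, src_ip):
    """True if some inbound rule of sg admits proto/port from src_ip.

    IpProtocol "-1" means all protocols; FromPort -1 (used for ICMP) means all ports/types.
    """
    src = ipaddress.ip_address(src_ip)
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] not in (proto, "-1"):
            continue
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        if lo != -1 and not (lo <= port <= hi):
            continue
        if any(src in ipaddress.ip_network(r["CidrIp"]) for r in perm["IpRanges"]):
            return True
    return False


def route_to_vyos(route_table, prefix, instance_id):
    """True if an active route for exactly `prefix` targets the VyOS instance."""
    return any(r.get("DestinationCidrBlock") == prefix
               and r.get("InstanceId") == instance_id
               and r.get("State") == "active"
               for r in route_table["Routes"])


def preflight(vyos_sg, backend_sg, route_table, sdc, vng_ip, vnet, vyos_id):
    """Return {check name: bool}; a False entry names the thing still to fix."""
    # Any address inside the Azure VNET will do to probe the backend rules.
    vnet_host = str(next(ipaddress.ip_network(vnet).hosts()))
    return {
        "ike_udp_500": allows(vyos_sg, "udp", 500, vng_ip),
        "nat_t_udp_4500": allows(vyos_sg, "udp", 4500, vng_ip),
        "backend_icmp": allows(backend_sg, "icmp", -1, vnet_host),
        "backend_http": allows(backend_sg, "tcp", 80, vnet_host),
        "route_to_vyos": route_to_vyos(route_table, vnet, vyos_id),
        "source_dest_check_off": sdc["SourceDestCheck"]["Value"] is False,
    }


if __name__ == "__main__":
    results = preflight(VYOS_SG, BACKEND_SG, ROUTE_TABLE, SOURCE_DEST_CHECK,
                        AZURE_VNG_IP, AZURE_VNET, VYOS_INSTANCE)
    for name, ok in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

The route check deliberately requires the exact 10.1.0.0/16 prefix rather than any covering route, because a more specific route elsewhere in the table would silently bypass the VyOS box.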
Configuring VyOS
I will be using my usual VyOS instance (172.20.0.5); it already has most of what I configure here. It’s important to read the documentation Microsoft publishes for devices that interact with their managed VPN. They list validated and non-validated devices, and a matrix of parameters to use depending on whether you are policy-based or route-based. The matrix defines whether one should use IKEv1 or IKEv2, with which DH group, and so on. You can have a peek here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#ipsec
Based on the information on that page, and since we are using route-based, below are the IKE and ESP parameters we will use:
IKE
IKE version: 2
Encryption Alg: aes256
Hashing Alg: sha1
Lifetime: 28800
Below is its implementation in VyOS (configure mode):
set vpn ipsec ike-group IKE2-AES256-SHA1-LT28800 lifetime 28800
set vpn ipsec ike-group IKE2-AES256-SHA1-LT28800 proposal 1 dh-group 2
set vpn ipsec ike-group IKE2-AES256-SHA1-LT28800 proposal 1 encryption aes256
set vpn ipsec ike-group IKE2-AES256-SHA1-LT28800 proposal 1 hash sha1
set vpn ipsec ike-group IKE2-AES256-SHA1-LT28800 ikev2-reauth 'no'
set vpn ipsec ike-group IKE2-AES256-SHA1-LT28800 key-exchange 'ikev2'
set vpn ipsec ike-group IKE2-AES256-SHA1-LT28800 dead-peer-detection action restart
set vpn ipsec ike-group IKE2-AES256-SHA1-LT28800 dead-peer-detection interval 15
set vpn ipsec ike-group IKE2-AES256-SHA1-LT28800 dead-peer-detection timeout 30
ESP
Encryption Alg: aes256
Hashing Alg: sha1
PFS: group 2
Lifetime: 27000
set vpn ipsec esp-group ESP2-AES256-SHA1-LT27000 lifetime 27000
set vpn ipsec esp-group ESP2-AES256-SHA1-LT27000 mode tunnel
set vpn ipsec esp-group ESP2-AES256-SHA1-LT27000 pfs dh-group2
set vpn ipsec esp-group ESP2-AES256-SHA1-LT27000 proposal 1 encryption aes256
set vpn ipsec esp-group ESP2-AES256-SHA1-LT27000 proposal 1 hash sha1
When you check the Microsoft documentation for Azure VPN acting as responder on a route-based VPN, the AES256/SHA1 combination requires PFS Group 2; at the time of writing, that is proposal 9 on this list: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#azure-gateway-as-responder
IPSEC
peer: 40.117.189.60
remote tunnel: 10.1.0.0/24
local tunnel: 172.20.0.0/20
connection type: initiate
edit vpn ipsec site-to-site peer 40.117.189.60
set description "Azure non BGP route based connection"
set authentication mode pre-shared-secret
set authentication pre-shared-secret 'gies8aej4Vee8aeXai4e'
set connection-type initiate
set ike-group IKE2-AES256-SHA1-LT28800
set default-esp-group ESP2-AES256-SHA1-LT27000
set tunnel 1 local prefix 172.20.0.0/20
set tunnel 1 remote prefix 10.1.0.0/24
set local-address 172.20.0.5
top
commit
save
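Because the two ends of this non-BGP route-based tunnel are typed by hand into two different consoles (the Azure connection and Local Network Gateway blades on one side, the VyOS peer block on the other), most failed tunnels come down to the two sides disagreeing on a value. The script below is an added example, not part of the original post and not VyOS or Azure tooling: it holds the Azure-side values from this post next to the VyOS-side values and checks the relationships the tutorial relies on (peer address equals the VNG public IP, Local Network Gateway IP equals the VyOS public IP, tunnel prefixes sit inside the Azure VNET and the Local Network Gateway address space, the local address is inside the local prefix, identical pre-shared secret, PFS group 2 for the AES256/SHA1 responder combination), and only then renders the VyOS peer block, so what gets pasted is what was checked. The AzureSide/VyosSide classes, check() and render() are my names.

```python
"""Cross-check the VyOS peer block against the Azure side (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AzureSide:
    vng_public_ip: str      # Virtual Network Gateway public IP (left side)
    vnet: str               # Azure VNET address space
    lng_ip: str             # Local Network Gateway "IP Address" (VyOS as seen by Azure)
    lng_address_space: str  # Local Network Gateway "Address Space"
    psk: str                # pre-shared key typed into the connection blade


@dataclass(frozen=True)
class VyosSide:
    peer: str               # site-to-site peer address
    local_address: str      # VyOS interface address used for IKE
    public_ip: str          # public (elastic) IP fronting the VyOS instance
    local_prefix: str       # tunnel 1 local prefix
    remote_prefix: str      # tunnel 1 remote prefix
    psk: str                # authentication pre-shared-secret
    pfs: str = "dh-group2"  # esp-group pfs setting
    ike_group: str = "IKE2-AES256-SHA1-LT28800"
    esp_group: str = "ESP2-AES256-SHA1-LT27000"


# Values as quoted in the post (the PSK is the one the post publishes).
AZURE = AzureSide("40.117.189.60", "10.1.0.0/16", "34.230.141.57",
                  "172.20.0.0/20", "gies8aej4Vee8aeXai4e")
VYOS = VyosSide("40.117.189.60", "172.20.0.5", "34.230.141.57",
                "172.20.0.0/20", "10.1.0.0/24", "gies8aej4Vee8aeXai4e")


def subnet_of(inner, outer):
    """True if network `inner` lies entirely within network `outer` (equal counts)."""
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def check(azure, vyos):
    """Return a list of human-readable mismatches; an empty list means the sides agree."""
    problems = []
    if vyos.peer != azure.vng_public_ip:
        problems.append(f"peer {vyos.peer} != Azure VNG public IP {azure.vng_public_ip}")
    if vyos.public_ip != azure.lng_ip:
        problems.append(f"Local Network Gateway IP {azure.lng_ip} != VyOS public IP {vyos.public_ip}")
    if not subnet_of(vyos.local_prefix, azure.lng_address_space):
        problems.append(f"local prefix {vyos.local_prefix} not inside Local Network Gateway "
                        f"address space {azure.lng_address_space}")
    if not subnet_of(vyos.remote_prefix, azure.vnet):
        problems.append(f"remote prefix {vyos.remote_prefix} not inside Azure VNET {azure.vnet}")
    if ipaddress.ip_address(vyos.local_address) not in ipaddress.ip_network(vyos.local_prefix):
        problems.append(f"local-address {vyos.local_address} not inside local prefix {vyos.local_prefix}")
    if vyos.psk != azure.psk:
        problems.append("pre-shared secrets differ between Azure and VyOS")
    if vyos.pfs != "dh-group2":
        # AES256/SHA1 with Azure as responder requires PFS group 2 (see the post).
        problems.append(f"pfs {vyos.pfs} is not dh-group2, which AES256/SHA1 requires")
    return problems


def render(vyos):
    """Emit the VyOS configure-mode commands of the site-to-site peer block from one source of values."""
    return [
        f"edit vpn ipsec site-to-site peer {vyos.peer}",
        'set description "Azure non BGP route based connection"',
        "set authentication mode pre-shared-secret",
        f"set authentication pre-shared-secret '{vyos.psk}'",
        "set connection-type initiate",
        f"set ike-group {vyos.ike_group}",
        f"set default-esp-group {vyos.esp_group}",
        f"set tunnel 1 local prefix {vyos.local_prefix}",
        f"set tunnel 1 remote prefix {vyos.remote_prefix}",
        f"set local-address {vyos.local_address}",
        "top",
    ]


if __name__ == "__main__":
    mismatches = check(AZURE, VYOS)
    if mismatches:
        print("not rendering, fix first:\n  " + "\n  ".join(mismatches))
    else:
        print("\n".join(render(VYOS)))
```

The prefix checks use subnet_of rather than equality because the post itself uses a narrower remote prefix (10.1.0.0/24) than the Azure VNET (10.1.0.0/16); a typo that takes the local prefix outside the Local Network Gateway address space is the case that would otherwise only show up as a tunnel that negotiates but never passes traffic.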
Let’s check the statuses on both sides.
Let’s test from boxes in the two networks.
That’s it guys, I hope this has been useful. I will try to cover BGP route-based VPN with Azure next time.