Home | Cloud | Azure | Configure IPsec/IKE policy for S2S connections in Azure

Configure IPsec/IKE policy for S2S connections in Azure

In part of my job, I have a customer who wants to test a hybrid cloud between on premise and Azure datacenter to externalize workloads. First of all, we need to create a VPN Site to Site to communicate with both worlds.

S2S with IPSec VPN on Azure:

I assume that the virtual network is created on Azure (I will explain in a further topic how to create a virtual network).

Open your PowerShell and connect to your subscription:

Login-AzureRmAccount (enter your credentials)
Get-Azurermsubscription (Copy the sub ID)
Select-AzureRmSubscription -SubscriptionId "IDofyoursubscription"

Then create the Variables: (Modify with your values)

$RG         = "RGNetwork"
$Location     = "Westeurope"
$GWName        = "VNet1GW"
$LNGname    = "VPN_GW"
$Connection    = "AzuretoDConprem"
$GW1IPconf        = "gw1ipconf"
$LNGIP6        = "Public IP Adress of your Routeur"
$LNGPrefix    = "Local Subnet Range on premise"

Next create the virtual Gateway on Azure:

New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location -IpConfigurations $gw1ipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

Create the Local Gateway on Azure:

New-AzureRmLocalNetworkGateway -Name $LNGname -ResourceGroupName $RG -Location $Location -GatewayIpAddress $LNGIP6 -AddressPrefix $LNGPrefix

Create the new Policy IPsec/IKE: (use the correct value regarding your router, for example: CISCO ASA)
It is possible to download on Azure the configuration file for CISCO ASA or other manufacturers such as juniper …)

The following table lists the corresponding Diffie-Hellman Groups supported by the custom policy:

Diffie-Hellman Group DHGroup PFSGroup Key length
1 DHGroup1 PFS1 768-bit MODP
2 DHGroup2 PFS2 1024-bit MODP
14 DHGroup14
DHGroup2048
PFS2048 2048-bit MODP
19 ECP256 ECP256 256-bit ECP
20 ECP384 ECP284 384-bit ECP
24 DHGroup24 PFS24 2048-bit MODP

Refer to RFC3526 and RFC5114 for more details.

$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup2 -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2 -SALifeTimeSeconds 28800 -SADataSizeKilobytes 102400000

To finish, create the Connection between Azure Virtual Gateway and Local Gateway. The local gateway is your on-premise firewall or router.

New-AzureRmVirtualNetworkGatewayConnection -Name $Connection -ResourceGroupName $RG -VirtualNetworkGateway1 $GWName -LocalNetworkGateway2 $LNGName -Location $Location -ConnectionType IPsec -IpsecPolicies $ipsecpolicy -SharedKey 'yoursharedkey'

Verify IPsec/IKE policy for a connection

In a second step, verify that the connection between Azure and On-Prem is established. You can use the following PowerShell cmdlet:

Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection -ResourceGroupName $RG

The below result indicates that the connection is successful.
"connectionStatus": Connected
"ingressBytesTransferred": 876588
"egressBytesTransferred": 164096

To check the IPsec policy, run the following cmdlets:

$connection2 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection -ResourceGroupName $RG
$connection2.IpsecPolicies

Add or update an IPsec/IKE policy for a connection

We can add or edit the current policy on a connection. This is the same process: you have to specify a new policy and then apply it on the connection.

Create New Policy IPsec (with different values)

$newipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES128 -IkeIntegrity SHA1 -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

Apply or update the policy

Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection2 -IpsecPolicies $newipsecpolicy

Click YES to ALL to erase and recreate the new IPsecpolicy

Have Fun and enjoy 🙂

About Frederic Stefani

Frederic Stefani works as a Solutions Architect at Dell EMC. Frederic is focused on Microsoft Technologies, especially Microsoft Cloud Solutions based on Microsoft System Center, Microsoft Virtualization and Microsoft Azure. This includes Microsoft Hyper-V, Windows Server, Storage, Networking and Azure Pack as well as Service Management Automation. Frederic works closely with Customers and Microsoft to promote Microsoft Technology as speaker for Dell EMC, Microsoft and other Technical events such as Microsoft Experiences or Dell events. Frederic also works ahead of sales with our customers to promote Dell EMC services Specialities: Cloud, Datacenter, Microsoft Azure, Microsoft Azure Stack, Windows Server, Hyper-V, Windows Clients, Disaster Recovery, Powershell, Windows Deployment Services, Windows Unattended Installations, Microsoft Hosting Solutions, Powershell Development, SCVMM, System Center, Datacenter Management, Storage, Networking, Software Defined Datacenter. P-Seller (Partner Seller) within the competences: Core Infrastructure and Azure for Microsoft France

Leave a Reply

%d bloggers like this: