In part of my job, I have a customer who wants to test a hybrid cloud between an on-premises datacenter and Azure in order to externalize workloads. First of all, we need to create a Site-to-Site VPN so that both worlds can communicate.
S2S with IPSec VPN on Azure:
I assume that the virtual network is already created on Azure and contains a subnet named GatewaySubnet, which the VPN gateway requires (I will explain in a further topic how to create a virtual network).
Open PowerShell and connect to your subscription:
Login-AzureRmAccount    # enter your credentials
Get-AzureRmSubscription    # copy the subscription ID
Select-AzureRmSubscription -SubscriptionId "IDofyoursubscription"
Then create the variables (modify them with your values):
$RG = "RGNetwork"
$Location = "Westeurope"
$GWName = "VNet1GW"
$LNGname = "VPN_GW"
$Connection = "AzuretoDConprem"
$GW1IPconfName = "gw1ipconf"    # name of the gateway IP configuration
$LNGIP6 = "Public IP address of your router"
$LNGPrefix = "Local subnet range on premises"
Next create the virtual network gateway on Azure. The -IpConfigurations parameter expects an object, not a name: build it first with New-AzureRmVirtualNetworkGatewayIpConfig -Name $GW1IPconfName, passing the ID of the GatewaySubnet and the ID of a public IP address created for the gateway, and store it in $GW1IPconf. A custom IPsec/IKE policy requires a route-based gateway on the VpnGw1 SKU or higher (the Basic SKU does not support it). Provisioning the gateway can take up to 45 minutes.
New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location -IpConfigurations $GW1IPconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1
Create the local network gateway on Azure (this object represents your on-premises router: its public IP and the address ranges behind it):
New-AzureRmLocalNetworkGateway -Name $LNGname -ResourceGroupName $RG -Location $Location -GatewayIpAddress $LNGIP6 -AddressPrefix $LNGPrefix
Create the new IPsec/IKE policy, using the values that match your router (for example a Cisco ASA). The proposal must be identical on both ends, otherwise IKE negotiation fails.
Azure can also generate a configuration file for the on-premises device (Cisco ASA, Juniper and other vendors) that you can download and adapt.
The following table lists the Diffie-Hellman groups supported by the custom policy and the corresponding DHGroup (IKE phase 1) and PFSGroup (IPsec phase 2) values:
Diffie-Hellman Group | DHGroup | PFSGroup | Key length |
1 | DHGroup1 | PFS1 | 768-bit MODP |
2 | DHGroup2 | PFS2 | 1024-bit MODP |
14 | DHGroup14, DHGroup2048 | PFS2048 | 2048-bit MODP |
19 | ECP256 | ECP256 | 256-bit ECP |
20 | ECP384 | ECP384 | 384-bit ECP |
24 | DHGroup24 | PFS24 | 2048-bit MODP |
Refer to RFC 3526 and RFC 5114 for more details. Groups 1 and 2 (768-bit and 1024-bit MODP) are below current recommendations and should only be kept for a device that cannot do better; prefer group 14 (2048-bit MODP) or the ECP groups 19 and 20.
$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup2 -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2 -SALifeTimeSeconds 28800 -SADataSizeKilobytes 102400000
Note that DHGroup2/PFS2 is 1024-bit MODP; if the on-premises device supports it, use DHGroup14/PFS2048 or ECP256/ECP384 instead. When GCMAES is selected for IpsecEncryption, IpsecIntegrity must be set to the same GCMAES algorithm and key length, as above.
To finish, create the connection between the Azure virtual network gateway and the local network gateway. The local network gateway is your on-premises firewall or router. The -VirtualNetworkGateway1 and -LocalNetworkGateway2 parameters take the gateway objects, not their names, so retrieve them first. The shared key is the IKE pre-shared key: use a long random value (Azure accepts 1 to 128 printable ASCII characters), configure the same value on the router, and do not leave it hard-coded in scripts or shell history.
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection -ResourceGroupName $RG -VirtualNetworkGateway1 (Get-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG) -LocalNetworkGateway2 (Get-AzureRmLocalNetworkGateway -Name $LNGname -ResourceGroupName $RG) -Location $Location -ConnectionType IPsec -IpsecPolicies $ipsecpolicy -SharedKey 'yoursharedkey'
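The whole procedure above, from login to connection, as one script. This is an added example and not code from the original post; it fills in the steps the walkthrough leaves implicit (the public IP, the gateway IP configuration object, the object lookups for the connection) and generates the pre-shared key instead of typing one. The virtual network name VNet1, the router IP 203.0.113.10, the 10.10.0.0/16 prefix and the subscription ID are placeholders.

```powershell
# Added example (not from the original post): end-to-end S2S build with the
# AzureRM module. Names, address ranges and the router IP are placeholders.

# Stop on the first failure so a half-built gateway is noticed immediately.
$ErrorActionPreference = 'Stop'

$RG         = 'RGNetwork'
$Location   = 'westeurope'
$VNetName   = 'VNet1'              # assumed: existing VNet that already has a 'GatewaySubnet'
$GWName     = 'VNet1GW'
$GWPipName  = 'VNet1GW-pip'
$GW1IPconf  = 'gw1ipconf'
$LNGname    = 'VPN_GW'
$Connection = 'AzuretoDConprem'
$LNGIP      = '203.0.113.10'       # placeholder (TEST-NET-3): public IP of the on-prem router
$LNGPrefix  = @('10.10.0.0/16')    # placeholder: on-prem ranges reachable through the tunnel

Login-AzureRmAccount | Out-Null
Select-AzureRmSubscription -SubscriptionId 'IDofyoursubscription' | Out-Null   # placeholder

# 1. Public IP for the VPN gateway (AzureRM VpnGw SKUs require a dynamic allocation).
$pip = New-AzureRmPublicIpAddress -Name $GWPipName -ResourceGroupName $RG `
    -Location $Location -AllocationMethod Dynamic

# 2. Gateway IP configuration: ties the GatewaySubnet to that public IP.
#    This object, not a string, is what -IpConfigurations expects.
$vnet   = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GW1IPconf `
    -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# 3. Route-based VPN gateway. Custom IPsec/IKE policies need VpnGw1 or higher,
#    not Basic. Provisioning can take up to 45 minutes.
$vng = New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG `
    -Location $Location -IpConfigurations $ipconf -GatewayType Vpn `
    -VpnType RouteBased -GatewaySku VpnGw1

# 4. Local network gateway = the on-prem router and the prefixes behind it.
$lng = New-AzureRmLocalNetworkGateway -Name $LNGname -ResourceGroupName $RG `
    -Location $Location -GatewayIpAddress $LNGIP -AddressPrefix $LNGPrefix

# 5. IPsec/IKE policy. 2048-bit MODP (DHGroup14/PFS2048) instead of the post's
#    1024-bit group 2; the router must be configured with the same proposal.
$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 `
    -DhGroup DHGroup14 -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 `
    -PfsGroup PFS2048 -SALifeTimeSeconds 28800 -SADataSizeKilobytes 102400000

# 6. Pre-shared key: 32 random bytes, hex-encoded (64 printable ASCII chars,
#    within Azure's 1-128 limit and safe for any router CLI). Hand it to the
#    router admin out of band; do not keep it in the script.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$psk = -join ($bytes | ForEach-Object { $_.ToString('x2') })
Write-Host "Configure this PSK on the on-prem router: $psk"

# 7. The connection takes the gateway objects, not their names.
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection -ResourceGroupName $RG `
    -Location $Location -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -IpsecPolicies $ipsecpolicy -SharedKey $psk
```

Steps 1 to 3 are the ones missing from the walkthrough; without the IP configuration object the gateway cmdlet fails, and without a VpnGw SKU the custom policy is rejected. The script prints the PSK once so it can be entered on the router; treat that output like a password.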
Verify IPsec/IKE policy for a connection
In a second step, verify that the connection between Azure and on-premises is established. You can use the following PowerShell cmdlet:
Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection -ResourceGroupName $RG
The result below indicates that the connection is successful:
"connectionStatus": Connected
"ingressBytesTransferred": 876588
"egressBytesTransferred": 164096
To check the IPsec policy applied to the connection, run the following cmdlets:
$connection2 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection -ResourceGroupName $RG
$connection2.IpsecPolicies
Add or update an IPsec/IKE policy for a connection
We can add or edit the current policy on a connection. The process is the same: build a new policy object and then apply it to the connection. Change the router's proposal first, because the tunnel renegotiates as soon as the new policy is applied.
Create a new IPsec policy (with different values, only to show that the policy changed; SHA1 for IKE integrity and PfsGroup None are weak choices that should not be used in production):
$newipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES128 -IkeIntegrity SHA1 -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000
Apply or update the policy:
Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection2 -IpsecPolicies $newipsecpolicy
The cmdlet asks for confirmation before overwriting the connection; answer "Yes to All" to replace the existing IPsec policy with the new one (the -Force switch suppresses the prompt in scripts). Then re-run Get-AzureRmVirtualNetworkGatewayConnection to confirm the status is back to Connected.
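The verify-and-update steps above as a script that also reviews the policy before applying it. This is an added example, not code from the original post: it reads the connection, flags settings that are weak by today's standards, refuses to apply a replacement policy that has any of them, uses -Force instead of the interactive prompt, and waits for the tunnel to come back. The weak/acceptable lists are this example's own choice; the variable names are the post's.

```powershell
# Added example (not from the original post): audit the IPsec/IKE policy on an
# existing connection, apply a replacement, and confirm the tunnel re-established.

$RG         = 'RGNetwork'
$Connection = 'AzuretoDConprem'

# Settings Azure still accepts but that should not survive into production:
# DH/PFS groups of 1024-bit MODP or smaller, disabled PFS, MD5/SHA1, DES/3DES.
function Get-WeakIpsecSettings {
    param([Parameter(Mandatory)] $Policy)   # PSIpsecPolicy, or any object with the same properties
    $weakDh   = @('DHGroup1', 'DHGroup2', 'None')
    $weakPfs  = @('PFS1', 'PFS2', 'None')
    $weakHash = @('MD5', 'SHA1')
    $weakEnc  = @('DES', 'DES3')
    $findings = @()
    if ($Policy.DhGroup         -in $weakDh)   { $findings += "IKE DH group $($Policy.DhGroup) (1024-bit MODP or smaller)" }
    if ($Policy.PfsGroup        -in $weakPfs)  { $findings += "PFS group $($Policy.PfsGroup): no or weak forward secrecy for child SAs" }
    if ($Policy.IkeIntegrity    -in $weakHash) { $findings += "IKE integrity $($Policy.IkeIntegrity)" }
    if ($Policy.IpsecIntegrity  -in $weakHash) { $findings += "IPsec integrity $($Policy.IpsecIntegrity)" }
    if ($Policy.IkeEncryption   -in $weakEnc)  { $findings += "IKE encryption $($Policy.IkeEncryption)" }
    if ($Policy.IpsecEncryption -in $weakEnc)  { $findings += "IPsec encryption $($Policy.IpsecEncryption)" }
    return $findings
}

# 1. Current state of the connection.
$conn = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection -ResourceGroupName $RG
"Status: $($conn.ConnectionStatus)  in: $($conn.IngressBytesTransferred) B  out: $($conn.EgressBytesTransferred) B"

# An empty IpsecPolicies list means the Azure default proposal set is in use.
if (-not $conn.IpsecPolicies) { Write-Warning 'No custom policy: the gateway negotiates from the Azure default list' }
foreach ($p in $conn.IpsecPolicies) {
    $p | Format-List DhGroup, PfsGroup, IkeEncryption, IkeIntegrity, IpsecEncryption, IpsecIntegrity, SALifeTimeSeconds
    Get-WeakIpsecSettings -Policy $p | ForEach-Object { Write-Warning "Weak setting on current policy: $_" }
}

# 2. Replacement policy: 2048-bit MODP for IKE and PFS, SHA256, 4h SA lifetime.
$newipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 `
    -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 `
    -PfsGroup PFS2048 -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

$weak = Get-WeakIpsecSettings -Policy $newipsecpolicy
if ($weak) { throw "Refusing to apply a policy with weak settings: $($weak -join '; ')" }

# 3. Apply. -Force replaces the "Yes to All" prompt. The tunnel renegotiates,
#    so the router must already be configured with the same proposal.
Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn `
    -IpsecPolicies $newipsecpolicy -Force | Out-Null

# 4. Wait for the tunnel to come back instead of assuming it did.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 20
    $conn = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection -ResourceGroupName $RG
} until ($conn.ConnectionStatus -eq 'Connected' -or (Get-Date) -gt $deadline)
"Status after update: $($conn.ConnectionStatus)"
if ($conn.ConnectionStatus -ne 'Connected') { Write-Warning 'Tunnel did not re-establish: check the proposal on the router' }
```

Run the audit part alone (steps 1 and 2 without the Set-) during a change review; the same Get-WeakIpsecSettings function catches the SHA1/PFS None combination used in the post's example policy before it is ever applied.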
Have Fun and enjoy 🙂