Wednesday, December 24, 2014

Azure Ipsec router ( Static gateway multi site)

The problem:
Multi site VPN on Azure using IKEv1 (CISCO ASA 8.3)
The situation to solve:

We need a connection between our three on premises sites and the production and staging in a vnet on Azure via VPN. Unfortunately we have an old CISCO ASA hardware running IOS 8.3 and it only supports IKEv1.

Azure supports two VPN modes, static route VPN gateway and dynamic VPN route gateway.
Static route work with IKEv1 hardware gateways such as Cisco ASA (only the newest versions supports IKEv2).
Dynamic routing works with IKEv2 hardware such as (CISCO ASR and ISR) gateways and Windows 2012 RAS.
IKEv1 is site to site VPN, it only support one site by default.
IKEv2 supports site to multi site VPNs.
Here is a compatibility list of hardware gateways supported by Azure and it includes a very useful information, the gateway type supported by the device.
Here is a comparative between IKEv1 and IKEv2 features:

The proposed solution:
Finally, we decided to use a Ipsec router running over Azure VM and Ubuntu with Openswan software.
It is important to assign a PIP to the IPsec router box, you can check this link to know how to assing a PIP.
Remember, if the box is deprovisioned you are going to lose your public IP.

Useful links to configure Openswan:

Here is an example of the ipsec box config:
conn AZURE
        left= # IPsec Box IP
        leftsubnets={,} # IPsec network and Onpremise network
        right=104.40.XXX.XXX #Azure gateway public IP
        rightsubnet= #Azure Networks
        #Tunning keepalive
        dpddelay=30 # Dead peer checks
        dpdtimeout=120  # Dead peer timeout
        dpdaction=restart_by_peer # what to do if dead?
        salifetime=3600s # how long to think that our key pair is secure
#Azure-gateway-ip Ipsec-box-private-ip  KEY
104.40.XXX.XXX  : PSK "eVKSik00AsN23n9892jsaaHMafb9EIPsxs"

Set the MTU in the linux box to 1350 (ifconfig eth0 mtu 1350) to improve the VPN performance and prevent fragmentation.
Here is there more information about this.

How to debug/troubleshooting:
In a nutshell, there are three main files to review in openswan when you have problems:
  • /var/log/auth.log 
  • /var/log/syslog 
  • /var/log/pluto/peer/a/b/c/d/a.b.c.d.log
In the link there is a very good post about how to configure and troubleshoot Openswan IPsec

No comments:

Post a Comment