Expired

DrayTek to Microsoft Azure Cloud IPsec VPN (Route-based) Configuration Guide

A LAN-to-LAN Virtual Private Network (VPN) connection links two private networks to allow traffic to route directly between them in a private and secure manner while passing through the internet, which could otherwise be susceptible to eavesdropping or tampering.

The Microsoft Azure cloud service can create a Site-to-site VPN tunnel between the virtual network and your VPN endpoint, such as the DrayTek Vigor 2862 router, providing a secured tunnel between Azure's virtual network and your local network. DrayTek Vigor routers with IPsec IKEv2 support (typically available in 3.8.5 and later firmware, check release notes for your individual model) can connect to the Azure cloud using "Route-based" mode.

Connecting a VPN router with a Site-to-Site VPN connection to the Azure network requires a fixed public IP address on the VPN router.

This setup guide demonstrates how to configure both the Azure portal and a DrayTek Vigor router to create an IPsec VPN tunnel between the two, with the IP addresses shown in the Network Overview below.

The configuration of a Site-to-Site VPN tunnel from the Azure cloud to a VPN router is detailed in full on Microsoft's website in this article:
Microsoft Azure - Create a Site-to-Site connection in the Azure portal (external site, correct as of 25/10/17).

If following the Microsoft article, step 6. Configure your VPN device is covered in the DrayTek VPN LAN-to-LAN Configuration section of this page.

For an overview of the concepts and terminology used in this configuration, please refer to this Microsoft documentation article:
Microsoft Azure - VPN Gateway FAQ (external site, correct as of 25/10/17).

Network Overview

 

Azure Site-to-Site Tunnel Configuration

Connect to the Microsoft Azure portal website. In this setup example, a Virtual Network called "TestNetwork" has been created with these details:

Virtual Network Test Network
Address space 172.24.0.0/16
Network Address 172.24.0.0
Subnet Mask 255.255.0.0
"default" Subnet 172.24.10.0/24

The Azure Virtual Network requires a Gateway subnet as part of the Virtual Network address space to utilise to operate the VPN Site-to-Site functionality.

To create the Gateway subnet, select the Virtual Network, go to Settings > Subnets and select "+ Gateway subnet":

Give the Gateway subnet a suitable name and a small address space that is not otherwise used with the Virtual Network's address range. Thsi requires at least 5 IP addresses within the subnet (/29 and larger) for Azure to configure the VPN services.

In this example, 172.24.255.0/27 is set aside from the Virtual Network's address space, to provide 31 IP addresses to the Azure VPN gateway services:

Once the Gateway Subnet has been provisioned by Azure, go to the Virtual Network Gateways section, which can be found under More Services > Networking > Virtual Network Gateways.

Click "+ Add" to create a Virtual Network Gateway, which will define how VPNs are routed to the Virtual Network and provide an Internet IP address for the DrayTek VPN router to connect to.

  • Give the Virtual Network Gateway a suitable Name to identify it
  • Set the Gateway type to VPN
  • Set the VPN type to Route-based
  • Select the SKU that matches your throughput and bandwidth requirements (defined by Microsoft and affects pricing)
  • Select your Virtual network
  • Expand the First IP Configuration to create a new Public IP address linked to your Azure Virtual Network and give it a suitable name

Click Create for Azure to begin provisioning.

Note:

The provisioning can take 30 to 45 minutes and Azure will give a notification when the provisioning is completed.

Once the provisioning of the Virtual Network Gateway has completed, select the created Virtual Network Gateway from the Virtual Network Gateways section.

The Overview will display the Public IP address that has been assigned for VPN connectivity with your Azure network. Make a note of this address so that it can be entered on the DrayTek router later.

Go to the Local Network Gateways section, which can be found under More Services > Networking > Local Network Gateways.

Click "+ Add" to create a new Local Network Gateway, which defines the Internet IP address of the VPN router and the local IP addresses available through that router.

In this example, the router's Internet IP is "198.51.100.154".

It has the "192.168.24.0/24" subnet associated with it, which includes the router's IP Address of "192.168.24.1" and its Subnet Mask of "255.255.255.0", which is written as /24 in CIDR notation.

Important Note:

If the VPN router has multiple subnets available through it and each of them needs to have access to the Azure Virtual Network, these should be specified by clicking "Add additional address range" at this stage.

For instance if the router has VLANs configured with two subnets; "192.168.24.0/24" and "10.0.72.0/24", those would both be specified in this section as Address space(s).

If additional IP ranges need to be added to the Local Network Gateway at a later stage, this will require deleting the VPN tunnel that is created in Azure in the next step.

With the Local Network Gateway configured, go back to the Virtual Network Gateways section, which can be found under More Services > Networking > Virtual Network Gateways.

Select the Virtual Network Gateway that has been created, go to Settings > Connections and click "+ Add" to configure the VPN tunnel settings:

Create the connection with these details:

  • Give the VPN tunnel a suitable Name to identify it
  • Set the Connection type as Site-to-site (IPsec)
  • Select the Virtual Network Gateway that the VPN tunnel will link to in the Azure Virtual Network
  • Select the Local Network Gateway that was created for the Internet IP and LAN IP address(es) of the DrayTek VPN router
  • Enter a strong Shared key (PSK)

Make a note of the Pre Shared Key, which will need to be entered on the DrayTek VPN router to create the VPN tunnel.

Click OK to create and activate the VPN configuration in Azure.

 

 

DrayTek LAN-to-LAN VPN Configuration

To configure the IPsec tunnel on the DrayTek Vigor router, go to [VPN and Remote Access] > [LAN to LAN] and select the first un-used profile:

The IPsec Tunnel connection to the Azure Virtual Network is configured with the following settings, which are broken down into each section of the profile i.e. "2. Dial-Out Settings":

1. Common Settings

  • Specify a suitable Profile Name to identify the VPN
  • Tick Enable this profile
  • Specify the WAN Interface that the VPN will use with the VPN Dial-Out Through setting
  • The Call Direction should be set to Both, or Dial-In
  • Set the Idle Timeout to 0 second(s)

2. Dial-Out Settings

  • Set the VPN type to IPsec Tunnel and select the IKEv2 option
  • Specify the Server IP/Host Name for VPN to the address of the Azure VPN Public IP ("51.140.61.52" in this example)
  • Set the Pre-Shared Key to the key required for the VPN tunnel, this can be entered directly or by clicking the IKE Pre-Shared Key button to enter it twice so that it can be validated
  • Set the IPsec Security Method to High(ESP) and select AES with Authentication from the drop-down list

Click on the Advanced button in the IPsec Security Method section to proceed:

In the IPsec Security Method - Advanced settings panel:

IKE Phase 1 (Main Mode) proposal AES256_SHA1_G2
IKE Phase 1 (Main Mode) key lifetime 28800 seconds (default)
IKE Phase 2 (Quick Mode) proposal AES256_[SHA1,MD5,SHA256]
IKE Phase 2 (Quick Mode) key lifetime 27000 seconds
Perfect Forward Secret Disabled
Local ID (leave this blank)

Click OK on the IKE Advanced Settings window to proceed.

3. Dial-In Settings

  1. Set the Allowed Dial-In Type to IPsec Tunnel

  2. Tick the Specify Remote VPN Gateway option and enter the Peer VPN Server IP as the IP address of the Azure VPN Public IP ("51.140.61.52" in this example)

  3. Tick the Pre-Shared Key option and click the IKE Pre-Shared Key button, this will pop-up a window where the Pre-Shared key can be entered, click OK on that window to close it. The Pre-Shared Key field should now be filled in

  4. Disable any IPsec encyption types that will not be used in the IPsec Security Method section. In this example, only AES encryption will be accepted.

5. TCP/IP Network Settings

  1. The My WAN IP and Remote Gateway IP fields should be left on their default setting of "0.0.0.0"

  2. Specify the Network Address of the Azure Virtual Network under Remote Network IP. In this example, this address is "172.24.0.0"

  3. Configure the Remote Network Mask with the Subnet Mask of the Azure Virtual Network
    In this example, the Subnet Mask of the Azure Virtual Network is a "/16" address, which translates to "255.255.0.0".
    A "/24" Subnet Mask translates to "255.255.255.0"

  4. Ensure that the Local Network IP details are correct, these are pre-set and should not need changing generally but if the local router has multiple subnets, this could be changed to the subnet that will be used for the VPN tunnel

Click OK on that VPN profile to save and apply it.

Checking VPN Connectivity

Once the VPN profile is configured on the DrayTek Vigor router, the Azure VPN will attempt to connect and if successful, will show the VPN connection as active on the DrayTek router under [VPN and Remote Access] > [Connection Management] on the LAN-to-LAN VPN Status tab:

Computers connected to the DrayTek Vigor router should be able to ping and connect to virtual servers on the Azure Virtual Network:

In the Azure Portal, the VPN status can be viewed from the Virtual Network Gateway section by viewing the created Virtual Network Gateway.

In the portal, go to the Connections section. If the VPN is active, the status will display Connected for that tunnel. Click on the VPN tunnel to view its status and configuration:

In the details for the VPN tunnel, the Overview section will display additional information regarding the VPN tunnel state:

How do you rate this article?

1 1 1 1 1 1 1 1 1 1