Vigor Router to Microsoft Azure (Dynamic Routing) - IKEv2


More and more network administrators use cloud servers to provide better services and to maintain their servers easily. Microsoft Azure is one of the well-known cloud platforms, and it also provides a VPN service for encrypting the data. This document introduces how to set up an IPsec IKEv2 tunnel between a Vigor Router and the Microsoft Azure VPN server.

   

Microsoft Azure Server Setup

1. Create Virtual Networks on Azure.

a. Click Virtual networks under All services >> NETWORKING.

   

We may also find virtual networks via the Search function.

b. Click Add to create Virtual networks then enter the necessary settings:

-Enter Name

-Enter Address Space, e.g. 10.0.0.0/16

-Select Create New for Resource Group

-Select Location

-Leave Subnet setting as Default (Azure will create the Subnet automatically then)

-Click Create

   

2. Create Virtual Network Gateways on Azure. In this step Azure will allocate a public IP for providing the VPN service.

a. Click Virtual network gateways under All services >> NETWORKING.

   

b. Click Add to create Virtual network gateway then enter the necessary settings:

-Enter Name

-Select VPN for Gateway type

-Select Route-Based for VPN type

-Select VpnGw1 for SKU

-Select VNet1 for Virtual Network (VNet1 is the virtual network we created in step1)

-Select Create New for Public IP and enter any IP. (Not sure why Azure requests to enter an IP address)

-Click Create

 

   

3. It may take some time for Azure to arrange the public IP for the VPN Network Gateway. After it finishes, we will see the public IP on the same page.

   

4. Create Local Network Gateway on Azure. We need to set up Vigor Router’s Internet IP and its local network in this step. Vigor Router needs to connect to the Internet directly and cannot be located behind a NAT device.

Click Add to create Local network gateway then enter the necessary settings:

-Enter Name

-Enter IP Address (It is the WAN IP address of Vigor Router)

-Enter Address space 192.168.8.0/24 (It is the LAN network of Vigor Router)

-Click Use Existing for Resource Group and select VNet.

-Click Create

   

5. Wait a few minutes, and the Local Network Gateway profile will appear on the same page. Click Connections to create the VPN connection between Azure and Vigor Router.

   

6. Create VPN connection in Azure and enter the necessary settings:

-Enter Name

-Connection type is fixed to Site to Site (IPsec)

-Select Virtual Gateway which is the Azure VPN Public IP we created in step 2.

-Select Local Network Gateway which is the remote VPN router’s Public IP and network we created in step 5.

-Enter Shared Key (PSK)

-Select VNet for Resource Group

-Click OK

   

7. We’ve finished the VPN configurations on Azure.

Next we will configure VPN profile on Vigor Router.

Vigor Router VPN Setup

8. Click an index to Edit VPN profile on Vigor Router via VPN and Remote Access >> LAN to LAN.

In Common setting field,

a. Enable this VPN profile.

b. Select the WAN which is configured for creating Azure VPN for Dial-Out Through.

c. Select Dial-Out for Call Direction.

d. Tick to Enable Always On.

In Dial-Out setting field,

a. Tick IPsec Tunnel and select IKEv2

b. Enter Azure VPN Server’s Public IP address

c. Enter IKE Pre-Shared Key

d. Select AES with Authentication for IPsec Security Method.

e. Click Advanced button for configuring Proposal and Key Lifetime settings.

   

In IKE advanced Setting window,

-Select AES 256_SHA1_G2 for the phase1 proposal

-Change IKE phase2 key lifetime to 27000 seconds.

-Click OK

   

Microsoft Azure VPN server supports Diffie-Hellman Group G2 only and its Phase 2 key lifetime is 27000 seconds, so Vigor Router's phase 1 proposal must be set to use G2 and its phase 2 key lifetime must be set to the same value.

See more details for the Azure VPN setups here:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

In TCP/IP Network Settings field,

-Enter 10.0.0.0/16 in Remote Network and Mask field (It is Azure’s virtual network)

-Enter 192.168.8.0/24 in Local Network and Mask field.

-Click OK to save the settings.

 

   

9. After that, VPN connection from Vigor Router to Azure will be up.

We may check the VPN connection status via VPN and Remote Access >> Connection Management page.

   

For verifying if the packet can be passed correctly through the VPN tunnel, we may try to ping the Virtual Server or Virtual machine in the same Azure Virtual Network.
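A pre-flight check that compares the values this article enters on the Azure side with those entered on the Vigor Router: mirrored networks, IKE version, proposal, phase 2 lifetime and pre-shared key. It is an added example, not DrayTek or Microsoft code; the dictionary layout, the sample key and the 20-character key minimum are assumptions, while the networks, proposal and lifetime are the article's values.

```python
import hmac
import ipaddress

# Values from the article; the dict layout and the PSK are constructed for this example.
AZURE = {"ike_version": 2, "vnet_space": "10.0.0.0/16",
         "local_gateway_space": "192.168.8.0/24",
         "proposal": ("AES256", "SHA1", "G2"), "phase2_lifetime": 27000,
         "psk": "constructed-sample-key-0123456789"}
VIGOR = {"ike_version": 2, "local_network": "192.168.8.0/24",
         "remote_network": "10.0.0.0/16",
         "proposal": ("AES256", "SHA1", "G2"), "phase2_lifetime": 27000,
         "psk": "constructed-sample-key-0123456789"}

def _net(label, cidr, problems):
    """Parse a CIDR strictly; record a finding instead of raising."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{label}: {exc}")
        return None

def check_tunnel(azure, vigor, min_psk_len=20):
    """Return a list of mismatches; an empty list means both ends agree."""
    problems = []
    az_vnet = _net("Azure virtual network", azure["vnet_space"], problems)
    az_onprem = _net("Azure local network gateway", azure["local_gateway_space"], problems)
    vg_local = _net("Vigor Local Network", vigor["local_network"], problems)
    vg_remote = _net("Vigor Remote Network", vigor["remote_network"], problems)
    if all(n is not None for n in (az_vnet, az_onprem, vg_local, vg_remote)):
        # Each side's "remote" must be exactly the other side's "local".
        if az_vnet != vg_remote:
            problems.append(f"Vigor Remote Network {vg_remote} != Azure VNet {az_vnet}")
        if az_onprem != vg_local:
            problems.append(f"Azure local gateway space {az_onprem} != Vigor LAN {vg_local}")
        # Overlapping address spaces would be ambiguous to route across the tunnel.
        if az_vnet.overlaps(az_onprem):
            problems.append(f"{az_vnet} overlaps {az_onprem}")
    for key in ("ike_version", "proposal", "phase2_lifetime"):
        if azure[key] != vigor[key]:
            problems.append(f"{key} differs: Azure={azure[key]!r} Vigor={vigor[key]!r}")
    # Compare keys in constant time and never echo them into the findings.
    if not hmac.compare_digest(azure["psk"].encode(), vigor["psk"].encode()):
        problems.append("pre-shared keys differ")
    elif len(azure["psk"]) < min_psk_len:  # 20 is this example's assumption
        problems.append(f"pre-shared key shorter than {min_psk_len} characters")
    return problems

if __name__ == "__main__":
    for finding in check_tunnel(AZURE, VIGOR) or ["configuration is consistent"]:
        print(finding)
```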

It is also possible to create an IKEv2 VPN connection from Vigor3900 and Vigor2960 series routers to the Microsoft Azure server. Next we will show the VPN configurations on Vigor3900.

Vigor3900 VPN Profile Setup

8. Create IPsec VPN profile on Vigor3900 to Microsoft Azure.

Open VPN and Remote Access >> VPN profiles >> IPsec page and then click Add.

In Basic tab,

a. Enable this VPN profile.

b. Enable Auto Dial-Out and select Always On

c. Select the Dial-Out through Interface (It should be the WAN with the IP which is configured in Azure Local Network Gateway)

d. Input Vigor3900's local IP in local IP /Subnet Mask

e. Input Azure Gateway IP as the Remote Host IP.

f. Input Azure Virtual Network Address Space as the Remote IP/ Subnet Mask.

g. Select IKEv2 as IKE Protocol. (Azure Dynamic Routing uses IKEv2)

h. Enter the Pre-Shared Key we configured in Azure.

   

In Advanced tab, configure 27000 sec for IKE Phase2 key lifetime.

   

In Proposal tab,

- Select AES 256_G2 for the IKE Phase1 proposal.

- Select SHA1 for IKE Phase1 Authentication

- Select AES 256 with auth for the IKE Phase2 proposal.

- Select SHA1 for IKE Phase2 Authentication

- Apply the setting

   

9. After that, VPN connection from Vigor Router to Azure will be up.

We may check the VPN connection status via VPN and Remote Access >> Connection Management page.

   

For verifying if the packet can be passed correctly through the VPN tunnel, we may try to ping the Virtual Server or Virtual machine in the same Azure Virtual Network.
