IKEv2 VPN between Microsoft Azure and Vigor Router | DrayTek


IKEv2 VPN between Microsoft Azure and Vigor Router

Published On: Dec 05, 2018 

This article explains how to set up an IPsec tunnel between a Microsoft Azure virtual network and a Vigor Router in Dynamic Routing (route-based, IKEv2) mode. The network topology is illustrated below.

network topology

Microsoft Azure Server Setup

1. Create Virtual Networks by clicking Virtual Networks under All services >> NETWORKING, or search virtual networks.

a screenshot of Azure

2. Click Add to create Virtual networks then enter the necessary settings:

  • Enter Name
  • Enter Address Space, e.g. 10.0.0.0/16
  • Select "Create New" for Resource Group
  • Select a Location close to your router
  • Leave Subnet settings as default (Azure will create the Subnet automatically then)
  • Click Create
a screenshot of Azure

3. Create Virtual Network Gateways by clicking Virtual network gateways under All services >> NETWORKING.  In this step, Azure will allocate a public IP for VPN service.

4. Click Add to create Virtual network gateway then enter the necessary settings:

  • Enter Name
  • Select "VPN" for Gateway type
  • Select "Route-Based" for VPN type
  • Select "VpnGw1" for SKU
  • Select VNet1 for Virtual Network (VNet1 is the virtual network we created in step 1)
  • Select "Create New" for Public IP and enter any IP. (Not sure why Azure requests to enter an IP address)
  • Click Create
a screenshot of Azure

5. It may take some time for Azure to arrange the public IP for VPN Network Gateway. After it finishes, we will see the public IP on the same page.

6. Create a Local Network Gateway on Azure. In this step we need to enter the Vigor Router’s Internet IP and its local network; the Vigor Router must be connected to the Internet directly and cannot be behind a NAT device. Click Add to create the Local network gateway, then enter the necessary settings:

  • Enter Name
  • Enter the WAN IP address of Vigor Router at IP Address
  • Enter the LAN network of Vigor Router at Address space, in this example it's 192.168.8.0/24.
  • Click "Use Existing" for Resource group and select VNet.
  • Click Create
a screenshot of Azure

7. Wait a few minutes, and we will see the Local Network Gateway profile created on the same page. Click Connections to configure the VPN connection between Azure and the Vigor Router.

8. Create VPN connection in Azure and enter the necessary settings:

  • Enter Name
  • Connection type is fixed to Site-to-Site (IPsec)
  • Select Virtual Gateway as the Azure VPN Public IP we created in step 3.
  • Select Local Network Gateway which is the remote VPN router’s Public IP and network we created in step 5.
  • Enter Shared Key (PSK)
  • Select VNet for Resource Group
  • Click OK
a screenshot of Azure

We’ve finished the VPN configuration on Azure. Next, we will configure the VPN profile on the Vigor Router.

Vigor Router Setup (DrayOS)

1. Go to VPN and Remote Access >> LAN to LAN, click an index to edit the profile as follows:

  • Check Enable this VPN profile
  • For Dial-Out Through, select the WAN whose IP is configured at Azure's Local Network Gateway
  • Select "Dial-Out" for Call Direction
  • Tick Always On
  • In Dial-Out setting field, select IPsec Tunnel and select IKEv2
  • Enter the public IP address of Azure’s Virtual Network Gateway at Server IP/Host Name
  • Enter IKE Pre-Shared Key as what was configured at Azure's Connections
  • Select "AES with Authentication" for IPsec Security Method.
  • Click Advanced button to configure Proposal and Key Lifetime settings.
a screenshot of DrayOS

2. In IKE advanced settings,

  • Select "AES 256_SHA1_G2" for IKE phase1 proposal (the Azure VPN server supports Diffie-Hellman Group G2 only)
  • Change IKE phase2 key lifetime to "27000 seconds" (the Azure VPN server supports 27000 seconds for the Phase2 Key Lifetime only)
  • Click OK
a screenshot of DrayOS

3. In TCP/IP Network Settings field,

  • Input Azure's Virtual Network "10.0.0.0" and "255.255.0.0/16" for Remote Network and Mask
  • Enter "192.168.8.0" and "255.255.255.0/24" for Local Network and Mask.
  • Click OK to save the settings.
a screenshot of DrayOS

After that, the VPN connection from the Vigor Router to Azure will come up. We may check the VPN connection status via VPN and Remote Access >> Connection Management, and try to ping a virtual machine in the Azure Virtual Network to verify the VPN connectivity.

a screenshot of DrayOS

Vigor3900 Setup

1. Go to VPN and Remote Access >> VPN profiles >> IPsec then click Add to create a new profile. In the Basic tab:

  • Check Enable
  • Select "Enable" for Auto Dial-Out and select Always Dial-Out
  • For Dial-Out Through Interface, select the WAN whose IP is configured in the Azure Local Network Gateway
  • Input the router's local IP in Local IP / Subnet Mask
  • Input the public IP of Azure's Virtual Network Gateway at Remote Host IP
  • Input Azure's Virtual Network Address Space at Remote IP/ Subnet Mask
  • Select "IKEv2" for IKE Protocol (Azure Dynamic Routing uses IKEv2)
  • Select "PSK" for Auth Type
  • Enter the Pre-Shared Key as what was configured at Azure's Connections
a screenshot of Vigor3900

2. Go to Advanced tab, change Phase2 Key Life Time to "27000" seconds.

a screenshot of Vigor3900

3. Go to the Proposal tab,

  • Select "AES 256_G2" for IKE Phase1 Proposal
  • Select "SHA1" for IKE Phase1 Authentication
  • Select "AES 256 with auth" for IKE Phase2 Proposal
  • Select "SHA1" for IKE Phase2 Authentication
  • Apply the setting
a screenshot of Vigor3900

After that, the VPN connection from the Vigor Router to Azure will come up. We may check the VPN connection status via VPN and Remote Access >> Connection Management, and try to ping a virtual machine in the Azure Virtual Network to verify the VPN connectivity.

a screenshot of Vigor3900
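As an added example (not DrayTek's or Azure's own code), the Python check below cross-references the Azure Connection settings against the router profile from either of the two router procedures above before the tunnel is dialed. It encodes the article's Azure-specific constraints (IKEv2, DH Group 2, 27000-second Phase 2 lifetime), the no-NAT requirement for the router WAN, and adds an address-space overlap test the article does not mention. The field names, the sample public IPs and the PSK are assumptions constructed for this example.

```python
import ipaddress

# Constraints the article states for Azure's route-based (IKEv2) VPN gateway.
AZURE_IKE_VERSION, AZURE_DH_GROUP, AZURE_PHASE2_LIFETIME = 2, 2, 27000
# RFC 1918 and CGNAT ranges: a WAN IP here means the router sits behind NAT,
# which the article says the Azure Local Network Gateway does not support.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def vigor_network(ip, mask):
    """Build a network from the separate IP and Mask fields of the router form."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def check_tunnel(azure, vigor):
    """Return the mismatches between the two ends; an empty list means they agree."""
    problems = []
    if vigor["ike_version"] != AZURE_IKE_VERSION:
        problems.append("IKE protocol must be IKEv2 for an Azure route-based gateway")
    if vigor["dh_group"] != AZURE_DH_GROUP:
        problems.append(f"phase 1 DH group G{vigor['dh_group']}; Azure accepts G{AZURE_DH_GROUP} only")
    if vigor["phase2_lifetime"] != AZURE_PHASE2_LIFETIME:
        problems.append(f"phase 2 lifetime {vigor['phase2_lifetime']}s; Azure needs {AZURE_PHASE2_LIFETIME}s")
    # Report only that the keys differ; never copy the PSK itself into a log line.
    if vigor["psk"] != azure["shared_key"]:
        problems.append("pre-shared key on the router differs from the Azure connection")
    if vigor["server_ip"] != azure["vnet_gateway_ip"]:
        problems.append("router Server IP is not the Virtual Network Gateway public IP")
    if vigor["wan_ip"] != azure["local_gateway_ip"]:
        problems.append("Azure Local Network Gateway IP is not the router WAN IP")
    if any(ipaddress.ip_address(vigor["wan_ip"]) in n for n in NAT_RANGES):
        problems.append("router WAN IP is in a NAT range; the router must face the Internet directly")
    vnet = ipaddress.ip_network(azure["address_space"])
    lan = ipaddress.ip_network(azure["local_address_space"])
    if vigor_network(*vigor["remote_network"]) != vnet:
        problems.append("router Remote Network does not match the Azure address space")
    if vigor_network(*vigor["local_network"]) != lan:
        problems.append("router Local Network does not match the Local Network Gateway address space")
    if vnet.overlaps(lan):
        problems.append("Azure and router networks overlap; traffic would never enter the tunnel")
    return problems

# Constructed sample mirroring the article's private networks (public IPs and PSK are made up).
AZURE = {"vnet_gateway_ip": "198.51.100.20", "address_space": "10.0.0.0/16",
         "local_gateway_ip": "203.0.113.10", "local_address_space": "192.168.8.0/24",
         "shared_key": "example-psk"}
VIGOR = {"wan_ip": "203.0.113.10", "server_ip": "198.51.100.20", "psk": "example-psk",
         "ike_version": 2, "dh_group": 2, "phase2_lifetime": 27000,
         "remote_network": ("10.0.0.0", "255.255.0.0"),
         "local_network": ("192.168.8.0", "255.255.255.0")}
```

Running `check_tunnel(AZURE, VIGOR)` on the sample returns an empty list; changing the DH group or the Phase 2 lifetime on the router side reproduces the two mismatches the article warns about.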
