This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and the Microsoft (MS) Azure platform. It explains how to configure the VPN tunnel at each site. Once the tunnel is up, the network at each site can be reached securely from the other.
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
1 In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with MS Azure. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
2 Choose Advanced to create a VPN rule with customized Phase 1 and Phase 2 settings and authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type
3 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select Site-to-site as the scenario. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
4 Then, configure the Secure Gateway IP as the peer MS Azure gateway's IP address (in the example, 22.214.171.124), and select My Address to be the interface connected to the Internet.
Set the Negotiation, Encryption, Authentication, Key Group and SA Life Time to values that MS Azure supports. Make sure Dead Peer Detection (DPD) is disabled, as it is not supported by MS Azure policy-based (IKEv1) gateways. Type a secure Pre-Shared Key.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 1 Setting)
5 Continue to Phase 2 Settings and select Encapsulation, Encryption, Authentication, and SA Life Time values that MS Azure supports.
Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG and Remote Policy to be the IP address range of the network connected to the MS Azure. Click OK.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 2 Setting)
Note: For more information about the IPsec parameters supported by MS Azure, see the Microsoft Azure documentation, About VPN devices for Site-to-Site VPN Gateway connections.
6 This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
7 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed
Set Up the IPSec VPN Tunnel on the MS Azure
1 Sign in to the Windows Azure Management Portal. In the upper left-hand corner of the screen, click +New > Networking > Virtual Network.
Azure portal > New > Networking > Virtual Network
2 Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource Manager, and then click Create.
New > Networking > Virtual Network > Select a deployment model
3 On the Create virtual network page, enter the NAME for the VPN network. For example, VPN_Vnet_to_USG. Add your Address Space, Subnet name and a single Subnet address range.
Click Resource group and either select an existing resource group, or create a new one by typing a name for your new resource group. For example, RG_USG.
LOCATION is directly related to the physical location (region) where the virtual machines (VMs) reside. The region associated with the virtual network cannot be changed after it has been created.
Then, click the Create button. After you click Create, a tile appears on your dashboard showing the progress of your VNet. The tile changes as the VNet is being created.
New > Networking > Virtual Network > Create virtual network
4 In the portal, navigate to the virtual network that you just created. On the blade for your virtual network, click the Settings icon at the top of the blade to expand the Settings blade, then go to Subnets > Add > Add Subnet. Name your subnet GatewaySubnet. You should not name it anything else, or the gateway will not work. Add the IP address range for your gateway. Click OK at the bottom of the blade to create the subnet.
VPN_Vnet_to_USG > Settings > Subnet > Add subnet
5 In the portal, go to New, then Networking. Select Virtual network gateway from the list. On the Create virtual network gateway blade Name field, name your gateway. Next, choose the Virtual network that you want to deploy this gateway to.
Click the arrow (>) to open the Choose public IP address blade, then click Create New to open the Create public IP address blade. Enter a Name for your public IP address. Note that this is not asking for an IP address; the address will be assigned dynamically. Rather, this is the name of the IP address object that the address will be assigned to. Click OK to save your changes.
For Gateway type, select VPN. For VPN type, select Policy-based. For Resource Group, the resource group is determined by the Virtual Network that you select. For Location, make sure it's showing the location that both your Resource Group and VNet exist in.
New > Networking > Create virtual network gateway > Choose public IP address > Create public IP address
6 In the Azure Portal, navigate to New > Networking > Local network gateway. The local network gateway refers to your ZyWALL/USG public IP and local subnet settings.
On the Create local network gateway blade, specify a Name for your ZyWALL/USG gateway object.
Specify the public IP address of your ZyWALL/USG. It cannot be behind NAT and must be reachable from Azure. Address space refers to the address ranges on your ZyWALL/USG local network. For Resource Group, select the resource group that you created before. For Location, if you are creating a new local network gateway, you can use the same location as the virtual network gateway, but this is not required; the local network gateway can be in a different location.
Click Create to create the local network gateway.
New > Networking > Local network gateway
7 Locate your virtual network gateway (VPN_Connection_to_USG in this example) and click Settings > Connection > Add connection, then name your connection. For Connection type, select Site-to-site (IPSec). For Virtual network gateway, the value is fixed because you are connecting from this gateway (VPN_GW_to_USG in this example).
For Local network gateway, select the local network gateway that you want to use (VPN_Connection_to_USG in this example).
For Shared Key (PSK), the value here must match the value that you are using for your ZyWALL/USG device. For Resource Group, select the resource group that you created before. Click OK to create your connection.
VPN_Connection_to_USG > Settings > Connections > Add connection
8 When the connection is complete, you'll see it appear in the Connections blade for your Gateway.
VPN_Connection_to_USG > Settings > Connections
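The two procedures above only work if the values entered on the ZyWALL/USG and in the Azure portal agree: DPD off, a policy-based gateway, a subnet named exactly GatewaySubnet inside the VNet, Phase 2 local/remote policies that mirror the Azure local network gateway and VNet address spaces, and the same pre-shared key. The pre-flight check below is an added example, not Zyxel or Microsoft code; the 10.1.0.0/16 VNet matches the page's test host 10.1.0.33, while the 192.168.1.0/24 LAN, the rule name and the key are constructed values.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class ZywallRule:
    rule_name: str        # Quick Setup > VPN Setup Wizard rule name
    local_policy: str     # network behind the ZyWALL/USG (Phase 2 Local Policy)
    remote_policy: str    # Azure VNet address space (Phase 2 Remote Policy)
    pre_shared_key: str
    dpd_enabled: bool

@dataclass
class AzureSide:
    vnet_address_space: str
    gateway_subnet_name: str
    gateway_subnet_prefix: str
    vpn_type: str                      # "Policy-based" for this IKEv1 setup
    local_gateway_address_space: str   # address space of the local network gateway
    shared_key: str                    # Shared Key (PSK) on the connection

def preflight(z: ZywallRule, a: AzureSide) -> list:
    """Return every mismatch found; an empty list means both sides agree."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9]{1,31}", z.rule_name):
        problems.append("rule name must be 1-31 alphanumeric characters")
    if z.dpd_enabled:
        problems.append("disable DPD: Azure policy-based IKEv1 does not support it")
    if a.vpn_type != "Policy-based":
        problems.append("Azure VPN type must be Policy-based")
    if a.gateway_subnet_name != "GatewaySubnet":
        problems.append("gateway subnet must be named exactly GatewaySubnet")
    vnet = ipaddress.ip_network(a.vnet_address_space)
    if not ipaddress.ip_network(a.gateway_subnet_prefix).subnet_of(vnet):
        problems.append("GatewaySubnet must lie inside the VNet address space")
    if ipaddress.ip_network(z.local_policy).overlaps(ipaddress.ip_network(z.remote_policy)):
        problems.append("local and remote policies overlap; traffic cannot be selected")
    if z.local_policy != a.local_gateway_address_space:
        problems.append("ZyWALL local policy must equal the local network gateway address space")
    if z.remote_policy != a.vnet_address_space:
        problems.append("ZyWALL remote policy must equal the Azure VNet address space")
    if z.pre_shared_key != a.shared_key:
        problems.append("pre-shared key differs between the two sides")
    return problems

# Constructed sample values (assumed LAN, rule name and key; VNet holds the page's 10.1.0.33)
ZYWALL = ZywallRule("AzureVPN", "192.168.1.0/24", "10.1.0.0/16", "exampleKey", False)
AZURE = AzureSide("10.1.0.0/16", "GatewaySubnet", "10.1.255.0/27", "Policy-based",
                  "192.168.1.0/24", "exampleKey")
```

Run `preflight(ZYWALL, AZURE)` before clicking Connect; each returned string names one setting to correct on the side it mentions.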
Test the IPSec VPN Tunnel
1 Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon lights up when the tunnel is connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
2 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic.
MONITOR > VPN Monitor > IPSec
3 Go to Azure_Vnet_USG > Settings to check the tunnel DATA IN and DATA OUT.
VPN > VPN Settings > Currently Active VPN Tunnels
4 To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access.
PC behind ZyWALL/USG > Windows 7 > cmd > ping 10.1.0.33
PC behind MS Azure > Windows 7 > cmd > ping 126.96.36.199
What Can Go Wrong?
1 If you see the [info] or [error] log messages below, check the ZyWALL/USG Phase 1 settings. Make sure every Phase 1 value is one listed as supported in the MS Azure IKE Phase 1 setup list.
MONITOR > Log
2 If the log shows that the Phase 1 IKE SA process completed but you still get the [info] log message below, check the ZyWALL/USG Phase 2 settings. Make sure every Phase 2 value is one listed as supported in the MS Azure IKE Phase 2 setup list.
MONITOR > Log