VPN - Configure Site-to-site IPSec VPN with Microsoft (MS) Azure

This article shows how to create a site-to-site IPSec VPN between a ZyWALL/USG firewall and a Microsoft Azure virtual network gateway. The example walks through the configuration of the tunnel on both ends: the ZyWALL/USG first, then Azure.

 

Table of Contents

1) Configure IPSec VPN Tunnel on the ZyWALL/USG

1.1 Start the Wizard & Choose Advanced VPN Policy

1.2 Configure the Advanced VPN Settings

2) Configure the IPSec VPN Tunnel on the MS Azure

2.1 Sign into Azure Management Portal

2.2 Select a Deployment Model from Virtual Network Configuration

2.3 Configure the VPN settings on Azure

2.4 Configure the Virtual Network Subnet on Azure

2.5 Configure the Virtual Network Gateway on Azure

2.6 Configure Local Network Gateway on Azure

2.7 Add Connection

2.8 Check the Connection Settings

3) Test the IPSec VPN Tunnel Connectivity

4) What can go Wrong?

 

Note! This article covers a single site-to-site VPN only (the policy-based Azure gateway used here supports one site-to-site connection).
If you need multiple sites connected, please check the following article:

USG/Zywall Series - How to Configure Route-based IPsec VPN to Azure (BGP over IKEv2/IPSec)
For Nebula:
IPSec Site-to-Site-VPN from Nebula Security Gateway (NSG) to Azure

 

1) Configure IPSec VPN Tunnel on the ZyWALL/USG

1.1 Start the Wizard & Choose Advanced VPN Policy

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the tunnel to MS Azure. Click Next.

Quick Setup > VPN Setup Wizard > Welcome

 

Choose Advanced to create a VPN rule with customized Phase 1 and Phase 2 settings and authentication method. Click Next.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type

 

1.2 Configure the Advanced VPN Settings

1.2.1 Configure Rule Name & Scenario

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select the Site-to-site scenario. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

 

1.2.2 Configure The Phase 1 Settings

Then, set the Secure Gateway IP to the public IP address of the MS Azure virtual network gateway (13.75.42.148 in the example). Azure assigns this address dynamically when the virtual network gateway is created, so you can only fill it in once section 2.5 has completed. Select My Address to be the interface connected to the Internet.

 

Set the Negotiation mode, Encryption, Authentication, Key Group and SA Life Time to values MS Azure supports for a policy-based (IKEv1) gateway. Make sure you disable Dead Peer Detection (DPD), which the MS Azure IKEv1 policy-based gateway does not support. Type a secure Pre-Shared Key: use a long random string rather than a word, and use exactly the same value as the Shared Key (PSK) of the Azure connection in section 2.7.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 1 Setting)

 

 

1.2.3 Configure Phase 2 Settings

Continue to the Phase 2 Settings and select the Encapsulation, Encryption, Authentication and SA Life Time settings which MS Azure supports. A policy-based Azure gateway has a fixed IPsec policy that cannot be customized on the Azure side, so the ZyWALL/USG must be the side that matches.

 

Set Local Policy to the IP address range of the network behind the ZyWALL/USG and Remote Policy to the address space of the MS Azure virtual network. These two ranges must mirror the Azure local network gateway address space (section 2.6) and the VNet address space (section 2.3); otherwise the Phase 2 traffic selectors will not match. Click OK.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 2 Setting)

Note: For more information about the IPsec Parameters supported in MS Azure, see the Microsoft Azure Documentation About VPN devices for Site-to-Site VPN Gateway connections.

 

 

1.2.4 Check & Save the Configuration

This screen provides a read-only summary of the VPN tunnel. Click Save.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

Now the rule is configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed

 

 

 

2) Configure the IPSec VPN Tunnel on the MS Azure

2.1 Sign into Azure Management Portal

Sign into the Azure portal. In the upper left-hand corner of the screen, click +New > Networking > Virtual Network.

Azure portal > New > Networking > Virtual Network

 

2.2 Select a Deployment Model from Virtual Network Configuration

Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource Manager, and then click Create.

New > Networking > Virtual Network > Select a deployment model

 

  

2.3 Configure the VPN settings on Azure

On the Create virtual network page, enter the NAME for the VPN network. For example, VPN_Vnet_to_USG. Add your Address Space, Subnet name and a single Subnet address range.

 

Click Resource group and either select an existing resource group, or create a new one by typing a name for your new resource group. For example, RG_USG.

 

LOCATION is directly related to the physical location (region) where the virtual machines (VMs) reside. The region associated with the virtual network cannot be changed after it has been created.

 

Then, click the Create button. After clicking Create, you will see a tile on your dashboard that will reflect the progress of your VNet. The tile will change as the VNet is being created.

 

New > Networking > Virtual Network >  Create virtual network

 

2.4 Configure the Virtual Network Subnet on Azure

In the portal, navigate to the virtual network that you just created. On the blade for your virtual network, click the Settings icon at the top of the blade, then Subnets > Add > Add Subnet. Name the subnet GatewaySubnet; it must not have any other name, or the gateway will not work. Add the IP address range for your gateway (a /27 or larger range inside the VNet address space that does not overlap the workload subnet). Click OK at the bottom of the blade to create the subnet.

 

VPN_Vnet_to_USG > Settings > Subnet > Add subnet

 

 

2.5 Configure the Virtual Network Gateway on Azure

In the portal, go to New, then Networking. Select Virtual network gateway from the list. On the Create virtual network gateway blade Name field, name your gateway. Next, choose the Virtual network that you want to deploy this gateway to.

 

Click the arrow (>) to open the Choose public IP address blade. Then click Create New to open the Create public IP address blade. Input a Name for your public IP address. Note that this is not asking for an IP address. The IP address will be assigned dynamically. Rather, this is the name of the IP address object that the address will be assigned to. Click OK to save your changes.

 

For Gateway type, select VPN. For VPN type, select Policy-based. A policy-based gateway only supports the Basic SKU, IKEv1 and a single site-to-site connection, which is why this article is limited to one site. For Resource Group, the resource group is determined by the Virtual Network that you select. For Location, make sure it's showing the location that both your Resource Group and VNet exist in.

 

New > Networking > Create virtual network gateway > Choose public IP address > Create public IP address

 

 

2.6 Configure Local Network Gateway on Azure

In the Azure Portal, navigate to New > Networking > Local network gateway. The local network gateway refers to your ZyWALL/USG public IP and local subnet settings.

On the Create local network gateway blade, specify a Name for your ZyWALL/USG gateway object.

 

Specify the public IP address of your ZyWALL/USG. It cannot be behind NAT and has to be reachable by Azure. Address space refers to the address range(s) of the LAN behind your ZyWALL/USG; this must be the same range you entered as Local Policy in section 1.2.3. For Resource Group, select the resource group that you created before. For Location, if you are creating a new local network gateway, you can use the same location as the virtual network gateway, but this is not required; the local network gateway can be in a different location.

 

Click Create to create the local network gateway.

New > Networking > Local network gateway  

 

2.7 Add Connection

Locate your virtual network gateway (VPN_GW_to_USG in this example) and click Settings > Connections > Add connection. Name your connection. For Connection type, select Site-to-site (IPSec). For Virtual network gateway, the value is fixed because you are connecting from this gateway.

 

For Local network gateway, select the local network gateway that you want to use (VPN_Connection_to_USG in this example).

 

For Shared Key (PSK), the value must match the Pre-Shared Key that you configured on the ZyWALL/USG in section 1.2.2 exactly. For Resource Group, select the resource group that you created before. Click OK to create your connection.

VPN_Connection_to_USG > Settings > Connections > Add connection

 

2.8 Check the Connection Settings

When the connection is complete, you'll see it appear in the Connections blade for your Gateway.

VPN_Connection_to_USG > Settings > Connections
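The Azure side of sections 2.1 to 2.7, scripted with the Az PowerShell module instead of clicked through the portal. This is an added example, not part of the Zyxel article or of any Zyxel/Microsoft sample. It reuses the page's names (RG_USG, VPN_Vnet_to_USG, VPN_GW_to_USG, VPN_Connection_to_USG); the region, the address prefixes (10.1.0.0/16 for the VNet, 192.77.1.0/24 for the LAN behind the USG), the local network gateway name LNG_USG and the placeholder USG public IP 203.0.113.10 are assumptions, since the page does not state them. It also generates the pre-shared key from a CSPRNG rather than having you type one.

```powershell
# Added example (not from the Zyxel article): Azure side of sections 2.1-2.7 via the Az module.
# Assumptions not stated on the page: region, VNet 10.1.0.0/16 with workload subnet 10.1.0.0/24
# and GatewaySubnet 10.1.255.0/27, on-prem LAN 192.77.1.0/24, USG public IP placeholder.
# Prerequisites: Install-Module Az ; Connect-AzAccount

$rgName      = 'RG_USG'
$location    = 'eastasia'            # assumption: use the region where your VMs live
$vnetName    = 'VPN_Vnet_to_USG'
$gwName      = 'VPN_GW_to_USG'
$lngName     = 'LNG_USG'             # assumption: name of the local network gateway object
$connName    = 'VPN_Connection_to_USG'
$usgPublicIp = '203.0.113.10'        # assumption: RFC 5737 placeholder, replace with the USG WAN IP
$onPremCidr  = '192.77.1.0/24'       # assumption: LAN behind the ZyWALL/USG (its Local Policy)

# Pre-shared key: 32 random alphanumeric characters from a CSPRNG, rejection-sampled to avoid
# modulo bias (248 = 4 * 62, so bytes 248..255 are discarded). Alphanumeric only so it is
# accepted by both the ZyWALL/USG wizard and Azure.
$alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$one = New-Object byte[] 1
$psk = ''
while ($psk.Length -lt 32) {
    $rng.GetBytes($one)
    if ($one[0] -lt 248) { $psk += $alphabet[$one[0] % 62] }
}

# 2.3 Resource group and virtual network (workload subnet + gateway subnet in one call)
New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null
$workload = New-AzVirtualNetworkSubnetConfig -Name 'Subnet_VMs' -AddressPrefix '10.1.0.0/24'
# 2.4 The gateway subnet must be named exactly GatewaySubnet or the gateway will not deploy.
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27'
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -Location $location `
    -AddressPrefix '10.1.0.0/16' -Subnet $workload, $gwSubnet

# 2.5 Public IP object (address assigned dynamically) and the policy-based VPN gateway.
# Policy-based implies Basic SKU and IKEv1; gateway creation takes tens of minutes.
$pip = New-AzPublicIpAddress -Name "$gwName-pip" -ResourceGroupName $rgName -Location $location `
    -Sku Basic -AllocationMethod Dynamic
$gwSubnetRef = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' `
    -SubnetId $gwSubnetRef.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rgName -Location $location `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType PolicyBased -GatewaySku Basic

# 2.6 Local network gateway = the USG's public IP plus the LAN behind it
$lng = New-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $rgName -Location $location `
    -GatewayIpAddress $usgPublicIp -AddressPrefix $onPremCidr

# 2.7 Site-to-site (IPsec) connection carrying the shared key
New-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rgName -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk | Out-Null

# The Secure Gateway IP the USG needs (section 1.2.2) only exists after the gateway is built.
$azureGwIp = (Get-AzPublicIpAddress -Name "$gwName-pip" -ResourceGroupName $rgName).IpAddress
Write-Host "Azure gateway public IP (USG Secure Gateway IP): $azureGwIp"
Write-Host "Pre-shared key (enter it on the USG once, then keep it in a vault): $psk"
```

Run it in a session where Connect-AzAccount has already succeeded. The script prints the key once because the USG wizard has to receive it by hand; do not leave it in shell history or a ticket. The address prefixes are the single point that must agree across the USG Local/Remote Policy, the local network gateway and the VNet, so change them in one place and re-check section 1.2.3 if you alter them.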

 

3) Test the IPSec VPN Tunnel Connectivity

1. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, select the rule and click Connect on the upper bar. The Status connect icon is lit when the tunnel is up.

 

CONFIGURATION > VPN > IPSec VPN > VPN Connection

2. Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) counters.

 

 

MONITOR > VPN Monitor > IPSec

 

3. In the Azure portal, go to Azure_Vnet_USG > Settings to check the tunnel DATA IN and DATA OUT.

 

VPN > VPN Settings > Currently Active VPN Tunnels

 

4. To test whether the tunnel is passing traffic, ping from a computer at one site to a computer at the other. Ensure each computer reaches the remote subnet through its own gateway (the ZyWALL/USG on one side, the Azure virtual network on the other) and that any host firewall permits ICMP echo requests; Windows blocks inbound ICMPv4 echo by default, so a VM that is reachable can still fail to answer a ping.

PC behind ZyWALL/USG > Windows 7 > cmd > ping 10.1.0.33

PC behind MS Azure > Windows 7 > cmd > ping 192.77.1.33
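The same checks from the Azure side, scripted. This is an added example, not code from the Zyxel article: part A queries the connection state and byte counters the portal shows in step 3, part B runs on the Windows VM inside the VNet (10.1.0.33 in the example) and opens the host firewall for the ping in step 4. The resource names RG_USG and VPN_Connection_to_USG are the page's; the assumption that the VM runs Windows with the built-in firewall enabled, and the on-prem range 192.77.1.0/24, are mine.

```powershell
# Added example (not from the Zyxel article): verify the tunnel from Azure.
# Part A runs where the Az module is installed and Connect-AzAccount has been done.
$conn = Get-AzVirtualNetworkGatewayConnection -Name 'VPN_Connection_to_USG' -ResourceGroupName 'RG_USG'
# Same fields as the portal's connection blade: status plus DATA IN / DATA OUT in bytes.
$conn | Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred | Format-List
if ($conn.ConnectionStatus -ne 'Connected') {
    # NotConnected/Connecting with no bytes means IKE never finished: go to section 4.
    Write-Warning "Tunnel is $($conn.ConnectionStatus); check the USG MONITOR > Log for Phase 1/2 errors."
}

# Part B runs on the Windows VM in the Azure subnet (10.1.0.33 in the example), as administrator.
# Windows Firewall drops inbound ICMPv4 echo requests by default, so the ping from the
# USG side fails even with the tunnel up. Allow echo only from the on-prem range (assumption).
New-NetFirewallRule -DisplayName 'Allow ICMPv4 Echo from site VPN' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress '192.77.1.0/24' -Action Allow | Out-Null
# Ping the PC behind the USG. -Quiet makes Test-Connection return $true/$false for scripting.
$reachable = Test-Connection -ComputerName '192.77.1.33' -Count 4 -Quiet
if ($reachable) { Write-Host 'Traffic is flowing through the tunnel.' }
else { Write-Warning 'Tunnel up but no reply: check the far-end host firewall and the Local/Remote Policy ranges.' }
```

If part A reports Connected but the ping still fails, the problem is no longer IKE; look at host firewalls on both PCs, any network security group on the VM's subnet, and whether the pinged address actually lies inside the Local/Remote Policy ranges from section 1.2.3.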

 

 

4) What can go Wrong?

 

1. If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 settings. Make sure the Phase 1 settings (negotiation mode, encryption, authentication, key group, SA lifetime, DPD disabled) are in the MS Azure IKE Phase 1 supported list for policy-based gateways.

 

MONITOR > Log 

2. If Phase 1 (IKE SA) completes but you still see the [info] log message below, check the ZyWALL/USG Phase 2 settings. Make sure the Phase 2 settings are in the MS Azure IKE Phase 2 supported list and that the Local/Remote Policy ranges mirror the Azure local network gateway and VNet address spaces.

MONITOR > Log 
