This article helps you establish a Site-to-Site IPsec VPN connection between USG / ZyWALL gateways and Microsoft Azure.
Microsoft Azure requires that the WAN interface of your USG / ZyWALL has a public IP address, i.e. the gateway must not be behind a NAT router.
Azure supports both "Policy Based" and "Route Based" VPN.
Route Based VPN
- Initiated from the USG side: supported by the USG
- Initiated from the Azure side: should be supported as of firmware 4.35
Policy Based VPN
- is supported by the USG / ZyWALL
Follow these steps to configure a Policy Based VPN:
On Microsoft Windows Azure
- Create a Virtual Network
- Create a Virtual Network Gateway
- Create Address object for VPN
- Create IPSec Site to Site VPN
Create a Virtual Network
- Sign in to Windows Azure Management Portal
- In the lower left-hand corner of the screen, click New.
- In the navigation pane, click Network Services, and then click Virtual Network. Click Custom Create to begin the configuration wizard.
- On the Virtual Network Details page, enter the information below. Then click the arrow button in the lower right-hand corner to go to the next page.
- Name - Name your virtual network. For example, EastASVNet.
- Location – The location is directly related to the physical location (region) where you want your resources (VMs) to reside. For example, if you want the VMs that you deploy to this virtual network to be physically located in East Asia, select that location. You can’t change the region associated with your virtual network after you create it.
- On the DNS Servers and VPN Connectivity page, enter the following information, and then click the next arrow on the lower right.
- Configure Site-To-Site VPN - Select the checkbox for Configure a site-to-site VPN.
- Local Network – A local network represents your physical on-premises location. You can select a local network that you’ve previously created, or you can create a new local network.
- If you’re creating a new local network, you’ll see the Site-To-Site Connectivity page. Enter the following information and then click the next arrow.
- Name - The name you want to call your local (on-premises) network behind the ZyWALL/USG.
- VPN Device IP Address - This is the public IPv4 address of your ZyWALL/USG WAN interface. The ZyWALL/USG cannot be located behind a NAT.
- Address Space - including Starting IP and CIDR (Address Count). This is the address range(s) of network behind your ZyWALL/USG.
- On the Virtual Network Address Spaces page, specify the address range of your Windows Azure virtual network. Enter the following information, and then click the checkmark on the lower right to configure your network.
- Address Space - including Starting IP and Address Count. This is the address range(s) of your Windows Azure virtual network.
Note: Don’t overlap any of the Windows Azure virtual network address spaces with the network behind your ZyWALL/USG.
- Add gateway subnet - Click to add the gateway subnet. The gateway subnet is used only for the virtual network gateway and is required for this configuration.
- When it completes, you will see Created listed under Status on the Networks page in the Management Portal.
Create a Virtual Network Gateway
- On the Networks page, click the name of your virtual network.
- On the Dashboard page, at the bottom of the page, click Create Gateway. Then select Static (static routing is the gateway type used for a policy-based VPN).
- When the system prompts you to confirm that you want the gateway created, click Yes.
While the gateway is being created, the gateway graphic on the page turns yellow and says Creating Gateway. It may take up to 15 minutes for the gateway to be created. You’ll have to wait until the gateway is complete before you can move forward with the other configuration settings.
Once the gateway has been created, you will see the public IPv4 address of the VPN gateway of your Windows Azure virtual network. This is the peer gateway address you need to configure in the IPSec VPN Gateway rule on your ZyWALL/USG.
Create Address object for VPN
Go to CONFIGURATION -> Object -> Address, and create an address object "NET192_168" for the local network behind the ZyWALL/USG.
Go to CONFIGURATION -> Object -> Address, and create an address object "Azure_VNET" for the address space of your Windows Azure virtual network.
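Before entering the Azure address spaces and the two ZyWALL/USG address objects above, it is worth checking the addressing plan against the article's constraints: a public (non-NAT) WAN address, no overlap between the local network and the Azure virtual network, and a gateway subnet inside the VNet. This is an added example, not code from the article or from Zyxel/Microsoft; all addresses in it are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the article): the local network behind the
# ZyWALL/USG, the Azure virtual network, its gateway subnet and the USG WAN address.
ONPREM_NETS = ["192.168.1.0/24"]   # what the NET192_168 address object covers
AZURE_VNET = ["10.1.0.0/16"]       # what the Azure_VNET address object covers
GATEWAY_SUBNET = "10.1.255.0/27"
USG_WAN_IP = "203.0.113.10"        # documentation address standing in for a public IP

# Ranges that can never be a public WAN address: RFC 1918, CGNAT (a common sign
# that the WAN side sits behind a carrier NAT), loopback, link-local, multicast, reserved.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/3")]

def is_public_ipv4(addr: str) -> bool:
    """True if addr is an IPv4 address outside every non-public range."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and not any(ip in net for net in NON_PUBLIC_V4)

def overlapping_pairs(left, right):
    """Every (left, right) pair of ranges that overlap; a policy-based IPsec
    tunnel needs disjoint traffic selectors, which is what the article's note warns about."""
    l = [ipaddress.ip_network(n, strict=False) for n in left]
    r = [ipaddress.ip_network(n, strict=False) for n in right]
    return [(str(a), str(b)) for a in l for b in r if a.overlaps(b)]

def gateway_subnet_ok(vnet_spaces, gw_subnet) -> bool:
    """The gateway subnet must be carved out of one of the VNet address spaces."""
    gw = ipaddress.ip_network(gw_subnet, strict=False)
    return any(gw.subnet_of(ipaddress.ip_network(s, strict=False)) for s in vnet_spaces)

def validate_plan(onprem, vnet, gw_subnet, wan_ip):
    """Return a list of problems; an empty list means the addressing plan is usable."""
    problems = []
    if not is_public_ipv4(wan_ip):
        problems.append(f"WAN address {wan_ip} is not a public IPv4 address (NAT in front of the USG?)")
    for a, b in overlapping_pairs(onprem, vnet):
        problems.append(f"local network {a} overlaps Azure VNet space {b}")
    if not gateway_subnet_ok(vnet, gw_subnet):
        problems.append(f"gateway subnet {gw_subnet} lies outside the VNet address space")
    return problems

if __name__ == "__main__":
    for line in validate_plan(ONPREM_NETS, AZURE_VNET, GATEWAY_SUBNET, USG_WAN_IP) or ["addressing plan OK"]:
        print(line)
```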
Create IPSec Site to Site VPN
Go to CONFIGURATION -> VPN -> IPSec VPN -> VPN Gateway, and create a VPN Gateway.
IKE version: IKEv1
Key Group: DH2
SA Life Time: 28800
Pre-Shared Key: This is auto-generated by Windows Azure. Copy it from the Windows Azure Virtual Network dashboard, under Manage Key.
Go to CONFIGURATION -> VPN -> IPSec VPN -> VPN Connection, and create a VPN Connection.
MSS: 1350 Bytes
Active Protocol / Proposal: ESP / AES128-SHA1
SA Life Time: 3600
Enable Connectivity Check towards one of the VM instances in Azure, as shown in the picture above.
Otherwise, if there is no traffic between the peers, Azure will send an SA DEL (delete) every 5 minutes.
Check VPN connection
In Azure, go to Networks -> EastASVNet -> Dashboard. The connection is shown as up.
On the ZyWALL/USG, go to Monitor -> VPN Monitor -> IPSec. The tunnel appears in the list.