Azure


Policy-based S2S with Azure

vpn {
    ipsec {
        /* Phase 2 (ESP) parameters referenced by tunnel 1 below */
        esp-group esp-azure {
            compression disable
            mode tunnel
            /* NOTE(review): with PFS off every ESP key is derived from the IKE SA alone, so a compromised IKE key exposes all child SAs; confirm against the Microsoft parameter table that this gateway type requires PFS disabled */
            pfs disable
            proposal 1 {
                encryption aes256
                /* NOTE(review): sha1 (and dh-group 2 below) are legacy choices; keep them only where the Azure gateway SKU in use accepts nothing stronger */
                hash sha1
            }
        }
        /* Phase 1 (IKE) parameters; no key-exchange is set here, so the VyOS default applies (IKEv1 on the releases this page targets - confirm) */
        ike-group ike-azure {
            lifetime 28800
            proposal 1 {
                /* dh-group 2 is 1024-bit MODP; see the note on hash above */
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            /* interface on which IKE/ESP is terminated; presumably carries local-address below */
            interface eth0
        }
        logging {
            /* every IPsec log mode enabled: helpful while bringing the tunnel up, consider narrowing once it is stable */
            log-modes all
        }
        /* NAT-T off: both peers are expected to be reachable on their public addresses; re-enable if this router sits behind NAT */
        nat-traversal disable
        site-to-site {
            /* example Azure gateway address; replace with the gateway's public IP */
            peer 5.8.9.1 {
                authentication {
                    mode pre-shared-secret
                    /* treat the value shown as an example only: generate a unique random secret per peer and never reuse a published one; it is stored in clear text in the configuration */
                    pre-shared-secret xQ4JvYcY8ftwVg4Wa2gB3E9t
                }
                /* respond: this side waits for the Azure gateway to initiate */
                connection-type respond
                default-esp-group esp-azure
                ike-group ike-azure
                /* example local public address; replace with the address configured on the outside interface */
                local-address 5.9.5.5
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group esp-azure
                    /* traffic selectors: local (on-premises) prefix <-> Azure VNet prefix, example values */
                    local {
                        prefix 192.0.2.0/24
                    }
                    remote {
                        prefix 10.219.0.0/20
                    }
                }
            }
        }
    }
}

Route-based S2S with Azure

Although the configuration below does not match the IKE Phase 2 parameters documented by Microsoft at https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#ipsec, it has been found to establish a stable tunnel on a route-based gateway that also serves several other VPN connections. I have also been able to extend it with additional tunnel definitions for multiple other address spaces on the Azure side.

Note: Modifying the ike-group lifetime to match the documented value of "27,000" caused the tunnel to disconnect after around 1 hour.

vpn {
   ipsec {
       /* Phase 2 (ESP) parameters referenced by tunnel 1 below */
       esp-group Azure-ESP {
           compression disable
           /* ESP SA lifetime in seconds */
           lifetime 3600
           mode tunnel
           /* NOTE(review): PFS off ties every ESP key to the IKE SA; confirm against the Microsoft parameter table whether the route-based gateway accepts PFS before relying on this */
           pfs disable
           proposal 1 {
               encryption aes256
               /* NOTE(review): sha1 and dh-group 2 (1024-bit MODP) are legacy choices; keep them only where the Azure gateway SKU in use accepts nothing stronger */
               hash sha1
           }
       }
       /* Phase 1 (IKE) parameters; this variant uses IKEv2 */
       ike-group Azure-IKE {
           /* IKEv2 re-authentication off; rekeying still applies (see lifetime) */
           ikev2-reauth no
           key-exchange ikev2
           /* 28800 kept on purpose: the page reports that 27000 (Microsoft's documented value) dropped the tunnel after about an hour */
           lifetime 28800
           proposal 1 {
               dh-group 2
               encryption aes256
               hash sha1
           }
       }
       ipsec-interfaces {
           /* outside interface on which IKE/ESP is terminated */
           interface <NameOfYourOutsideInterface>
       }
       logging {
           /* every IPsec log mode enabled: helpful while bringing the tunnel up, consider narrowing once it is stable */
           log-modes all
       }
       site-to-site {
           peer <azure gateway ip> {
               authentication {
                   mode pre-shared-secret
                   /* use a unique random secret per connection; it is stored in clear text in the configuration */
                   pre-shared-secret <psk same as azure connection>
               }
               /* respond: this side waits for the Azure gateway to initiate */
               connection-type respond
               default-esp-group Azure-ESP
               ike-group Azure-IKE
               /* inherit the ikev2-reauth setting from Azure-IKE */
               ikev2-reauth inherit
               local-address <public ip of outgoing interface>
               tunnel 1 {
                   allow-nat-networks disable
                   allow-public-networks disable
                   esp-group Azure-ESP
                   /* traffic selectors: local prefix <-> Azure VNet prefix; the page notes more tunnel blocks can be added for further address spaces */
                   local {
                       prefix <local network in CIDR Format e.g. 192.168.0.0/24>
                   }
                   remote {
                       prefix <Azure VNet Address space in CIDR Format e.g. 10.0.0.0/24>
                   }
               }
           }
       }
   }
}