This article is part of a series of 4 where I am talking about how to setup site-2-site VPN between on-premises and Azure using Tomato Shibby Mod, Entware-ng and Strongswan. For a better understanding please make sure you read also the other parts:
- Install and configure Entware-ng + strongSwan on your router.
- Configure and perform the site-2-site VPN using Azure dynamic gateway.
- Configure and perform the site-2-site VPN using Azure static gateway.
- Troubleshooting Azure site-2-site VPN and strongSwan.
Please note these steps are not required in case you already configured a Dynamic Routing Azure VPN gateway.
Configure and perform the site-2-site VPN using Azure static gateway
In the Azure Portal, carefully select Static Routing when the VPN gateway creation is initiated.
In this example:
- 184.108.40.206 represents the on-premises gateway IP address (the router configured with Entware-ng + strongSwan)
- 192.168.2.0/24 represents the on-premises network subnet
- 220.127.116.11 represents the Azure VPN gateway IP address
- 192.168.64.0/18 represents the Azure network subnet
- “JHTg6u5euztuFMJ3tvKyB2OKWrztHWzd” represents the pre-shared key
Connect to your router and make the following adjustments to your ipsec.conf and ipsec.secrets files.
# ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup # strictcrlpolicy=yes # uniqueids = no # Add connections here. conn AZURE authby=secret right=18.104.22.168 #Azure VPN gateway IP address rightsubnet=192.168.64.0/18 #Azure network subnet defined in cloud leftfirewall=no left=22.214.171.124 #IP address of your on-premises gateway leftsubnet=192.168.2.0/24 #network subnet located on-premises type=tunnel keyexchange=ikev1 ikelifetime=28800s keylife=3600s lifebytes=102400000 esp=aes256-sha1 ike=aes256-sha1-modp1024 rekey=yes keyingtries=1 mobike=no dpdaction=none auto=start rekeymargin=3m
# /etc/ipsec.secrets - strongSwan IPsec secrets file 126.96.36.199 188.8.131.52 : PSK "JHTg6u5euztuFMJ3tvKyB2OKWrztHWzd"
Please note any additional empty new line or invalid characters added to these two configuration files can lead to unsuccessful VPN site-2-site.
Execute the following two commands to ensure the new settings are propagated.
ipsec stop ipsec start
Use the “status” parameter to see if the VPN connection has been established.
After couple of minutes the connected status will be reflected also in the Azure Portal.
By default your router will allow all outbound traffic with your defined Azure networks, but will block all the traffic initiated to your on-premises subnet. That’s why is necessary to open additional traffic between the two internal networks (on-premises and Azure).
Append the following commands in the Firewall script section. Please keep in mind is necessary to call/execute these commands also in the SSH session in case is necessary to make the changes immediately.
iptables -I FORWARD -s 192.168.64.0/18 -d 192.168.2.0/24 -j ACCEPT iptables -I INPUT -p icmp -s 192.168.64.0/18 -d 192.168.2.1/32 -j ACCEPT
Let’s test the site-2-site connectivity.
From on-premises to Azure.
From Azure to on-premises.