- \n
- your router to support one of these firmware’s<\/li>\n
- be able to install strongSwan<\/a> on top of it<\/li>\n<\/ul>\n
Just for understanding – according with TomatoAnon<\/a> (who covers only a tiny part of the available Tomato based routers) there are +35.000 such devices in use. Most likely combined with all the other DD-WRT, OpenWrt routers we probably get to couple of millions devices who with a bit of adjustments are capable to establish site 2 site VPN with Azure.<\/em><\/p>\n
<\/p>\n
Microsoft doesn\u2019t has strongSwan<\/a> on its list of validated VPN devices. Openswan<\/a> and strongSwan<\/a> are FreeS\/WAN<\/a> forks. At the moment of writing this article, Openswan is marked on the Microsoft validated VPN device list as “coming soon”<\/a>. Even if stongSwan is not yet on the official list of validated VPN devices, the fact Microsoft is taking in consideration Openswan is an indication the strongSwan will also be there at some point. More than that Microsoft is providing the VPN specifications<\/a> for the VPN site 2 site tunnel to work also with “not yet validated VPN devices” (the discontinued Microsoft Thread Management Gateway<\/a> is also in this category). Your connection will be OK as long as those specifications are meet, but you will not be able to benefit from the Microsoft support in such setup.<\/p>\n
<\/p>\n
The good thing for the IT PROs who want to configure a site 2 site VPN between on-premises and Microsoft Azure is such setup is possible using the consumer based wireless routers. In fact this type of setup (Tomato Shibby Mod<\/a> + Entware-ng<\/a> + strongSwan<\/a>) is supporting both types of VPN Azure Gateways (static and dynamic<\/a>) – which is really appreciable taking in consideration some top end devices like Cisco ASA, Palo Altos, Watchguard, F5 are not capable to handle the Azure dynamic gateway. This article will not mention the differences between the Azure static and dynamic gateways, but always try to use a dynamic gateway because it gives you extra functionality and flexibility (read more about Azure static vs dynamic gateways here<\/a> and here<\/a>).<\/p>\n
<\/p>\n
This article is split in four parts:<\/p>\n
- \n
- Install and configure Entware-ng + strongSwan on your router<\/li>\n
- Configure and perform the site-2-site VPN using Azure dynamic gateway<\/a><\/li>\n
- Configure and perform the site-2-site VPN using Azure static gateway<\/a><\/li>\n
- Troubleshooting Azure site-2-site VPN and strongSwan<\/a><\/li>\n<\/ol>\n
<\/p>\n
Install Entware-ng on your router<\/h2>\n
The main target is to install strongSwan<\/a> on the router, but in order to install strongSwan<\/a> we need first to install Entware-ng<\/a>. Entware-ng is a package manager and software repository for embedded systems who allows you to easily extend your router capabilities (there are about 1800 additional packages available<\/a>).<\/p>\n
<\/p>\n
<\/p>\n
This is the USB flash drive who will be used to host the Entware-ng<\/a> and strongSwan<\/a>.
\nIt is not really necessary to use a USB flash drive. The Entware-ng<\/a> and strongSwan<\/a> installation can be performed also on Micro-SD\u00a0cards – as long as your router has such interface available (my router does, but for the purpose of this step-by-step article I will use an USB flash drive).<\/em><\/p>\n![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_01\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_01-1024x492.png\")
<\/a><\/p>\n<\/p>\n
<\/p>\n
This is the USB flash drive initial status. Please make sure to not keep any files on the flash drive because as part of the Entware-ng<\/a> installation is necessary to format it.<\/p>\n
![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_02\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_02.png\")
<\/a><\/p>\n<\/p>\n
<\/p>\n
Plug the USB flash drive into your router.<\/p>\n
![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_03\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_03-1024x768.png\")
<\/a><\/p>\n<\/p>\n
<\/p>\n
Connect to your router management interface and make sure you enable the USB support.<\/p>\n
![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_04\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_04.png\")
<\/a>Make sure the “Run after mounting” and “Run before unmounting” sections contains the following command lines.<\/p>\nRun after mounting<\/span><\/p>\n
\r\n#!\/bin\/sh\r\n\/opt\/etc\/init.d\/rc.unslung start\r\n<\/pre>\n
Run before unmounting<\/span><\/p>\n
\r\n#!\/bin\/sh\r\n\/opt\/etc\/init.d\/rc.unslung stop\r\nsleep 15\r\numount \/opt\r\n<\/pre>\n
After pressing the Save button, the new settings will be applied and the USB device will be recognized.<\/p>\n
<\/p>\n
<\/p>\n
Make sure you unmount the USB device before proceeding to the next step.<\/p>\n
![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_05\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_05.png\")
<\/a><\/p>\n<\/p>\n
<\/p>\n
In the Administration -> Scripts -> Init section will be necessary to add the following command line to be executed when the router starts.<\/p>\n
\r\necho "LABEL=ENTWARE \/opt ext3 rw,noatime 1 1" >> \/etc\/fstab\r\n<\/pre>\n
![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_06\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_06.png\")
<\/a><\/p>\n<\/p>\n
<\/p>\n
<\/p>\n
It is time to format the USB flash drive and make it ext3.<\/p>\n
![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_07\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_07.png\")
<\/a><\/p>\n![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_08\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_08.png\")
<\/a><\/p>\n<\/p>\n
<\/p>\n
Mount the newly created partition. The Entware-ng installer will require the \/opt to be mounted.<\/p>\n
![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_09\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_09.png\")
<\/a><\/p>\n![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_10\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_10.png\")
<\/a><\/p>\n<\/p>\n
<\/p>\n
<\/p>\n
After the \/opt is mounted, the Entware-ng installation will be triggered using the following command.<\/p>\n
\r\nwget -O - http:\/\/pkg.entware.net\/binaries\/mipsel\/installer\/installer.sh | sh\r\n<\/pre>\n
Please note my router is a MIPS CPU based router. In case yours is ARM you will need to use another command.<\/p>\n
\r\nwget -O - http:\/\/pkg.entware.net\/binaries\/armv7\/installer\/entware_install.sh | sh\r\n<\/pre>\n
![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_11\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_11.png\")
<\/a><\/p>\n<\/p>\n
<\/p>\n
This is a very good moment to restart your router because it will validate if the init & automount scripts are running correctly and Entware-ng installation completed successfully.<\/p>\n
![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_12\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_12.png\")
<\/a><\/p>\n<\/p>\n
<\/p>\n
After the reboot verify if the following command is returning a valid response.<\/p>\n
\r\nopkg list *strongswan*\r\n<\/pre>\n
![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_13\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_13.png\")
<\/a><\/p>\n<\/p>\n
<\/h2>\n
Install strongSwan on your router<\/h2>\n
Execute the following commands to perform a full installation of strongSwan.<\/p>\n
\r\nopkg install strongswan strongswan-charon strongswan-mod-addrblock strongswan-mod-aes strongswan-mod-af-alg strongswan-mod-agent strongswan-mod-attr strongswan-mod-attr-sql strongswan-mod-blowfish strongswan-mod-ccm strongswan-mod-cmac strongswan-mod-constraints strongswan-mod-coupling strongswan-mod-ctr strongswan-mod-curl strongswan-mod-des strongswan-mod-dhcp\r\nopkg install strongswan-mod-dnskey strongswan-mod-duplicheck strongswan-mod-eap-identity strongswan-mod-eap-md5 strongswan-mod-eap-mschapv2 strongswan-mod-eap-radius strongswan-mod-farp strongswan-mod-fips-prf strongswan-mod-gcm strongswan-mod-gcrypt strongswan-mod-gmp strongswan-mod-gmpdh strongswan-mod-ha strongswan-mod-hmac strongswan-mod-kernel-libipsec\r\nopkg install strongswan-mod-kernel-netlink strongswan-mod-ldap strongswan-mod-led strongswan-mod-load-tester strongswan-mod-md4 strongswan-mod-md5 strongswan-mod-mysql strongswan-mod-nonce strongswan-mod-openssl strongswan-mod-pem strongswan-mod-pgp strongswan-mod-pkcs1 strongswan-mod-pkcs11 strongswan-mod-pkcs8 strongswan-mod-pubkey strongswan-mod-random\r\nopkg install strongswan-mod-rc2 strongswan-mod-resolve strongswan-mod-revocation strongswan-mod-sha1 strongswan-mod-sha2 strongswan-mod-smp strongswan-mod-socket-default strongswan-mod-socket-dynamic strongswan-mod-sql strongswan-mod-sqlite strongswan-mod-sshkey strongswan-mod-stroke strongswan-mod-test-vectors strongswan-mod-unity strongswan-mod-updown strongswan-mod-whitelist\r\nopkg install strongswan-mod-x509 strongswan-mod-xauth-eap strongswan-mod-xauth-generic strongswan-mod-xcbc strongswan-utils\r\n<\/pre>\n
![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_14\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_14.png\")
<\/a><\/p>\n<\/h2>\n
<\/h2>\n
Configure strongSwan<\/h2>\n
The following configuration is despite whatever type of Azure gateway we will use (static \/ dynamic). This configuration will allow you troubleshoot and open the necessary ports required for the VPN tunnel.<\/p>\n
nano \/opt\/etc\/strongswan.conf<\/span><\/p>\n
\r\n# strongswan.conf - strongSwan configuration file\r\n#\r\n# Refer to the strongswan.conf(5) manpage for details\r\n#\r\n# Configuration changes should be made in the included files\r\n# Verbosity levels\u000b\r\n# -1: Absolutely silent\r\n# 0: Very basic auditing logs, (e.g. SA up\/SA down)\r\n# 1: Generic control flow with errors, a good default to see whats going on\r\n# 2: More detailed debugging control flow\r\n# 3: Including RAW data dumps in Hex\r\n# 4: Also include sensitive material in dumps, e.g. keys\r\n\r\ncharon {\r\n load_modular = yes\r\n plugins {\r\n include strongswan.d\/charon\/*.conf\r\n }\r\n filelog {\r\n \/opt\/tmp\/charon.log {\r\n time_format = %b %e %T\r\n append = no\r\n default = 0 # in case troubleshoot is required switch this to 2\r\n }\r\n stderr {\r\n ike = 0 # in case troubleshoot is required switch this to 2\r\n knl = 0 # in case troubleshoot is required switch this to 3\r\n ike_name = yes\r\n }\r\n }\r\n syslog {\r\n # enable logging to LOG_DAEMON, use defaults\r\n daemon {\r\n }\r\n # minimalistic IKE auditing logging to LOG_AUTHPRIV\r\n auth {\r\n default = 0 # in case troubleshoot is required switch this to 2\r\n ike = 0 # in case troubleshoot is required switch this to 2\r\n }\r\n }\r\n}\r\n\r\ninclude strongswan.d\/*.conf\r\n<\/pre>\n![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_15\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_15.png\")
<\/a><\/p>\n<\/p>\n
<\/p>\n
Make sure you open the required VPN communication with your router.<\/p>\n
\r\niptables -t filter -A INPUT -p udp --dport 500 -j ACCEPT\r\niptables -t filter -A INPUT -p udp --dport 4500 -j ACCEPT\r\niptables -t filter -A INPUT -p esp -j ACCEPT\r\n<\/pre>\n
![\"On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_16\"](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2016\/04\/On-Premises_Site_2_Site_VPN_with_Azure_using_Tomato_Shibby_Mod_Entware-ng_and_Strongswan_16.png\")
<\/a><\/p>\n<\/p>\n
Reboot is required in order the firewall rules to apply.<\/p>\n
<\/p>\n
<\/p>\n
Continue with On-Premises Site 2 Site VPN with Azure using Tomato Shibby Mod (Entware-ng and Strongswan setup) – part 2<\/a>.<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Through the multitude of router firmware projects I found Tomato Firmware (Shibby Mod) as being the best one for my case (I am using it for OpenVPN server, PPTP server, Dynamic DNS, port forwarding, Quality Of Service \u2026 ). This article will describe step by step how you can configure a VPN site 2 site … Continue reading On-Premises Site 2 Site VPN with Azure using Tomato Shibby Mod (Entware-ng and Strongswan setup) – part 1<\/span>
- Configure and perform the site-2-site VPN using Azure static gateway<\/a><\/li>\n