Azure VPN with Vyatta

Setting up a router for Hyper-V

Worth mentioning is that this only works with a Static Gateway in Azure!

With the help of the post Using a virtual router for your lab and test environment from Johan Arwidmark, and the post Vyatta Virtual Router on Hyper-V from Stefan Stranger, I managed to set up a virtual machine with Vyatta to act as a router for my lab environment.

Connect lab environment to Azure VPN

I created virtual networks and a Gateway in my Azure subscription with the help of this guide: Step-By-Step: Create a Site-to-Site VPN between your network and Azure.

With a couple of blog posts on Vyatta, IPsec and Azure VPN, and some "trial and error", I came up with the following Vyatta config:

```
# Configure IKE group
set vpn ipsec ike-group IKE-POLICY lifetime '28800'
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group '2'

# Configure ESP group
set vpn ipsec esp-group ESP-POLICY lifetime '3600'
set vpn ipsec esp-group ESP-POLICY pfs disable
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-POLICY proposal 1 hash 'sha1'

# Enable VPN on the nic
set vpn ipsec ipsec-interfaces interface 'eth0'

# Set up the connection to the Azure gateway
set vpn ipsec site-to-site peer [IP of the Gateway] authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer [IP of the Gateway] authentication pre-shared-secret '[your pre-shared-secret]'
set vpn ipsec site-to-site peer [IP of the Gateway] connection-type respond
set vpn ipsec site-to-site peer [IP of the Gateway] default-esp-group 'ESP-POLICY'
set vpn ipsec site-to-site peer [IP of the Gateway] ike-group 'IKE-POLICY'
set vpn ipsec site-to-site peer [IP of the Gateway] local-address '192.168.0.254' # Vyatta external ip
set vpn ipsec site-to-site peer [IP of the Gateway] tunnel 1 local prefix '192.168.78.0/24' # Lab environment subnet
set vpn ipsec site-to-site peer [IP of the Gateway] tunnel 1 remote prefix '10.10.0.0/22' # Azure subnet

commit
save

# Exclude the site-to-site VPN from NAT
set nat source rule 5 destination address '10.10.0.0/22'
set nat source rule 5 source address '192.168.78.0/24'
set nat source rule 5 outbound-interface 'eth0'
set nat source rule 5 'exclude'

set nat source rule 20 source address '10.10.0.0/22'
set nat source rule 20 destination address '192.168.78.0/24'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 'exclude'

commit
save
```
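As an added check (my own script, not part of the original post or of Vyatta), the following Python parses a listing of Vyatta `set` commands like the one above and reports two things: site-to-site tunnels whose local-to-remote traffic is not covered by a NAT `exclude` rule (the mistake the rule 5 and rule 20 lines guard against), and IKE/ESP parameters that current IPsec guidance treats as deprecated (DH group 2, SHA-1, PFS disabled), all of which this config uses. The peer address 203.0.113.10 in the sample is a constructed placeholder for `[IP of the Gateway]`.

```python
import ipaddress
# Constructed sample: this post's commands, peer placeholder replaced by a documentation IP (203.0.113.10).
SAMPLE = """
set vpn ipsec ike-group IKE-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group '2'
set vpn ipsec esp-group ESP-POLICY pfs disable
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 local prefix '192.168.78.0/24'
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 remote prefix '10.10.0.0/22'
set nat source rule 5 source address '192.168.78.0/24'
set nat source rule 5 destination address '10.10.0.0/22'
set nat source rule 5 'exclude'
"""
# Deprecated by current IPsec guidance: 1024-bit-class MODP groups, MD5/SHA-1, DES/3DES.
WEAK = {"dh-group": {"1", "2", "5"}, "hash": {"md5", "sha1"}, "encryption": {"des", "3des"}}


def parse(config):
    """Tokenise each 'set ...' line, dropping 'set' and the quotes around values."""
    return [[t.strip("'\"") for t in ln.split()[1:]]
            for ln in config.splitlines() if ln.strip().startswith("set ")]


def tunnels(rows):
    """[(local_prefix, remote_prefix)] for each 'site-to-site peer <ip> tunnel <n>'."""
    found = {}
    for r in rows:
        if r[:3] == ["vpn", "ipsec", "site-to-site"] and "tunnel" in r:
            i = r.index("tunnel")  # ... tunnel <n> local|remote prefix <net>
            found.setdefault((r[4], r[i + 1]), {})[r[i + 2]] = r[i + 4]
    return [(v["local"], v["remote"]) for v in found.values() if len(v) == 2]


def unexcluded_tunnels(config):
    """Tunnels whose local->remote traffic is matched by no NAT 'exclude' rule and would
    therefore be source-NATed before IPsec sees it. A rule without an address matches any."""
    rows, rules, net = parse(config), {}, ipaddress.ip_network
    for r in rows:  # rule number -> {'source': net, 'destination': net, 'exclude': True}
        if r[:3] == ["nat", "source", "rule"]:
            d = rules.setdefault(r[3], {})
            if r[4] == "exclude":
                d["exclude"] = True
            elif r[4] in ("source", "destination") and r[5] == "address":
                d[r[4]] = r[6]
    return [(lo, re) for lo, re in tunnels(rows) if not any(
        d.get("exclude") and net(lo).subnet_of(net(d.get("source", "0.0.0.0/0")))
        and net(re).subnet_of(net(d.get("destination", "0.0.0.0/0")))
        for d in rules.values())]


def weak_crypto(config):
    """(group, setting, value) for each deprecated IKE/ESP parameter or disabled PFS."""
    return [(r[3], r[-2], r[-1]) for r in parse(config)
            if r[:2] == ["vpn", "ipsec"] and r[2] in ("ike-group", "esp-group")
            and (r[4:6] == ["pfs", "disable"] or r[-2] in WEAK and r[-1] in WEAK[r[-2]])]
```

Run `weak_crypto(SAMPLE)` and `unexcluded_tunnels(SAMPLE)` against your own `show configuration commands` output; an empty list from the second means every tunnel's traffic bypasses source NAT as intended.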

Used blog posts:

Windows Azure mit VPN (Vyatta) verbinden

Configure a Site-to-site VPN using the Vyatta Network Appliance

Troubleshooting a Vyatta Site-to-site VPN connection

Written on April 29, 2014