Wednesday, December 24, 2014

Azure Ipsec router ( Static gateway multi site)

The problem:
Multi site VPN on Azure using IKEv1 (CISCO ASA 8.3)
The situation to solve:

We need a connection between our three on premises sites and the production and staging in a vnet on Azure via VPN. Unfortunately we have an old CISCO ASA hardware running IOS 8.3 and it only supports IKEv1.


Background:
Azure supports two VPN modes, static route VPN gateway and dynamic VPN route gateway.
Static route work with IKEv1 hardware gateways such as Cisco ASA (only the newest versions supports IKEv2).
Dynamic routing works with IKEv2 hardware such as (CISCO ASR and ISR) gateways and Windows 2012 RAS.
IKEv1 is site to site VPN, it only support one site by default.
IKEv2 supports site to multi site VPNs.
Here is a compatibility list of hardware gateways supported by Azure http://msdn.microsoft.com/en-us/library/azure/jj156075.aspx and it includes a very useful information, the gateway type supported by the device.
Here is a comparative between IKEv1 and IKEv2 features:
http://rockhoppervpn.sourceforge.net/techdoc_ikev1vsikev2.html

The proposed solution:
Finally, we decided to use a Ipsec router running over Azure VM and Ubuntu with Openswan software.
It is important to assign a PIP to the IPsec router box, you can check this link http://msdn.microsoft.com/en-us/library/azure/dn690118.aspx to know how to assing a PIP.
Remember, if the box is deprovisioned you are going to lose your public IP.

Useful links to configure Openswan:

http://azure.microsoft.com/blog/2014/05/22/connecting-to-a-windows-azure-virtual-network-via-a-linux-based-software-vpn-device/

http://thejimmahknows.com/site-to-site-ipsec-vpn-using-openswan-and-cisco-asa-9-13/

Here is an example of the ipsec box config:
ipsec.conf
conn AZURE
        authby=secret
        auto=start
        type=tunnel
        left=10.222.222.4 # IPsec Box IP
        leftsubnets={10.222.222.0/27,10.75.0.250/32} # IPsec network and Onpremise network
        leftnexthop=%defaultroute
        right=104.40.XXX.XXX #Azure gateway public IP
        rightsubnet=10.111.112.0/27 #Azure Networks
        rightnexthop=%defaultroute
        ike=3des-sha1-modp1024,aes128-sha1-modp1024
        esp=3des-sha1,aes128-sha1
        pfs=no
        #Tunning keepalive
        dpddelay=30 # Dead peer checks
        dpdtimeout=120  # Dead peer timeout
        dpdaction=restart_by_peer # what to do if dead?
        ikelifetime=86400s
        salifetime=3600s # how long to think that our key pair is secure
ipsec.secrets
#Azure-gateway-ip Ipsec-box-private-ip  KEY
104.40.XXX.XXX  10.222.222.4  : PSK "eVKSik00AsN23n9892jsaaHMafb9EIPsxs"

Set the MTU in the linux box to 1350 (ifconfig eth0 mtu 1350) to improve the VPN performance and prevent fragmentation.
Here is there more information http://www.concurrency.com/infrastructure/site-to-azure-vpn-using-windows-server-2012-rras/#mtunatt about this.

How to debug/troubleshooting:
In a nutshell, there are three main files to review in openswan when you have problems:
  • /var/log/auth.log 
  • /var/log/syslog 
  • /var/log/pluto/peer/a/b/c/d/a.b.c.d.log
In the link there is a very good post about how to configure and troubleshoot Openswan IPsec http://blog.jameskyle.org/2012/07/configuring-openswan-ipsec-server/





No comments:

Post a Comment