
Azure VPN with Vyatta

Setting up a router for Hyper-V

Note that this only works with a static routing (policy-based) gateway in Azure: the configuration below selects tunnel traffic by local/remote prefixes rather than routing it over a VTI, which is what the dynamic routing (route-based) gateway expects.

With help from the post Using a virtual router for your lab and test environment by Johan Arwidmark and the post Vyatta Virtual Router on Hyper-V by Stefan Stranger, I set up a virtual machine running Vyatta to act as the router for my lab environment.

Connect the lab environment to the Azure VPN
I created the virtual networks and a gateway in my Azure subscription by following the guide Step-By-Step: Create a Site-to-Site VPN between your network and Azure.
With a couple of blog posts on Vyatta, IPsec and Azure VPN, plus some trial and error, I came up with the following Vyatta config:

# Configure IKE (phase 1) group. AES-128, SHA1, DH group 2 and a 28800 s lifetime
# are what the Azure static routing (policy-based) gateway negotiates; they are
# weak by today's standards, but the peer dictates them.
set vpn ipsec ike-group IKE-POLICY lifetime '28800'
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group '2'

# Configure ESP (phase 2) group. PFS has to be disabled for the static gateway.
set vpn ipsec esp-group ESP-POLICY lifetime '3600'
set vpn ipsec esp-group ESP-POLICY pfs disable
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-POLICY proposal 1 hash 'sha1'

# Enable IPsec on the external (Internet-facing) NIC
set vpn ipsec ipsec-interfaces interface 'eth0'

# Set up the connection to the Azure gateway. The pre-shared secret is stored
# in clear text in the Vyatta configuration, so use a long random value and
# keep the config file away from anyone who should not have it.
set vpn ipsec site-to-site peer [IP of the Gateway] authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer [IP of the Gateway] authentication pre-shared-secret '[your pre-shared-secret]'
# 'respond' lets Azure bring the tunnel up; use 'initiate' if the lab side must start it
set vpn ipsec site-to-site peer [IP of the Gateway] connection-type respond
set vpn ipsec site-to-site peer [IP of the Gateway] default-esp-group 'ESP-POLICY'
set vpn ipsec site-to-site peer [IP of the Gateway] ike-group 'IKE-POLICY'
set vpn ipsec site-to-site peer [IP of the Gateway] local-address '192.168.0.254' # Vyatta external IP
# Policy-based tunnel: traffic is selected by these two prefixes, not by a route
set vpn ipsec site-to-site peer [IP of the Gateway] tunnel 1 local prefix '192.168.78.0/24' # Lab environment subnet
set vpn ipsec site-to-site peer [IP of the Gateway] tunnel 1 remote prefix '10.10.0.0/22' # Azure subnet

commit

save

# Exclude the site-to-site VPN traffic from source NAT. NAT rules are evaluated
# in ascending order, so these exclude rules must be numbered below the general
# masquerade rule from the router setup; otherwise lab traffic bound for Azure
# is NATed before the IPsec policy matches it and never enters the tunnel.
set nat source rule 5 destination address '10.10.0.0/22'
set nat source rule 5 source address '192.168.78.0/24'
set nat source rule 5 outbound-interface 'eth0'
set nat source rule 5 'exclude'

# Same exclusion for traffic in the other direction
set nat source rule 20 source address '10.10.0.0/22'
set nat source rule 20 destination address '192.168.78.0/24'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 'exclude'

commit

save
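As an added example (not part of the original post, and not a Vyatta or Azure tool), here is a small Python script that generates the configuration above from a handful of parameters and performs the sanity checks that the trial-and-error phase usually turns up: it rejects a short or badly quoted pre-shared secret, overlapping local/remote prefixes, an external address that sits inside the lab subnet, and NAT exclude rules numbered above the masquerade rule. The interface name, the rule numbers, the PSK length threshold (20), the masquerade rule number (100) and the sample gateway address 203.0.113.10 are assumptions chosen to fit the post.

```python
"""Generate and sanity-check a Vyatta policy-based site-to-site VPN config.

Added example for this post; it is not the author's script and not part of
Vyatta or Azure. Rule numbers, interface name and the PSK length threshold
are assumptions chosen to match the configuration shown in the post.
"""
import ipaddress
import secrets
import string

MIN_PSK_LENGTH = 20      # assumption: minimum accepted pre-shared-secret length
MASQUERADE_RULE = 100    # assumption: number of the general masquerade rule


def generate_psk(length: int = 32) -> str:
    """Return a random alphanumeric pre-shared secret.

    Letters and digits only, so the value is safe inside the single quotes
    of the 'set ... pre-shared-secret' command and pastes cleanly into Azure.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_psk(psk: str) -> None:
    """Reject secrets that are too short or that would break the CLI quoting."""
    if len(psk) < MIN_PSK_LENGTH:
        raise ValueError(f"pre-shared secret shorter than {MIN_PSK_LENGTH} characters")
    if "'" in psk or not psk.isprintable():
        raise ValueError("pre-shared secret must be printable and must not contain a single quote")


def check_prefixes(local_prefix: str, remote_prefix: str, local_address: str):
    """Validate the traffic selectors of the policy-based tunnel.

    Both prefixes must be IPv4 networks written on their network boundary,
    they must not overlap (overlapping selectors leave traffic with no clear
    path into the tunnel), and the router's external address must sit
    outside the lab subnet it is routing for.
    """
    local = ipaddress.IPv4Network(local_prefix, strict=True)
    remote = ipaddress.IPv4Network(remote_prefix, strict=True)
    if local.overlaps(remote):
        raise ValueError(f"local prefix {local} overlaps remote prefix {remote}")
    address = ipaddress.IPv4Address(local_address)
    if address in local:
        raise ValueError(f"external address {address} lies inside the lab subnet {local}")
    return local, remote


def vyatta_config(peer_ip, psk, local_address, local_prefix, remote_prefix,
                  interface="eth0", exclude_rules=(5, 20)):
    """Return the 'set' commands for the tunnel and its two NAT exclusions."""
    peer = str(ipaddress.IPv4Address(peer_ip))
    check_psk(psk)
    local, remote = check_prefixes(local_prefix, remote_prefix, local_address)
    if len(exclude_rules) != 2:
        raise ValueError("exactly two NAT exclude rule numbers are needed, one per direction")
    bad = [r for r in exclude_rules if r >= MASQUERADE_RULE]
    if bad:
        raise ValueError(f"exclude rules {bad} must be numbered below masquerade rule {MASQUERADE_RULE}")

    p = f"set vpn ipsec site-to-site peer {peer}"
    lines = [
        # Phase 1 / phase 2 parameters accepted by the Azure static routing gateway
        "set vpn ipsec ike-group IKE-POLICY lifetime '28800'",
        "set vpn ipsec ike-group IKE-POLICY proposal 1 encryption 'aes128'",
        "set vpn ipsec ike-group IKE-POLICY proposal 1 hash 'sha1'",
        "set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group '2'",
        "set vpn ipsec esp-group ESP-POLICY lifetime '3600'",
        "set vpn ipsec esp-group ESP-POLICY pfs disable",
        "set vpn ipsec esp-group ESP-POLICY proposal 1 encryption 'aes128'",
        "set vpn ipsec esp-group ESP-POLICY proposal 1 hash 'sha1'",
        f"set vpn ipsec ipsec-interfaces interface '{interface}'",
        f"{p} authentication mode 'pre-shared-secret'",
        f"{p} authentication pre-shared-secret '{psk}'",
        f"{p} connection-type respond",
        f"{p} default-esp-group 'ESP-POLICY'",
        f"{p} ike-group 'IKE-POLICY'",
        f"{p} local-address '{local_address}'",
        f"{p} tunnel 1 local prefix '{local}'",
        f"{p} tunnel 1 remote prefix '{remote}'",
        "commit",
        "save",
    ]
    # NAT exclusions, one per direction, numbered before the masquerade rule
    for rule, (src, dst) in zip(exclude_rules, ((local, remote), (remote, local))):
        lines += [
            f"set nat source rule {rule} source address '{src}'",
            f"set nat source rule {rule} destination address '{dst}'",
            f"set nat source rule {rule} outbound-interface '{interface}'",
            f"set nat source rule {rule} 'exclude'",
        ]
    lines += ["commit", "save"]
    return lines


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.10 is a documentation address
    # standing in for the real Azure gateway IP.
    for line in vyatta_config("203.0.113.10", generate_psk(), "192.168.0.254",
                              "192.168.78.0/24", "10.10.0.0/22"):
        print(line)
```

Paste the printed lines into the Vyatta configure session (or save them to a file and run them with `configure` followed by the commands) and keep the generated pre-shared secret for the Azure side of the gateway.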

Blog posts used:
Windows Azure mit VPN (Vyatta) verbinden (German: Connecting Windows Azure with a VPN (Vyatta))
Configure a Site-to-site VPN using the Vyatta Network Appliance
Troubleshooting a Vyatta Site-to-site VPN connection