Authors: Daniel Pires and Daniel Mauser
Introduction
In this article, we are going to show you how to set up an IPsec Site-to-Site VPN between Azure and an on-premises location using a MikroTik router. Another blog post on the same subject was published a few years ago: Creating a site-to-site VPN with Windows Azure and MikroTik (RouterOS). However, this article contains some major updates. First, we are going to set up the Site-to-Site VPN using the Azure Resource Manager portal (http://portal.azure.com), while the original article used the classic Azure portal. Second, the VPN Gateway in this blog post is Route-Based, which uses IKE version 2 (IKEv2), compared with the Policy-Based Gateway in the first article, which used IKE version 1 (IKEv1). If you are not familiar with the terminology of IPsec parameters, in particular IKEv2, please take a look at the following documentation: About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections.
Scenario
Below we have a diagram of the scenario covered in this step-by-step.
The relevant information from the diagram above that is needed to configure the Site-to-Site VPN:
Azure Side:
On-Premises Side:
Azure: Configuring Route-Based IPSec Site-to-Site VPN
In this section we will go step by step through configuring the Site-to-Site VPN on the Azure side. The steps demonstrated here are the same as in the official documentation: Create a Site-to-Site connection in the Azure portal. So we are not going to cover in detail how to get to each screen; you can use the official documentation as a reference. Also, if you are already familiar with those steps, feel free to jump straight to the section below: MikroTik (On-Premises) Configuring IPSec (IKEv2) Site-to-Site VPN.
1. Create a virtual network
2. Specify a DNS server (optional, and not necessary for this demonstration to work)
3. Create the gateway subnet:
a. Select Gateway Subnet
b. Add the Gateway subnet. In this case I will use the final 255 network inside 10.4.0.0/16 (10.4.255.0/24) to carve out 32 addresses for the VPN Gateway; the subnet is 10.4.255.0/27.
4. Create the Virtual Network Gateway. It is important to highlight here that we are going to use VPN Type: Route-Based. For lab purposes you can use the Basic SKU; for production workloads at least the Standard SKU is recommended. For more information about VPN Gateway sizes, consult: Gateway SKUs.
a) Creating the Virtual Network Gateway named VNET1GW
b) After you create the Virtual Network Gateway you can see its status as well as the public IP that is going to be used:
5. Create the local network gateway, which requires you to specify the public IP of your VPN device (47.187.117.YY) as well as the on-premises subnet(s) (192.168.88.0/24).
6. Configure your VPN device – See section: MikroTik (On-Premises) Configuring IPSec (IKEv2) Site-to-Site VPN.
7. Create the VPN connection
8. Verify the VPN connection
MikroTik (On-Premises) Configuring IPSec (IKEv2) Site-to-Site VPN
MikroTik RouterOS runs on several device models, and there are very affordable models that you can use to play with and learn how to configure a Site-to-Site VPN with Azure.
DISCLAIMER: Although we demonstrate Mikrotik in this article, it is important to mention Microsoft does not support the device configuration directly. In case you have issue, please contact device manufacturer for additional support and configuration instructions.
One important point to highlight is that IKEv2 support was introduced in release 6.38. Therefore, make sure you have a compatible version before proceeding with the configuration demonstrated in this article. We used a RouterBOARD 750 with software version RouterOS 6.39.
In this tutorial the Winbox management utility was used to perform the MikroTik configuration. Here are the necessary steps to configure MikroTik correctly:
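The original shows these steps as Winbox screenshots; the following is the equivalent RouterOS 6.39 CLI (the pre-6.43 IPsec syntax), added here as an example and not taken from the article. It assumes placeholder addresses for the Azure VPN Gateway public IP (203.0.113.10) and the router's WAN IP (198.51.100.20), a placeholder pre-shared key, and that the cipher choices match the default Azure route-based IKEv2 proposal (AES-256, SHA-256, DH group 2, no PFS); the subnets are the ones from the diagram.

```routeros
# --- Phase 2 proposal (IPsec SA): AES-256-CBC / SHA-256, no PFS, which is Azure's route-based default ---
/ip ipsec proposal add name=azure-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=none lifetime=30m

# --- Phase 1 peer (IKEv2 SA) toward the Azure VPN Gateway ---
# 203.0.113.10 is a placeholder for the Azure gateway public IP shown in step 4b;
# the PSK must match the shared key entered in the Azure connection (step 7).
/ip ipsec peer add address=203.0.113.10/32 exchange-mode=ike2 auth-method=pre-shared-key \
    secret="REPLACE-WITH-YOUR-PSK" enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp1024 \
    lifetime=8h nat-traversal=no send-initial-contact=yes generate-policy=no \
    comment="Azure VNET1GW"

# --- Policy: encrypt everything between the on-prem LAN and the Azure VNET in tunnel mode ---
# 198.51.100.20 is a placeholder for the router's own WAN IP (47.187.117.YY in the article).
/ip ipsec policy add src-address=192.168.88.0/24 dst-address=10.4.0.0/16 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=198.51.100.20 sa-dst-address=203.0.113.10 proposal=azure-proposal

# --- NAT bypass: traffic to Azure must keep its private source address, so this accept rule
#     has to sit ABOVE the default masquerade rule (place-before=0 puts it first) ---
/ip firewall nat add chain=srcnat action=accept src-address=192.168.88.0/24 \
    dst-address=10.4.0.0/16 place-before=0 comment="no NAT toward Azure VNET"

# --- Input filter: the default RouterOS firewall drops unsolicited WAN input, so allow
#     IKE (udp/500), NAT-T (udp/4500) and ESP only from the Azure gateway address ---
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 src-address=203.0.113.10 \
    action=accept place-before=0 comment="IKEv2 from Azure"
/ip firewall filter add chain=input protocol=ipsec-esp src-address=203.0.113.10 \
    action=accept place-before=0 comment="ESP from Azure"
```

Because generate-policy=no, nothing is negotiated until a packet from 192.168.88.0/24 toward 10.4.0.0/16 matches the policy; the ping in the validation section is what triggers the first IKE exchange.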
Validating the IPSec Tunnel
Ping between two computers, one on each side. On the right, the on-premises computer (192.168.88.17) correctly pings the Azure VM (10.4.0.4), and the other direction works fine too.
On both sides we see a TTL of 126, which corresponds to the two hops (both gateways) decrementing it. The default TTL of Windows machines is 128.
Note: By default the Windows firewall blocks inbound ICMP echo requests. Make sure you allow ICMP by running the following PowerShell command (the parameter is -Enabled):
Set-NetFirewallRule -Name FPS-ICMP4-ERQ-In -Enabled True
On Azure Side
In the Azure portal you can validate the brand-new tunnel as shown in item 8, Verify the VPN connection, above. It can also be validated with PowerShell by using the command: Get-AzureRmVirtualNetworkGatewayConnection -Name From-Azure-to-Mikrotik -ResourceGroupName S2SVPNDemo
On MikroTik Side
There are multiple ways to validate the IPsec VPN connection to Azure on MikroTik. Here are some of them:
1. IPSec – Policies tab. It shows whether IKE Phase 2 is working correctly.
2. Remote Peers tab. This shows whether IKE Phase 1 (Main mode) is working correctly.
3. Installed SAs tab. It shows the current Security Associations.
IPSec Troubleshooting
If something does not work during your configuration, you can troubleshoot to determine what is going on. MikroTik provides a good interface for logging and troubleshooting IPsec in case you want more detailed information. Events can be viewed in the Log menu, but to get IPsec events exposed you need to make a simple change in the logging configuration (System – Logging) and add ipsec as a topic:
After you add this new logging rule you will see detailed IPsec events like the following:
Extra Tip: See comments about TCP MSS Clamp configuration shared by a reader.
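The three Winbox tabs, the logging rule and the MSS tip above have CLI equivalents; the following block is an added example (not from the article) that checks each phase in order, triggers negotiation from the router itself, and adds the MSS clamp the reader tip refers to. The 1350-byte MSS is the value Azure's VPN device guidance recommends; 192.168.88.1 is assumed to be the router's LAN address.

```routeros
# Phase 1 (IKE SA): a row for the Azure gateway here means IKEv2 authenticated (Remote Peers tab)
/ip ipsec remote-peers print

# Phase 2: the Azure policy should show ph2-state=established (Policies tab);
# "no phase2" here with a healthy phase 1 usually means a proposal mismatch
/ip ipsec policy print detail where dst-address=10.4.0.0/16

# Live SAs with byte counters in both directions (Installed SAs tab);
# a growing counter on only one SA points at a one-way (NAT or firewall) problem
/ip ipsec installed-sa print

# Trigger negotiation from the router: src-address MUST fall inside the policy's
# src-address (192.168.88.0/24), otherwise the packet never matches the policy
/ping 10.4.0.4 src-address=192.168.88.1 count=4

# Expose IKE/IPsec negotiation messages in the log (System - Logging, topic ipsec)
/system logging add topics=ipsec action=memory
/log print where topics~"ipsec"

# TCP MSS clamp for flows entering the tunnel, so ESP overhead does not push packets
# over the path MTU and silently break large transfers while ping still works
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn dst-address=10.4.0.0/16 \
    tcp-mss=1351-65535 action=change-mss new-mss=1350 comment="MSS clamp toward Azure"
```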
Conclusion
In this article we demonstrated how to set up an IPsec Site-to-Site VPN using IKEv2 (Route-Based) between Azure and a MikroTik RouterBOARD. These instructions may also help you set up any IPsec device that is compatible with the Azure VPN Gateway settings. I hope you liked the information shared here, and please let us know below in the comments if you have additional questions. I would like to give special thanks to Azure Support Escalation Engineer Daniel Pires, who co-authored this article with me. Thanks!
Hey guys I'm back again with some Mikrotik VPN action. The situation changed however and maybe for the better.
Here is the situation.
I have in my hands two RB915G-2Hnd RouterBOARDs. I also have two offices. Office A has a Zentyal box behind an ISP-provided modem connecting to the internet. The Zentyal is the DHCP server, with LAN address 192.168.1.1.
Office 'B' is at another location, right now they just have an ISP router that acts as DHCP (10.10.10.0/24).
The idea is that office 'B' needs to access the file shares (Zentyal) in office 'A', maybe even the printer on that network. For this we want to use these two MikroTiks. Now I'm not exactly a MikroTik guy, so I'm kinda in the deep here, so please bear with me.
I'm just testing these two things now. I got as far as connecting the two over L2TP; the connection showed up on the server side, and that's all good and well, but setting it up so the two LANs can reach each other is eluding me. I'm familiar with NAT and all, but not with how this works in MikroTik.
Can any of you Mikrotik-knights help me out? If you need any more info just let me know.
Thanks in advance.
A site-to-site IPsec tunnel interconnects two networks as if they were directly connected by a router. Systems at Site A can reach servers or other systems at Site B, and vice versa. This traffic may also be regulated via firewall rules, as with any other network interface. If more than one client will be connecting to another site from the same controlled location, a site-to-site tunnel will likely be more efficient, not to mention more convenient and easier to support.
With a site-to-site tunnel, the systems on either network need not have any knowledge that a VPN exists. No client software is needed, and all of the tunnel work is handled by the tunnel endpoints. This is also a good solution for devices that have network support but do not handle VPN connections, such as printers, cameras, HVAC systems, and other embedded hardware.
Site-to-site example configuration
The key to making a working IPsec tunnel is to ensure that both sides have matching settings for authentication, encryption, and so on. Before starting, make a note of the local and remote WAN IP addresses, as well as the local and remote internal subnets that will be carried across the tunnel. An IP address from the remote subnet to ping is optional, but recommended to keep the tunnel alive. The firewall doesn't check for replies, as any traffic initiated to an IP address on the remote network will trigger IPsec negotiation, so it doesn't matter if the host actually responds or not as long as it is an IP address on the other side of the connection. Aside from the cosmetic tunnel Description and these pieces of information, the other connection settings will be identical.
In this example and some of the subsequent examples in this chapter, the following settings will be assumed:
Start with Site A. Create the tunnel by clicking Add P1. The phase 1 configuration page for the tunnel is shown. Many of these settings may be left at their default values.
First, fill in the top section that holds the general phase 1 information, shown in Figure figure-vpn-tunnel-settings. Items in bold are required. Fill in the settings as described: