Author – Gaurav Singh, Associate Cloud Engineer
Introduction:
This article describes how to set up a Site-to-Site IPsec VPN (Virtual Private Network) connection between strongSwan on Ubuntu and an Azure Virtual Network Gateway. strongSwan is an open-source, cross-platform, full-featured and widely used IPsec-based VPN service that runs on Linux, FreeBSD, OS X, Windows, Android, and iOS. It is primarily a keying daemon that supports the Internet Key Exchange protocols (IKEv1 and IKEv2) to establish security associations (SAs) between two peers. Azure Virtual Network Gateway is a virtual network gateway service that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use it to send encrypted traffic between Azure virtual networks over the Microsoft network.
Prerequisites:
You will require an active Azure subscription.
Implementation:
We will set up two sites: one containing the Azure Virtual Network Gateway and the other containing the strongSwan VM. In this demo, we have created the strongSwan VM site on Azure in a different virtual network, but you can create it on an on-premises machine or a local machine instead.
Setting up Azure site:
In the Azure site, we will create an Ubuntu VM which we will use to test the connection with the strongSwan site. We will also create a virtual network gateway which will act as the endpoint of this connection.

First, we will create a virtual network in Azure which will contain our VM and gateway. Open the Azure Portal, type "virtual network" in the search bar and select the Virtual networks service. Click on Add once the Virtual networks page opens. This will open the configuration page for creating a virtual network resource. Under resource group, click on create new and type the name "AzureSite". This will create a resource group for our Azure site, and we will deploy all of our Azure site resources in this resource group. For name enter "AzureSite-Vnet" and select the East US region. Click on next to configure the IP addresses. The IPv4 address range by default should be 10.0.0.0/16 and the default subnet for it should be 10.0.0.0/24. If they are different, make the necessary changes; you can edit a range by clicking on it or delete it if necessary. You can use different address ranges for both sites, but the most important thing is that the address ranges of our Azure site and strongSwan site must not overlap, otherwise routing between the sites is ambiguous. Leave the rest at the defaults and click on Review + create. Then verify the details as shown below and click on Create. This will deploy your resource.

The next resource we need to create for our Azure site is a virtual network gateway. Search for "virtual network gateway" in the search bar, select the virtual network gateway service and then click on Add. The configuration should be as shown in the screenshot below. We will create the gateway in the same resource group and network we created before. A separate subnet called "GatewaySubnet" will be created for the gateway. The gateway subnet should always be left empty. A public IP will also be created for the gateway. Click on Review + create and verify the configuration.
Then click on Create to deploy the gateway. Note that the gateway can take up to 45 minutes to deploy. You can deploy other resources while it is deploying.

The last resource we will create in our Azure site is a VM. In the search bar type "virtual machines" and select the Virtual Machines service. Click on Add and then select Virtual machine from the drop-down. This will open the configuration page for creating a VM. Under resource group, select the resource group we just created and fill in the rest of the details as shown below. Take note of the username and the key pair name under Administrator account; they are the credentials we will use to log in to the VM. Leave the rest at the defaults and click next until you get to Networking. Make sure the VM is in the default subnet of the virtual network we created earlier. Then click on Review + create. Verify the configuration and click Create to deploy the VM. After you click on Create, you will be prompted to download the private SSH key which is required to connect to the VM. Download it and remember the path where it is saved.
Setting up strongSwan site:
In this setup, we will create another Ubuntu VM in the West US region, on which we will configure strongSwan. Creating the Ubuntu VM is similar to before; we just need to change a few parameters such as location and virtual network. Navigate to the VM creation page and match the configuration as shown below. The strongSwanVM is created in a new resource group "strongSwanSite" in the West US region. You can use the same credentials and key as the AzureSiteVM. Click next until you get to Networking, then under virtual network click on create new and add the configuration below. We will create a 172.16.0.0/16 address space with a 172.16.0.0/24 subnet. Leave the rest at the defaults and create the VM.
Configuring Azure site:
We will create a connection from the gateway we created to the public IP of strongSwanVM. It will be an IKEv2 connection authenticated with a Pre-shared Key (PSK). The value of the Pre-shared Key will be "AzureA1b2C3".

First, we need to create a local network gateway in Azure. A local network gateway in Azure represents the on-premises VPN device; in our environment, the local network gateway will represent our strongSwanVM. Go to the strongSwanVM resource we created before and copy its public IP. Search for the local network gateway service and click on Add. Enter the details as shown below and paste the public IP under IP address. This will create a local network gateway called strongSwanGW in the strongSwanSite resource group. The address space defines the address range of the remote (local) network; in our environment, it is the address space of strongSwanSite-vnet. Create the resource.

Now, go to AzureSiteGW, the virtual network gateway we created, select the Connections blade under Settings and click Add. Add the configuration as shown. The connection that will be created is an IPsec connection using the IKEv2 protocol. Select the local network gateway we created. Type "AzureA1b2C3" as the PSK and click OK to create the connection. The status will show Unknown or Not connected until we configure the strongSwan site.
Configuring strongSwan site:
We will now configure strongSwan on the strongSwanVM we created. We will connect to the VM using SSH; you can enter the following commands in bash or PowerShell. Type the following command, substituting the path to the private key you downloaded, the administrator username and the public IP of strongSwanVM:

    ssh -i "<path-to-private-key>" <username>@<public-ip>

Example:

    ssh -i .\Downloads\AzureSiteVM_key.pem azureuser@104.45.239.10

Once the connection is established, run:

    sudo apt update

Then, to install strongSwan, run:

    sudo apt install strongswan

To run strongSwan as a VPN gateway, we need to configure the system to enable packet forwarding, which means changing some kernel parameters. Run:

    sudo nano /etc/sysctl.conf

Uncomment the following lines in the file:

    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0

The first setting enables packet forwarding and the next two disable ICMP redirects. To reload sysctl:

    sudo sysctl -p

UFW is disabled by default in Azure, but if you want to have it enabled, or are connecting from a machine somewhere else, then you need to add some rules. Run:

    sudo nano /etc/ufw/before.rules

Then add the following lines to it:

    *nat
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 10.0.0.0/16 -d 172.16.0.0/16 -j MASQUERADE
    COMMIT

Then run:

    sudo ufw disable
    sudo ufw enable

Now we will create the connection in the ipsec.conf file for strongSwan. Create a backup of the ipsec.conf file:

    sudo cp /etc/ipsec.conf /etc/ipsec.conf.backup

Then open the file:

    sudo nano /etc/ipsec.conf

Add the following configuration to the file:

Meaning of the parameters:
- config setup – specifies general configuration information for IPsec which applies to all connections.
- charondebug – defines how much debugging output the charon IKE daemon should log.
- uniqueids – specifies whether a particular participant ID should be kept unique.
- conn ss-to-azure – defines connection name.
- type – defines connection type.
- auto – how to handle connection when IPSec is started or restarted.
- keyexchange – defines the version of the IKE protocol to use.
- authby – defines how peers should authenticate each other.
- left – defines the private IP address of the left participant, in our case the strongSwanVM.
- leftsubnet – states the private subnet behind the left participant. In our environment it should be either the address space of the strongSwanSite virtual network, which is 172.16.0.0/16, or its subnet address, which is 172.16.0.0/24.
- right – specifies the public IP address of the right participant. In our environment it should be public IP of AzureSiteGW.
- rightsubnet – states the private subnet behind the right participant. In our environment it should be either the address space of the network behind the gateway, which is 10.0.0.0/16, or any subnet within it, such as 10.0.0.0/24 or 10.0.1.0/16.
- ike – defines a list of IKE/ISAKMP SA encryption/authentication algorithms to be used. You can add a comma-separated list.
- esp – defines a list of ESP encryption/authentication algorithms to be used for the connection. You can add a comma-separated list.
- aggressive – states whether to use Aggressive or Main Mode.
- keyingtries – states the number of attempts that should be made to negotiate a connection.
- ikelifetime – states how long the keying channel of a connection should last before being renegotiated.
- lifetime – defines how long a particular instance of a connection should last, from successful negotiation to expiry.
- dpddelay – specifies the time interval at which R_U_THERE messages (IKEv1) or INFORMATIONAL exchanges (IKEv2) are sent to the peer to check that it is still alive.
- dpdtimeout – specifies the timeout interval, after which all connections to a peer are deleted in case of inactivity.
- dpdaction – defines how to use the Dead Peer Detection (DPD) protocol to manage the connection when the peer stops responding.
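The parameters explained above, assembled into a complete connection block for /etc/ipsec.conf together with the matching PSK entry for /etc/ipsec.secrets. This is an added example, not the author's file: the strongSwanVM private IP (172.16.0.4), the public IP placeholders, the algorithm proposals and the lifetime and DPD values are assumptions chosen to match the Azure route-based gateway's default IKEv2 policy, and leftid is an extra parameter not in the list above, needed because the VM's private address sits behind Azure's NAT.

```ini
# /etc/ipsec.conf  (added example; values marked "assumed" do not come from the article)
config setup
    charondebug="ike 2, knl 2, cfg 2"   # moderate charon logging; lower to 1 once the tunnel is stable
    uniqueids=yes                        # a new IKE SA from the same peer ID replaces the old one

conn ss-to-azure
    type=tunnel
    auto=start                           # bring the tunnel up when strongSwan starts
    keyexchange=ikev2                    # Azure route-based gateways negotiate IKEv2
    authby=secret                        # pre-shared key, looked up in ipsec.secrets
    left=172.16.0.4                      # assumed private IP of strongSwanVM
    leftid=<strongSwanVM-public-IP>      # placeholder; must equal the IP set on the strongSwanGW local network gateway,
                                         # since strongSwan would otherwise send its private 172.16.0.4 as IKE identity
    leftsubnet=172.16.0.0/16             # strongSwanSite-vnet address space
    right=<AzureSiteGW-public-IP>        # placeholder; public IP shown on the AzureSiteGW overview blade
    rightsubnet=10.0.0.0/16              # AzureSite-Vnet address space
    ike=aes256-sha256-modp1024!          # assumed IKE proposal accepted by Azure's default policy; "!" forbids weaker fallbacks
    esp=aes256-sha256!                   # assumed ESP proposal; Azure's default has no PFS, so no DH group here
    aggressive=no                        # IKEv1-only setting; kept explicit so Main Mode is used if keyexchange is ever changed
    keyingtries=%forever                 # keep retrying, Azure gateways can be slow to respond after (re)deployment
    ikelifetime=28800s                   # assumed; 8 hours, the Azure default IKE SA lifetime
    lifetime=3600s                       # assumed; 1 hour child SA, rekeyed well inside Azure's 27000s default
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart                    # re-establish the tunnel when the gateway stops answering

# /etc/ipsec.secrets  (added example; PSK is the one configured on the Azure connection)
<strongSwanVM-public-IP> <AzureSiteGW-public-IP> : PSK "AzureA1b2C3"
```

After saving both files, run `sudo ipsec restart` and then `sudo ipsec statusall`; the ss-to-azure connection should report ESTABLISHED and the Azure connection blade should change to Connected.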