Line 1: |
Line 1: |
− | ==Summary== | + | <p style="color:red">The information on this page is updated in accordance with the [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.1'''] firmware version .</p> |
| | | |
− | This article will guide you through configuring a '''Site-to-Site IPsec Tunnel''' between Teltonika routers/gateways and Microsodt Azure VPN gateway.
| + | =Introduction= |
| | | |
− | ==Prerequisite== | + | A site-to-site connection using an IPsec tunnel between Teltonika devices and an Azure Virtual Network Gateway is a secure method to link two separate networks over the internet. This setup ensures that data transmitted between the on-premises network, managed by Teltonika routers, and the Azure cloud environment is encrypted and secure. |
| + | |
| + | |
| + | If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''" |
| + | [[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]] |
| + | |
| + | =Topology= |
| + | |
| + | [[File:VNGW_TN_Topology.png|none|border|center|class=tlt-border|600px]] |
| + | |
| + | =Prerequisite= |
| | | |
| The user needs an Azure account with an active subscription. | | The user needs an Azure account with an active subscription. |
| | | |
− | ==Azure Platform== | + | =Azure Platform= |
| + | |
| + | ==Create a VPN Gateway on the Azure Platform== |
| + | |
| + | Log into the Azure portal, search for "Virtual Network Gateways" and click on '''Create'''. |
| + | |
| + | [[File:VNGW_01.png|none|border|left|class=tlt-border|600px]] |
| | | |
− | ===Create a VPN Gateway on the Azure Platform===
| |
− | ----
| |
| | | |
− | Log into the Azure portal, search for "Virtual Network Gateways" and click on "Create".
| |
− | <br> </br>
| |
− | [[File:VNGW_01.png|450px|center]]
| |
− | <br> </br>
| |
| Use the information and images below as reference to complete the settings: | | Use the information and images below as reference to complete the settings: |
− | <br> </br>
| + | |
| + | |
| '''Projects details''' | | '''Projects details''' |
| * '''Suscription:''' Your suscription. | | * '''Suscription:''' Your suscription. |
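Review bot: the new firmware notice on the first replaced line has a stray space before the full stop ("firmware version .") and no space between the URL and its bold label inside the external-link brackets, so the label text may be swallowed into the link target; suggest `[https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads '''00.07.07.1''']` followed by "firmware version." While this region is being rewritten, also lower-case "If You have trouble seeing" and fix the misspelt "Suscription" on the unchanged context line (it recurs later in the Connection settings list).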
Line 29: |
Line 40: |
| * '''Generation:''' Generation2 (mandatory). | | * '''Generation:''' Generation2 (mandatory). |
| * '''Virtual Network:''' Select or create a new one. | | * '''Virtual Network:''' Select or create a new one. |
| + | * '''Gateway Subnet Address Range:''' 10.1.1.0/24 (if using Virtual Network default configuration). |
| | | |
| '''Public IP address''' | | '''Public IP address''' |
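Review bot: the added "Gateway Subnet Address Range: 10.1.1.0/24 (if using Virtual Network default configuration)" leaves unstated what the default virtual network address space is, so the reader cannot verify that the gateway subnet sits inside it; suggest naming the assumed VNet range here and adding that neither the VNet nor the gateway subnet may overlap the router LAN that is later entered as the Local Network Gateway "Address Space", since overlapping ranges break routing through the tunnel.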
Line 37: |
Line 49: |
| * '''Configure BGP:''' Disabled. | | * '''Configure BGP:''' Disabled. |
| | | |
− | <br> </br>
| |
− | [[File:VNGW_02.png|600px|center]]
| |
− | <br> </br>
| |
− | [[File:VNGW_03.png|600px|center]]
| |
− | <br> </br>
| |
− | [[File:VNGW_04.png|600px|center]]
| |
| | | |
− | ====Create a Virtual Network==== | + | [[File:VNGW_02.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | [[File:VNGW_03.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | [[File:VNGW_04.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | ===Create a Virtual Network=== |
| ---- | | ---- |
− | In case you do not have a previously created virtual network, click on the blue URL link to create one: | + | In case you do not have previously created a virtual network, click on the blue URL link to create one and use the default settings as shown in the image below: |
− | <br> </br>
| + | |
− | [[File:VNGW_06.png|600px|center]] | + | [[File:VNGW_05.png|none|border|left|class=tlt-border|600px]] |
| | | |
− | ====Finish the VPN gateway configuration====
| + | ===Finish the VPN gateway configuration=== |
| ---- | | ---- |
− | After finishing the previous configuration, you can continue with the tags. This section is not mandatory; therefore, we’ll leave it as default. | + | After finishing the previous configuration, you can continue with the tags. This section is not mandatory; therefore, we left it as default and clicked on '''Review + create''' to check that the network gateway has the parameters shown below, and then click on the '''Create''' button to finish the configuration. |
− | <br> </br>
| + | |
− | [[File:VNGW_07.png|600px|center]] | + | [[File:VNGW_06.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | ==Create a local network Gateway== |
| + | |
| + | In the search bar, look for "Local Network Gateways" and click on '''Create'''. |
| + | |
| + | [[File:VNGW_07.png|none|border|left|class=tlt-border|600px]] |
| | | |
− | Click on "Review + create", check that the network gateway has the parameters as shown below, and click on the "Create" button to finish.
| |
− | <br> </br>
| |
− | [[File:VNGW_08.png|600px|center]]
| |
| | | |
− | ===Create a local network Gateway===
| + | '''Fill in the configuration fields accordingly and add the remote router address space (LAN network) and the FQDN if the router does not have a static public IP address on its WAN interface. |
− | ----
| + | ''' |
− | In the search bar, look for "Local Network Gateways" and click on "Create".
| |
− | <br> </br>
| |
− | [[File:VNGW_09.png|600px|center]]
| |
− | <br> </br>
| |
− | Fill in the configuration fields accordingly and add the remote router address space (LAN network) and the FQDN if the router does not have a public IP address on its WAN interface. | |
| | | |
| '''Projects details''' | | '''Projects details''' |
Line 76: |
Line 89: |
| * '''Name:''' toRegion. | | * '''Name:''' toRegion. |
| * '''Endpoint:''' FQDN. | | * '''Endpoint:''' FQDN. |
− | * '''FQDN:''' the fully qualified domain name of the router's remote connection. | + | * '''FQDN:''' The fully qualified domain name of the router's remote connection. |
| * '''Address Space:''' The router's LAN network(s) | | * '''Address Space:''' The router's LAN network(s) |
| * '''Configure BGP settings:''' No. | | * '''Configure BGP settings:''' No. |
− | <br> </br>
| |
− | [[File:VNGW_10.png|600px|center]]
| |
− | <br> </br>
| |
− | [[File:VNGW_11.png|600px|center]]
| |
| | | |
− | Verify the configuration and click on "Create" to finish.
| |
− | <br> </br>
| |
− | [[File:VNGW_12.png|600px|center]]
| |
| | | |
− | ===Create a connection=== | + | [[File:VNGW_08.png|none|border|left|class=tlt-border|600px]] |
− | ----
| + | |
| + | |
| + | [[File:VNGW_09.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | Verify the configuration and click on '''Create''' to finish. |
| + | |
| + | |
| + | [[File:VNGW_10.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | ==Create a connection== |
| + | |
| Search for "Connections" and create a new one: | | Search for "Connections" and create a new one: |
− | <br> </br>
| + | |
− | [[File:VNGW_13.png|600px|center]] | + | [[File:VNGW_11.png|none|border|left|class=tlt-border|600px]] |
− | <br> </br>
| + | |
− | Complete the connection settings using the information and images below as reference: | + | '''Complete the connection settings using the information and images below as reference:''' |
− | <br> </br>
| + | |
| + | |
| '''Projects details''' | | '''Projects details''' |
| * '''Suscription:''' Your suscription. | | * '''Suscription:''' Your suscription. |
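Review bot: the bold markup around "Fill in the configuration fields accordingly ... on its WAN interface." is opened on one line and closed with a lone `'''` on the next line; MediaWiki bold does not span line breaks, so this will render as literal apostrophes. Put the closing `'''` at the end of the sentence on the same line. The sentence itself is an improvement over the old wording ("static public IP address" rather than "public IP address"), and it would help to add a cross-reference here to the DDNS configuration section, because the "Endpoint: FQDN" choice in the list below only works once that hostname is kept up to date.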
Line 108: |
Line 125: |
| * '''Virtual network gateway:''' Vnet1GW. | | * '''Virtual network gateway:''' Vnet1GW. |
| * '''Local network gateway:''' toRegion. | | * '''Local network gateway:''' toRegion. |
− | * '''IKE Protocol:''' IKEv2. | + | * '''Shared Key(PSK):''' Your Pre-shared key (It must match the one in the router IPsec configuration). |
| * '''Use Azure Private IP Address:''' Unchecked. | | * '''Use Azure Private IP Address:''' Unchecked. |
| * '''IPsec/IKE policy:''' Custom. | | * '''IPsec/IKE policy:''' Custom. |
− | * '''IKE Phase 1:''' Encryption: AES256 ; Integrity/PRF: SHA1 ; DH Group: DHGroup2 | + | * '''IKE Phase 1:''' Encryption: AES256 , Integrity/PRF: SHA1 , DH Group: DHGroup2. |
− | * '''IKE Phase 2:''' Encryption: AES256 ; IPsec Integrity: SHA1 ; PFS Group: None | + | * '''IKE Phase 2:''' Encryption: AES256 , IPsec Integrity: SHA1 , PFS Group: None. |
| * '''IPsec SA lifetime in KiloBytes:''' 0. | | * '''IPsec SA lifetime in KiloBytes:''' 0. |
| * '''IPsec SA lifetime in seconds:''' 10800. | | * '''IPsec SA lifetime in seconds:''' 10800. |
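Review bot: this hunk replaces the "IKE Protocol: IKEv2" entry with the "Shared Key(PSK)" entry, so the Azure connection list no longer says which IKE version to select, while the router side later specifies "Key Exchange: IKEv2"; keep both entries (the PSK line is a necessary addition, but the IKE version must still match the router). On the proposal lines, the retained choices of SHA1 for integrity/PRF, DHGroup2 (1024-bit MODP, as the router-side note later confirms) and PFS Group "None" are legacy settings; since the page already states that other proposals can be used as long as both ends match, suggest recommending stronger values (for example SHA256, a 2048-bit group and PFS enabled) and noting that the shared key should be long and random because, with an FQDN-identified peer, the PSK is what authenticates the tunnel. Minor: "Shared Key(PSK)" needs a space before the parenthesis.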
Line 122: |
Line 139: |
| * '''Ingress NAT Rules:''' 0 selected. | | * '''Ingress NAT Rules:''' 0 selected. |
| * '''Egress NAT Rules:''' 0 selected. | | * '''Egress NAT Rules:''' 0 selected. |
− | <br> </br>
| + | |
− | [[File:VNGW_14.png|600px|center]] | + | |
− | <br> </br>
| + | [[File:VNGW_12.png|none|border|left|class=tlt-border|600px]] |
− | [[File:VNGW_15.png|600px|center]] | + | |
− | <br> </br>
| + | |
− | [[File:VNGW_16.png|600px|center]] | + | [[File:VNGW_13.png|none|border|left|class=tlt-border|600px]] |
− | <br> </br>
| + | |
| + | |
| + | [[File:VNGW_14.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| '''Note:''' You can use different crypto proposals; however, you must ensure that they match on the router. | | '''Note:''' You can use different crypto proposals; however, you must ensure that they match on the router. |
− | <br> </br>
| |
− | [[File:VNGW_17.png|600px|center]]
| |
| | | |
− | '''Note:''' the tag field can be leaved empty.
| |
− | <br> </br>
| |
− | Check that the parameters match and click on "Create"
| |
− | <br> </br>
| |
− | [[File:VNGW_18.png|600px|center]]
| |
− | ==Teltonika device configuration==
| |
| | | |
− | ===DDNS configuration=== | + | Click on '''Review + Create''', then verify the configuration and click on '''Create''' to finish. |
| + | |
| + | [[File:VNGW_15.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | =Teltonika Device Configuration= |
| + | |
| + | ==DDNS configuration== |
| + | |
| + | Log into the router via WebUI. |
| + | |
| + | |
| + | In case you don’t have a static public IP address on the WAN interface, you can enable the Dynamic DNS service as explained here: [[DDNS Configuration Examples]] |
| + | |
| + | |
| + | '''Path:''' WebUI > Services > Dynamic DNS. |
| + | |
| + | |
| + | '''Note:''' On devices other than the RUTX series, you will need to download the DDNS service from the Package Manager. |
| + | |
| + | |
| + | [[File:TN_DDNS.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | After finishing the configuration, you should get the public IP address of the created domain. |
| + | |
| + | |
| + | [[File:TN_DDNS02.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | ==IPsec configuration== |
| + | |
| + | |
| + | Locate the following path: '''WebUI > Services > IPsec''' ; and a new instance: |
| + | |
| + | |
| + | '''Instance details''' |
| + | * '''Enable:''' On. |
| + | * '''Authentication method:''' Pre-shared key. |
| + | * '''Pre-shared key:''' Your pre-shared key (must match the pre-shared key configured in the Azure platform's IPsec settings). |
| + | * '''Local Identifier:''' Empty. |
| + | * '''Remote Identifier:''' Empty. |
| + | |
| + | '''General Settings''' |
| + | * '''Mode:''' Start. |
| + | * '''Type:''' Tunnel. |
| + | * '''Default route:''' off. |
| + | * '''Local Subnet:''' The router local network(s). |
| + | * '''Remote Subnet:''' The virtual network you want to access remotely hosted in your virtual environment in Azure. |
| + | * '''Key Exchange:''' IKEv2 |
| + | |
| + | '''Advanced Settings''' |
| + | * '''Dead peer detection:''' On. |
| + | * '''DPD action:''' Restart. |
| + | * '''DPD delay:''' 45. |
| + | * '''Leave all other advanced settings as default..''' |
| + | |
| + | '''Proposal Settings''' |
| + | * '''Phase 1:''' Encryption: AES256 , Authentication: SHA1 , DH Group: MODP1024. |
| + | * '''Phase 2:''' Encryption: AES256 , Hash: SHA1 , PFS Group: No PFS. |
| + | * '''Force crypto Proposal:''' off. |
| + | * '''lifetimes:''' Empty. |
| + | |
| + | |
| + | [[File:TN_IPSEC01.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | [[File:TN_IPsec02.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | [[File:TN_IPsec03.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | [[File:TN_IPsec04.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | '''Note:''' in this example, we use DH Group equals to MODP1024 which is the same to Group 2 selected on the Azure platform. |
| + | |
| + | |
| + | [[File:TN_IPsec05.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | =Check Site to Site Communication= |
| + | If you followed the configuration steps, you should see that the Site to Site connection has been successfully established. |
| + | |
| + | [[File:TN_IPsec06.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | You can also check in the Azure platform that the connection has been established: |
| + | |
| + | |
| + | [[File:TN_IPsec07.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | Check connectivity between the router LAN and a VM inside the Azure virtual network you may have: |
| + | |
| + | |
| + | [[File:TN_IPsec08.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | Test connectivity from a host in the router’s LAN to the VM: |
| + | |
| + | |
| + | [[File:TN_IPsec09.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | Connect to the VM in Azure, test connectivity to the Router’s LAN interface. |
| + | |
| + | [[File:TN_IPsec10.png|none|border|left|class=tlt-border|600px]] |
| | | |
− | ===IPsec configuration=== | + | =See Also= |
| + | * [[Dynamic DNS]] - general information on the DDNS service. |
| + | * [[DDNS Configuration Examples]] - additional examples for different DDNS providers. |
| | | |
− | ==Check Site to Site Communication== | + | =External links= |
| + | * https://www.noip.com |
| + | * https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal |
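Review bot: the Azure side sets "IPsec SA lifetime in seconds: 10800" while the router's "lifetimes" field is left empty, which contradicts the page's own note that settings must match; add a sentence stating that IKEv2 lifetimes are not negotiated (each peer rekeys on its own timer), so the values need not be identical, or else give matching values on both sides. Wording fixes in the same hunk: "Locate the following path: WebUI > Services > IPsec ; and a new instance:" should read "... > IPsec and add a new instance:"; "Leave all other advanced settings as default.." has a doubled full stop; "lifetimes" should be capitalised like the other field names; "we use DH Group equals to MODP1024 which is the same to Group 2" should read "we use DH Group MODP1024, which is the same as DHGroup2 selected on the Azure platform". In the verification section, "a VM inside the Azure virtual network you may have" reads awkwardly; suggest "a VM in the Azure virtual network, if you have one".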