Changes

Line 1: Line 1: −
==Summary==
+
<p style="color:red">The information on this page is updated in accordance with the [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.1'''] firmware version .</p>
   −
This article will guide you through configuring a '''Site-to-Site IPsec Tunnel''' between Teltonika routers/gateways and Microsodt Azure VPN gateway.
+
=Introduction=
   −
==Prerequisite==
+
A site-to-site connection using an IPsec tunnel between Teltonika devices and an Azure Virtual Network Gateway is a secure method to link two separate networks over the internet. This setup ensures that data transmitted between the on-premises network, managed by Teltonika routers, and the Azure cloud environment is encrypted and secure.
 +
 
 +
 
 +
If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''"
 +
[[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]]
 +
 
 +
=Topology=
 +
 
 +
[[File:VNGW_TN_Topology.png|none|border|center|class=tlt-border|600px]]
 +
 
 +
=Prerequisite=
    
The user needs an Azure account with an active subscription.
 
The user needs an Azure account with an active subscription.
   −
==Azure Platform==  
+
=Azure Platform=
 +
 
 +
==Create a VPN Gateway on the Azure Platform==
 +
 
 +
Log into the Azure portal, search for "Virtual Network Gateways" and click on '''Create'''.
 +
 
 +
[[File:VNGW_01.png|none|border|left|class=tlt-border|600px]]
   −
===Create a VPN Gateway on the Azure Platform===
  −
----
     −
Log into the Azure portal, search for "Virtual Network Gateways" and click on "Create".
  −
<br> </br>
  −
[[File:VNGW_01.png|450px|center]]
  −
<br> </br>
   
Use the information and images below as reference to complete the settings:
 
Use the information and images below as reference to complete the settings:
<br> </br>
+
 
 +
 
 
'''Projects details'''
 
'''Projects details'''
 
* '''Suscription:''' Your suscription.
 
* '''Suscription:''' Your suscription.
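Review bot: the external link in the red firmware note has no space between the URL and its label, so `[https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.1''']` will render the bold markers and the version as part of the URL instead of as link text; write it as `[https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads '''00.07.07.1''']`. The "Microsodt" typo disappears with the removed Summary line, but "Suscription" / "suscription" survives here as unchanged context and is copied again into the new Connection section; use "Subscription" in both places. Also "If You have trouble seeing any of the settings" should be "If you have trouble seeing any of the settings".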
Line 29: Line 40:  
* '''Generation:''' Generation2 (mandatory).
 
* '''Generation:''' Generation2 (mandatory).
 
* '''Virtual Network:''' Select or create a new one.
 
* '''Virtual Network:''' Select or create a new one.
 +
* '''Gateway Subnet Address Range:''' 10.1.1.0/24 (if using Virtual Network default configuration).
 
   
 
   
 
'''Public IP address'''
 
'''Public IP address'''
* '''Public IP address:''' Create new one.
+
* '''Public IP address:''' Create new.
 
* '''Public IP address name:''' Vnet1GWpip.
 
* '''Public IP address name:''' Vnet1GWpip.
 
* '''Assigment:''' Static.
 
* '''Assigment:''' Static.
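Review bot: the new "Gateway Subnet Address Range: 10.1.1.0/24 (if using Virtual Network default configuration)" item depends on a default that the text never states; name the virtual network address space that default gives, so a reader who created the VNet with different settings knows the gateway subnet has to be carved out of that space rather than copying 10.1.1.0/24 verbatim. "Assigment" (twice, unchanged context) should read "Assignment".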
Line 37: Line 49:  
* '''Configure BGP:''' Disabled.
 
* '''Configure BGP:''' Disabled.
   −
<br> </br>
  −
[[File:VNGW_02.png|600px|center]]
  −
<br> </br>
  −
[[File:VNGW_03.png|600px|center]]
  −
<br> </br>
  −
[[File:VNGW_04.png|600px|center]]
     −
====Create a Virtual Network====
+
[[File:VNGW_02.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
[[File:VNGW_03.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
[[File:VNGW_04.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
===Create a Virtual Network===
 
----
 
----
In case you do not have a previously created virtual network, click on the blue URL link to create one:
+
In case you do not have previously created a virtual network, click on the blue URL link to create one and use the default settings as shown in the image below:
<br> </br>
  −
[[File:VNGW_06.png|600px|center]]
     −
====Finish the VPN gateway configuration====
+
[[File:VNGW_05.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
===Finish the VPN gateway configuration===
 
----
 
----
After finishing the previous configuration, you can continue with the tags. This section is not mandatory; therefore, we’ll leave it as default.
+
After finishing the previous configuration, you can continue with the tags. This section is not mandatory; therefore, we left it as default and clicked on '''Review + create''' to check that the network gateway has the parameters shown below, and then click on the '''Create''' button to finish the configuration.
<br> </br>
  −
[[File:VNGW_07.png|600px|center]] 
     −
Click on "Review + create", check that the network gateway has the parameters as shown below, and click on the "Create" button to finish.
+
[[File:VNGW_06.png|none|border|left|class=tlt-border|600px]]
<br> </br>
  −
[[File:VNGW_08.png|600px|center]]
     −
===Create a local network Gateway===
+
==Create a local network Gateway==
----
+
 
In the search bar, look for "Local Network Gateways" and click on "Create".
+
In the search bar, look for "Local Network Gateways" and click on '''Create'''.
<br> </br>
+
 
[[File:VNGW_09.png|600px|center]]
+
[[File:VNGW_07.png|none|border|left|class=tlt-border|600px]]
<br> </br>
+
 
Fill in the configuration fields accordingly and add the remote router address space (LAN network) and the FQDN if the router does not have a public IP address on its WAN interface.
+
 
 +
'''Fill in the configuration fields accordingly and add the remote router address space (LAN network) and the FQDN if the router does not have a static public IP address on its WAN interface.
 +
'''
    
'''Projects details'''
 
'''Projects details'''
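Review bot: the bold markup added around "Fill in the configuration fields accordingly ... on its WAN interface." opens with ''' on one line and closes with ''' alone on the following line; MediaWiki bold does not span a line break, so both markers will render as literal apostrophes. Move the closing ''' to the end of the sentence. Two wording points in the same hunk: "In case you do not have previously created a virtual network" should be "In case you have not previously created a virtual network", and "we left it as default and clicked on Review + create ... and then click on the Create button" mixes past tense with the imperative used everywhere else; keep the imperative ("leave it as default, click Review + create, check the parameters shown below, then click Create").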
Line 76: Line 89:  
* '''Name:''' toRegion.
 
* '''Name:''' toRegion.
 
* '''Endpoint:''' FQDN.
 
* '''Endpoint:''' FQDN.
* '''FQDN:''' the fully qualified domain name of the router's remote connection.
+
* '''FQDN:''' The fully qualified domain name of the router's remote connection.
 
* '''Address Space:''' The router's LAN network(s)
 
* '''Address Space:''' The router's LAN network(s)
 
* '''Configure BGP settings:''' No.
 
* '''Configure BGP settings:''' No.
   −
<br> </br>
  −
[[File:VNGW_100.png|600px|center]]
  −
<br> </br>
  −
[[File:VNGW_110.png|600px|center]]
     −
Verify the configuration and click on "Create" to finish.
+
[[File:VNGW_08.png|none|border|left|class=tlt-border|600px]]
[[File:VNGW_12.png|600px|center]]
+
 
 +
 
 +
[[File:VNGW_09.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
Verify the configuration and click on '''Create''' to finish.
 +
 
 +
 
 +
[[File:VNGW_10.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
==Create a connection==
   −
===Create a connection===
  −
----
   
Search for "Connections" and create a new one:
 
Search for "Connections" and create a new one:
<br> </br>
  −
[[File:VNGW_13.png|600px|center]]
     −
==Teltonika device configuration==
+
[[File:VNGW_11.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
'''Complete the connection settings using the information and images below as reference:'''
 +
 
 +
 
 +
'''Projects details'''
 +
* '''Suscription:''' Your suscription.
 +
* '''Resource Group:''' Your resource group.
 +
 
 +
'''Instance details'''
 +
* '''Connection type:''' Site-to-Site (IPsec).
 +
* '''Name:''' SiteToSite.
 +
* '''Region:''' Your prefered Region (It must match the one selected above).
 +
 
 +
'''Virtual network Gateway'''
 +
* '''Virtual network gateway:''' Vnet1GW.
 +
* '''Local network gateway:''' toRegion.
 +
* '''Shared Key(PSK):''' Your Pre-shared key (It must match the one in the router IPsec configuration).
 +
* '''Use Azure Private IP Address:''' Unchecked.
 +
* '''IPsec/IKE policy:''' Custom.
 +
* '''IKE Phase 1:''' Encryption: AES256 , Integrity/PRF: SHA1 , DH Group: DHGroup2.
 +
* '''IKE Phase 2:''' Encryption: AES256 , IPsec Integrity: SHA1 , PFS Group: None.
 +
* '''IPsec SA lifetime in KiloBytes:''' 0.
 +
* '''IPsec SA lifetime in seconds:''' 10800.
 +
* '''Use policy based traffic selector:''' Disable.
 +
* '''DPD timeout in seconds:''' 45.
 +
* '''Connection mode''' Default or ResponderOnly.
 +
 
 +
'''NAT Rules Associations'''
 +
* '''Ingress NAT Rules:''' 0 selected.
 +
* '''Egress NAT Rules:''' 0 selected.
 +
 
 +
 
 +
[[File:VNGW_12.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
[[File:VNGW_13.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
[[File:VNGW_14.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
'''Note:''' You can use different crypto proposals; however, you must ensure that they match on the router.
 +
 
 +
 
 +
Click on '''Review + Create''', then verify the configuration and click on '''Create''' to finish.
 +
 
 +
[[File:VNGW_15.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
=Teltonika Device Configuration=
 +
 
 +
==DDNS configuration==
 +
 
 +
Log into the router via WebUI.
 +
 
 +
 
 +
In case you don’t have a static public IP address on the WAN interface, you can enable the Dynamic DNS service as explained here: [[DDNS Configuration Examples]]
 +
 
 +
 
 +
'''Path:''' WebUI >  Services > Dynamic DNS.
 +
 
 +
 
 +
'''Note:''' On devices other than the RUTX series, you will need to download the DDNS service from the Package Manager.
 +
 
 +
 
 +
[[File:TN_DDNS.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
After finishing the configuration, you should get the public IP address of the created domain.
 +
 
 +
 
 +
[[File:TN_DDNS02.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
==IPsec configuration==
 +
 
 +
 
 +
Locate the following path: '''WebUI > Services > IPsec''' ; and a new instance:
 +
 
 +
 
 +
'''Instance details'''
 +
* '''Enable:''' On.
 +
* '''Authentication method:''' Pre-shared key.
 +
* '''Pre-shared key:''' Your pre-shared key (must match the pre-shared key configured in the Azure platform's IPsec settings).
 +
* '''Local Identifier:''' Empty.
 +
* '''Remote Identifier:''' Empty.
 +
 
 +
'''General Settings'''
 +
* '''Mode:''' Start.
 +
* '''Type:''' Tunnel.
 +
* '''Default route:''' off.
 +
* '''Local Subnet:''' The router local network(s).
 +
* '''Remote Subnet:''' The virtual network you want to access remotely hosted in your virtual environment in Azure.
 +
* '''Key Exchange:''' IKEv2
 +
 
 +
'''Advanced Settings'''
 +
* '''Dead peer detection:''' On.
 +
* '''DPD action:''' Restart.
 +
* '''DPD delay:''' 45.
 +
* '''Leave all other advanced settings as default..'''
 +
 
 +
'''Proposal Settings'''
 +
* '''Phase 1:''' Encryption: AES256 , Authentication: SHA1 , DH Group: MODP1024.
 +
* '''Phase 2:''' Encryption: AES256 , Hash: SHA1 , PFS Group: No PFS.
 +
* '''Force crypto Proposal:''' off.
 +
* '''lifetimes:''' Empty.
 +
 
 +
 
 +
[[File:TN_IPSEC01.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
[[File:TN_IPsec02.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
[[File:TN_IPsec03.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
[[File:TN_IPsec04.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
'''Note:''' in this example, we use DH Group equals to MODP1024 which is the same to Group 2 selected on the Azure platform.
 +
 
 +
 
 +
[[File:TN_IPsec05.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
=Check Site to Site Communication=
 +
If you followed the configuration steps, you should see that the Site to Site connection has been successfully established.
 +
 
 +
[[File:TN_IPsec06.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
You can also check in the Azure platform that the connection has been established:
 +
 
 +
 
 +
[[File:TN_IPsec07.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
Check connectivity between the router LAN and a VM inside the Azure virtual network you may have:
 +
 
 +
 
 +
[[File:TN_IPsec08.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
Test connectivity from a host in the router’s LAN to the VM:
 +
 
 +
 
 +
[[File:TN_IPsec09.png|none|border|left|class=tlt-border|600px]]
 +
 
 +
 
 +
Connect to the VM in Azure, test connectivity to the Router’s LAN interface.
   −
===DDNS configuration===
+
[[File:TN_IPsec10.png|none|border|left|class=tlt-border|600px]]
   −
===IPsec configuration===
+
=See Also=
 +
* [[Dynamic DNS]] - general information on the DDNS service.
 +
* [[DDNS Configuration Examples]] - additional examples for different DDNS providers.
   −
==Check Site to Site Comminication==
+
=External links=
 +
* https://www.noip.com
 +
* https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
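Review bot: the worked proposal settings (Azure IKE Phase 1 Integrity/PRF SHA1 with DHGroup2, Phase 2 SHA1 with PFS None, mirrored on the router as SHA1 / MODP1024 / No PFS) are the weakest options the page shows, and the only guidance on choosing others is the Note that "different crypto proposals" may be used if they match on the router. Since the Azure side is already set to a Custom IPsec/IKE policy, either have the example use a stronger matching pair (a SHA2 integrity algorithm, a larger DH group and a PFS group, set identically on both sides) or extend that Note to say that SHA1, 1024-bit DH and no PFS are shown for illustration only and that a deployment should choose stronger values. Smaller points in the added text: "Connection mode" lacks the colon the other items carry; "prefered" should be "preferred" and "Suscription" "Subscription"; "Locate the following path: WebUI > Services > IPsec ; and a new instance:" is missing its verb ("and add a new instance"); "Leave all other advanced settings as default.." has a double period; and "DH Group equals to MODP1024 which is the same to Group 2" should read "DH Group set to MODP1024, which is the same as Group 2".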
