156
edits
Changes
Setting up a Site-to-Site IPsec Tunnel between Teltonika Networks and Microsoft Azure (view source)
Revision as of 01:06, 4 June 2024
, 4 June→Check Site to Site Communication
==Summary==
<p style="color:red">The information on this page is updated in accordance with the [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.1'''] firmware version .</p>
=Introduction=
==Prerequisite==
A site-to-site connection using an IPsec tunnel between Teltonika devices and an Azure Virtual Network Gateway is a secure method to link two separate networks over the internet. This setup ensures that data transmitted between the on-premises network, managed by Teltonika routers, and the Azure cloud environment is encrypted and secure.
If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''"
[[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]]
=Topology=
[[File:VNGW_TN_Topology.png|none|border|center|class=tlt-border|600px]]
=Prerequisite=
The user needs an Azure account with an active subscription.
The user needs an Azure account with an active subscription.
=Azure Platform=
==Create a VPN Gateway on the Azure Platform==
Log into the Azure portal, search for "Virtual Network Gateways" and click on '''Create'''.
Log into the Azure portal, search for "Virtual Network Gateways" and click on '''Create'''.
[[File:VNGW_01.png|600px|center]]
[[File:VNGW_01.png|none|border|left|class=tlt-border|600px]]
Use the information and images below as reference to complete the settings:
Use the information and images below as reference to complete the settings:
'''Projects details'''
'''Projects details'''
* '''Suscription:''' Your suscription.
* '''Suscription:''' Your suscription.
* '''Generation:''' Generation2 (mandatory).
* '''Generation:''' Generation2 (mandatory).
* '''Virtual Network:''' Select or create a new one.
* '''Virtual Network:''' Select or create a new one.
* '''Gateway Subnet Address Range:''' 10.1.1.0/24 (if using Virtual Network default configuration).
'''Public IP address'''
'''Public IP address'''
* '''Configure BGP:''' Disabled.
* '''Configure BGP:''' Disabled.
====Create a Virtual Network====
[[File:VNGW_02.png|none|border|left|class=tlt-border|600px]]
[[File:VNGW_03.png|none|border|left|class=tlt-border|600px]]
[[File:VNGW_04.png|none|border|left|class=tlt-border|600px]]
===Create a Virtual Network===
----
----
In case you do not have previously created a virtual network, click on the blue URL link to create one and use the default settings as shown in the image below:
In case you do not have previously created a virtual network, click on the blue URL link to create one and use the default settings as shown in the image below:
====Finish the VPN gateway configuration====
[[File:VNGW_05.png|none|border|left|class=tlt-border|600px]]
===Finish the VPN gateway configuration===
----
----
After finishing the previous configuration, you can continue with the tags. This section is not mandatory; therefore, we’ll leave it as default.
After finishing the previous configuration, you can continue with the tags. This section is not mandatory; therefore, we left it as default and clicked on '''Review + create''' to check that the network gateway has the parameters shown below, and then click on the '''Create''' button to finish the configuration.
[[File:VNGW_06.png|none|border|left|class=tlt-border|600px]]
[[File:VNGW_08.png|600px|center]]
==Create a local network Gateway==
In the search bar, look for "Local Network Gateways" and click on '''Create'''.
In the search bar, look for "Local Network Gateways" and click on '''Create'''.
[[File:VNGW_09.png|600px|center]]
[[File:VNGW_07.png|none|border|left|class=tlt-border|600px]]
Fill in the configuration fields accordingly and add the remote router address space (LAN network) and the FQDN if the router does not have a public IP address on its WAN interface.
'''Fill in the configuration fields accordingly and add the remote router address space (LAN network) and the FQDN if the router does not have a static public IP address on its WAN interface.
'''
'''Projects details'''
'''Projects details'''
* '''Name:''' toRegion.
* '''Name:''' toRegion.
* '''Endpoint:''' FQDN.
* '''Endpoint:''' FQDN.
* '''FQDN:''' the fully qualified domain name of the router's remote connection.
* '''FQDN:''' The fully qualified domain name of the router's remote connection.
* '''Address Space:''' The router's LAN network(s)
* '''Address Space:''' The router's LAN network(s)
* '''Configure BGP settings:''' No.
* '''Configure BGP settings:''' No.
[[File:VNGW_10.png|600px|center]]
[[File:VNGW_08.png|none|border|left|class=tlt-border|600px]]
[[File:VNGW_11.png|600px|center]]
[[File:VNGW_09.png|none|border|left|class=tlt-border|600px]]
Verify the configuration and click on '''Create''' to finish.
Verify the configuration and click on '''Create''' to finish.
===Create a connection===
[[File:VNGW_10.png|none|border|left|class=tlt-border|600px]]
==Create a connection==
Search for "Connections" and create a new one:
Search for "Connections" and create a new one:
[[File:VNGW_13.png|600px|center]]
[[File:VNGW_11.png|none|border|left|class=tlt-border|600px]]
Complete the connection settings using the information and images below as reference:
'''Complete the connection settings using the information and images below as reference:'''
'''Projects details'''
'''Projects details'''
* '''Suscription:''' Your suscription.
* '''Suscription:''' Your suscription.
* '''Virtual network gateway:''' Vnet1GW.
* '''Virtual network gateway:''' Vnet1GW.
* '''Local network gateway:''' toRegion.
* '''Local network gateway:''' toRegion.
* '''IKE Protocol:''' IKEv2.
* '''Shared Key(PSK):''' Your Pre-shared key (It must match the one in the router IPsec configuration).
* '''Use Azure Private IP Address:''' Unchecked.
* '''Use Azure Private IP Address:''' Unchecked.
* '''IPsec/IKE policy:''' Custom.
* '''IPsec/IKE policy:''' Custom.
* '''Ingress NAT Rules:''' 0 selected.
* '''Ingress NAT Rules:''' 0 selected.
* '''Egress NAT Rules:''' 0 selected.
* '''Egress NAT Rules:''' 0 selected.
[[File:VNGW_14.png|600px|center]]
[[File:VNGW_12.png|none|border|left|class=tlt-border|600px]]
[[File:VNGW_15.png|600px|center]]
[[File:VNGW_16.png|600px|center]]
[[File:VNGW_13.png|none|border|left|class=tlt-border|600px]]
[[File:VNGW_14.png|none|border|left|class=tlt-border|600px]]
'''Note:''' You can use different crypto proposals; however, you must ensure that they match on the router.
'''Note:''' You can use different crypto proposals; however, you must ensure that they match on the router.
===DDNS configuration===
Click on '''Review + Create''', then verify the configuration and click on '''Create''' to finish.
[[File:VNGW_15.png|none|border|left|class=tlt-border|600px]]
=Teltonika Device Configuration=
==DDNS configuration==
Log into the router via WebUI.
Log into the router via WebUI.
In case you don’t have a public IP address on the WAN interface, you can enable the Dynamic DNS service as explained here: [[DDNS Configuration Examples]]
In case you don’t have a static public IP address on the WAN interface, you can enable the Dynamic DNS service as explained here: [[DDNS Configuration Examples]]
'''Path:''' WebUI > Services > Dynamic DNS.
'''Path:''' WebUI > Services > Dynamic DNS.
[[File:TN_DDNS.png|600px|center]]
'''Note:''' On devices other than the RUTX series, you will need to download the DDNS service from the Package Manager.
[[File:TN_DDNS.png|none|border|left|class=tlt-border|600px]]
After finishing the configuration, you should get the public IP address of the created domain.
After finishing the configuration, you should get the public IP address of the created domain.
[[File:TN_DDNS02.png|none|border|left|class=tlt-border|600px]]
[[File:TN_IPsec05.png|600px|center]]
==IPsec configuration==
Locate the following path: '''WebUI > Services > IPsec''' ; and a new instance:
'''Instance details'''
'''Instance details'''
* '''Enable:''' On.
* '''Enable:''' On.
* '''Authentication method:''' Pre-shared key.
* '''Authentication method:''' Pre-shared key.
* '''Pre-shared key:''' Your pre-shared key.
* '''Pre-shared key:''' Your pre-shared key (must match the pre-shared key configured in the Azure platform's IPsec settings).
* '''Local Identifier:''' Empty.
* '''Local Identifier:''' Empty.
* '''Remote Identifier:''' Empty.
* '''Remote Identifier:''' Empty.
* '''Default route:''' off.
* '''Default route:''' off.
* '''Local Subnet:''' The router local network(s).
* '''Local Subnet:''' The router local network(s).
* '''Remote Subnet:'''The virtual network you want to reach in your Virtual environment hosted in Azure.
* '''Remote Subnet:''' The virtual network you want to access remotely hosted in your virtual environment in Azure.
* '''Key Exchange:'''IKEv2
* '''Key Exchange:''' IKEv2
'''Advanced Settings'''
'''Advanced Settings'''
* '''DPD action:''' Restart.
* '''DPD action:''' Restart.
* '''DPD delay:''' 45.
* '''DPD delay:''' 45.
* '''Leave all the other advanced settings as default.'''
* '''Leave all other advanced settings as default..'''
'''Proposal Settings'''
'''Proposal Settings'''
* '''Phase 2:''' Encryption: AES256 , Hash: SHA1 , PFS Group: No PFS.
* '''Phase 2:''' Encryption: AES256 , Hash: SHA1 , PFS Group: No PFS.
* '''Force crypto Proposal:''' off.
* '''Force crypto Proposal:''' off.
* '''lifetimes''' Empty.
* '''lifetimes:''' Empty.
[[File:TN_IPSEC01.png|none|border|left|class=tlt-border|600px]]
[[File:TN_IPsec02.png|none|border|left|class=tlt-border|600px]]
[[File:TN_IPsec03.png|none|border|left|class=tlt-border|600px]]
[[File:TN_IPsec04.png|none|border|left|class=tlt-border|600px]]
'''Note:''' in this example, we use DH Group equals to MODP1024 which is the same to Group 2 selected on the Azure platform.
[[File:TN_IPsec05.png|none|border|left|class=tlt-border|600px]]
=Check Site to Site Communication=
If you followed the configuration steps, you should see that the Site to Site connection has been successfully established.
[[File:TN_IPsec06.png|none|border|left|class=tlt-border|600px]]
You can also check in the Azure platform that the connection has been established:
You can also check in the Azure platform that the connection has been established:
[[File:TN_IPsec07.png|600px|center]]
[[File:TN_IPsec07.png|none|border|left|class=tlt-border|600px]]
Check connectivity between the router LAN and a VM inside the Azure virtual network you may have:
Check connectivity between the router LAN and a VM inside the Azure virtual network you may have:
[[File:TN_IPsec08.png|600px|center]]
[[File:TN_IPsec08.png|none|border|left|class=tlt-border|600px]]
Test connectivity from a host in the router’s LAN to the VM:
Test connectivity from a host in the router’s LAN to the VM:
[[File:TN_IPsec09.png|600px|center]]
[[File:TN_IPsec09.png|none|border|left|class=tlt-border|600px]]
Connect to the VM in Azure, test connectivity to the Router’s LAN interface.
Connect to the VM in Azure, test connectivity to the Router’s LAN interface.
==See Also==
[[File:TN_IPsec10.png|none|border|left|class=tlt-border|600px]]
=See Also=
* [[Dynamic DNS]] - general information on the DDNS service.
* [[Dynamic DNS]] - general information on the DDNS service.
* [[DDNS Configuration Examples]] - additional examples for different DDNS providers.
* [[DDNS Configuration Examples]] - additional examples for different DDNS providers.
=External links=
* https://www.noip.com
* https://www.noip.com
* https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
* https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal