Changes

no edit summary
Line 12: Line 12:  
----
 
----
   −
Log into the Azure portal, search for "Virtual Network Gateways" and click on "Create".
+
Log into the Azure portal, search for "Virtual Network Gateways" and click on '''Create'''.
 
<br> </br>
 
<br> </br>
 
[[File:VNGW_01.png|600px|center]]
 
[[File:VNGW_01.png|600px|center]]
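Review bot: UI labels end up styled two ways in the changed sentence: '''Create''' is now bold while "Virtual Network Gateways" keeps its straight quotes. Either bold the search term too, or state the convention once near the top of the page (bold for buttons, quotes for text typed into search) so the later hunks follow it consistently. The unchanged <br> </br> context lines use a closing tag that HTML does not define for br; <br /> is the clean form if this revision is already a formatting pass.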
Line 56: Line 56:  
[[File:VNGW_07.png|600px|center]]   
 
[[File:VNGW_07.png|600px|center]]   
   −
Click on "Review + create", check that the network gateway has the parameters as shown below, and click on the "Create" button to finish.
+
Click on '''Review + create''', check that the network gateway has the parameters as shown below, and click on the '''Create''' button to finish.
 
<br> </br>
 
<br> </br>
 
[[File:VNGW_08.png|600px|center]]
 
[[File:VNGW_08.png|600px|center]]
Line 62: Line 62:  
===Create a local network Gateway===
 
===Create a local network Gateway===
 
----
 
----
In the search bar, look for "Local Network Gateways" and click on "Create".
+
In the search bar, look for "Local Network Gateways" and click on '''Create'''.
 
<br> </br>
 
<br> </br>
 
[[File:VNGW_09.png|600px|center]]
 
[[File:VNGW_09.png|600px|center]]
Line 84: Line 84:  
[[File:VNGW_11.png|600px|center]]
 
[[File:VNGW_11.png|600px|center]]
   −
Verify the configuration and click on "Create" to finish.
+
Verify the configuration and click on '''Create''' to finish.
 
<br> </br>
 
<br> </br>
 
[[File:VNGW_12.png|600px|center]]
 
[[File:VNGW_12.png|600px|center]]
Line 111: Line 111:  
* '''Use Azure Private IP Address:''' Unchecked.
 
* '''Use Azure Private IP Address:''' Unchecked.
 
* '''IPsec/IKE policy:''' Custom.
 
* '''IPsec/IKE policy:''' Custom.
* '''IKE Phase 1:''' Encryption: AES256 ; Integrity/PRF: SHA1 ; DH Group: DHGroup2
+
* '''IKE Phase 1:''' Encryption: AES256 , Integrity/PRF: SHA1 , DH Group: DHGroup2.
* '''IKE Phase 2:''' Encryption: AES256 ; IPsec Integrity: SHA1 ; PFS Group: None
+
* '''IKE Phase 2:''' Encryption: AES256 , IPsec Integrity: SHA1 , PFS Group: None.
 
* '''IPsec SA lifetime in KiloBytes:''' 0.
 
* '''IPsec SA lifetime in KiloBytes:''' 0.
 
* '''IPsec SA lifetime in seconds:''' 10800.
 
* '''IPsec SA lifetime in seconds:''' 10800.
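Review bot: The IKE Phase 1 and IKE Phase 2 lines are only repunctuated here, but they are the security-relevant part of this list and deserve a comment: SHA1 integrity, DHGroup2 (a 1024-bit MODP group) and "PFS Group: None" are legacy choices, and the page gives no reason for selecting them under a Custom policy. Suggest either raising them on both ends (for example SHA256, DHGroup14 or higher, and a PFS group) or adding a '''Note:''' that these values were picked for compatibility and should be strengthened where the router and the gateway both support it. Separately, the new separator leaves a space before each comma ("AES256 , Integrity/PRF: SHA1 , DH Group"); "AES256, Integrity/PRF: SHA1, DH Group: DHGroup2." reads cleaner.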
Line 135: Line 135:  
'''Note:''' the tag field can be leaved empty.
 
'''Note:''' the tag field can be leaved empty.
 
<br> </br>
 
<br> </br>
Check that the parameters match and click on "Create"
+
Check that the parameters match and click on '''Create'''.
 
<br> </br>
 
<br> </br>
 
[[File:VNGW_18.png|600px|center]]
 
[[File:VNGW_18.png|600px|center]]
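Review bot: The context line "'''Note:''' the tag field can be leaved empty." directly above the edited sentence still carries a grammar error. Since this hunk is a copy-edit of the neighbouring sentence, change "leaved" to "left" in the same revision.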
Line 144: Line 144:  
Log into the router via WebUI.
 
Log into the router via WebUI.
 
<br> </br>
 
<br> </br>
In case you don’t have a public IP address on the WAN interface, you can enable the Dynamic DNS service as explained here [[DDNS Configuration Examples]]
+
In case you don’t have a public IP address on the WAN interface, you can enable the Dynamic DNS service as explained here: [[DDNS Configuration Examples]]
 
<br> </br>
 
<br> </br>
 
'''Path:''' WebUI >  Services > Dynamic DNS.
 
'''Path:''' WebUI >  Services > Dynamic DNS.
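Review bot: The edited sentence still reads "In case you don’t have a public IP address on the WAN interface", which overstates what Dynamic DNS does: it keeps a hostname pointed at an address that changes, and does not make a WAN interface with no public address reachable from the Azure gateway. Suggest "a static public IP address" so readers behind carrier NAT do not expect the tunnel to come up. The sentence also still lacks a closing period after the [[DDNS Configuration Examples]] link.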
Line 156: Line 156:  
===IPsec configuration===
 
===IPsec configuration===
 
----
 
----
 +
Locate the following path: WebUI > Services > IPsec ; and a new instance:
 +
<br> </br>
 +
[[File:TN_IPSEC01.png|600px|center]]
 +
<br> </br>
 +
[[File:TN_IPsec02.png|600px|center]]
 +
<br> </br>
 +
[[File:TN_IPsec03.png|600px|center]]
 +
<br> </br>
 +
[[File:TN_IPsec04.png|600px|center]]
 +
 +
'''Note:''' in this example, we use DH Group equals to MODP1024 which is the same to Group 2 as selected on the platform.
 +
<br> </br>
 +
[[File:TN_IPsec05.png|600px|center]]
    
==Check Site to Site Communication==
 
==Check Site to Site Communication==
 +
If you followed the configuration steps, you should see that the Site to Site connection has been successfully established.
 +
<br> </br>
 +
 +
'''Instance details'''
 +
* '''Enable:''' On.
 +
* '''Authentication method:''' Pre-shared key.
 +
* '''Pre-shared key:''' Your pre-shared key.
 +
* '''Local Identifier:''' Empty.
 +
* '''Remote Identifier:''' Empty.
 +
 +
'''General Settings'''
 +
* '''Mode:''' Start.
 +
* '''Type:''' Tunnel.
 +
* '''Default route:''' off.
 +
* '''Local Subnet:''' The router local network(s).
 +
* '''Remote Subnet:'''The virtual network you want to reach in your Virtual environment hosted in Azure.
 +
* '''Key Exchange:'''IKEv2
 +
 +
'''Advanced Settings'''
 +
* '''Dead peer detection:''' On.
 +
* '''DPD action:''' Restart.
 +
* '''DPD delay:''' 45.
 +
* '''Leave all the other advanced settings as default.'''
 +
 +
'''Proposal Settings'''
 +
* '''Phase 1:''' Encryption: AES256 , Authentication: SHA1 , DH Group: MODP1024.
 +
* '''Phase 2:''' Encryption: AES256 , Hash: SHA1 , PFS Group: No PFS.
 +
* '''Force crypto Proposal:''' off.
 +
* '''lifetimes''' Empty.
 +
 +
<br> </br>
 +
[[File:TN_IPsec06.png|600px|center]]
 +
<br> </br>
 +
You can also check in the Azure platform that the connection has been established:
 +
<br> </br>
 +
[[File:TN_IPsec07.png|600px|center]]
 +
<br> </br>
 +
Check connectivity between the router LAN and a VM inside the Azure virtual network you may have:
 +
<br> </br>
 +
[[File:TN_IPsec08.png|600px|center]]
 +
<br> </br>
 +
Test connectivity from a host in the router’s LAN to the VM:
 +
<br> </br>
 +
[[File:TN_IPsec09.png|600px|center]]
 +
<br> </br>
 +
Connect to the VM in Azure, test connectivity to the Router’s LAN interface.
 +
<br> </br>
 +
[[File:TN_IPsec10.png|600px|center]]
 +
 +
==See Also==
 +
* [[Dynamic DNS]] - general information on the DDNS service.
 +
* [[DDNS Configuration Examples]] - additional examples for different DDNS providers.
 +
 +
==External links==
 +
* https://www.noip.com
 +
* https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
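Review bot: The settings lists ('''Instance details''' through '''Proposal Settings''') are added after the ==Check Site to Site Communication== heading and after the sentence saying the connection "has been successfully established", so the values a reader must enter appear in the verification section, away from the TN_IPSEC01 to TN_IPsec05 screenshots under ===IPsec configuration===. Move the four lists up, next to the screenshots they describe, and start the verification section with the "If you followed the configuration steps" sentence and TN_IPsec06. Smaller points in the same hunk: "Locate the following path: WebUI > Services > IPsec ; and a new instance:" is missing its verb; "'''Remote Subnet:'''The" and "'''Key Exchange:'''IKEv2" need a space after the bold label and "'''lifetimes''' Empty." needs a colon; the first image is referenced as TN_IPSEC01.png while the rest use TN_IPsec, which is worth checking against the uploaded file names. On the security side, "'''lifetimes''' Empty." leaves the router on its defaults while the Azure connection sets an explicit IPsec SA lifetime of 10800 seconds, so state the expected value or say that the defaults are compatible, and give "'''Pre-shared key:''' Your pre-shared key." a short hint that the key should be long and random and must match the one entered on the Azure connection.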
