How to download VPN Device Configurations from Azure

Hi everyone,

as you may know, configuring IPsec VPNs between Azure and the various firewall / VPN device vendors can become very tricky.

Some devices, like those from Palo Alto, Barracuda, Fortinet or Check Point, are able to negotiate the VPN configuration with an Azure Virtual Network Gateway automatically, but there are also others, like those from Cisco or Ubiquiti Networks, where you have to configure it by hand.

Microsoft published a very small but amazing new feature in the Azure Virtual Network Gateway service. It happened very silently sometime in the last few weeks.

Since that update you are able to download the VPN configuration for some of those vendors that need a manual configuration. You can easily replicate or upload the configuration onto your device and it will do the rest.

Let me show you how to do it.

Select the connection of your Local Network Gateway / ExpressRoute Circuit to your Virtual Network Gateway.

Afterwards, click on Download Configuration.

Now you select your vendor or the generic sample

Select the device

The firmware version

And at last download the configuration

The outcome will be a file with a configuration similar to this one.

! Microsoft Corporation
! ——————————————————————————————————————————————–
! Generic configuration templates
!
! IMPORTANT: This template is for Allied Telesis AR Series VPN Routers running on Firmware Version 5.4.7 or higher.
!
! This configuration template shows all the VPN configuration parameters associated with your S2S VPN connection.
! The script you need to copy onto your Allied Telesis AR Series VPN Router (5.4.7+) to setup a RouteBased IKEv2 VPN Tunnel to Azure with VTI Support (no BGP) is found below [#10]:
! ——————————————————————————————————————————————–

! [1] Resource names
! CONNECTION NAME : This field is the name of your connection resource
! VIRTUAL NETWORK GATEWAY : The name of your Azure VPN gateway resource for the connection
! LOCAL NETWORK GATEWAY : The name of your local network gateway resource for the connection
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_NAME = Demo-GW01-Demo-LW01
/Data/VNG_NAME = b3b85211-0dd1-4850-87c9-1029cc4579da
/Data/LNG_NAME = Demo-LW01
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [2] Public IP address of the Azure VPN gateway
! Active-Standby VPN gateway (single public IP address)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/VNG_GATEWAYIP = 51.144.114.218
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Active-Active VPN gateway (A/A mode if more than one public IP is listed below)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/VNG_GATEWAYIPS/IpAddress/IP =
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [3] Public IP address of the on-premises VPN device
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/LNG_GATEWAYIP =
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [4] VNet address prefixes: a list of all VNet address prefixes in different formats
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/VnetSubnets/Subnet/SP_NetworkIpRange = 192.168.155.0
SP_NetworkSubnetMask = 255.255.255.0
SP_NetworkWildcardBits = 0.0.0.255
SP_NetworkCIDR = 192.168.155.0/24
SP_TunnelName = SP_TunnelName
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [5] On-premises address prefixes: a list of all on-premises address prefixes defined in LNG
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/OnPremiseSubnets/Subnet/SP_NetworkIpRange = 172.20.100.0
SP_NetworkSubnetMask = 255.255.252.0
SP_NetworkWildcardBits = 0.0.3.255
SP_NetworkCIDR = 172.20.100.0/22
SP_TunnelName = SP_TunnelName
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [6] Phase 1/Main Mode:
! IKE encryption algorithm
! IKE hashing algorithm
! IKE Diffie-Hellman group
! IKE SA lifetime (seconds)
! IKE SA data size (Kilobytes)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/IKE_ENCRYPTION_1 = aes256
/Data/IKE_INTEGRITY_1 = sha1
/Data/IKE_DHGROUP_1 = 2
/Data/IKE_SALIFETIME_1 = 28800
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [7] Phase 2/Quick Mode:
! IPsec encryption algorithm
! IPsec hashing algorithm
! PFS Group (Perfect Forward Secrecy)
! IPsec SA (QMSA) lifetime (seconds)
! IPsec SA (QMSA) lifetime (kilobytes)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/IPsec_ENCRYPTION_1 = aes256
/Data/IPsec_INTEGRITY_1 = sha1
/Data/IPsec_PFSGROUP_1 = None
/Data/IPsec_SALIFETIME = 3600
/Data/IPsec_KB_SALIFETIME = 102400000
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [8] Connection pre-shared key
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_PSK = Abcd1234
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [9] BGP parameters – Azure VPN gateway
! Enable BGP
! BGP ASN for Azure VPN gateway
! BGP speaker IP address for the Azure VPN gateway
! BGP peer IP address(es)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_BGP_ENABLED = False
/Data/VNG_ASN = VNG_ASN
/Data/VNG_BGPIP = VNG_BGPIP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [10] BGP parameters – on-premises network / LNG
! BGP ASN for the on-premises network
! BGP speaker IP address for the on-premises network
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/LNG_ASN = LNG_ASN
/Data/LNG_BGPIP = LNG_BGPIP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! ########################################################################################################
! !!! Search for “REPLACE” to find the values that require special considerations
! ########################################################################################################
! ON-PREMISES ENVIRONMENT:
!
! – AR-Series WAN/Public Interface:
! INTERFACE: ETH1
! ZONE: VPN
! IP: VPN PUBLIC IP
! ISP Default GW: x.x.x.1
!
! – A.T ONPREMISES/LOCAL ENVIRONMENT:
! INTERFACE: VLAN1
! ZONE: PRIVATE
! On-Premises Addr Range: ON-PREMISES ADDRESS RANGE (ex. 192.168.1.0/24)
! A.T MGMT/LAN Interface: 192.168.1.254
!
! – AR-Series VPN BLADE:
! TUNNEL VTI IP: ex. 192.168.2.222/32
! TUNNEL INTERFACE: tunnel0
! ISAKMP PROFILE: AZURE-ISAKMP
! IPSEC PROFILE: AZURE-IPSEC
! ISAKMP PEER: AZURE GW PUBLIC IP
!
! AZURE VNET ENVIRONMENT:
!
! – AZURE VIRTUAL NETWORK:
! – ADDRESS RANGE: AZURE ADDRESS RANGE (ex. 10.10.0.0/16)
! – AZURE GATEWAY IP: AZURE GATEWAY PUBLIC IP

! ============================================================================================
! Example – Allied Telesis AR Series VPN Router (5.4.7+) in Active/Passive Azure GW Mode, with VTI Support (No BGP Router)
! ============================================================================================

! FOLLOW THESE STEPS TO CREATE YOUR IKEv2 TUNNEL TO AZURE:

! CREATE YOUR PRIVATE ZONE, CONTAINING YOUR ON-PREMISES/LAN NETWORK
! Note: REPLACE “vlan1” and “192.168.1.254” as needed. They are used here as examples for your LAN network and LAN Host/Management IP.

zone PRIVATE
network LAN
ip subnet 172.20.100.0/22 interface vlan1
host LAN_IP
ip address 192.168.1.254
!

! Note: REPLACE “eth1” as needed. It is used here as your WAN interface.
zone PUBLIC
network WAN
ip subnet 0.0.0.0/0 interface eth1
host WAN_IP
ip address
!

! Note: REPLACE “tunnel0” as needed. It is used here to denote your VTI tunnel interface.
zone VPN
network AZURE
ip subnet 192.168.155.0/24 interface tunnel0
!

application esp
protocol 50
!
application icmp
protocol icmp
!
application isakmp
protocol udp
sport 500
dport 500
!
! The lines below show how to enable the Web-Control feature, in case you have a valid feature license key (commented out here)
!web-control
! action permit
! provider digitalarts
!

! THESE ARE YOUR REQUIRED FIREWALL RULES FOR YOUR AZURE CONNECTION

firewall
rule 10 permit isakmp from PUBLIC.WAN.WAN_IP to PUBLIC.WAN
rule 20 permit isakmp from PUBLIC.WAN to PUBLIC.WAN.WAN_IP
rule 30 permit esp from PUBLIC.WAN.WAN_IP to PUBLIC.WAN
rule 40 permit esp from PUBLIC.WAN to PUBLIC.WAN.WAN_IP
rule 45 permit ping from PRIVATE to PRIVATE
rule 50 permit ping from VPN.AZURE to PRIVATE.LAN
rule 60 permit ping from PRIVATE.LAN to VPN.AZURE
rule 70 permit ping from PUBLIC.WAN to PRIVATE.LAN
rule 75 permit ping from PRIVATE to PUBLIC
rule 80 permit any from PRIVATE.LAN to VPN.AZURE
rule 90 permit any from VPN.AZURE to PRIVATE.LAN
protect
!

! NAT RULE
nat
rule 10 masq any from PRIVATE to PUBLIC
enable
!

! AZURE IPSEC PROFILE
crypto ipsec profile AZURE-IPSEC-Demo-GW01-Demo-LW01
lifetime seconds 3600
transform 1 protocol esp integrity SHA1 encryption AES256
!

! AZURE ISAKMP/IKEv2 PHASE 1 PROFILE
crypto isakmp profile AZURE-ISAKMP-Demo-GW01-Demo-LW01
version 2
lifetime 28800
transform 1 integrity SHA1 encryption AES256 group 2
!

! AZURE ISAKMP PRE-SHARED KEY
crypto isakmp key 8 Abcd1234 address
!

! AZURE ISAKMP PEER (AZURE GATEWAY)
crypto isakmp peer address <-> profile AZURE-ISAKMP-Demo-GW01-Demo-LW01
!

! MAKE SURE YOU HAVE CONFIGURED VPN WAN INTERFACE WITH A PUBLIC IP ADDRESS. BELOW IS AN EXAMPLE
! Note: REPLACE “eth1” if already used.
! Note: REPLACE subnet prefix “/24” below by the correct prefix (offered by your ISP) for your public IP block if it’s different.

interface eth1
description external wan
ip address 84.177.215.91/24

! MAKE SURE YOU HAVE CONFIGURED YOUR VPN MANAGEMENT/LAN INTERFACE, FOR YOUR ONPREMISES NETWORK. BELOW IS AN EXAMPLE
! Note: REPLACE “vlan1” if already used
! IMPORTANT:
! Ensure that the management interface for your onPremises network, that is used by your AR-Series LAN, is listed below !
! REPLACE “192.168.1.254” as needed (Azure does not have visibility over your MGMT IP).
! In this example, my management IP is 192.168.1.254, for my onPremises LAN network 192.168.1.0/24.

interface vlan1
description Internal LAN
ip address 192.168.1.254/24

! CREATE YOUR VTI INTERFACE FOR THE ROUTEBASED TUNNEL TO AZURE:
! REPLACE “tunnel0” with something else, if already used.
! IMPORTANT: Ensure that the local network address space for your onPremises network, that is used by your AR-Series LAN interface, is listed under “tunnel local selector” !
! –> It is essential to list this one first in the Azure Portal, under your Local Network Gateway –> Configuration–>”Address Space” blade.
! –> Following this, you must also define your VTI interface next (/32), as a second entry under the same Azure blade mentioned above.
! (LNG –> Configuration–> “Address Space”)

! IMPORTANT NOTES:
! > Your VTI Interface IP below (192.168.2.222/32) is an example. REPLACE ‘192.168.2.222/32’ with a different /32 host IP if this range is already used by another interface.
! > As explained above, make sure that you have also added this IP to the “LOCAL NETWORK GATEWAY” object in the Azure Portal, following your actual LAN segment. When doing so, please
! add a /32 subnet mask to it, and ensure that this IP doesn’t overlap with your on-premises address range(s).

interface tunnel0
ip address 192.168.2.222/32
ip tcp adjust-mss 1350
tunnel source
tunnel destination
tunnel local selector 1 172.20.100.0/22
tunnel remote selector 1 192.168.155.0/24
tunnel protection ipsec profile AZURE-IPSEC-Demo-GW01-Demo-LW01
tunnel mode ipsec ipv4
!

! CREATE YOUR STATIC ROUTES
! Note: The 0/0 route needs to have your ISP Default GW as your Next-Hop.
! REPLACE “x.x.x.1” by your assigned ISP Default GW IP.

ip route 0.0.0.0/0 x.x.x.1 eth1
ip route 192.168.155.0/24 tunnel0
!
line con 0
line vty 0 4
!
end
!————————————————–END——————————————————-!
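As an added example (not part of the original post and not Microsoft's template code), a small Python checker that reads the `/Data/KEY = value` section of a downloaded template and flags what a practitioner should change before pushing it to a device: blank peer addresses, the SHA1 / DH group 2 / no-PFS defaults shown above, and the short demo pre-shared key. The sample input is constructed from the values in the post; the SP_* subnet continuation lines are not parsed.

```python
import re

# Constructed sample in the "/Data/KEY = value" layout of the downloaded template;
# values copied from the post's example (the blank LNG_GATEWAYIP is deliberate).
SAMPLE_TEMPLATE = """\
! [2] Public IP address of the Azure VPN gateway
/Data/VNG_GATEWAYIP = 51.144.114.218
/Data/LNG_GATEWAYIP =
/Data/IKE_ENCRYPTION_1 = aes256
/Data/IKE_INTEGRITY_1 = sha1
/Data/IKE_DHGROUP_1 = 2
/Data/IPsec_ENCRYPTION_1 = aes256
/Data/IPsec_INTEGRITY_1 = sha1
/Data/IPsec_PFSGROUP_1 = None
/Data/CONNECTION_PSK = Abcd1234
"""

KV_LINE = re.compile(r"^/Data/(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*)$")


def parse_template(text: str) -> dict[str, str]:
    """Collect the /Data/KEY = value pairs; comment lines starting with '!' are skipped."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        m = KV_LINE.match(line.strip())
        if m:
            params[m.group("key")] = m.group("value").strip()
    return params


def review_proposal(params: dict[str, str]) -> list[str]:
    """Return findings a reviewer should resolve before the config reaches a device."""
    findings: list[str] = []
    for key in ("VNG_GATEWAYIP", "LNG_GATEWAYIP", "CONNECTION_PSK"):
        if not params.get(key):
            findings.append(f"{key} is empty: fill it in before deploying")
    # DH groups below 14 are 1024-bit MODP or smaller; 14 or an ECP group is the floor today.
    if params.get("IKE_DHGROUP_1", "").isdigit() and int(params["IKE_DHGROUP_1"]) < 14:
        findings.append("IKE_DHGROUP_1 below 14: prefer DH group 14 or an ECP group")
    for key in ("IKE_INTEGRITY_1", "IPsec_INTEGRITY_1"):
        if params.get(key, "").lower() in ("md5", "sha1"):
            findings.append(f"{key}={params[key]}: prefer sha256 or stronger")
    if params.get("IPsec_PFSGROUP_1", "None").lower() == "none":
        findings.append("IPsec_PFSGROUP_1=None: perfect forward secrecy is off for Phase 2")
    psk = params.get("CONNECTION_PSK", "")
    if psk and len(psk) < 20:  # 20 is an assumed minimum; the demo key is 8 characters
        findings.append("CONNECTION_PSK shorter than 20 characters: replace the demo key")
    return findings


if __name__ == "__main__":
    for finding in review_proposal(parse_template(SAMPLE_TEMPLATE)):
        print("-", finding)
```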

I hope the post was helpful and if you have any questions, don’t hesitate to ask.

Cheers,
Flo

Once MVP, always part of the MVP community! – Awarded with MVP Reconnect

Many things happened shortly after one another. After I needed to lay down the MVP title on the 1st of July, something awesome happened last night.

Shortly before midnight, I got a mail from the MVP Reconnect program which invited me to join the group of reconnected MVPs 🙂

I’m extremely happy about it and very thankful 🙂 I really loved being part of the MVP Community and this is the chance to be part of it again, even as a Microsoft employee.


My 1st book is ready for order “Implementing #Azure Solutions”

Hi everyone,

as many of you already know, last year around this time I started, together with Oliver Michalski (MVP Azure) and Jan-Henrik Damaschke (MVP Cloud & Datacenter Management), to write a book about implementing Azure Solutions. After one year of hard work, many struggles and even more changes because of the rapid development of Azure, the book is now ready for order via Packt and Amazon 🙂

We are very happy with the result. Hopefully you have as much fun reading it as we had writing the book.

Order via Amazon.com // Order via Packt


What this book covers
Chapter 1, Getting Started with Azure Implementation, … In this chapter the reader gets an overview of cloud service models, cloud deployment models, cloud characteristics, and Azure services.
Chapter 2, Azure Resource Manager and Tools, … In this chapter the reader learns all about the Azure Resource Manager and its concepts (Azure Resource Groups / Azure Resource Tags / Locks). The reader also gets an introduction to working with ARM Templates.
Chapter 3, Deploying and Synchronizing Azure Active Directory, … In this chapter the reader gets an overview of the deployment, management and functionality of Azure Active Directory and its relation to a Microsoft Azure subscription.
Chapter 4, Implementing Azure Networks, … In this chapter the reader learns how networking in Azure works, how to plan Azure network components and how to deploy the different network components within Azure.
Chapter 5, Implementing and Securing Storage Accounts, … In this chapter the reader learns all about Azure Storage management and its concepts (Blob / Table / Queue / File). The reader also gets some basic storage configurations.
Chapter 6, Planning and Deploying Virtual Machines in Azure, … In this chapter the reader learns the differences between the Azure Virtual Machine types, the common use cases for the different types and how to deploy Virtual Machines.
Chapter 7, Implementing Cloud Services, … In this chapter the reader learns all about Azure Cloud Services, the Cloud Service architecture, Azure Cloud Services vs. Azure App Services and how to create your first Cloud Service.
Chapter 8, Exploring and Implementing Containers, … In this chapter the reader learns the basics of the Azure Container Service and how to create your first container service. The reader also learns the necessary steps for working with the service afterwards.
Chapter 9, Securing an Azure Environment, … In this chapter the reader learns all about Azure security concepts (identity management with Azure AD / role-based access control / Azure Storage security) and the Azure Security Center.
Chapter 10, Best Practices, … Based on a common use case and migration scenario, the reader gets a basic overview of how classic applications and services can be placed in the Microsoft cloud ecosystem and which tools can be used for the migration.

Speaking at Cloud & Datacenter Conference Germany

Hey everybody,

this week I got a mail from Carsten Rachfahl, the inventor and host of the Cloud & Datacenter Conference Germany. The CDC is one of the biggest IT conferences in Germany, and Carsten offered me a speaker slot at his conference 🙂

I’m so proud that I match Carsten’s high quality standards and will be able to share some knowledge about Microsoft Azure. The topic I’m speaking about isn’t completely clear yet, but I think it will be Microsoft Azure ExpressRoute and Azure Networking. 🙂