Configuring a Site-to-Site IPSec Tunnel to Azure


In order to establish a Site-to-Site IPSec VPN connection between your Azure virtual network and your Perimeter 81 network, follow the steps below:


1. Create Gateway Subnet

  1. In your Azure Management portal, navigate to Virtual networks.
  2. Click the name of the Virtual Network to which you'd like to create a gateway.
  3. Under the Settings section of your VNet page, click Subnets.
  4. Click + Gateway subnet (the name of the subnet is filled in with the value 'GatewaySubnet' by default).
  5. Adjust the auto-filled Address range values to match your configuration requirements.

2. Create Virtual Network Gateway

  1. On the left side of the portal page, click + and type Virtual Network Gateway in the search line.
  2. Locate and click Virtual network gateway.
  3. Click Create.
  4. Fill in the fields according to the following:
    • Name: Your gateway name. 
    • Region/Location: Your virtual network location.
    • Gateway type: Select VPN.
    • VPN type: Select Route-based.
    • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN you select.
    • Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual
      network to open the Choose a virtual network page. Select the VNet. If you don't see your VNet, make sure the Location/Region field is pointing to the region in which your virtual network is located.
    • Gateway subnet address range: You will only see this setting if you did not previously create a gateway subnet for your virtual network. If you previously created a valid gateway subnet, this field will not appear.
    • Public IP address: This specifies the public IP address object that's associated to the
      VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created.
    • Enable active-active mode: Disabled.
    • Configure BGP ASN: Disabled.
    • Click Review+create to begin creating the VPN gateway.
      It can take up to 45 minutes for the task to be completed.

3. Create Local Network Gateway

  1. In the portal, click + Create a resource.
  2. In the search box, type Local network gateway. Click Local network gateway, then click the Create button to open the Create local network gateway page.
  3. Fill in the fields according to the following:
    • Name: Your gateway name. 
    • IP address: This is the public IP address of the VPN device (your Perimeter 81 gateway) that you want Azure to connect to. Specify a valid public IP address. If you don't have the IP address right now, you can enter a placeholder value, but you'll need to go back and replace it with the public IP address of your VPN device (otherwise, Azure will not be able to connect).
    • Address Space: Enter your Perimeter 81 network address range here (make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to).
    • Subscription: Verify that the correct subscription is showing.
    • Resource Group: Select the resource group that you want to use. You can either create a new resource group, or select one that you have already created.
    • Location: Select a location that this object will be created in.
      You may want to select the location in which your Virtual Network resides; however, it is not a requirement.
    • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN you select.

      Click Create at the bottom of the page to create the local network gateway.

4. Create the IPSec Tunnel Connection

  1. Open your virtual network gateway page.
  2. On the sidebar, click All resources, then click the Local network gateway you created. Once it opens, go to Settings, click Connections and then + Add.
  3. Fill in the fields according to the following:
    • Name: Your connection name.
    • Connection type: Select Site-to-site (IPSec).
    • Virtual network gateway: Since you are connecting from this gateway, this value (the gateway with the public IP you received from Azure) is fixed.
    • Local network gateway: The local network gateway (your Perimeter 81 network address) which you have just created is the fixed value.
    • Shared Key: The value here must match the shared secret that you configure on your local on-premises VPN device (your Perimeter 81 gateway).
    • The remaining values for Subscription, Resource Group, and Location are fixed as well.
      Click OK to create your connection.

5. Perimeter 81 Settings

  1. Open your Perimeter 81 Management Platform and go to the Network tab.
  2. Go to the gateway in your network from which you want to create the tunnel to Azure, click the 3 dots beside it and press Add Tunnel.
  3. Choose IPSec Site-2-Site Tunnel and click Continue.
  4. Fill in the fields according to the following:
    • Name: Set a name for the tunnel.
    • Shared Secret: Enter the same shared key you set in Azure.
    • Public IP and Remote ID: Enter the public IP address of the Azure Virtual network gateway.
    • Perimeter 81 Gateway Proposal Subnets: Choose Any or a specific subnet.
    • Remote Gateway Proposal Subnets: Enter your Azure VNet subnet.
    • Advanced Settings:
      • IKE Version - V2
      • IKE Lifetime - 8h
      • Tunnel Lifetime - 1h
      • Dead Peer Detection Delay - 10s
      • Dead Peer Detection Timeout - 30s
      • Encryption (Phase 1) - aes256
      • Integrity (Phase 1) - sha1
      • Diffie-Hellman Groups (Phase 1) - 2
      • Encryption (Phase 2) - aes256
      • Integrity (Phase 2) - sha1
      • Diffie-Hellman Groups (Phase 2) - 2
  5. Press Add Tunnel.

6. Verify the VPN Connection

  1. In Azure, click All resources.
  2. Click Virtual network gateway.
  3. Go to Connections.
  4. Click your connection.
  5. In Overview, check that the Status is Connected.
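The Azure-side steps above (gateway subnet, virtual network gateway, local network gateway, connection, and the status check) can also be done with the Az PowerShell module. The script below is an added example and is not part of the Perimeter 81 article or its product: the resource group, region, resource names, address ranges and the Perimeter 81 public IP (203.0.113.10, from the TEST-NET-3 documentation range) are assumed placeholders you must replace. Unlike the portal flow, it pins an explicit IPsec/IKE policy that matches the Perimeter 81 Advanced Settings (AES-256, SHA-1, DH group 2, 1h Phase 2 lifetime, 30s DPD timeout), so the two peers negotiate the same proposal rather than relying on Azure's default list; Azure fixes its own IKE SA lifetime at 28,800 seconds, which is why the Perimeter 81 side uses an IKE Lifetime of 8h.

```powershell
# Added example (not from the Perimeter 81 article): the Azure-side steps scripted with the
# Az PowerShell module. Requires an existing session from Connect-AzAccount.
# All names, ranges and the Perimeter 81 public IP below are assumed placeholders.
$rg        = "rg-perimeter81-vpn"     # assumed: existing resource group
$location  = "westeurope"             # assumed: region of the VNet
$vnetName  = "vnet-prod"              # assumed: existing VNet to attach the gateway to
$p81Ip     = "203.0.113.10"           # placeholder: Perimeter 81 gateway public IP (TEST-NET-3)
$p81Prefix = "10.255.0.0/16"          # placeholder: Perimeter 81 network address space

# Prompt for the pre-shared key so it is never stored in the script file or shell history.
$pskSecure = Read-Host -Prompt "Shared key (must match the Perimeter 81 tunnel)" -AsSecureString
$psk       = [System.Net.NetworkCredential]::new("", $pskSecure).Password

# 1. Gateway subnet. Azure requires the literal subnet name 'GatewaySubnet'.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.1.255.0/27" `
    -VirtualNetwork $vnet | Out-Null
$vnet     = Set-AzVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# 2. Route-based VPN gateway. Active-active and BGP stay disabled (the switches are simply
#    not passed), matching the portal settings above. Standard-SKU static public IP is the
#    portal default for current gateway SKUs.
$pip = New-AzPublicIpAddress -Name "pip-vng" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name "vngIpConfig" `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$vng = New-AzVirtualNetworkGateway -Name "vng-azure" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# 3. Local network gateway: the Perimeter 81 side (its public IP and address space).
$lng = New-AzLocalNetworkGateway -Name "lng-perimeter81" -ResourceGroupName $rg `
    -Location $location -GatewayIpAddress $p81Ip -AddressPrefix $p81Prefix

# 4. Connection with an explicit IPsec/IKE policy equal to the Perimeter 81 Advanced Settings:
#    Phase 1 AES256/SHA1/DH2, Phase 2 AES256/SHA1/PFS2, Phase 2 lifetime 3600 s (1h).
#    DPD timeout 30 s matches the tunnel's Dead Peer Detection Timeout.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup PFS2 `
    -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000
New-AzVirtualNetworkGatewayConnection -Name "cn-perimeter81" -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk -IpsecPolicies $policy -DpdTimeoutSeconds 30 | Out-Null

# 5. Verify: the same check as Status = Connected in the connection's Overview blade.
(Get-AzVirtualNetworkGatewayConnection -Name "cn-perimeter81" -ResourceGroupName $rg).ConnectionStatus
```

Gateway creation can take up to 45 minutes, and the last line will report NotConnected until the Perimeter 81 tunnel from section 5 has been added with the same shared key and proposal; re-run that Get-AzVirtualNetworkGatewayConnection line afterwards. The AES-256/SHA-1/DH group 2 proposal mirrors the article's settings; where the Perimeter 81 gateway offers them, SHA-256 and DH group 14 (Azure values SHA256, DHGroup14 and PFS14) are the stronger choice and only need changing in the New-AzIpsecPolicy line and the matching Perimeter 81 Advanced Settings.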