How to Configure Route-based IPsec VPN to Azure (BGP over IKEv2/IPSec)

Zyxel_Stanley
Zyxel_Stanley Posts: 1,377  Zyxel Employee
100 Answers 1000 Comments Friend Collector Seventh Anniversary
edited June 2022 in VPN

Azure Multi-Site connection

This type of connection is a variation of the Site-to-Site connection. You create more than one VPN connection from your virtual network gateway, typically connecting to multiple on-premises sites. When working with multiple connections, you must use a Route-based VPN type (known as a dynamic gateway when working with classic VNets). Because each virtual network can only have one VPN gateway, all connections through the gateway share the available bandwidth. This is often called a "multi-site" connection.

Before you begin

Before you begin configuration, verify that you have the following:

  1. -You have a Azure virtual network that was created using the Resource Manager deployment model
  2. -The virtual network gateway for your VNet is RouteBased. If you have a PolicyBased VPN gateway, you must delete the virtual network gateway and create a new VPN gateway as RouteBased.
  3. -None of the address ranges of each local network sites overlap for any of the VNets that this VNet is connecting to.
  4. -An externally facing public IPv4 IP address for each ZyWALL device. The IP address cannot be located behind a NAT. This is requirement.

Here the configuration steps on Azure portal, 

1.   Create a virtual network (VNet)

1.       From a browser, navigate to the Azure portal and sign in with your Azure account.

2.       Click Create a resource. In the Search the marketplace field, type 'virtual network'. Locate Virtual network from the returned list and click to open the Virtual Network page.

3.       Near the bottom of the Virtual Network page, from the Select a deployment model list, select Resource Manager, and then click Create. This opens the 'Create virtual network' page.


2.   Create the gateway subnet

The virtual network gateway use specific subnet called gateway subnet. It’s part of the virtual network IP address space that you specify when creating your virtual network. It contains IP addresses that the virtual network gateway resources and services use.

1.       In the portal, navigate to the virtual network for which you want to create a virtual network gateway.

2.       In the Settings section of your VNet page, click Subnets to expand the Subnets page.

3.       On the Subnets page, click +Gateway subnet at the top to open the Add subnet page.


4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. The GatewaySubnet value is required in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range values to match your configuration requirements.


5. To create the subnet, click OK at the bottom of the page.

3.   Create the VPN gateway

1. On the left side of the portal page, click + and type 'Virtual Network Gateway' in search. In Results, locate and click Virtual network gateway.

2. At the bottom of the 'Virtual network gateway' page, click Create. This opens the Create virtual network gateway page.

3. On the Create virtual network gateway page, specify the values for your virtual network gateway.


        · Name: Vnet1GW

        · Gateway type: VPN

        · VPN type: select the Route-based VPN type

        · SKU: VpnGw1

        BGP is supported on Azure VpnGw1, VpnGw2, VpnGw3, Standard and HighPerformance SKU. Basic SKU is NOT supported. Here you need to select VpnGw1 at least.

        · Virtual network: Click Virtual network/Choose a virtual network to open the Choose a virtual network page. Select VNet1.

        · Public IP address: This setting specifies the public IP address object that gets associated to the VPN gateway.

                -Leave Create new selected.

                 -In the text box, type a Name for your public IP address. For this exercise, use VNet1GWIP.

        · Check the Configure BGP ASN option and type in the ASN number. The following ASNs are reserved by Azure for both internal and external peerings:

         · Public ASNs: 8074, 8075, 12076

         · Private ASNs: 65515, 65517, 65518, 65519, 65520

        · Location: select the location same as your VNet

4. Click Create to begin creating the VPN gateway.

After the gateway is created. On the left side of the portal page, click All resources and click into the virtual network gateway to view more information. The Public IP address will show on the right side.

4.   Obtain the Azure BGP Peer IP address

You need to obtain the BGP Peer IP address of this VPN Gateway. This address is needed to configure on your ZyWALL as the BGP neighbor.

Open the Configuration page of your Azure VPN Gateway to get it.


5.   Create the local network gateway

The local network gateway typically refers to your on-premises location. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises ZyWALL device to which you will create a connection.

1.       In the portal, click +Create a resource.

2.       In the search box, type Local network gateway, then press Enter to search. This will return a list of results. Click Local network gateway, then click the Create button to open the Create local network gateway page.

3.       On the Create local network gateway page, specify the values for your local network gateway.

The most important part is the address space list. Here the BGP peer ip address of your ZyWALL, usually the ip address of VTI tunnel interface. In this example, it’s 10.1.254.1/32

Check Configure BGP settings and type in the BGP ASN of your ZyWALL.

BGP peer IP address: Type in the IP address of your VTI interface on ZyWALL. In this example is 10.1.254.1


6.   Create the VPN connection

1.       Navigate to and open the page for your virtual network gateway.

2.       On the page for VNet1GW, click Connections. At the top of the Connections page, click +Add to open the Add connection page.


3.      On the Add connection page, configure the values for your connection. Select Site-to-site (IPSec) as connection type.

Type in the Shared key(PSK) which you need configure the same value as the Pre-Shared Key in the VPN gateway settings page of your ZyWALL. 

Note: Pre-shared key must be at least 8 to 32 characters.


7.   Enable BGP on Azure VPN Connection

1.       Navigate to and open the page for the Azure VPN connection created.

2.       Click Configuration to open configuration page

3.       Enable BGP and then click Save


After finishing the VPN configure on the Azure portal. Then you can configure the related VPN settings on your ZyWALL.

----------------------

Here the configuration steps on your ZyWALL,

1.  Create the VPN Gateway Rule (Phase 1)

On ZyWALL Web GUI, go to CONFIGURATION > VPN > IPSec VPN > VPN

Gateway, click Add to create a VPN Gateway rule.

On the Add VPN Gateway page, specify the values for your virtual network gateway.


·         Enable: check the Enable box to activate this rule

·         Name: “Azure” as the rule name in this example

·         IKE Version: IKEv2

·         Peer Gateway Address: select static address and fill in Public IP address of Azure virtual network gateway in the Primary field

·         Pre-Shared Key: fill in the Shared Key(PSK) of Azure VPN connection


·         SA Life Time: 28800 seconds

·         Encryption algorithm: keep the default value, AES128

·         Authentication algorithm: keep the default value, SHA1

·         Key Group: keep the default value, DH2

2.  Create the VPN Connection Rule (Phase 2)

On ZyWALL Web GUI, go to CONFIGURATION > VPN > IPSec VPN > VPN

Connection, click Add to create a VPN Connection rule.

On the Add VPN Connection page, specify the values for your virtual network gateway.


·         Enable: check the Enable box to active this rule

·         Name: “Azure” as the rule name in this example

·         TCP MSS: 1379 Bytes

·         Application Scenario: select VPN Tunnel Interface for route-based VPN

·         VPN Gateway: select “Azure”

·         SA Life Time: 3600 seconds

·         Encryption algorithm: select AES256

·         Authentication algorithm: keep the default value, SHA1

·         PFS: select none

Note: The Phase 2 Encryption algorithm should select as AES256 only to full compatible with Azure VPN gateway.

3.  Create VTI Interface

On ZyWALL Web GUI, go to CONFIGURATION > Network > Interface > VTI, click Add to create a VTI interface


·         Interface Name: vti0

·         Zone: IPSec_VPN

·         vpn-rule: Azure

·         IP Address: 10.1.245.1

·         Subnet Mask: 255.255.255.252

4.  Create Static Routes for BGP peer

On ZyWALL Web GUI, go to CONFIGURATION > Network > Routing > Static Route.

Add route to Gateway Subnet of Azure, in this example is 10.0.0.0/29

This is the route for TCP connection of BGP to the Azure BGP peer IP address.


5.  Configure BGP

On ZyWALL Web GUI, go to CONFIGURATION > Network > Routing > BGP

1.       Type in the BGP ASN of this site

2.       Type in the Router ID of this ZyWALL. Usually it will be the IP address of lan interface of your ZyWALL.


3.       Add the Azure BGP peer as the neighbor Type in the Azure BGP peer IP address Type in the BGP ASN of Azure VNet Enable eBGP Multihop

Select the VTI interface as the source of BGP packet sent between peer


4.       Add the router entries that want to advertise to the Azure BGP peer


Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview

Tagged: