Windows Azure Virtual Network with between regions
DESCRIPTION
Windows Azure Virtual Network with between regions
http://kentablog.cluscore.com/2013/10/windows-azurevpn.html
TRANSCRIPT
Windows Azure Virtual Network with between regions
Japan Windows Azure User Group
Kentaro Aoki
@kekekekenta
October 24, 2013
Virtual Networks
[Diagram: two Windows Azure regions connected over the internet]
• Windows Azure East Asia: virtual network vn-asia (10.20.0.0/16)
  – vn-asia-gw: Ubuntu VPN GW, 10.20.0.4, public endpoint vn-asia-gw.cloudapp.net (207.46.134.21)
  – vn-asia-vm: Ubuntu VM, 10.20.0.5
  – GATEWAY (static routing): 207.46.137.55
• Windows Azure West US: virtual network vn-us (10.10.0.0/16)
  – vn-us-gw: Ubuntu VPN GW, 10.10.0.4, public endpoint vn-us-gw.cloudapp.net (168.61.66.238)
  – vn-us-vm: Ubuntu VM, 10.10.0.5
  – GATEWAY (static routing): 168.61.64.182
Using Network Address Translation
[Diagram: the same topology as the previous slide (vn-asia 10.20.0.0/16 in East Asia, vn-us 10.10.0.0/16 in West US, Ubuntu VPN GWs at 10.20.0.4 and 10.10.0.4, static-routing gateways 207.46.137.55 and 168.61.64.182), with NAT (Masquerading) annotated at the Ubuntu VPN gateway vn-asia-gw (10.20.0.4)]
Virtual Network Settings
[Screenshots: virtual network settings in the Azure Portal for Windows Azure East Asia and Windows Azure West US]
VPN Configurations for the vn-asia-gw (1)
• Create New Virtual Machine from Azure Portal
  – Ubuntu Server 12.04 LTS
• Install IP-Sec Software on Ubuntu
  – $ sudo apt-get install openswan
• Setup IP-Sec NAT Traversal
  – $ sudo vi /etc/ipsec.conf
    config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.20.0.0/16
        oe=off
    include /etc/ipsec.d/*.conf
VPN Configurations for the vn-asia-gw (2)
• Setup VPN Information
  – $ sudo vi /etc/ipsec.d/azure-us.conf
    conn azure-us
        authby=secret
        auto=start
        type=tunnel
        left=10.20.0.4
        leftsubnet=10.20.0.0/16
        leftnexthop=%defaultroute
        right=168.61.64.182
        rightsubnet=10.10.0.0/16
        ike=aes128-sha1-modp1024
        esp=aes128-sha1
        pfs=no
VPN Configurations for the vn-asia-gw (3)
• Setup Secret Key
  – $ sudo vi /etc/ipsec.secrets
    10.20.0.4 168.61.64.182 : PSK "krOurXxXX6…XXX"
• Enable ipv4 forwarding
  – $ sudo vi /etc/sysctl.conf
    net.ipv4.ip_forward=1
  – $ sudo sysctl -p /etc/sysctl.conf
• Enable IP-Sec
  – $ sudo service ipsec restart
VPN Configurations for the vn-asia-gw (4)
• Setup Firewall for SSH
  – $ sudo ufw allow proto tcp to any port 22
• Setup Firewall for IP-Sec NAT Traversal
  – $ sudo ufw allow proto udp to any port 500
  – $ sudo ufw allow proto udp to any port 4500
• Enable ipv4 forwarding for NAT
  – $ sudo vi /etc/default/ufw
    DEFAULT_FORWARD_POLICY="ACCEPT"
VPN Configurations for the vn-asia-gw (5)
• Setup NAT Rule
  – $ sudo vi /etc/ufw/before.rules (add the following rules at the top of the file)
    # nat Table rules
    *nat
    :POSTROUTING ACCEPT [0:0]
    # Masquerade traffic arriving from the vn-us subnet (10.10.0.0/16) as it leaves through eth0.
    -A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE
    # don't delete the 'COMMIT' line or these nat table rules won't be processed
    COMMIT
VPN Configurations for the vn-asia-gw (6)
• Enable ufw (aka iptables)
  – $ sudo ufw disable && sudo ufw enable
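The slides above walk through building vn-asia-gw by hand. The following script is an added example, not part of the deck, that audits the resulting files for the settings the tunnel depends on: a root-only ipsec.secrets, a MASQUERADE rule scoped to the remote subnet and egress interface, ip_forward enabled, and nat_traversal enabled. The function names, the expected file paths and the sample files written by make_samples (including the placeholder PSK) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the deck): audit an Openswan/ufw gateway built like
# vn-asia-gw on the slides. Paths are parameters; make_samples writes test files.

# The PSK sits in plaintext in ipsec.secrets, so the file must be mode 0600.
secrets_mode_ok() {
    [ -n "$(find "$1" -maxdepth 0 -perm 600)" ]
}
# Every MASQUERADE rule must name the remote VNet and egress interface as the
# slide does (-s 10.10.0.0/16 -o eth0); without -s it would NAT all forwarded traffic.
nat_rules_scoped() {   # $1 before.rules, $2 remote subnet, $3 interface
    total=$(grep -c -- '-j MASQUERADE' "$1" || true)
    scoped=$(grep -c -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE" "$1" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$scoped" ]
}
# Forwarding must be enabled in sysctl.conf or nothing crosses the gateway.
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$1"
}
# NAT-T must be on in ipsec.conf: the Azure VM itself sits behind Azure's NAT.
nat_traversal_enabled() {
    grep -Eq '^[[:space:]]*nat_traversal[[:space:]]*=[[:space:]]*yes' "$1"
}
# Run every check against a directory holding the four files; one line each.
audit() {
    rc=0
    for check in "secrets_mode_ok $1/ipsec.secrets" \
                 "nat_rules_scoped $1/before.rules 10.10.0.0/16 eth0" \
                 "ip_forward_enabled $1/sysctl.conf" \
                 "nat_traversal_enabled $1/ipsec.conf"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; rc=1; fi
    done
    return $rc
}
# Constructed sample files mirroring the slides (the PSK is a placeholder),
# plus before.bad, a MASQUERADE rule with no source subnet, to show a failure.
make_samples() {
    d=$(mktemp -d)
    printf 'net.ipv4.ip_forward=1\n' > "$d/sysctl.conf"
    printf 'config setup\n\tprotostack=netkey\n\tnat_traversal=yes\n' > "$d/ipsec.conf"
    printf '10.20.0.4 168.61.64.182 : PSK "CONSTRUCTED-PSK"\n' > "$d/ipsec.secrets"
    chmod 600 "$d/ipsec.secrets"
    printf '*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE\nCOMMIT\n' > "$d/before.rules"
    printf '*nat\n-A POSTROUTING -o eth0 -j MASQUERADE\nCOMMIT\n' > "$d/before.bad"
    echo "$d"
}

audit "$(make_samples)"
```

To audit a real gateway, point the four checks at /etc/ipsec.secrets, /etc/ufw/before.rules, /etc/sysctl.conf and /etc/ipsec.conf instead of the sample directory.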
Ping through the VPN tunnel
[Screenshots: ping output across the tunnel from Windows Azure East Asia and Windows Azure West US]
Articles
• VPN connection between Windows Azure regions
  – http://kentablog.cluscore.com/2013/10/windows-azurevpn.html
• Research ed.
  – http://kentablog.cluscore.com/2013/10/creating-site-to-site-vpn-with-regions.html