vpn watchguard - azure


Upload: aquey1

Post on 14-Sep-2015


9/8/2014 Knowledge Articles & Software
https://na10.salesforce.com/articles/Article/Configure-a-VPN-connection-to-a-Windows-Azure-virtual-network/p

Configure a VPN connection to a Windows Azure virtual network

Question

How can I configure a VPN connection between an XTM device and a Microsoft Windows Azure virtual network?

Answer

When you configure a virtual network with Azure, you have the option to establish a VPN from your local area network to the Azure virtual network. Follow the steps in the subsequent sections to configure a Branch Office VPN to the Azure Virtual Network.

If you need to connect your Windows Azure network to more than one Firebox or XTM device, see the article Configure a VPN between a Windows Azure network and multiple Firebox or XTM devices.

Microsoft offers a similar function with the new Microsoft Azure Pack, a server application set you can install on your local server. A VPN connection to Microsoft Azure Pack requires IKEv2, and is not currently supported for use with WatchGuard devices. We recommend you continue to use your gateway firewall device, such as an XTM or Firebox device, for Site-to-Site VPN connectivity.

Before you Begin

To correctly configure your Windows Azure virtual network, follow the instructions from Microsoft here: http://msdn.microsoft.com/library/azure/dn133795.aspx.

In step 2 of the Microsoft procedure to Start the Gateway (after you click CREATE GATEWAY), select Static Routing. WatchGuard devices do not support Branch Office VPN configurations that have dynamic tunnel identifiers.

Stop at Step 4, and follow the instructions in the next section of this article to gather the required information to configure the VPN connection.

Collect Gateway, Shared Key, and VPN Subnet Information

To establish a VPN connection from your local network to the Azure virtual network, you need to gather certain pieces of information about the virtual network from the Windows Azure Management Portal.

This configuration template has the information you must collect:

Local Gateway ID:
Remote Gateway ID:
Shared Key:
Local Network IP Address:
Remote Network IP Address:

Save this information in a text file or some other location that allows copy+paste, because this information must match exactly in the branch office VPN configuration for the VPN to work. Use the steps below to collect the required information. Then you can paste this information from your configuration template to the VPN configuration on the XTM device.

To get the required information from the Windows Azure Management Portal:

1. Browse to manage.windowsazure.com.
2. Log in with your Windows Live account.
   The Windows Azure Management Portal appears.
3. On the left sidebar, select NETWORKS.


   The Networks page appears.
4. Click LOCAL NETWORKS.
   The public and private IP addresses for your local network appear.
5. Record the ADDRESS SPACE as the Local Network IP Address in your text file.
6. Record the VPN GATEWAY ADDRESS as the Local Gateway ID in your text file.
7. Click VIRTUAL NETWORKS.
   The list of virtual networks appears.
8. In the NAME column, click the name of your virtual network.
   The Virtual Network dashboard appears.
9. Record the IP address in the GATEWAY IP ADDRESS column as the Remote Gateway ID in your text file.
10. At the bottom of the page, click the Manage Key icon.
    The Manage Shared Key pop-up appears.
11. Click the icon next to the string of characters in the MANAGE SHARED KEY text box.
12. Copy this key and paste it to your text file. You must copy this text exactly as it appears, with no spaces or other characters before or after it.
13. At the top of the page, next to DASHBOARD, click CONFIGURE.
14. Scroll down to the ADDRESS SPACE section.
15. Record the network IP address in the ADDRESS SPACE column as the Remote Network IP Address in your text file.
16. Check the text file to make sure you have all the required network information.
    For the example screen shots shown in this example, the collected information so far is:

Local Gateway ID: 203.0.113.2


Remote Gateway ID: 137.117.8.190
Shared Key: YtGDhe9d7I6iKAyWISMyjR0M5Oge7vBu
Local Network IP Address: 10.0.1.0/24
Remote Network IP Address: 10.50.0.0/16

17. Add these settings to your text file. These are standard VPN settings for Windows Azure.

Phase 1 Settings:
Mode: Main
NAT-Traversal: Yes
IKE Keepalive: No
Dead-Peer Detection: Yes
Phase 1 Transform: SHA1-AES (256-bit)
Key Group: Diffie-Hellman Group 2

Phase 2 Settings:
PFS: No
IPSec Proposal: ESP-AES-SHA1

All other values should be left as default unless otherwise indicated.

Configure the XTM Device

In WatchGuard System Manager, use Policy Manager to configure the branch office VPN gateway and tunnel on the XTM device.

To add a branch office VPN gateway in Policy Manager:

1. Select VPN > Branch Office Gateways.
   The Gateways dialog box appears.
2. Click Add.
   The New Gateway dialog box appears.


3. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
4. In the Use Pre-Shared Key text box, paste the shared key you copied from the Azure Management Portal.
5. In the Gateway Endpoints section, click Add.
   The New Gateway Endpoints dialog box appears.


6. In the Local Gateway section, type the external IP address of the XTM device.
   For this example, the local gateway IP address is 203.0.113.2. This should also match the local gateway IP address you recorded from the Windows Azure Management Portal.
7. In the Remote Gateway section, from the External Interface drop-down list, select the external interface to use.
8. In the Remote Gateway section, type the VPN Gateway ID for Azure in the two IP Address text boxes.
   This is the Remote Gateway ID you recorded in the text file. For this example, the remote gateway IP address is 137.117.8.190.
9. Click OK to add the gateway endpoint settings.
10. Click the Phase 1 Settings tab.


11. In the Transform Settings list, select the Phase 1 Transform SHA1-3DES.
12. Click Edit.
    The Phase 1 Transform dialog box appears.
13. From the Encryption drop-down list, select AES (256-bit).
14. Click OK to save the change to the transform.
    The Phase 1 Transform in the list now says SHA1-AES (256-bit).


15. Click OK to save the new gateway.

Next, you add the branch office VPN tunnel in Policy Manager. Here, you define the tunnel routes between the local and remote networks. If you want access to more than one remote IP subnet through the VPN tunnel, you must add a tunnel route to each remote subnet from each local subnet that must access it.

To add the branch office VPN tunnel:

1. Select VPN > Branch Office Tunnels.
2. Click Add.
   The New Tunnel dialog box appears.


3. In the Tunnel Name text box, type a name to identify the tunnel in Policy Manager.
4. From the Gateway drop-down list, select the gateway you just created.
5. In the Addresses tab, click Add to add a new tunnel route between the private networks at each site.
   The Tunnel Route Settings dialog box appears.
6. In the Local text box, type the network IP address of the trusted network on the XTM device.
   For this example, the local trusted network IP address is 10.0.1.0/24.
7. In the Remote text box, type the network IP address of the address space for your Azure virtual network.
8. Click OK to add the new tunnel route.
9. If you want to enable VPN access to another remote subnet, repeat steps 2-8 to add another tunnel route from the local subnet to the other remote subnet.
10. Click OK to add the new tunnel.
11. Click Close to close the Branch Office IPSec Tunnels dialog box.
12. Save the configuration to the XTM device.
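An added example, not part of the WatchGuard article, that ties together two requirements above: the template values collected from the Azure portal must be pasted exactly (step 12 of the collection procedure), and each local subnet needs its own tunnel route to each remote subnet it must reach (step 9 here). It checks a constructed copy of the article's text-file template (gateway addresses parse, the shared key carries no surrounding whitespace, the local and remote address spaces do not overlap) and expands the tunnel routes; the function names and the overlap check are this example's own additions.

```python
"""Added example (not the WatchGuard article's own code): validate the text-file
template collected from the Azure portal and expand the XTM tunnel routes."""
import ipaddress
from itertools import product

# Constructed template mirroring the article's example; the shared key carries
# an extra leading space, the paste residue the article's step 12 warns against.
TEMPLATE = """\
Local Gateway ID: 203.0.113.2
Remote Gateway ID: 137.117.8.190
Shared Key:  YtGDhe9d7I6iKAyWISMyjR0M5Oge7vBu
Local Network IP Address: 10.0.1.0/24
Remote Network IP Address: 10.50.0.0/16
"""

def parse_template(text):
    """Map 'Field: value' lines to {field: value}, dropping only the single
    separator space so any extra whitespace around a value survives."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value[1:] if value.startswith(" ") else value
    return fields

def check_template(fields):
    """Return the problems to fix before configuring the gateway (empty = OK)."""
    problems = []
    for name in ("Local Gateway ID", "Remote Gateway ID"):
        try:
            ipaddress.ip_address(fields[name].strip())
        except (KeyError, ValueError):
            problems.append(f"{name}: missing or not a valid IP address")
    key = fields.get("Shared Key", "")
    if not key.strip() or key != key.strip():  # must match Azure exactly
        problems.append("Shared Key: missing or has surrounding whitespace")
    try:
        local = ipaddress.ip_network(fields["Local Network IP Address"].strip())
        remote = ipaddress.ip_network(fields["Remote Network IP Address"].strip())
        if local.overlaps(remote):  # overlapping spaces cannot be routed via the tunnel
            problems.append("Local and Remote Network IP Address overlap")
    except (KeyError, ValueError):
        problems.append("Network IP Address: missing or not a valid CIDR network")
    return problems

def tunnel_routes(local_subnets, remote_subnets):
    """One tunnel route from each local subnet to each remote subnet it must reach."""
    pairs = product(map(ipaddress.ip_network, local_subnets),
                    map(ipaddress.ip_network, remote_subnets))
    return [(str(local), str(remote)) for local, remote in pairs]
```

Run `check_template(parse_template(TEMPLATE))` to see the stray space flagged; once the key is fixed, `tunnel_routes` lists every local-to-remote pair that needs an entry in the Addresses tab.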

From WatchGuard System Manager, you can launch Firebox System Manager to see the status of your branch office VPN tunnel. For more information, see:


WatchGuard System Manager v11.8.x and higher Help: VPN Tunnel Status
WatchGuard System Manager v11.6.x - 11.7.x Help: VPN Tunnel Status

For more information about branch office VPN Phase 1 tunnel settings, see:

WatchGuard System Manager v11.8.x and higher Help: Configure Mode and Transforms (Phase 1 Settings)
WatchGuard System Manager v11.6.x - 11.7.x Help: Configure Mode and Transforms (Phase 1 Settings)

For more information about branch office VPN Phase 2 tunnel settings, see:

WatchGuard System Manager v11.8.x and higher Help: Configure Phase 2 Settings
WatchGuard System Manager v11.6.x - 11.7.x Help: Configure Phase 2 Settings

For VPN troubleshooting tips, see:

WatchGuard System Manager v11.8.x and higher Help: Troubleshoot Branch Office VPN Tunnels
WatchGuard System Manager v11.6.x - 11.7.x Help: Troubleshoot Branch Office VPN Tunnels
