Azure Site-to-Site IPSec VPN connection with Citrix NetScaler (CloudBridge)

An Azure Site-to-Site VPN gateway connection is used to connect an on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.

In this example, I am going to use the Citrix CloudBridge feature of a NetScaler. Citrix CloudBridge works in a pair, one at each end of a link, to accelerate traffic over the link. The transformations done by the sender are reversed by the receiver. One CB virtual appliance can handle many links, so you do not have to dedicate a pair to each connection. You need just one CB virtual appliance per site to handle traffic between the Azure datacenter and the on-premises datacenter. In a Citrix CloudBridge Connector tunnel, IPSec ensures:

  • Data integrity
  • Data origin authentication
  • Data confidentiality (encryption)
  • Protection against replay attacks

The exercise below creates an IPSec tunnel between 66.128.x.x (on-prem) and 168.63.x.x (Azure).

Basic Requirements:

  • Make sure that the public IPv4 address of your VPN device is not located behind a NAT firewall.
  • Make sure the correct NSG rules are configured so that you can reach the on-premises VM from the Azure VM and vice versa.

IP Address Requirements:

  • IP address of the CloudBridge Connector tunnel end point (CB appliance) on the on-premises side: 66.128.x.x
  • IP address of the CloudBridge Connector tunnel end point in the Azure VPN Gateway: 168.63.x.x
  • Datacenter subnet whose traffic is to traverse the CloudBridge Connector tunnel: 10.120.0.0/23
  • Azure subnet whose traffic is to traverse the CloudBridge Connector tunnel: 10.10.0.0/22

Citrix NetScaler Settings

IPSec profile CB_Azure_IPSec_Profile:

  • IKE version = v1
  • Encryption algorithm = AES
  • Hash algorithm = HMAC SHA1

CloudBridge Connector tunnel CB_Azure_Tunnel:

  • Remote IP = 168.63.x.x
  • Local IP = 66.128.x.x (SNIP)
  • Tunnel protocol = IPSec
  • IPSec profile = CB_Azure_IPSec_Profile

Policy based route CB_Azure_Pbr:

  • Source IP range = subnet in the datacenter = 10.120.0.0-10.120.1.254
  • Destination IP range = subnet in Azure = 10.10.0.1-10.10.3.254
  • IP tunnel = CB_Azure_Tunnel

Azure VPN Gateway Settings

  • Public IP address of the Azure VPN Gateway = 168.63.x.x
  • Local network (on-prem network): VPN device IP address = 66.128.x.x (SNIP); on-prem subnet = 10.120.0.0/24
  • Virtual network (CloudBridge tunnel in Azure side): address space of the Azure vNET = 10.10.0.0/22
  • Trusted subnet within the vNET = 10.10.0.1/24
  • Untrusted subnet within the vNET = 10.10.1.1/24
  • Gateway subnet = 10.10.2.0/24
  • Region = Australia East
  • VPN type = Route-based
  • Connection type = Site-to-site (IPsec)
  • Gateway type = VPN
  • Shared key (sample) = DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM

Configuration of Citrix NetScaler CloudBridge Feature

Step1: Create IPSec Profile

add ipsec profile CB_Azure_IPSec_Profile -psk DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM -ikeVersion v1 -lifetime 31536000

Note: DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM is also used in the Azure VPN connection.

Step2: Create IPSec Tunnel

add iptunnel CB_Azure_Tunnel 168.63.x.x 255.255.255.255 66.128.x.x -protocol IPSEC -ipsecProfileName CB_Azure_IPSec_Profile

Step3: Create PBR Rule

add pbr CB_Azure_Pbr ALLOW -srcIP 10.120.0.0-10.120.1.255 -destIP 10.10.0.0-10.10.3.255 -ipTunnel CB_Azure_Tunnel

Step4: Apply Settings

apply pbrs

You can also configure the NetScaler using the GUI. Here is an example.

  1. Access the configuration utility by using a web browser to connect to the IP address of the NetScaler appliance in the datacenter.
  2. Navigate to System > CloudBridge Connector.
  3. In the right pane, under Getting Started, click Create/Monitor CloudBridge.
  4. Click Get Started. In the CloudBridge Setup pane, click Microsoft Windows Azure.
  5. In the Azure Settings pane, in the Gateway IP Address* field, type the IP address of the Azure gateway. The CloudBridge Connector tunnel is then set up between the NetScaler appliance and the gateway. In the Subnet (IP Range)* text boxes, specify a subnet range (in Azure cloud), the traffic of which is to traverse the CloudBridge Connector tunnel. Click Continue.
  6. In the NetScaler Settings pane, from the Local Subnet IP* drop-down list, select a publicly accessible SNIP address configured on the NetScaler appliance. In Subnet (IP Range)* text boxes, specify a local subnet range, the traffic of which is to traverse the CloudBridge Connector tunnel. Click Continue.
  7. In the CloudBridge Setting pane, in the CloudBridge Name text box, type a name for the CloudBridge that you want to create.
  8. From the Encryption Algorithm and Hash Algorithm drop-down lists, select the AES and HMAC_SHA1 algorithms, respectively. In the Pre Shared Security Key text box, type the security key.
  9. Click Done.

Configuration of an IPSec Site-to-Site VPN in the Azure Subscription 

Step1: Connect to Azure Subscription

Login-AzureRmAccount

Get-AzureRmSubscription

Select-AzureRmSubscription -SubscriptionId "99ebd-649c-466a-a670-f1a611841"

Step2: Create Azure Resource Group in your region

New-AzureRmResourceGroup -Name TestRG1 -Location "Australia East"

Step3: Create vNET and Subnets

$subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name "Trusted" -AddressPrefix 10.10.0.0/24

$subnet2 = New-AzureRmVirtualNetworkSubnetConfig -Name "Untrusted" -AddressPrefix 10.10.1.0/24

$subnet3 = New-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix 10.10.2.0/24

$vnet = New-AzureRmVirtualNetwork -Name TestVNet1 -ResourceGroupName TestRG1 -Location "Australia East" -AddressPrefix 10.10.0.0/22 -Subnet $subnet1, $subnet2, $subnet3

Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

Step4: Create On-premises Network

New-AzureRmLocalNetworkGateway -Name Site2 -ResourceGroupName TestRG1 -Location "Australia East" -GatewayIpAddress "66.128.x.x" -AddressPrefix "10.120.0.0/24"

If the on-premises side has more than one address prefix, pass an array instead. The following variant uses different sample values for the location and gateway address:

New-AzureRmLocalNetworkGateway -Name Site2 -ResourceGroupName TestRG1 -Location "East US" -GatewayIpAddress "23.99.221.164" -AddressPrefix @("10.120.0.0/24","10.120.1.0/24")

Step5: Request a Public IP Address

$gwpip = New-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName TestRG1 -Location "Australia East" -AllocationMethod Dynamic

Step6: Create Gateway IP Address

$vnet = Get-AzureRmVirtualNetwork -Name TestVNet1 -ResourceGroupName TestRG1

$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

Step7: Create VPN Gateway

New-AzureRmVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 -Location "Australia East" -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

Step8: Extract public IP address of the VPN Gateway

Get-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName TestRG1

Step9: Create VPN Connection

$gateway1 = Get-AzureRmVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1

$local = Get-AzureRmLocalNetworkGateway -Name Site2 -ResourceGroupName TestRG1

New-AzureRmVirtualNetworkGatewayConnection -Name VNet1toSite2 -ResourceGroupName TestRG1 -Location "Australia East" -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local -ConnectionType IPsec -RoutingWeight 10 -SharedKey "DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM"

Step10: Verify Connection

Get-AzureRmVirtualNetworkGatewayConnection -Name VNet1toSite2 -ResourceGroupName TestRG1
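The NetScaler commands and the Azure commands above have to describe the same tunnel: the PBR source range must be covered by the prefixes the Azure local network gateway declares for the on-premises site, the PBR destination range must sit inside the vNET address space, the GatewaySubnet must be inside the vNET, and the pre-shared key and the two endpoint addresses must be identical on both sides; otherwise traffic for the uncovered addresses never enters the tunnel, or IKE never authenticates. The following Python script is an added example (not from the original post, and not Citrix or Microsoft tooling) that performs these checks against the values in this article. The 66.128.x.x and 168.63.x.x endpoints are replaced with constructed placeholder addresses, the stray-whitespace key is a constructed illustration of a common copy-and-paste mistake, and the dictionary keys and function names are my own.

```python
"""Consistency checks for a CloudBridge Connector / Azure site-to-site tunnel.

Added example, not part of the original post and not Citrix or Microsoft
tooling. Values are taken from the article; the two public endpoints are
constructed stand-ins for the 66.128.x.x / 168.63.x.x addresses.
"""
import ipaddress


def pbr_range(cidr):
    """NetScaler PBRs take a first-last range; derive it from a CIDR subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address}-{net.broadcast_address}"


def range_to_networks(ip_range):
    """Split 'a.b.c.d-e.f.g.h' into the minimal list of CIDR blocks it covers."""
    first, last = (ipaddress.ip_address(p.strip()) for p in ip_range.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def covered(ip_range, prefixes):
    """True if every address in ip_range lies inside the union of the given prefixes."""
    # collapse_addresses merges adjacent prefixes (e.g. two /24s into one /23),
    # so a block that is only covered by several smaller prefixes is still found.
    nets = list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))
    return all(any(block.subnet_of(n) for n in nets) for block in range_to_networks(ip_range))


def check_site(cfg):
    """Return a list of mismatches between the NetScaler and Azure sides (empty == consistent)."""
    findings = []
    if cfg["ns_peer_ip"] != cfg["azure_gateway_ip"] or cfg["ns_local_ip"] != cfg["azure_local_gateway_ip"]:
        findings.append("tunnel endpoint addresses differ between the two sides")
    if cfg["ns_psk"] != cfg["azure_psk"]:
        findings.append("pre-shared keys differ (check for stray whitespace around the key)")
    if not covered(cfg["pbr_src"], cfg["azure_local_prefixes"]):
        findings.append("PBR source range is not fully covered by the Azure local network gateway prefixes")
    if not covered(cfg["pbr_dst"], [cfg["azure_vnet_space"]]):
        findings.append("PBR destination range falls outside the Azure vNET address space")
    vnet = ipaddress.ip_network(cfg["azure_vnet_space"])
    if not ipaddress.ip_network(cfg["gateway_subnet"]).subnet_of(vnet):
        findings.append("GatewaySubnet is not inside the vNET address space")
    return findings


# Values as the article lists them: the Step 3 PBR ranges and the first Step 4
# local network gateway command, which declares a single /24 for the datacenter.
PAGE_CONFIG = {
    "ns_local_ip": "66.128.0.10",            # constructed stand-in for 66.128.x.x (SNIP)
    "ns_peer_ip": "168.63.0.10",             # constructed stand-in for 168.63.x.x
    "ns_psk": "DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM",
    "pbr_src": "10.120.0.0-10.120.1.255",
    "pbr_dst": "10.10.0.0-10.10.3.255",
    "azure_gateway_ip": "168.63.0.10",
    "azure_local_gateway_ip": "66.128.0.10",
    "azure_psk": " DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM",  # constructed: key pasted with a leading space
    "azure_local_prefixes": ["10.120.0.0/24"],
    "azure_vnet_space": "10.10.0.0/22",
    "gateway_subnet": "10.10.2.0/24",
}

# Same site with the local network gateway carrying both on-prem /24s and a clean key.
FIXED_CONFIG = dict(
    PAGE_CONFIG,
    azure_psk=PAGE_CONFIG["ns_psk"],
    azure_local_prefixes=["10.120.0.0/24", "10.120.1.0/24"],
)

if __name__ == "__main__":
    for name, cfg in (("as written", PAGE_CONFIG), ("corrected", FIXED_CONFIG)):
        problems = check_site(cfg)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against the article's values the script reports two findings: the datacenter subnet is given as 10.120.0.0/23 in the IP requirements and the PBR covers that whole /23, but the first Step 4 command declares only 10.120.0.0/24 to Azure, so the second half of the range would not be routed into the tunnel; the array form of New-AzureRmLocalNetworkGateway with both /24s (or a single /23) resolves it. The second finding is the constructed whitespace in the key, which is worth checking whenever a key is pasted between two management consoles.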

How to configure site to site VPN using Forefront TMG 2010

To configure site to site VPN using Forefront TMG 2010, you must meet following prerequisites:

  • A user account to authenticate the VPN
  • A routable public IP on both sides
  • Site-to-site rules created on both TMG servers
  • For a secure VPN using EAP authentication, a computer certificate imported on both TMG servers.

To create a user account for the remote site gateway:

  • On the Forefront TMG server, click Start, point to Administrative Tools, and then click Computer Management.
  • In the Computer Management console, in the tree, click System Tools, click Local Users and Groups, and then click Users.
  • In the details pane, right-click the applicable user, and then click Properties.
  • On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), select Allow access.


[Figure: an example of a site-to-site VPN]

To Create Site to Site VPN Rule in TMG server:

  • In the Forefront TMG Management console, in the tree, click Remote Access Policy (VPN).
  • In the details pane, click the Remote Sites tab.
  • In the Create VPN Site-to-Site Connection wizard, follow the on-screen instructions. On the Welcome page, in the Site-to-Site network name text box, you must type the exact name of the remote network's gateway.
  • Add a range of IP addresses for remote site clients. If you do not have a load balancer, click Next; otherwise type the IP address of the load balancer.
  • In the next steps, create a network rule that includes the source and protocol type, then click Next, and click Next again.
  • Apply changes. Click OK. View the rules applied in the firewall.
  • To view a summary of the VPN site-to-site network configuration, right-click the selected network, and then click Site-to-Site Summary under the Remote Sites tab.
  • Repeat similar steps at the remote site to complete the site-to-site VPN.

To import certificates on the TMG server:

Click System, select the TMG server, click Install Server Certificate, and follow the prompts.

To complete the EAP configuration:

  1. On the Forefront TMG computer, click Start, click Administrative Tools, and then click Routing and Remote Access.
  2. In the Routing and Remote Access MMC snap-in, select the Network Interfaces node.
  3. When you applied the changes to the Forefront TMG configuration, a demand dial interface with the same name you gave the network was created. Select this demand dial interface, and then click Properties.
  4. On the Security tab, the advanced custom settings option should be selected. Click Settings to open Advanced Security Settings.
  5. Select the EAP you will be using, and then click Properties to configure EAP according to your EAP provider.

To check site-to-site VPN connectivity:

  1. In the Forefront TMG Management console, in the tree, click the Monitoring node.
  2. In the details pane, on the Sessions tab, verify whether your VPN session is listed. The site-to-site VPN session has the following properties:
    • Session Type shows VPN Site-to-Site.
    • Client Host Name shows the remote VPN server's public IP address (if the session was initiated by the local VPN server, this field will be empty).
    • Client IP shows the IP address assigned for the VPN session.
    • Application Name shows that this is a VPN connection and displays the protocol used for the connection. Application Name is not displayed by default. To add it, right-click one of the column headings in the Sessions tab, and click Application Name.
  3. To create a session filter that displays only site-to-site VPN sessions:
    1. On the Tasks tab, click Edit Filter.
    2. In the Edit Filter dialog box, in Filter by, select Session Type. In Condition, select Equals; and in Value, select VPN Remote Site.
    3. Click Add To List, and then click Start Query. You must click Start Query to save the filter.


How to configure L2TP/IPSec VPN using Forefront TMG 2010

Pre-requisites:

  1. Windows Active Directory and DNS
  2. DHCP server or range of free IP addresses
  3. Enterprise Root CA
  4. Forefront TMG is a member server.
  5. Computer certificate installed in TMG server
  6. Public IP assigned in external NIC of TMG server

Configure L2TP/IPSec VPN

1. Open the Forefront TMG Management Console. Click Forefront TMG (Array Name) in the left pane.

2. In the left pane click Remote Access Policy, then click Configure Address Assignment Method. You will be presented with the Remote Access Policy properties.

3. Add a range of IP addresses (example: 10.10.11.1-10.10.11.255) to be assigned by the TMG server, or assign an internal DHCP server.

4. Check MSCHAPv2 Authentication and check Enable EAP.

5. Apply changes. Click OK.

6. In the left pane click Remote Access Policy; in the task pane click Configure VPN Client Access. You will be presented with the VPN Clients properties. Check Enable on the General tab.

7. In the Groups tab, add the Windows AD groups you allow to access the VPN.

8. In the Protocols tab, check Enable L2TP/IPSec.

9. In the User Mapping tab, check Enable User Mapping and provide the internal domain name.

10. Click Apply and OK. Apply changes.

11. In the left pane click Networking, then click the Network Rules tab. From the task pane, run the Create Network Rule wizard. Create a new network rule allowing VPN client access from the external network to the internal network. Select a route relationship between the external and internal networks.

12. In the left pane right-click Firewall Policy, click New, and then click Access Rule. Follow the wizard.

13. Apply changes.

14. Make sure you allow remote access in the AD user's Dial-in properties.

15. Now create a dialler on a Windows 7 machine as shown in the linked article. Log on to that machine using domain credentials and test the VPN.
