blog.alam.rocks

Tag Archives: Azure

Setup a Site to Site IPsec VPN With Strongswan & Meraki MX (IKEv1)

27 Monday May 2019

Posted by Fakrul Alam in My Work, Tutorial


Tags

Azure, Azure VPN Gateway, IKEv1, Meraki, Site2Site VPN, StrongSwan

Recently I have been building a site-to-site IPsec VPN between an Azure VPN gateway and a Meraki MX firewall. Meraki started supporting IKEv2 (as of 27 May 2019) in their beta firmware MX 15.13, but it is not yet stable.

See https://community.meraki.com/t5/Security-SD-WAN/Azure-VPN-IKEv2-intermittent/m-p/47688#M12029 and https://community.meraki.com/t5/Security-SD-WAN/IKEv2-support-on-MX-devices/m-p/48333#M12197

An Azure policy-based VPN gateway (IKEv1) works with the MX, but it supports only one site-to-site tunnel.

To work around this, I created an Ubuntu server that acts as the VPN gateway (running strongSwan) and added a user-defined route (UDR) so that traffic for the remote subnet is sent to the Ubuntu server instead of the Azure VPN gateway.

A. Azure Configuration

1. Create a virtual machine. In my case I created a VM with Ubuntu 18.04 LTS with the following specification:

[Image: ipsecvpn_1.PNG]

2. After creating the VM, go to VM > Networking > Network Interface and enable IP forwarding. This setting lets the Azure fabric deliver packets to the NIC whose destination is not the NIC's own address; the guest OS still needs net.ipv4.ip_forward=1 so that strongSwan can forward the decrypted traffic into the VNet.

[Image: ipsecvpn_2.PNG]

3. In the NSG, make sure inbound UDP/500 (IKE) and UDP/4500 (NAT-T) are allowed, ideally only from the Meraki's public IP. Because the VM sits behind Azure's 1:1 NAT on its public IP, the tunnel will run with NAT traversal on UDP/4500.

4. Create a route table with a route for the remote subnet 192.168.100.0/24, next hop type Virtual appliance, next hop address 10.0.0.9 (the private IP address of the Ubuntu server).

[Image: ipsecvpn_3.PNG]

5. Make sure you associate the route table with the subnet(s) in the existing VNet whose traffic should go through the tunnel; a route table that is not attached to a subnet has no effect.

[Image: ipsecvpn_4.PNG]
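The Azure side of steps 2 to 5 as one script, added here as an example and not part of the original post. It assumes placeholder names for the resource group, VNet, subnet, NIC, NSG and route table (MyRG, MyVNet, default, ipsecvpn-nic, ipsecvpn-nsg, to-branch-rt), a VNet address space of 10.0.0.0/16 and a placeholder Meraki WAN address (203.0.113.10); the remote prefix 192.168.100.0/24 and the Ubuntu server's private IP 10.0.0.9 are the values used above. Before touching Azure it checks two things that otherwise leave the UDR silently ineffective: that the next-hop IP actually lies inside the VNet, and that the branch prefix does not overlap the VNet. With DRY_RUN=1 (the default) it prints the az commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): Azure-side steps 2-5 via the az CLI, with
# pre-flight checks on the addressing. Resource names and the VNet prefix are assumptions;
# the remote prefix and the Ubuntu server's private IP are the ones the post uses.
# DRY_RUN=1 (default) prints the az commands instead of running them.
set -eu

RG="${RG:-MyRG}"; VNET="${VNET:-MyVNet}"; SUBNET="${SUBNET:-default}"
NIC="${NIC:-ipsecvpn-nic}"; NSG="${NSG:-ipsecvpn-nsg}"; RT="${RT:-to-branch-rt}"
VNET_PREFIX="10.0.0.0/16"                      # assumed VNet address space
NVA_IP="10.0.0.9"                              # private IP of the Ubuntu/strongSwan VM
REMOTE_PREFIX="192.168.100.0/24"               # subnet behind the Meraki MX
MERAKI_WAN_IP="${MERAKI_WAN_IP:-203.0.113.10}" # placeholder (TEST-NET-3), not a real peer
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# --- CIDR helpers in plain shell arithmetic ---------------------------------------
ip2int()   { local IFS=.; set -- $1; echo $(( ($1<<24) + ($2<<16) + ($3<<8) + $4 )); }
# network address of "a.b.c.d/len" as an integer
cidr_net() { local ip=${1%/*} len=${1#*/}; echo $(( $(ip2int "$ip") & (0xFFFFFFFF << (32-len)) & 0xFFFFFFFF )); }
# in_cidr IP CIDR: true if IP falls inside CIDR
in_cidr()  { [ "$(cidr_net "$1/${2#*/}")" -eq "$(cidr_net "$2")" ]; }
# two CIDRs overlap iff one's network address lies inside the other
cidr_overlap() { in_cidr "${1%/*}" "$2" || in_cidr "${2%/*}" "$1"; }

preflight() {
  in_cidr "$NVA_IP" "$VNET_PREFIX" ||
    { echo "next hop $NVA_IP is not inside $VNET_PREFIX; a UDR next hop must be in the VNet" >&2; return 1; }
  if cidr_overlap "$REMOTE_PREFIX" "$VNET_PREFIX"; then
    echo "remote prefix $REMOTE_PREFIX overlaps the VNet $VNET_PREFIX; system routes win, readdress one side" >&2
    return 1
  fi
}

# Step 2: fabric-level IP forwarding on the NIC (the guest also needs net.ipv4.ip_forward=1)
enable_ip_forwarding() { run az network nic update -g "$RG" -n "$NIC" --ip-forwarding true; }

# Step 3: IKE (UDP/500) and NAT-T (UDP/4500) inbound, only from the peer's WAN address
allow_ike() {
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n allow-ike-from-meraki \
      --priority 100 --direction Inbound --access Allow --protocol Udp \
      --source-address-prefixes "$MERAKI_WAN_IP" --destination-port-ranges 500 4500
}

# Steps 4-5: UDR for the branch subnet via the strongSwan VM, attached to the workload subnet
add_udr() {
  run az network route-table create -g "$RG" -n "$RT"
  run az network route-table route create -g "$RG" --route-table-name "$RT" -n to-branch \
      --address-prefix "$REMOTE_PREFIX" --next-hop-type VirtualAppliance --next-hop-ip-address "$NVA_IP"
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" --route-table "$RT"
}

main() { preflight; enable_ip_forwarding; allow_ike; add_udr; }
main
```

Run it with DRY_RUN=0 after `az login` and after setting the real names; the guest-side `sysctl -w net.ipv4.ip_forward=1` on the Ubuntu VM is a separate step that no az command performs.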


Configure Express Route and Site-to-Site coexisting connections

04 Saturday May 2019

Posted by Fakrul Alam in My Work, Tutorial


Tags

Azure, Express Route, IPSEC, Meraki

 

Azure now supports ExpressRoute and site-to-site VPN connections that coexist. You can configure the site-to-site VPN as a secure failover path for ExpressRoute, or use site-to-site VPNs to connect sites that are not reachable through ExpressRoute.

There are some limitations and restrictions; for details see:

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager

In this example the VNet already has its ExpressRoute gateway configured in a /24 GatewaySubnet (coexistence requires the GatewaySubnet to be /27 or larger).

 

[Image: az-1]

Now we will create a new VPN gateway for IPsec alongside it.

Step 1: Get the VNET, Gateway Subnet details

$vnet = Get-AzVirtualNetwork -Name SEGResourceGroup-vnet -ResourceGroupName SEGResourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

Step 2: New Public IP address and assign it to VPN gateway

$gwpip= New-AzPublicIpAddress -Name SEG-GatewayVPNPublicIP -ResourceGroupName SEGResourceGroup -Location australiaeast -AllocationMethod Dynamic
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name SEG-GatewayVPNPublicIPConfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

Step 3: Now create site-to-site VPN gateway

New-AzVirtualNetworkGateway -Name SEG-GatewayVPN -ResourceGroupName SEGResourceGroup -Location australiaeast -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased -GatewaySku Standard

Verify the VPN Gateway configuration. Important things to check:

GatewayType: VPN

VPNType: RouteBased

VPNClientConfiguration: IkeV2

[Image: az-2.PNG]
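The verification above can be scripted so that it fails loudly instead of relying on reading the output. The following check is an added example, not part of the original post, and it uses the az CLI rather than the Azure PowerShell module the post uses. The JSON field names it queries (gatewayType, vpnType, sku.name) are the ones `az network vnet-gateway show` returns; the resource names are the post's (SEGResourceGroup, SEG-GatewayVPN). The rules it enforces are the ones the post relies on: gateway type Vpn, route-based, and a non-Basic SKU (the post creates Standard; Basic is not supported next to an ExpressRoute gateway).

```bash
#!/usr/bin/env bash
# Added example (not from the original post, which uses Azure PowerShell): validates the
# gateway properties that ExpressRoute/VPN coexistence depends on, using the az CLI.
set -eu

# Returns 0 if the three values describe a VPN gateway usable beside ExpressRoute;
# otherwise prints every failed requirement to stderr and returns 1.
validate_gateway_props() {
  local gw_type=$1 vpn_type=$2 sku=$3 rc=0
  [ "$gw_type" = Vpn ] ||
    { echo "gatewayType is '$gw_type', expected Vpn" >&2; rc=1; }
  [ "$vpn_type" = RouteBased ] ||
    { echo "vpnType is '$vpn_type', expected RouteBased (policy-based cannot coexist with ExpressRoute)" >&2; rc=1; }
  [ "$sku" != Basic ] ||
    { echo "sku is Basic; use Standard or higher for coexistence" >&2; rc=1; }
  return $rc
}

# Queries the live gateway and feeds the three values to the validator.
check_gateway() {
  local rg=${1:-SEGResourceGroup} name=${2:-SEG-GatewayVPN} line
  line=$(az network vnet-gateway show -g "$rg" -n "$name" \
           --query "[gatewayType, vpnType, sku.name]" -o tsv | tr '\t' ' ')
  # shellcheck disable=SC2086  # intentional word split of the three tsv fields
  validate_gateway_props $line
}

# Only call Azure when asked (./check-gw.sh check [RG] [NAME]); sourcing the file
# gives you validate_gateway_props on its own.
if [ "${1:-}" = check ]; then check_gateway "${2:-}" "${3:-}"; fi
```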

Step 4: Create the local network gateway

Azure Site 2 Site VPN [AZ Scripts]

19 Tuesday Dec 2017

Posted by Fakrul Alam in My Work


Tags

Azure, Sophos

This tutorial shows how to set up a site-to-site VPN to an on-premises data center using the Azure CLI (az), with the following parameters:

VnetName = MyVNet
ResourceGroup = MyRG
Location = Australia East (australiaeast)
AddressSpace = 10.11.0.0/16
SubnetName = DefaultSubnet
Subnet = 10.11.0.0/24
GatewaySubnet = 10.11.255.0/27
LocalNetworkGatewayName = RemoteVPNSite
LNG Public IP = 110.145.123.123 (public IP of the on-premises firewall)
LocalAddrPrefix = 192.168.1.0/24
GatewayName = MyVNetGW
PublicIP = MyVNetGWIP
VPNType = RouteBased
GatewayType = Vpn
ConnectionName = MyVNettoRemoteSite

1. Create a resource group

az group create --name MyRG --location australiaeast

2. Create a virtual network

az network vnet create --name MyVNet --resource-group MyRG --address-prefix 10.11.0.0/16 --location australiaeast --subnet-name DefaultSubnet --subnet-prefix 10.11.0.0/24

3. Create the gateway subnet

az network vnet subnet create --address-prefix 10.11.255.0/27 --name GatewaySubnet --resource-group MyRG --vnet-name MyVNet

4. Create the local network gateway

az network local-gateway create --gateway-ip-address 110.145.123.123 --name RemoteVPNSite --resource-group MyRG --local-address-prefixes 192.168.1.0/24

5. Request a Public IP address

az network public-ip create --name MyVNetGWIP --resource-group MyRG --allocation-method Dynamic

6. Create the VPN gateway

az network vnet-gateway create --name MyVNetGW --public-ip-address MyVNetGWIP --resource-group MyRG --vnet MyVNet --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait

The IPsec/IKE parameters supported by Azure are listed at https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto. If the default proposals do not match your on-premises device, you can pin a custom policy on the connection; this can only be done after the connection exists (step 7), and the same parameters must be configured on the on-premises side:

az network vpn-connection ipsec-policy add --connection-name MyVNettoRemoteSite --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA256 --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group None --resource-group MyRG --sa-lifetime 3600 --sa-max-size 102400000

7. Create the VPN connection

az network vpn-connection create --name MyVNettoRemoteSite --resource-group MyRG --vnet-gateway1 MyVNetGW -l australiaeast --shared-key abc123 --local-gateway2 RemoteVPNSite

The shared key here is only a placeholder: use a long random pre-shared key in practice, enter the same value on the on-premises firewall, and keep in mind that it ends up in your shell history when passed on the command line.

I had issues peering with a Sophos XG Firewall running firmware version SFOS 16.05.8 MR-8, but SFOS_17.0.2_MR-2.SF300-116 fixed the issue.

Verify the connection. Note that `show` returns the SharedKey in clear text (last column below), so treat this output as sensitive and do not paste it into tickets or chat:

fakrul@Azure:~$ az network vpn-connection show --resource-group MyResourceGroup --name MyVirtualNetworkConnection --output table
ConnectionStatus ConnectionType EgressBytesTransferred IngressBytesTransferred Location Name ProvisioningState ResourceGroup ResourceGuid SharedKey
------------------ ---------------- ------------------------ ------------------------- ------------- -------------------------- ------------------- --------------- ------------------------------------ -----------
Connected IPsec 17247 6340 australiaeast MyVirtualNetworkConnection Succeeded MyResourceGroup 80f504f6-ed42-400c-a69c-1a270a7fefba abc123
fakrul@Azure:~$ az network vpn-connection list --resource-group MyResourceGroup --output table
ConnectionType Location Name ProvisioningState ResourceGroup ResourceGuid RoutingWeight
---------------- ------------- -------------------------- ------------------- --------------- ------------------------------------ ---------------
IPsec australiaeast MyVirtualNetworkConnection Succeeded MyResourceGroup 80f504f6-ed42-400c-a69c-1a270a7fefba
IPsec australiaeast MyVNettoRemoteSite Succeeded MyResourceGroup 698a2b4d-ca71-4834-a576-8cb7ae077b2c 10
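Step 7 and the verification above, put together in a script that avoids the weak placeholder key. This is an added example, not code from the original post. It keeps the post's names (MyRG, MyVNetGW, RemoteVPNSite, MyVNettoRemoteSite, australiaeast), generates a 40-character alphanumeric pre-shared key from /dev/urandom, creates the connection, attaches the custom IPsec/IKE policy from above (which can only be added once the connection exists), and then polls connectionStatus until Azure reports Connected. With DRY_RUN=1 (the default) it prints the az commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): connection creation with a random PSK,
# custom policy applied afterwards, and a status poll. Names are the post's.
# DRY_RUN=1 (default) prints the az commands instead of running them.
set -eu

RG=MyRG; GW=MyVNetGW; LNG=RemoteVPNSite; CONN=MyVNettoRemoteSite; LOC=australiaeast
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 40 alphanumeric characters from the kernel CSPRNG (about 238 bits of entropy).
# Alphanumerics only, so the same string pastes cleanly into a firewall UI and needs
# no shell quoting. 2048 random bytes yield ~500 such characters, comfortably enough.
gen_psk() {
  head -c 2048 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "${1:-40}"
}

# Step 7 with a caller-supplied key. Run this from a file, not an interactive shell,
# so the key does not land in shell history.
create_connection() {
  run az network vpn-connection create -g "$RG" -l "$LOC" -n "$CONN" \
      --vnet-gateway1 "$GW" --local-gateway2 "$LNG" --shared-key "$1"
}

# The post's custom policy (DH group 14, AES-256, SHA-256, no PFS), attached after creation.
set_policy() {
  run az network vpn-connection ipsec-policy add -g "$RG" --connection-name "$CONN" \
      --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA256 \
      --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group None \
      --sa-lifetime 3600 --sa-max-size 102400000
}

# connectionStatus is one of Unknown, Connecting, Connected, NotConnected;
# only Connected means the tunnel is actually up.
conn_status_ok() { [ "$1" = Connected ]; }

wait_for_connected() {
  local attempts=${1:-20} i status
  for i in $(seq 1 "$attempts"); do
    status=$(az network vpn-connection show -g "$RG" -n "$CONN" --query connectionStatus -o tsv)
    if conn_status_ok "$status"; then echo "tunnel up"; return 0; fi
    echo "status: $status (attempt $i/$attempts)"; sleep 15
  done
  echo "tunnel not up after $attempts attempts; check the on-prem proposals and PSK" >&2
  return 1
}

main() {
  local psk; psk=$(gen_psk 40)
  printf 'PSK (enter the same value on the on-prem firewall): %s\n' "$psk" >&2
  create_connection "$psk"
  set_policy
  [ "$DRY_RUN" = 1 ] || wait_for_connected
}
main
```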

Sophos profile:

[Image: Capture]

Blog at WordPress.com.