Windows Azure Virtual Network with between regions http://kentablog.cluscore.com/2013/10/windows-azurevpn.html

1. Windows Azure Virtual Network
with between regions
Japan Windows Azure User Group
Kentaro Aoki
@kekekekenta
October 24, 2013

2. Virtual Networks
Windows Azure
East Asia
Windows Azure
West US
vn-asia-gw.cloudapp.net
(207.46.134.21)
vn-us-gw.cloudapp.net
(168.61.66.238)
vn-asia
(10.20.0.0/16)
vn-us
(10.10.0.0/16)
vn-asia-vm
Ubuntu VM
10.20.0.5
GATEWAY
(static routing)
207.46.137.55
vn-us-gw
Ubuntu VPN GW
10.10.0.4
vn-us-vm
Ubuntu VM
10.10.0.5
internet
vn-asia-gw
Ubuntu VPN GW
10.20.0.4
GATEWAY
(static routing)
168.61.64.182
2

3. Using Network Address Translation
Windows Azure
East Asia
Windows Azure
West US
vn-asia-gw.cloudapp.net
(207.46.134.21)
vn-us-gw.cloudapp.net
(168.61.66.238)
vn-asia
(10.20.0.0/16)
vn-us
(10.10.0.0/16)
vn-asia-vm
Ubuntu VM
10.20.0.5
GATEWAY
(static routing)
207.46.137.55
vn-us-gw
Ubuntu VPN GW
10.10.0.4
internet
vn-asia-gw
Ubuntu VPN GW
NAT (Masquerading)
10.20.0.4
vn-us-vm
Ubuntu VM
10.10.0.5
NAT (Masquerading)
GATEWAY
(static routing)
168.61.64.182
3

4. Virtual Network Settings
Windows Azure
East Asia
Windows Azure
West US
4

5. VPN Configurations for the vn-asia-gw (1)
•
Create New Virtual Machine from Azure Portal
– Ubuntu Server 12.04 LTS
•
Install IP-Sec Software on Ubuntu
– $sudo apt-get install openswan
•
Setup IP-Sec Nat-Traversal
– $sudo vi /etc/ipsec.conf
• Config setup
•
protostack=netkey
•
nat_traversal=yes
•
virtual_private=%v4:10.20.0.0/16
•
oe=off
• include /etc/ipsec.d/*.conf
5

6. VPN Configurations for the vn-asia-gw (2)
•
Setup VPN Information
– $sudo vi /etc/ipsec.d/azure-us.conf
• conn azure-us
•
authby=secret
•
auto=start
•
type=tunnel
•
left=10.20.0.4
•
leftsubnet=10.20.0.0/16
•
leftnexthop=%defaultroute
•
right=168.61.64.182
•
rightsubnet=10.10.0.0/16
•
ike=aes128-sha1-modp1024
•
esp=aes128-sha1
•
pfs=no
6

7. VPN Configurations for the vn-asia-gw (3)
• Setup Secret Key
– $sudo vi /etc /ipec.secrets
• 10.20.0.4 168.61.64.182 : PSK "krOurXxXX6…XXX“
• Enable ipv4 forwarding
– $sudo vi /etc /sysctl.conf
• net.ipv4.ip_forward=1
– $sudo sysctl -p /etc /sysctl.conf
• Enable IP-Sec
– $sudo service ipsec restart
7

8. VPN Configurations for the vn-asia-gw (4)
• Setup Firewall for SSH
– $sudo ufw allow proto tcp to any port 22
• Setup Firewall for IP-Sec NAT Traversal
– $sudo ufw allow proto udp to any port 500
– $sudo ufw allow proto udp to any port 4500
• Enable ipv4 forwarding for NAT
– $sudo vi /etc /default/ufw
• DEFAULT_FORWARD_POLICY="ACCEPT“
8

9. VPN Configurations for the vn-asia-gw (5)
• Setup NAT Rule
– $sudo vi /etc /ufw/before.rules (add following rule to the top)
• # nat Table rules
• *nat
• :POSTROUTING ACCEPT [0:0]
• # Forward traffic from eth1 through eth0.
• -A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE
• # don't delete the 'COMMIT' line or these nat table rules won't be
processed
• COMMIT
9

10. VPN Configurations for the vn-asia-gw (6)
• Enable ufw (aka iptables)
– $sudo ufw disable && sudo ufw enable
10

11. Ping through the VPN tunnel
Windows Azure
East Asia
Windows Azure
West US
11

12. Articles
• VPN connection in the region between the Windows Azure
– http://kentablog.cluscore.com/2013/10/windows-azurevpn.html
• Research ed.
– http://kentablog.cluscore.com/2013/10/creating-site-to-sitevpn-with-regions.html
12