This document describes how to connect to your Ecessa device with the Microsoft Azure Site-to-Site VPN Connection. To create an IPSec VPN connection between a remote location and Microsoft Azure, you will need to create individual resource objects within Azure for the virtual network, the remote and local endpoints and finally, create and apply them to a Connection object to finalize the configuration on Azure. Once all that has been done, you will need to configure the Ecessa device.
The diagram below describes all of the components you’ll need to get this site-to-site VPN set up correctly. First you create the virtual network, the network that will be reached through the VPN. Second, you create the VPN gateway, which is assigned a public IP address on the Azure side. After that you create the local network gateway, which represents the remote peer (the public IP of the Ecessa device and the on-premises prefixes behind it). Finally, you create the VPN connection.
We will start our configuration with Azure.
Create a virtual network
To create a VNet in the Resource Manager deployment model by using the Azure portal, follow the steps below. The screenshots are provided as examples.
- From a browser, navigate to the Azure portal and sign in with your Azure account.
- Click New. In the Search the marketplace field, type 'Virtual Network'. Locate Virtual Network from the returned list and click to open the Virtual Network blade.
- Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource Manager, and then click Create.
- On the Create virtual network blade, configure the VNet settings. When you fill in the fields, the red exclamation mark will become a green check mark when the characters entered in the field are valid.
- The Create virtual network blade looks similar to the following example. There may be values that are auto-filled. If so, replace the values with your own.
Create the gateway subnet
The virtual network gateway uses a gateway subnet that contains the IP addresses that are used by the VPN gateway services. When you create a gateway subnet, it must be named 'GatewaySubnet'. If you name it something else, your connection configuration fails.
The size of the gateway subnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a gateway subnet as small as /29, we recommend that you create a larger subnet that includes more addresses by selecting /27 or /28. Using a larger gateway subnet allows for enough IP addresses to accommodate possible future configurations.
- In the portal, navigate to the virtual network for which you want to create a virtual network gateway.
- In the Settings section of your VNet blade, click Subnets to expand the Subnets blade.
- On the Subnets blade, click +Gateway subnet at the top. This will open the Add subnet blade.
- The Name for your subnet will automatically be filled in with the value 'GatewaySubnet'. This value is required in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range values to match your configuration requirement.
- Click OK at the bottom of the blade to create the subnet.
Create the VPN gateway
- On the left side of the portal page, click + and type 'Virtual Network Gateway' in search. In Results, locate and click Virtual network gateway. At the bottom of the Virtual network gateway blade, click Create. This opens the Create virtual network gateway blade.
- On the Create virtual network gateway blade, fill in the values for your virtual network gateway.
- Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
- Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
- VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
- SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select.
- Location: You may need to scroll to see Location. Adjust the Location field to point to the location where your virtual network is located. If the location is not pointing to the region where your virtual network resides, the virtual network will not appear in the next step 'Choose a virtual network' dropdown.
- Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual network to open the Choose a virtual network blade. Select the VNet. If you don't see your VNet, make sure the Location field is pointing to the region in which your virtual network is located.
- Create public IP address: This blade creates a public IP address object to which a public IP address will be dynamically assigned. Click Public IP address to open the Choose public IP address blade. Click +Create New to open the Create public IP address blade. Input a name for your public IP address. Click OK to save your changes to this blade. The IP address is dynamically assigned when the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP address allocation. However, this does not mean that the IP address changes after it has been assigned to your VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.
- Subscription: Verify that the correct subscription is selected.
- Resource group: This setting is determined by the Virtual Network that you select.
- Don't adjust the Location after you've specified the previous settings.
- Verify the settings. You can select Pin to dashboard at the bottom of the blade if you want your gateway to appear on the dashboard.
- Click Create to begin creating the gateway. The settings will be validated and you'll see the "Deploying Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need to refresh your portal page to see the completed status.
- After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway will appear as a connected device. You can click the connected device (your virtual network gateway) to view more information.
Create the local network gateway
The local network gateway typically refers to your on-premises location. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes, you can easily update the prefixes.
- In the portal, from All resources, click +Add. In the Everything blade search box, type Local network gateway, then click to search. This will return a list. Click Local network gateway to open the blade, then click Create to open the Create local network gateway blade.
- On the Create local network gateway blade, specify a Name for your local network gateway object.
- Specify a valid public IP address for the VPN device or virtual network gateway to which you want to connect.
- This is the public IP address of the VPN device that you want to connect to. It cannot be behind NAT and has to be reachable by Azure. Use your own values, not the values shown in the screenshot.
- Address Space refers to the address ranges for the network that this local network represents. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to. Azure will route the address range that you specify to the on-premises VPN device IP address. Use your own values here, not the values shown in the screenshot.
- For Subscription, verify that the correct subscription is showing.
- For Resource Group, select the resource group that you want to use. You can either create a new resource group, or select one that you have already created.
- For Location, select the location that this object will be created in. You may want to select the same location that your VNet resides in, but you are not required to do so.
- Click Create to create the local network gateway.
Configure your Ecessa VPN
Site-to-Site connections to an on-premises network require a VPN device; in this case it is an Ecessa device. When configuring the Ecessa VPN, you need the following:
- A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
- The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your VPN gateway using the Azure portal, navigate to Virtual network gateways, then click the name of your gateway.
After you’ve collected this information, you can begin configuring the Ecessa device for this Site-to-Site VPN.
First name the VPN and choose IKEv2 for the Connection Type.
Then you will configure the WAN IPs of the local Ecessa and the remote Azure virtual gateway, the LANs on both ends, the Shared Secret and the Encryption Options as seen in the picture below:
Create the VPN connection
Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises Ecessa device.
- Locate your virtual network gateway.
- Click Connections. At the top of the Connections blade, click +Add to open the Add connection blade.
- On the Add connection blade, Name your connection.
- For Connection type, select Site-to-site (IPsec).
- For Virtual network gateway, the value is fixed because you are connecting from this gateway.
- For Local network gateway, click Choose a local network gateway and select the local network gateway that you want to use.
- For Shared Key, the value here must match the value that you are using for your local on-premises VPN device. In the example, we used 'myfavoritepassword', but you can (and should) use something more complex. The important thing is that the value you specify here must be the same value that you specified when configuring your VPN device.
- The remaining values for Subscription, Resource Group, and Location are fixed.
- Click OK to create your connection. You'll see Creating Connection flash on the screen.
- When the connection is complete, it appears in the Connections blade of the virtual network gateway.
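A pre-flight check for the values gathered in the steps above (VNet and gateway subnet, local network gateway IP and address spaces, shared key), added here as an example that is not part of the original guide or of Ecessa or Azure tooling. The PLAN values are constructed, and the NAT_RANGES list and the key-length threshold are this example's own assumptions.

```python
import ipaddress
import secrets
# Constructed sample plan (not from the guide); substitute your own values.
PLAN = {
    "vnet_address_space": "10.1.0.0/16",
    "gateway_subnet_name": "GatewaySubnet",
    "gateway_subnet": "10.1.255.0/27",
    "local_gateway_ip": "203.0.113.10",  # Ecessa WAN address (documentation range)
    "local_address_spaces": ["192.168.10.0/24", "192.168.20.0/24"],
    "shared_key": "myfavoritepassword",  # the guide's example key, flagged below
}
# Assumed: an address in these ranges sits behind NAT and cannot be the local gateway IP.
NAT_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def check_plan(plan):
    """Return the problems found in a Site-to-Site plan; an empty list means it looks sound."""
    problems = []
    vnet = ipaddress.ip_network(plan["vnet_address_space"])
    gw = ipaddress.ip_network(plan["gateway_subnet"])
    # Azure only recognizes the gateway subnet under the exact name 'GatewaySubnet'.
    if plan["gateway_subnet_name"] != "GatewaySubnet":
        problems.append("gateway subnet must be named 'GatewaySubnet'")
    if not gw.subnet_of(vnet):
        problems.append(f"gateway subnet {gw} is not inside VNet {vnet}")
    # /29 is the smallest allowed gateway subnet; the guide recommends /27 or /28.
    if gw.prefixlen > 29:
        problems.append(f"gateway subnet {gw} is smaller than /29")
    elif gw.prefixlen == 29:
        problems.append(f"gateway subnet {gw} is /29; /27 or /28 recommended")
    # The local network gateway IP must be reachable by Azure, not a NAT-side address.
    ip = ipaddress.ip_address(plan["local_gateway_ip"])
    if any(ip in net for net in NAT_RANGES):
        problems.append(f"local gateway IP {ip} is not a public address")
    # On-premises prefixes must not overlap the VNet or each other.
    sites = [ipaddress.ip_network(p) for p in plan["local_address_spaces"]]
    for i, net in enumerate(sites):
        if net.overlaps(vnet):
            problems.append(f"local address space {net} overlaps VNet {vnet}")
        for other in sites[i + 1:]:
            if net.overlaps(other):
                problems.append(f"local address spaces {net} and {other} overlap")
    # The same key is typed into Azure and the Ecessa; short or all-letter keys are weak.
    key = plan["shared_key"]
    if len(key) < 20 or key.isalpha():
        problems.append("shared key is weak; generate a long random key")
    return problems

def generate_shared_key(nbytes=32):
    """Random pre-shared key to paste into both the Azure connection and the Ecessa VPN."""
    return secrets.token_urlsafe(nbytes)
```

Run `check_plan(PLAN)` before creating the Azure objects; with the sample values it flags only the weak example key, and `generate_shared_key()` gives a replacement to enter on both ends.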
Verify the VPN connection
In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.
- In the Azure portal, click All resources and navigate to your virtual network gateway.
- On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
- Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.
Link with information
Follow the link below and make sure to generate all the components