[strongSwan] Microsoft Azure Virtual Network?
John Connett
jrc at skylon.demon.co.uk
Thu Jul 26 11:15:19 CEST 2012
I am attempting to use strongSwan 4.5.3-5.4.1 on openSUSE 12.1
(x86_64) to provide an endpoint to a Microsoft Azure Virtual Network
using the 90-day free trial preview (https://www.windowsazure.com).
Has anyone else created a successful connection? If so, please can you
give me guidance on how to configure strongSwan? My initial
configuration will be on openSUSE (where NetworkManager is available)
but I hope to move to an OpenWrt router (Backfire 10.03.1) later.
Microsoft provide sample configurations for various devices. The
example below is for a Cisco router.
Many thanks in anticipation
--
John Connett
======================================================================
! Microsoft Corporation
! Windows Azure Virtual Network
! This configuration template applies to Cisco ISR 2900 Series Integrated Services Routers running IOS 15.0.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.
!
---------------------------------------------------------------------------------------------------------------------
! ACL rules
!
! Proper ACL rules are needed for permitting cross-premise network traffic.
access-list <RP_AccessList> permit ip <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkWildcardBits> <SP_AzureNetworkIpRange> <SP_AzureNetworkWildcardBits>
!
---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
 exit
crypto isakmp key <SP_PresharedKey> address <SP_AzureGatewayIpAddress>
!
---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, tunnel mode properties for the Phase 2 negotiation
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes esp-sha-hmac
 mode tunnel
 exit
!
---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map <RP_IPSecCryptoMap> 10 ipsec-isakmp
 set peer <SP_AzureGatewayIpAddress>
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 102400000
 set transform-set <RP_IPSecTransformSet>
 match address <RP_AccessList>
 exit
!
---------------------------------------------------------------------------------------------------------------------
! External interface configuration
!
! This section binds to the external interface of the router so that the cross-premise network traffic matching the
! traffic selector defined in the crypto map will be properly encrypted and transmitted via the IPSec VPN tunnel. It
! also adjusts the TCPMSS value properly to avoid fragmentation
interface <NameOfYourOutsideInterface>
 no crypto map
 crypto map <RP_IPSecCryptoMap>
 ip tcp adjust-mss 1350
 exit
======================================================================
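A strongSwan translation of the Cisco template above, added here as an example; it is not part of the original post nor one of Microsoft's sample configurations. Each isakmp/ipsec setting in the template is mapped to its ipsec.conf keyword for strongSwan 4.x, where IKEv1 (the protocol the Cisco "crypto isakmp" lines use) is handled by the pluto daemon. The <SP_...> placeholders are the same ones the Cisco template uses; the connection name azure, the use of %defaultroute for the local address, and the /24 prefix lengths are assumptions that must be replaced with the real values.

```ini
# /etc/ipsec.conf -- strongSwan 4.x, IKEv1 main mode with a pre-shared key.
# Added example, not from the original post; placeholders follow the Cisco
# template above, prefix lengths and the connection name are assumptions.
config setup
        plutostart=yes                  # IKEv1 is pluto's job in strongSwan 4.x

conn azure
        keyexchange=ikev1               # crypto isakmp policy (IKEv1, main mode)
        authby=secret                   # authentication pre-share
        ike=aes128-sha1-modp1024!       # encryption aes / hash sha / group 2;
                                        # "!" offers only this proposal
        ikelifetime=8h                  # lifetime 28800 (seconds)
        esp=aes128-sha1!                # esp-aes esp-sha-hmac
        lifetime=1h                     # set security-association lifetime seconds 3600
        type=tunnel                     # mode tunnel
        left=%defaultroute              # this host's public address (assumption)
        leftsubnet=<SP_OnPremiseNetworkIpRange>/24   # on-premise side of the ACL
        right=<SP_AzureGatewayIpAddress>             # set peer
        rightsubnet=<SP_AzureNetworkIpRange>/24      # Azure side of the ACL
        auto=start                      # bring the tunnel up at ipsec start

# /etc/ipsec.secrets -- crypto isakmp key <SP_PresharedKey> address <SP_AzureGatewayIpAddress>
# <SP_AzureGatewayIpAddress> : PSK "<SP_PresharedKey>"
```

The Cisco ACL uses wildcard bits, so convert them to a prefix length (0.0.0.255 becomes /24). Cisco's "encryption aes" with no key size means AES-128 and "group 2" is 1024-bit MODP, which is what the ike= line states. The kilobyte-based SA lifetime from the crypto map is deliberately not expressed, since pluto only handles time-based rekeying. The "ip tcp adjust-mss 1350" line has no ipsec.conf equivalent; on Linux clamp the MSS with an iptables TCPMSS rule in the mangle table on the forwarded traffic, for example iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1350. If the strongSwan host sits behind NAT, set leftid= to the public address that was registered with Azure so the IKE identity matches. Start with "ipsec start" (or "ipsec up azure") and inspect "ipsec statusall" to confirm that the ISAKMP SA and the IPsec SA are both established.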