[strongSwan] Microsoft Azure Virtual Network?

John Connett jrc at skylon.demon.co.uk
Thu Jul 26 11:15:19 CEST 2012


I am attempting to use strongSwan 4.5.3-5.4.1 on openSUSE 12.1
(x86_64) to provide an endpoint to a Microsoft Azure Virtual Network
using the 90-day free trial preview (https://www.windowsazure.com).

Has anyone else created a successful connection?  If so, please can you
give me guidance on how to configure strongSwan?  My initial
configuration will be on openSUSE (where NetworkManager is available)
but I hope to move to an OpenWrt router (Backfire 10.03.1) later.

Microsoft provide sample configurations for various devices.  The
example below is for a Cisco router.

Many thanks in anticipation
--
John Connett


======================================================================
! Microsoft Corporation
! Windows Azure Virtual Network

! This configuration template applies to Cisco ISR 2900 Series Integrated Services Routers running IOS 15.0.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

! ---------------------------------------------------------------------------
! ACL rules
!
! Proper ACL rules are needed for permitting cross-premise network traffic.
access-list <RP_AccessList> permit ip <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkWildcardBits> <SP_AzureNetworkIpRange> <SP_AzureNetworkWildcardBits>

! ---------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 28800
  exit
crypto isakmp key <SP_PresharedKey> address <SP_AzureGatewayIpAddress>

! ---------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, tunnel mode properties for the Phase 2 negotiation
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes esp-sha-hmac
  mode tunnel
  exit

! ---------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map <RP_IPSecCryptoMap> 10 ipsec-isakmp
  set peer <SP_AzureGatewayIpAddress>
  set security-association lifetime seconds 3600
  set security-association lifetime kilobytes 102400000
  set transform-set <RP_IPSecTransformSet>
  match address <RP_AccessList>
  exit

! ---------------------------------------------------------------------------
! External interface configuration
!
! This section binds to the external interface of the router so that the cross-premise network traffic matching the
! traffic selector defined in the crypto map will be properly encrypted and transmitted via the IPSec VPN tunnel. It
! also adjusts the TCPMSS value properly to avoid fragmentation
interface <NameOfYourOutsideInterface>
  no crypto map
  crypto map <RP_IPSecCryptoMap>
  ip tcp adjust-mss 1350
  exit
======================================================================
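The Cisco template above fixes every parameter the Azure side expects: IKEv1 main mode with a pre-shared key, AES (128-bit by default on IOS) with SHA-1 and DH group 2 for Phase 1 at a 28800 s lifetime, ESP AES/SHA-1 in tunnel mode for Phase 2 at 3600 s, and a traffic selector from the on-premise range to the Azure range. The ipsec.conf/ipsec.secrets pair below translates those same values into strongSwan 4.x keywords. It is an added example written for this thread, not a configuration published by Microsoft or by the strongSwan project; the <...> placeholders are the template's own, while the connection name `azure`, the `/<prefix>` CIDR placeholders (strongSwan takes prefix lengths, not Cisco wildcard bits) and `<YourPublicIpAddress>` are assumptions. The kilobyte-based SA lifetime of the crypto map has no counterpart in this file and is left out.

```ini
# /etc/ipsec.conf  (strongSwan 4.x; added example, not from the original post)
config setup
        # In strongSwan 4.x IKEv1 is handled by the pluto daemon, so it must be
        # started; the template negotiates ISAKMP (IKEv1) main mode.
        plutostart=yes
        charonstart=no

conn azure
        # --- Phase 1: mirrors "crypto isakmp policy 10" -----------------------
        keyexchange=ikev1          # main mode with a pre-shared key
        authby=secret              # "authentication pre-share"
        ike=aes128-sha1-modp1024!  # "encryption aes" / "hash sha" / "group 2";
                                   # trailing "!" = propose nothing else
        ikelifetime=28800s         # "lifetime 28800"

        # --- Phase 2: mirrors the transform-set and crypto map ---------------
        esp=aes128-sha1!           # "esp-aes esp-sha-hmac"
        type=tunnel                # "mode tunnel"
        lifetime=3600s             # "set security-association lifetime seconds 3600"
        pfs=no                     # the crypto map sets no "set pfs", so no PFS

        # --- Endpoints and traffic selector (the "match address" ACL) --------
        left=%defaultroute                         # this host's outside address
        leftsubnet=<SP_OnPremiseNetworkIpRange>/<prefix>   # assumed CIDR form
        right=<SP_AzureGatewayIpAddress>           # "set peer ..."
        rightsubnet=<SP_AzureNetworkIpRange>/<prefix>      # assumed CIDR form
        auto=start                 # bring the tunnel up at daemon start

# /etc/ipsec.secrets  (added example; replaces "crypto isakmp key ... address ...")
# <YourPublicIpAddress> is an assumed placeholder for this host's outside address.
<YourPublicIpAddress> <SP_AzureGatewayIpAddress> : PSK "<SP_PresharedKey>"
```

After `ipsec restart`, `ipsec statusall` should list the `azure` connection as established with exactly the AES-128/SHA-1/MODP-1024 proposal; a rejected proposal in the log is the first thing to compare against the template's Phase 1 and Phase 2 values. The template's `ip tcp adjust-mss 1350` has no ipsec.conf equivalent on Linux; the usual counterpart is a netfilter rule on the forwarding path such as `iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1350`, and UDP/500 plus ESP (protocol 50) must be allowed through the host firewall for the negotiation to start at all.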
