[strongSwan] Microsoft Azure Virtual Network?
John Connett
jrc at skylon.demon.co.uk
Mon Jul 30 14:37:02 CEST 2012
On Thu, 26 Jul 2012 10:15:19 +0100, John Connett <jrc at skylon.demon.co.uk> wrote:
> I am attempting to use strongSwan 4.5.3-5.4.1 on openSUSE 12.1
> (x86_64) to provide an endpoint to a Microsoft Azure Virtual Network
> using the 90-day free trial preview (https://www.windowsazure.com).
Despite a private e-mail pointing me to
http://wiki.strongswan.org/projects/strongswan/wiki/AwsVpc I have had
no success in creating a tunnel between my HomeNetwork and my
CloudSubnet via a Microsoft Azure Virtual Network.
I have almost no experience configuring VPNs and would appreciate it
if anyone with greater familiarity could point me to my, possibly
obvious, errors.
From left to right the network path is roughly as follows:
HomeNetwork 192.168.199.0/24
master.home 192.168.199.10 (strongSwan 5.0.0)
router.home 192.168.199.1 (OpenWrt 10.03.1)
VPNGatewayAddress 86.30.202.35 (skylon.dyndns.org)
GatewaySubnet 10.4.1.0/24
AzureGatewayIpAddress 168.63.60.212
CloudSubnet 10.4.2.0/24
TestNetwork 10.4.0.0/16
My router is forwarding ESP; ISAKMP (UDP 500); and IPSEC-NAT-T (UDP
4500) to the strongSwan host. I have also added a static route from
10.4.2.0/24 to that host. Copies of my unsuccessful ipsec.conf and
ipsec.secrets files are at the end of this message.
I can capture network traffic at both my router and the strongSwan
host if that will aid diagnosis.
In the following I have attempted to convert the parts of the
Microsoft generated Cisco configuration into strongSwan equivalents.
Again, if there are obvious errors please let me know.
Many thanks
--
John Connett
==== Cisco ISR 2900 - IOS 15.0 =======================================
access-list <RP_AccessList> permit ip <SP_OnPremiseNetworkIpRange> \
<SP_OnPremiseNetworkWildcardBits> <SP_AzureNetworkIpRange> \
<SP_AzureNetworkWildcardBits>
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
exit
crypto isakmp key <SP_PresharedKey> address <SP_AzureGatewayIpAddress>
==== strongSwan 5.0.0 ================================================
conn Azure
leftsubnet=<SP_OnPremiseNetworkIpRange>/<Bits>
rightsubnet=<SP_AzureNetworkIpRange>/<Bits>
keyexchange=ikev2
authby=psk
ike=aes128-sha1-modp1024!
ikelifetime=8h
======================================================================
==== Cisco ISR 2900 - IOS 15.0 =======================================
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes esp-sha-hmac
mode tunnel
exit
==== strongSwan 5.0.0 ================================================
conn Azure
esp=aes128-sha1!
======================================================================
==== Cisco ISR 2900 - IOS 15.0 =======================================
crypto map <RP_IPSecCryptoMap> 10 ipsec-isakmp
set peer <SP_AzureGatewayIpAddress>
set security-association lifetime seconds 3600
set security-association lifetime kilobytes 102400000
set transform-set <RP_IPSecTransformSet>
match address <RP_AccessList>
exit
interface <NameOfYourOutsideInterface>
no crypto map
crypto map <RP_IPSecCryptoMap>
ip tcp adjust-mss 1350
exit
==== strongSwan 5.0.0 ================================================
conn Azure
lifetime=1h
lifebytes=104857600000
==== Notes ===========================================================
What is the strongSwan equivalent of "set peer"?
======================================================================
==== /usr/local/etc/ipsec.conf =======================================
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charonstart=yes
plutostart=no
# VPN connection
conn Azure
left=192.168.199.10
leftid=86.30.202.35
leftsourceip=%config
leftsubnet=192.168.199.0/24
leftfirewall=yes
lefthostaccess=yes
right=168.63.60.212
rightsubnet=10.4.2.0/24
forceencaps=yes
keyexchange=ikev2
ike=aes128-sha1-modp1024!
ikelifetime=8h
esp=aes128-sha1!
lifetime=1h
lifebytes=104857600000
authby=psk
auto=start
======================================================================
==== /usr/local/etc/ipsec.secrets ====================================
86.30.202.35 168.63.60.212 : PSK "<secret>"
======================================================================
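As an added example (not part of John's post, and not strongSwan or Cisco code), the IOS-to-strongSwan mapping laid out above turned into a small Python converter: it reads the isakmp policy, transform-set and crypto map lines and emits the matching strongSwan conn options, including the proposal strings, the lifetime unit conversions (seconds to h/m, kilobytes to bytes) and `set peer` to `right=`, so both sides' proposals can be compared line by line before chasing a failing tunnel. The algorithm tables are an assumption covering only the names on this page; note that IOS `crypto isakmp policy` is IKEv1 syntax, so the converter emits `keyexchange=ikev1` where the post chose ikev2.

```python
# Assumed IOS -> strongSwan algorithm names; only those seen on this page.
IKE_ENC = {"aes": "aes128", "aes 256": "aes256", "3des": "3des"}
IKE_HASH = {"sha": "sha1", "sha256": "sha256", "md5": "md5"}
DH_GROUP = {"2": "modp1024", "5": "modp1536", "14": "modp2048"}
ESP_ENC = {"esp-aes": "aes128", "esp-3des": "3des"}
ESP_AUTH = {"esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}

def seconds_to_strongswan(sec):
    """Render a lifetime in seconds using strongSwan's h/m/s shorthand."""
    if sec % 3600 == 0:
        return f"{sec // 3600}h"
    return f"{sec // 60}m" if sec % 60 == 0 else f"{sec}s"

def cisco_to_strongswan(cisco_text):
    """Map IOS crypto lines to strongSwan conn options (dict of str)."""
    conn = {"keyexchange": "ikev1"}  # 'crypto isakmp policy' is IOS IKEv1
    ike = {}
    for line in cisco_text.splitlines():
        w = line.split()
        if not w:
            continue
        key, rest = w[0], " ".join(w[1:])
        if key == "authentication" and rest == "pre-share":
            conn["authby"] = "psk"
        elif key == "encryption":
            ike["enc"] = IKE_ENC[rest]
        elif key == "hash":
            ike["hash"] = IKE_HASH[rest]
        elif key == "group":
            ike["dh"] = DH_GROUP[rest]
        elif key == "lifetime":  # isakmp policy lifetime -> ikelifetime
            conn["ikelifetime"] = seconds_to_strongswan(int(rest))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            conn["esp"] = f"{ESP_ENC[w[4]]}-{ESP_AUTH[w[5]]}!"
        elif w[:2] == ["set", "peer"]:
            conn["right"] = w[2]  # the strongSwan equivalent of 'set peer'
        elif w[:3] == ["set", "security-association", "lifetime"]:
            unit, value = w[3], int(w[4])
            if unit == "seconds":
                conn["lifetime"] = seconds_to_strongswan(value)
            else:  # IOS counts kilobytes; strongSwan lifebytes is in bytes
                conn["lifebytes"] = str(value * 1024)
    if ike:
        conn["ike"] = f"{ike['enc']}-{ike['hash']}-{ike['dh']}!"
    return conn

# Constructed sample: the IOS lines from the post, with the post's peer IP.
CISCO_SAMPLE = """crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ipsec transform-set AzureTS esp-aes esp-sha-hmac
crypto map AzureMap 10 ipsec-isakmp
 set peer 168.63.60.212
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 102400000
"""
```

Running `cisco_to_strongswan(CISCO_SAMPLE)` reproduces the proposal and lifetime values John derived by hand (aes128-sha1-modp1024!, 8h, aes128-sha1!, 1h, 104857600000).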