
Recently I have been trying to build a site-to-site IPsec VPN between an Azure VPN gateway and a Meraki MX firewall. Meraki started supporting IKEv2 (27th May 2019) in their beta firmware MX 15.13, but it is not stable.

Please check https://community.meraki.com/t5/Security-SD-WAN/Azure-VPN-IKEv2-intermittent/m-p/47688#M12029 and https://community.meraki.com/t5/Security-SD-WAN/IKEv2-support-on-MX-devices/m-p/48333#M12197

The Azure policy-based VPN gateway (IKEv1) works, but it only supports one site-to-site VPN tunnel.

To work around this I created an Ubuntu server that acts as the VPN gateway, and added a user-defined route (UDR) so that traffic for the remote subnet is sent via the Ubuntu server.

A. Azure Configuration

1. Create a virtual machine. In my case I created a VM with Ubuntu 18.04 LTS with the following specification:

ipsecvpn_1.PNG

2. After creating the VM, go to VM > Networking > Network Interface and enable IP forwarding. Without it the Azure fabric drops packets that the VM forwards on behalf of other hosts (packets whose source or destination is not the NIC's own address).

ipsecvpn_2.PNG

3. In the NSG make sure UDP/500 (IKE) and UDP/4500 (NAT-T) are allowed inbound, ideally only from the Meraki MX public IP. ESP (IP protocol 50) is not needed here: the VM sits behind Azure's NAT, so ESP is UDP-encapsulated on port 4500 (the "ESP in UDP" in the status output below).

4. Create a route table with a route for 192.168.100.0/24 (the remote subnet) whose next hop type is Virtual appliance and whose next hop address is 10.0.0.9 (the Ubuntu server). Only the remote subnet should point at the VM, not a default route.

ipsecvpn_3.PNG

5. Make sure you associate the route table with the existing subnet/VNet; an unassociated route table does nothing.

ipsecvpn_4.PNG
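The same Azure-side settings (steps A.2 to A.5) as Azure CLI commands instead of portal clicks, so they can be repeated or reviewed. This is an added example and not part of the original post; the resource group, location, NIC, NSG, VNet, subnet and route table names are placeholder assumptions (override them via the environment), 203.0.113.242 is a documentation-range stand-in for the MX public IP, and the VM from step A.1 is assumed to already exist. The private IP 10.0.0.9 and the remote subnet come from the post. Set AZ=echo for a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the original post): Azure-side configuration for the
# strongSwan gateway VM. Names below are assumptions; override via environment.
set -u

AZ="${AZ:-az}"                                          # set AZ=echo for a dry run
RG="${RG:-vpn-rg}"                                      # assumed resource group
LOCATION="${LOCATION:-australiaeast}"                   # assumed location
NIC="${NIC:-vpnserver-nic}"                             # assumed NIC name of the VM
NSG="${NSG:-vpnserver-nsg}"                             # assumed NSG attached to the NIC/subnet
VNET="${VNET:-vpn-vnet}"                                # assumed VNet
SUBNET="${SUBNET:-default}"                             # assumed subnet holding the workloads
ROUTE_TABLE="${ROUTE_TABLE:-to-meraki-rt}"              # assumed route table name
GATEWAY_PRIVATE_IP="${GATEWAY_PRIVATE_IP:-10.0.0.9}"    # Ubuntu VM private IP (from the post)
REMOTE_SUBNET="${REMOTE_SUBNET:-192.168.100.0/24}"      # subnet behind the MX (from the post)
PEER_PUBLIC_IP="${PEER_PUBLIC_IP:-203.0.113.242}"       # placeholder for the MX public IP

# A.2: Azure drops forwarded packets unless IP forwarding is enabled on the NIC.
enable_ip_forwarding() {
  "$AZ" network nic update --resource-group "$RG" --name "$NIC" --ip-forwarding true
}

# A.3: allow IKE (UDP/500) and NAT-T (UDP/4500) inbound, but only from the peer;
# there is no reason for the whole Internet to be able to talk to charon.
allow_ike_from_peer() {
  "$AZ" network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name allow-ipsec-from-meraki --priority 300 --direction Inbound \
    --access Allow --protocol Udp \
    --source-address-prefixes "$PEER_PUBLIC_IP/32" \
    --destination-port-ranges 500 4500
}

# A.4: route only the remote subnet to the VM (next hop type VirtualAppliance).
create_vpn_route_table() {
  "$AZ" network route-table create --resource-group "$RG" --name "$ROUTE_TABLE" \
    --location "$LOCATION"
  "$AZ" network route-table route create --resource-group "$RG" \
    --route-table-name "$ROUTE_TABLE" --name to-meraki-lan \
    --address-prefix "$REMOTE_SUBNET" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$GATEWAY_PRIVATE_IP"
}

# A.5: the route table only takes effect once it is associated with the subnet.
associate_route_table() {
  "$AZ" network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --route-table "$ROUTE_TABLE"
}

# Apply everything only when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--apply" ]; then
  enable_ip_forwarding
  allow_ike_from_peer
  create_vpn_route_table
  associate_route_table
fi
```

Run it as `sh azure-vpn-routing.sh --apply` after `az login`; `AZ=echo sh azure-vpn-routing.sh --apply` shows the exact commands without touching the subscription. If the VM's own subnet also gets the route table, that is fine for this design: the VM encrypts traffic for 192.168.100.0/24 before routing it, so the ESP/UDP packets leave towards the MX public IP rather than looping back.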

B. Ubuntu Configuration

1. Update your package indexes and install strongSwan:

$ sudo apt update && sudo apt upgrade -y
$ sudo apt install strongswan -y

2. Set the following kernel parameters. ip_forward is what lets the VM route between the VNet and the tunnel; disabling ICMP redirects stops the gateway from telling VNet hosts to bypass it. The redirect needs root, so use tee rather than a plain shell redirect:

$ sudo tee -a /etc/sysctl.conf > /dev/null << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
$ sudo sysctl -p /etc/sysctl.conf

3. Edit the global configuration file with this command:

$ sudo vi /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

config setup
        # "all" is very verbose and logs everything charon does; drop it to
        # something like "ike 1, knl 1, cfg 1" once the tunnel is stable
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

conn %default
        ikelifetime=1440m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev1
        authby=secret
        # dead peer detection: re-initiate if the MX stops answering
        dpdaction=restart
        dpddelay=30

conn doublebay
        left=%defaultroute
        leftsubnet=10.0.0.0/16
        # Azure VM public IP. The VM itself only has 10.0.0.9; Azure NATs it,
        # so the ID must be the public address the MX sees
        leftid=20.xxx.xxx.28
        leftfirewall=yes
        # remote Meraki MX public IP
        right=203.xxx.xxx.242
        rightsubnet=192.168.100.0/24
        rightid=203.xxx.xxx.242
        # "add" only loads the connection; change to "start" if the Azure side
        # should bring the tunnel up by itself after a reboot instead of
        # waiting for "ipsec up" or for the MX to initiate
        auto=add
        # must match the MX phase 1 / phase 2 policies. modp1024 (DH group 2)
        # is the weak part of this set; prefer modp2048 (group 14) if the MX
        # policy offers it. keyexchange=ikev1 is inherited from %default
        ike=aes256-sha1-modp1024
        esp=aes256-sha1

4. Set the IPsec pre-shared key. Use a long random value (for example from openssl rand -base64 32) and make sure the file is readable by root only:

$ sudo vi /etc/ipsec.secrets
# VMPublicIP   MXPublicIP
20.xxx.xxx.28 203.xxx.xxx.242 : PSK "YourPreSharedKey!"

5. Set the service to start on boot:

$ sudo systemctl enable strongswan

6. Restart strongSwan so it loads the new configuration:

$ sudo ipsec restart

7. Bring up the tunnel:

$ sudo ipsec up doublebay

8. Check the status of the tunnel. You should see the IKE SA as ESTABLISHED, the CHILD SA as INSTALLED in TUNNEL mode, and the expected traffic selectors:

$ sudo ipsec status
Security Associations (3 up, 0 connecting):
   doublebay[31]: ESTABLISHED 21 minutes ago, 10.0.0.9[20.xxx.xxx.28]...203.xxx.xxx.242[203.xxx.xxx.242]
   doublebay{19}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c063a2cd_i c826258f_o
   doublebay{19}:   10.0.0.0/16 === 192.168.100.0/24
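With auto=add the tunnel is loaded but not re-initiated after a reboot, and DPD only restarts a tunnel that was already up, so it is worth running a small watchdog from cron. The script below is an added example, not part of the original post: it parses the ipsec status output for the doublebay connection, distinguishes "IKE up but no CHILD SA" (a phase 2 proposal or subnet mismatch with the MX, which ipsec up will not fix) from "down" (which it does fix by re-initiating), and checks that the traffic selectors are the expected ones and that ESP is UDP-encapsulated as it should be behind Azure NAT. The connection name and selectors come from the post; the two sample outputs are constructed from the status shown above, and the log tag and the idea of running it from cron are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): health check / watchdog for the
# strongSwan "doublebay" connection. Run as root, e.g. every minute from cron:
#   * * * * * /usr/local/sbin/ipsec-watchdog.sh --run
set -u

CONN="${CONN:-doublebay}"
EXPECTED_TS="${EXPECTED_TS:-10.0.0.0/16 === 192.168.100.0/24}"

# Constructed sample of `ipsec status doublebay` in the healthy state, modelled
# on the output in the post (addresses masked as there).
SAMPLE_UP='Security Associations (1 up, 0 connecting):
   doublebay[31]: ESTABLISHED 21 minutes ago, 10.0.0.9[20.xxx.xxx.28]...203.xxx.xxx.242[203.xxx.xxx.242]
   doublebay{19}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c063a2cd_i c826258f_o
   doublebay{19}:   10.0.0.0/16 === 192.168.100.0/24'

# Constructed sample: IKE SA exists but no CHILD SA was installed, which is what
# a phase 2 proposal or subnet mismatch with the MX looks like.
SAMPLE_IKE_ONLY='Security Associations (1 up, 0 connecting):
   doublebay[32]: ESTABLISHED 5 seconds ago, 10.0.0.9[20.xxx.xxx.28]...203.xxx.xxx.242[203.xxx.xxx.242]'

# tunnel_state STATUS_TEXT -> prints up | ike-only | wrong-selectors | down and
# returns 0 only for "up". CONN is interpolated into a regex, so keep the
# connection name to letters, digits, '-' and '_'.
tunnel_state() {
  status="$1"
  if ! printf '%s\n' "$status" | grep -q "^ *${CONN}\[[0-9]*\]: ESTABLISHED"; then
    echo down; return 1
  fi
  if ! printf '%s\n' "$status" | grep -q "^ *${CONN}{[0-9]*}: *INSTALLED, TUNNEL"; then
    echo ike-only; return 2
  fi
  if ! printf '%s\n' "$status" | grep -qF "$EXPECTED_TS"; then
    echo wrong-selectors; return 3
  fi
  echo up; return 0
}

# nat_t_in_use STATUS_TEXT -> 0 when ESP is UDP-encapsulated (NAT-T). Behind
# Azure's NAT that is the expected state; plain ESP would mean the NAT was not
# detected and traffic will most likely be dropped somewhere on the path.
nat_t_in_use() {
  printf '%s\n' "$1" | grep -q 'ESP in UDP SPIs'
}

# Live check. Only the "down" state is repaired automatically; the other
# failure states need a configuration change on one side, so retrying would
# just generate noise and log lines.
check_and_repair() {
  status="$(ipsec status "$CONN" 2>&1)"
  state="$(tunnel_state "$status")" || true
  case "$state" in
    up)
      nat_t_in_use "$status" || logger -t ipsec-watchdog "$CONN is up but not using NAT-T; check the UDP/4500 path"
      ;;
    down)
      logger -t ipsec-watchdog "$CONN is down; initiating"
      ipsec up "$CONN"
      ;;
    *)
      logger -t ipsec-watchdog "$CONN in state '$state'; not retrying, compare proposals and subnets with the MX"
      ;;
  esac
}

if [ "${1:-}" = "--run" ]; then
  check_and_repair
fi
```

Because the parsing is separated from the live `ipsec status` call, the same functions can be pointed at a pasted status dump when debugging a tunnel that only fails on the remote side.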


C. Meraki Configuration

1. Set up a non-Meraki VPN peer

ipsecvpn_5.PNG

2. I am using the following IPsec policies

ipsecvpn_6.PNG