Connecting NG Firewall To Azure VPN Gateway via IPsec IKEv2
Overview
You can connect your NG Firewall networks to your Microsoft Azure networks using IPsec VPN tunnels. This is possible using either the Azure VPN Gateway or the NG Firewall for Azure public cloud. This article describes configuring an IPsec tunnel using IKEv2 between NG Firewall and the Azure VPN Gateway.
Azure VPN Gateway Configuration
Create a Virtual Network Gateway
In your Azure Management Portal, create a resource of type Virtual Network Gateway. This resource represents the Azure side of the VPN tunnel.
Configure the following essential parameters:
Gateway type: VPN
VPN type: Route-based
Virtual network: Select an existing network or create one
Gateway subnet address range: Select the subnet in your Azure virtual network that you want to participate in the VPN tunnel.
Public IP address: Select an existing public IP address or create one. This IP address is the Azure endpoint of the VPN tunnel.
Create a local network gateway
In your Azure Management Portal, create a resource of type Local Network Gateway. This resource represents the NG Firewall side of the VPN tunnel.
Configure the following essential parameters:
Name: A name to help you identify the tunnel endpoint.
IP address: The Internet IP address of your NG Firewall gateway.
Address space: The local subnet behind your NG Firewall that you want to participate in the VPN tunnel.
Add a connection
A connection sets up the tunnel with your remote Untangle NG Firewall. In the virtual network gateway settings, go to Connections and add a connection.
Configure the following essential parameters:
Name: The name of your tunnel.
Connection type: Site-to-site (IPsec)
Virtual network gateway: Select the Virtual network gateway you created in the first step.
Local network gateway: Select the Local network gateway you created in the previous step.
Shared key (PSK): Enter a pre-shared key. The same value must be entered on the remote IPsec gateway.
IKE Protocol: IKEv2
NG Firewall IPsec Configuration
Add an IPsec Tunnel
Log in to your NG Firewall gateway. In the IPsec Tunnels tab, click add to configure a tunnel with your Azure VPN Gateway.
Configure the following essential parameters:
Connection Type: Tunnel
IKE Version: IKEv2
Connect Mode: Always Connected
Interface: Your external interface
Remote Host: The Internet IP address of your Azure VPN Gateway
Local Identifier: The Internet IP address of your NG Firewall host
Remote Identifier: The Internet IP address of your Azure VPN Gateway
Full Tunnel Mode Negotiation: disabled (unless the Azure device is to process all traffic from NG Firewall)
Local Source IP Address: leave blank
Local Network: The local subnets you want to add to the VPN tunnel
Remote Source IP Address: leave blank
Remote Network: The remote subnets in your Azure virtual network that you want to add to the VPN tunnel
Shared Secret: The shared key value you entered into the Azure VPN Connection.
Verify the Connection
After you configure the tunnel on both gateways you can view the connection status. If the tunnels connect, the status shows Connected (Azure) or Active (NG Firewall). If the local network configuration is correct, you can ping between hosts on the internal networks.
Note: Ensure that your Azure Network security groups do not prevent access from the remote networks behind your NG Firewall.
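If the tunnel does not come up, compare the values entered on each side. The following script is an added example, not part of the original article or of either product: it checks that the Azure and NG Firewall settings listed above mirror each other. The dictionary keys are hypothetical names for the fields in this article, the addresses and key are constructed sample values, and it assumes the Azure Address space is expected to equal the NG Firewall Local Network exactly.

```python
import hmac
from ipaddress import ip_address, ip_network

# Constructed sample values (documentation address ranges); all dictionary
# keys are hypothetical names for the fields listed in this article.
AZURE = {
    "public_ip": "203.0.113.10",           # Virtual network gateway public IP
    "vnet_prefixes": ["10.1.0.0/16"],      # Azure virtual network
    "local_gateway_ip": "198.51.100.20",   # Local network gateway: IP address
    "address_space": ["192.168.10.0/24"],  # Local network gateway: Address space
    "shared_key": "example-psk-not-for-use",
    "ike_protocol": "IKEv2",
}
NGFW = {
    "remote_host": "203.0.113.10",
    "local_identifier": "198.51.100.20",
    "remote_identifier": "203.0.113.10",
    "local_network": ["192.168.10.0/24"],
    "remote_network": ["10.1.0.0/24"],
    "shared_secret": "example-psk-not-for-use",
    "ike_version": "IKEv2",
}

def check_tunnel(azure, ngfw):
    """Return a list of mismatches between the two gateway configurations."""
    problems = []
    az_ip = ip_address(azure["public_ip"])
    if ip_address(ngfw["remote_host"]) != az_ip or ip_address(ngfw["remote_identifier"]) != az_ip:
        problems.append("Remote Host/Remote Identifier must be the Azure gateway public IP")
    if ip_address(azure["local_gateway_ip"]) != ip_address(ngfw["local_identifier"]):
        problems.append("Local network gateway IP must match the NG Firewall Local Identifier")
    if azure["ike_protocol"] != "IKEv2" or ngfw["ike_version"] != "IKEv2":
        problems.append("both sides must be set to IKEv2")
    if not hmac.compare_digest(azure["shared_key"].encode(), ngfw["shared_secret"].encode()):
        problems.append("shared key differs between the two sides")
    # Networks must mirror: Azure 'Address space' == NG Firewall 'Local Network'.
    fw_local = {ip_network(n) for n in ngfw["local_network"]}
    if {ip_network(n) for n in azure["address_space"]} != fw_local:
        problems.append("Azure Address space does not equal NG Firewall Local Network")
    vnet = [ip_network(n) for n in azure["vnet_prefixes"]]
    for remote in (ip_network(n) for n in ngfw["remote_network"]):
        if not any(remote.subnet_of(v) for v in vnet):
            problems.append(f"Remote Network {remote} is outside the Azure virtual network")
        if any(remote.overlaps(local) for local in fw_local):
            problems.append(f"Remote Network {remote} overlaps a Local Network")
    return problems

if __name__ == "__main__":
    for line in check_tunnel(AZURE, NGFW) or ["configurations mirror each other"]:
        print(line)
```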