No-Look VPN Configuration with Azure Pack :D

Hello All

After a very long search on Google, we found only Azure VPN configuration guides; there is no example or good explanation of how you can do it with Azure Pack.
DorukNET is a COSN provider, and we are preparing to offer Azure Pack in Turkey, so we wanted to clarify the VPN configuration with our Fortigate expert Salih😛

Before we start, let me explain the VPN properties from an ISP's point of view:

  • First, you ask for the peer IP address
  • Second, you ask for the Phase 1 configuration properties: IKE version, encryption, key lifetime and key
  • Third, you ask for the Phase 2 configuration properties: encryption, key lifetime, and the remote and local networks whose traffic you will encrypt
  • You also talk about other things such as dead peer detection (DPD)
  • Policy and service considerations are also important; mostly we do not allow any-to-any communication

When you log in as a customer to the WAP Service Management Portal, you cannot see every property you need to establish the VPN; most things are preconfigured, and from the customer's point of view there is no way to see them. They are also a little hard to discover from the administrator's point of view, but in the end we succeeded.

This article is about establishing a VPN between Fortinet and the Microsoft NVGRE GW.

Fortigate FW Version : 5.0.patch5
DorukNET WAP Customer Site Network
Provider-SiteAzure : 10.0.0.0/24
NVGRE GW Peer IP Address : xxx.yyy.zzz.50
Customer OnPremise Site Network
LocalSite-OnPremise: xxx.102.yyy.240/28
Customer Peer IP Address :
Note that the WAP-site NVGRE GW peer IP is not available before you create a new site-to-site setup.

Let's create it.
Log in to the WAP Service Management Portal, go to Networks, double-click your already created network and click Create VPN.

Set your remote site's VPN device IP address; here we set our Fortigate FW's outside IP address and the pre-shared key.
As the address space, you have to set the remote site's IP address block with which you would like to communicate encrypted.
Important note: the WAP GUI does not allow you to enter a single IP address as the remote.
On the next two screens, WAP allows you to set limits for the VPN configuration; enter them if you need to. We did not test whether they work or not :)
Then it is action time: WAP sends the request to VMM to create the VPN configuration on the NVGRE GW.


Succeeded

If you are the provider, check on the VMM side to confirm.

Now you will start to understand why we described the article's subject as No-Look!
The customer cannot see anything more than that the VPN configuration is Enabled! There is no knowledge about the Phase 1 and Phase 2 configuration. Here is what the provider needs to do: document everything well and, if the provider has some boundaries, somehow automate the configuration.
For example, after the VPN configuration is enabled, we can see the following properties for the VPN:

You can see that Microsoft configures each pre-shared key as a Run As account.

From the WAP GUI there is no way to set a certificate as the auth method. Actually, I do not need it, so no need to push Microsoft here😀

The Routes section is easy: it is the remote network.
Click the Advanced section and you will see the configuration of the VPN, but you have to work out which settings are Phase 1 and which are Phase 2. Very good, lovely.
We found a pptx file after almost 50-100 searches on Google. I know you think maybe I am searching with the wrong keywords; I accept that😀
This slide does not actually match the defaults, but it helped us a lot. The funny thing is that you can see there is no timeout for the key life values for Phase 2. We also discovered the Phase 1 key life from this slide; you can also find it with the PowerShell “Get-VpnS2SInterface” command.
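
One way to read those values on the gateway and label them by phase, as an added example that is not from the original post. The function name `Get-S2SPhaseSummary` is hypothetical, and the Phase 1/Phase 2 grouping assumes the property names exposed by `Get-VpnS2SInterface` in the Windows Server 2012 R2 RemoteAccess module; a property your build lacks comes back empty.

```powershell
# Added example: run in an elevated PowerShell session on the NVGRE gateway VM.
# Get-VpnS2SInterface ships with the RemoteAccess (RRAS) module.
Import-Module RemoteAccess

function Get-S2SPhaseSummary {
    param(
        # Optional tenant routing domain; omit to query without that filter.
        [string]$RoutingDomain
    )

    $ifaces = if ($RoutingDomain) {
        Get-VpnS2SInterface -RoutingDomain $RoutingDomain
    } else {
        Get-VpnS2SInterface
    }

    foreach ($i in $ifaces) {
        [pscustomobject]@{
            Interface         = $i.Name
            PeerAddress       = ($i.Destination -join ', ')
            Protocol          = $i.Protocol
            AuthMethod        = $i.AuthenticationMethod

            # Phase 1 (IKE main mode) proposal
            P1_Encryption     = $i.EncryptionMethod
            P1_Integrity      = $i.IntegrityCheckMethod
            P1_DHGroup        = $i.DHGroup
            P1_LifetimeSec    = $i.MMSALifeTimeSeconds

            # Phase 2 (IPsec quick mode / ESP) proposal
            P2_Cipher         = $i.CipherTransformConstants
            P2_Authentication = $i.AuthenticationTransformConstants
            P2_PfsGroup       = $i.PfsGroup
            P2_LifetimeSec    = $i.SALifeTimeSeconds
            P2_LifetimeKB     = $i.SADataSizeForRenegotiationKilobytes

            IdleDisconnectSec = $i.IdleDisconnectSeconds
        }
    }
}

# One block per tunnel, ready to hand to whoever configures the remote peer.
Get-S2SPhaseSummary | Format-List
```

The output can be given to the customer as the documented Phase 1 and Phase 2 settings that the portal does not show, so the remote firewall is configured to match instead of guessed at.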


We used the related configuration on our side.


Now the easy part: go to the Forti, where traditionally we know how to configure everything😀

Phase 2
Rule for Forti
Monitor VPN Connectivity


Ping it or Remote it
Hope this article helps everyone.
VM

Posted on 09/06/2014, in NVGRE GW, Uncategorized, VPN.
