How to connect multiple On-Premise sites to Azure and connect Virtual Networks?

Question

I would like to be able to setup multiple Azure Virtual Networks, connect them together and also allow multiple On-Premises VPN routers to connect in to those Virtual Networks. Below is how I plan on setting up the networks.

Datacenter Virtual Network: 172.16.250.0/24 address space 172.16.250.0/25 subnet-1 172.16.250.128/29 gateway -> Point-to-Site Connectivity: 10.0.253.0/24 -> Site-to-Site Connectivity: Datacenter Local Network: 10.0.250.0/24

Headquarters Virtual Network: 172.16.0.0/24 address space 172.16.0.0/25 subnet-1 172.16.0.128/29 gateway -> Site-to-Site Connectivity: Headquarters Local Network: 10.0.0.0/24

Region1 Virtual Network: 172.16.1.0/24 address space 172.16.1.0/25 subnet-1 172.16.1.128/29 gateway -> Site-to-Site Connectivity: Region1 Local Network: 10.0.1.0/24

So with this I want the Datacenter, Headquarters and Regional Virtual Networks to be connected. I then need for on-premise VPN routers to connect to the Headquarters and Regional Virtual Networks. How can I 1) get the VN's to talk to each other and 2) I have Cisco 881 routers and I'm using the following configs from Azure.

! Microsoft Corporation
! Windows Azure Virtual Network

! This configuration template applies to Cisco ISR 2900 Series Integrated Services Routers running IOS 15.1.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

! ---------------------------------------------------------------------------------------------------------------------
! ACL rules
! 
! Proper ACL rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
access-list 101 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255

! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
! 
! This section specifies the authentication, encryption, hashing, and Diffie-Hellman group parameters for the Phase
! 1 negotiation and the main mode security association. 
crypto ikev2 proposal azure-proposal
  encryption aes-cbc-256 aes-cbc-128 3des
  integrity sha1
  group 2
  exit

crypto ikev2 policy azure-policy
  proposal azure-proposal
  exit

crypto ikev2 keyring azure-keyring
  peer 104.215.95.202
    address 104.215.95.202
    pre-shared-key 
    exit
  exit

crypto ikev2 profile azure-profile
  match address local interface 
  match identity remote address 104.215.95.202 255.255.255.255
  authentication remote pre-share
  authentication local pre-share
  keyring azure-keyring
  exit

! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
! 
! This section specifies encryption, authentication, tunnel mode properties for the Phase 2 negotiation
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
 mode tunnel
 exit

! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto profile that binds the cross-premise network traffic to the IPSec transform
! set and remote peer.  We also bind the IPSec policy to the virtual tunnel interface, through which 
! cross-premise traffic will be transmitted.  We have picked an arbitrary tunnel id "1" as an example. If
! that happens to conflict with an existing virtual tunnel interface, you may choose to use a different id.
crypto ipsec profile vti
  set transform-set azure-ipsec-proposal-set
  set ikev2-profile azure-profile
  exit

int tunnel 1
  ip address 169.254.0.1 255.255.255.0
  ip tcp adjust-mss 1350
  tunnel source 
  tunnel mode ipsec ipv4
  tunnel destination 104.215.95.202
  tunnel protection ipsec profile vti
  exit

ip route 172.16.0.0 255.255.255.0 tunnel 1

Are there any configurations that need to be added or removed from this template to get the On-Premises VPN working?

Thanks for your help!

Answer 1

How can I get the VN's to talk to each other

You will need to create VNet-to-VNet VPN tunnels, this can be done by doing the following:

1. In the Azure portal, create all the VNets you want, add the subnets to the VNets and the corresponding local networks in your LAN.
2. Create Gateways for the VNets using Dynamic Routing VPN, Static Routing VPN will not work.
3. Connect the VPN gateways to each other first, and then connect you LAN to ease the troubleshooting process if needed.

This is all very well documented here: Configure a VNet-to-VNet connection in the Azure Portal and here too VNet-to-VNet: Connecting Virtual Networks in Azure across Different Regions

Are there any configurations that need to be added or removed from this template to get the On-Premises VPN working?

You're in luck, you're device is supported with the Azure site-to-site VPN using dynamic routing, to insure that you can successfully connect your LAN to Azure, I would recommend going over the details in this page: About VPN devices for site-to-site virtual network connections

Unfortunately, I'm not an expert when it comes to Cisco routers, I will be unable to review the configuration you posted, but I can help you by providing the general guidelines to connect Azure to you VPN device:

1. Once you setup the VNets using the steps above, Azure will be smart enough to create a script that you can download and use to setup your local VPN device.
2. Read the manuals of you creating a VPN Dynamic tunnel from Cisco: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46242-lan-to-lan-vpn-client.html
3. Take a look at the Azure VPN samples for Cisco: https://msdn.microsoft.com/library/azure/dn133800.aspx?f=255&MSPPError=-2147217396#BKMK_ISRDynamic

I hope those are enough to help you, if not, I'm sure someone else with more experience in Cisco will be able to help you figure this out.

Answer 2

Okay, so I've made some progress. I've gotten my on-premises equipment to connect up to Azure, I also have my virtual networks in Azure connecting to each other, but if I put a VM in one VNet and another in a different VNet I can not ping across the VNets. Also I can't ping anything in the Azure VNets from the on-premises device.

So here's how it's all currently setup.

Virtual Networks
VNet-DataCenter: 172.16.250.0/24

• Local Networks: LNet-to-Headquarters (10.0.0.0/24), LNet-to-Region1 (10.0.1.0/24)

VNet-Headquarters: 172.16.0.0/24

• Local Networks: LNet-Headquarters (10.0.0.0/24), LNet-int-Headquarters (10.0.250.0/24, 10.0.1.0/24)

VNet-Region1: 172.16.1.0/24

• Local Networks: LNet-Region1 (10.0.1.0/24), LNet-int-Region1 (10.0.250.0/24, 10.0.0.0/24)

I have a VM in VNet-Headquarters and one in VNet-DataCenter, but I can't ping either machine.

I used the following article as a reference. How to configure routing between Azure virtual networks?

Any help is appreciated!

Answer 3

Okay, I've rebuilt the entire network and again placed two VMs within two of the VNs, but still they can't ping anything, not even their local gateways. So here's the setup.

I have three VNs created:

• VNet 1 - 10.0.250.0/24
• VNet 2 - 10.0.0.0/24
• VNet 3 - 10.0.1.0/24

I have four LNs created:

• LNet 1 - 10.0.0.0/24
• LNet 2 - 10.0.1.0/24
• LNet 3 - 10.0.250.0/24, 10.0.1.0/24
• LNet 4 - 10.0.250.0/24, 10.0.0.0/24

VNet 1 has two LNs attached to it, LNet 1 and LNet 2
VNet 2 has one LN attached to it, LNet 3
VNet 3 has one LN attached to it, LNet 4

VNet 1 has a VM in it with the IP 10.0.250.4.
VNet 2 has a VM in it with the IP 10.0.0.4.

I can not ping either VM from the other VM, so 10.0.0.4 can not ping 10.0.250.4 and visa versa.

Thanks!!

Answer 4

Pinging VMs in Azure is blocked at the Windows Firewall level, ensure you turn off the firewall on each VM during testing, once successful you can configure them to allow ICMP. Alternatively, check for connectivity using RDP instead (assuming it is enabled)