I would like to be able to setup multiple Azure Virtual Networks, connect them together and also allow multiple On-Premises VPN routers to connect in to those Virtual Networks. Below is how I plan on setting up the networks.
Datacenter Virtual Network: 172.16.250.0/24 address space
  172.16.250.0/25 subnet-1
  172.16.250.128/29 gateway
  -> Point-to-Site Connectivity: 10.0.253.0/24
  -> Site-to-Site Connectivity: Datacenter Local Network: 10.0.250.0/24

Headquarters Virtual Network: 172.16.0.0/24 address space
  172.16.0.0/25 subnet-1
  172.16.0.128/29 gateway
  -> Site-to-Site Connectivity: Headquarters Local Network: 10.0.0.0/24

Region1 Virtual Network: 172.16.1.0/24 address space
  172.16.1.0/25 subnet-1
  172.16.1.128/29 gateway
  -> Site-to-Site Connectivity: Region1 Local Network: 10.0.1.0/24
So with this I want the Datacenter, Headquarters and Regional Virtual Networks to be connected. I then need the on-premises VPN routers to connect to the Headquarters and Regional Virtual Networks. How can I 1) get the VNs to talk to each other and 2) connect the on-premises routers? I have Cisco 881 routers and I'm using the following config from Azure.
! Microsoft Corporation
! Windows Azure Virtual Network
! This configuration template applies to Cisco ISR 2900 Series Integrated Services Routers running IOS 15.1.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.
! ---------------------------------------------------------------------------------------------------------------------
! ACL rules
!
! Proper ACL rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
! This single entry only matches the Headquarters local network <-> Headquarters VNet pair;
! every additional prefix pair the tunnel should carry needs its own permit line.
access-list 101 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, and Diffie-Hellman group parameters for the Phase
! 1 negotiation and the main mode security association.
crypto ikev2 proposal azure-proposal
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha1
group 2
! 3DES, SHA-1 and DH group 2 are legacy algorithms offered by the template for compatibility;
! they can be dropped from the proposal if the Azure gateway negotiates the stronger options.
exit
crypto ikev2 policy azure-policy
proposal azure-proposal
exit
crypto ikev2 keyring azure-keyring
peer 104.215.95.202
address 104.215.95.202
pre-shared-key
exit
exit
crypto ikev2 profile azure-profile
match address local interface
match identity remote address 104.215.95.202 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring azure-keyring
exit
! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, tunnel mode properties for the Phase 2 negotiation
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
mode tunnel
exit
! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto profile that binds the cross-premise network traffic to the IPSec transform
! set and remote peer. We also bind the IPSec policy to the virtual tunnel interface, through which
! cross-premise traffic will be transmitted. We have picked an arbitrary tunnel id "1" as an example. If
! that happens to conflict with an existing virtual tunnel interface, you may choose to use a different id.
crypto ipsec profile vti
set transform-set azure-ipsec-proposal-set
set ikev2-profile azure-profile
exit
int tunnel 1
ip address 169.254.0.1 255.255.255.0
ip tcp adjust-mss 1350
tunnel source
tunnel mode ipsec ipv4
tunnel destination 104.215.95.202
tunnel protection ipsec profile vti
exit
ip route 172.16.0.0 255.255.255.0 tunnel 1
Are there any configurations that need to be added or removed from this template to get the On-Premises VPN working?
Thanks for your help!
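An added check for the address plan above (example code written for this page, not from the question or from Azure's template): it verifies that each subnet lies inside its VNet address space, that no VNet, on-premises local network or point-to-site pool overlaps another, and then generates the per-site crypto ACL lines and static routes in the same format the template uses. It assumes each site's tunnel should carry traffic to all three VNet address spaces; whether those prefixes actually transit the VNet-to-VNet link, and the matching Local Network definition on the Azure side, still have to be configured separately.

```python
from ipaddress import ip_network

# Address plan transcribed from the question; constructed data for this example.
VNETS = {  # name: (address space, [subnets])
    "Datacenter":   ("172.16.250.0/24", ["172.16.250.0/25", "172.16.250.128/29"]),
    "Headquarters": ("172.16.0.0/24",   ["172.16.0.0/25",   "172.16.0.128/29"]),
    "Region1":      ("172.16.1.0/24",   ["172.16.1.0/25",   "172.16.1.128/29"]),
}
LOCAL_NETS = {"Datacenter": "10.0.250.0/24", "Headquarters": "10.0.0.0/24", "Region1": "10.0.1.0/24"}
P2S_POOL = "10.0.253.0/24"

def check_plan(vnets=VNETS, local_nets=LOCAL_NETS, p2s_pool=P2S_POOL):
    """Return problems found: a subnet outside its VNet address space, or any two prefixes
    (VNet spaces, on-prem local networks, P2S pool) that overlap. Empty list means clean."""
    problems, prefixes = [], {}
    for name, (space, subnets) in vnets.items():
        space_net = ip_network(space)
        for s in subnets:
            if not ip_network(s).subnet_of(space_net):
                problems.append(f"{name}: subnet {s} lies outside address space {space}")
        prefixes[f"VNet {name}"] = space_net
    for name, net in local_nets.items():
        prefixes[f"local network {name}"] = ip_network(net)
    prefixes["P2S pool"] = ip_network(p2s_pool)
    items = list(prefixes.items())
    for i, (a, na) in enumerate(items):
        for b, nb in items[i + 1:]:
            if na.overlaps(nb):  # overlapping prefixes cannot be routed unambiguously over the tunnels
                problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems

def _wildcard(net):
    # IOS ACLs take network plus inverted (wildcard) mask, e.g. "10.0.0.0 0.0.0.255"
    return f"{net.network_address} {net.hostmask}"

def crypto_acl(site, acl_number=101, vnets=VNETS, local_nets=LOCAL_NETS):
    """Crypto ACL for one on-prem site. The template permits only the site's own VNet; traffic
    for the other VNets must be permitted here as well or it is never sent into the tunnel."""
    local = ip_network(local_nets[site])
    return [f"access-list {acl_number} permit ip {_wildcard(local)} {_wildcard(ip_network(space))}"
            for space, _ in vnets.values()]

def static_routes(tunnel_id=1, vnets=VNETS):
    """One static route per VNet address space pointing into the tunnel interface."""
    return [f"ip route {n.network_address} {n.netmask} tunnel {tunnel_id}"
            for n in (ip_network(space) for space, _ in vnets.values())]

if __name__ == "__main__":
    print("\n".join(check_plan() or ["address plan OK"]))
    print("\n".join(crypto_acl("Headquarters") + static_routes()))
```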