Configure a Site to Site Route Based (Tunnel Interface) VPN between SonicWall and Windows Azure

Description

This article covers how to configure a site to site route based (tunnel interface) VPN between SonicWall and Windows Azure.
Windows Azure is a cloud computing platform and infrastructure, created by Microsoft, for building, deploying and managing applications and services through a global network of Microsoft-managed data centers. Among other things, Windows Azure provides site to site VPN connectivity between on-premises networks and virtual networks hosted in the cloud. Windows Azure supports Dynamic Routing (route-based) and Static Routing (policy-based) site to site VPN. For authentication, only Pre-shared Key (PSK) is currently supported; certificate based site to site VPN is not yet supported.
This article describes how to configure a Tunnel Interface VPN (referred in the Windows Azure Management Portal as dynamic-routing VPN) between SonicWall and Windows Azure.

Resolution

Configuration Task list

Windows Azure configuration

1. Create Virtual Network

Log in to the Windows Azure Management Portal.
Navigate to the Networks page.
In the bottom left-hand corner of the screen, click New.


In the navigation pane, click Networks, and then click Virtual Network. Click Custom Create to begin the configuration wizard.


On the Virtual Network Details page, enter the following information, and then click the next arrow on the lower right.

Name - Name your virtual network.
Affinity Group - Select an affinity group from the drop-down if you already created one, or create a new one.
Region - Select a region. This option only appears if you create a new affinity group.
Affinity Group Name - Name the new affinity group. This option only appears if you create a new affinity group.


2. Configure SonicWall Network

On the DNS Servers and VPN Connectivity page, enable check box Configure site-to-site VPN.
For the purpose of this article we skip entering the DNS server name or the IP address.

Under LOCAL NETWORK, either select a network (if it has been created already) or select Specify a New Local Network. Local network here means the network behind SonicWall.
Click on the right arrow to proceed to the next page.


On the Site-To-Site Connectivity page, enter the following information and then click the next arrow.

Name - The name you want to call your local network site. Local network here stands for the network behind SonicWall.
VPN Device IP Address - This is the WAN IPv4 address of the SonicWall. SonicWall cannot be located behind a NAT device.
Address Space, including Starting IP and CIDR (Address Count) - This is the internal network behind the SonicWall.
Add address space - These are for additional networks behind SonicWall.
Click on the right arrow to proceed to the next page.


3. Configure Virtual Network Address

On the Virtual Network Address Spaces page, enter the virtual network in the cloud and then click the checkmark on the lower right to configure your network. Address space must be a private address range, specified in CIDR notation 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 (as specified by RFC 1918).

ADDRESS SPACE: Enter the network ID (a private address range) under STARTING IP and click CIDR in the upper right corner to select the prefix length (subnet bits).
add subnet: You could further subnet the Address Space entered above. We skip this step for this article.
add gateway subnet: This will be automatically populated based on the address space entered above.
Microsoft runs a gateway service to enable cross-premises connectivity. To this end, it requires 2 IP addresses from the virtual network to enable routing between the physical premises and the cloud. At least a /29 subnet must be specified from which these IP addresses can be picked for setting up routes.
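The three address spaces entered so far (the local network site behind the SonicWall, the virtual network in the cloud, and the gateway subnet carved out of it) have to be consistent with each other, or the static route and access rules added later will be ambiguous. The following pre-flight check is an added example, not SonicWall's or Microsoft's code: it verifies that the virtual network is an RFC 1918 range, that the gateway subnet lies inside the virtual network and is at least a /29, and that no on-premises address space overlaps the virtual network or another on-premises space. The sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges the article requires for the virtual network address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_cidr(label, cidr):
    """Parse a wizard entry (starting IP + CIDR) as an IPv4 network.

    Returns (network, None) on success or (None, problem) on failure. A starting
    IP with host bits set, e.g. 192.168.1.5/24, is reported rather than masked."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return None, f"{label} {cidr!r}: {exc}"
    if net.version != 4:
        return None, f"{label} {net} is not IPv4"
    return net, None


def is_rfc1918(net):
    """True if the IPv4 network lies entirely within one RFC 1918 range."""
    return any(net.subnet_of(r) for r in RFC1918)


def check_plan(local_spaces, vnet_space, gateway_subnet):
    """Return a list of problems with the planned address spaces (empty == OK).

    local_spaces   - address spaces of the local network site (behind SonicWall)
    vnet_space     - the virtual network address space in Azure
    gateway_subnet - the gateway subnet carved out of the virtual network
    """
    problems = []
    vnet, err = parse_cidr("virtual network", vnet_space)
    if err:
        return [err]                      # nothing else can be checked without it
    gw, err = parse_cidr("gateway subnet", gateway_subnet)
    if err:
        problems.append(err)
    locals_ = []
    for space in local_spaces:
        net, err = parse_cidr("local network", space)
        if err:
            problems.append(err)
        else:
            locals_.append(net)

    if not is_rfc1918(vnet):
        problems.append(f"virtual network {vnet} is not an RFC 1918 range")
    if gw is not None:
        # The gateway subnet must come out of the virtual network and be >= /29.
        if not gw.subnet_of(vnet):
            problems.append(f"gateway subnet {gw} is not inside virtual network {vnet}")
        if gw.prefixlen > 29:
            problems.append(f"gateway subnet {gw} is smaller than /29")
    # An on-premises space that overlaps the cloud space makes the SonicWall
    # static route and the Azure local network site ambiguous.
    for loc in locals_:
        if loc.overlaps(vnet):
            problems.append(f"local network {loc} overlaps virtual network {vnet}")
    for i, a in enumerate(locals_):
        for b in locals_[i + 1:]:
            if a.overlaps(b):
                problems.append(f"local networks {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: one subnet behind the SonicWall, a /16 in Azure,
    # and a /29 gateway subnet at the top of that /16.
    result = check_plan(["192.168.1.0/24"], "10.1.0.0/16", "10.1.255.248/29")
    for line in result or ["plan OK"]:
        print(line)
```

Run it with the address spaces you intend to type into the wizards before creating the network; the portal validates each field on its own, but not the relationship between the local site and the virtual network, which is where most routing problems come from.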


After clicking the check mark, Azure will begin creating your virtual network. When your virtual network has been created, you will see Created listed under Status on the Networks page in the Management Portal.


View Configuration

We have created a virtual network in the cloud and specified the remote network (SonicWall network). To view the configuration, under the NAME column, click on the name of the virtual network (in this case MyCloud) to open the dashboard. Click on CONFIGURE at the top to view the following information:



4. Create Virtual Network Gateway

Click on DASHBOARD.
Click on CREATE GATEWAY at the bottom of the page and you will be prompted to select either Static Routing or Dynamic Routing.
Click on Dynamic Routing.


When prompted to confirm the gateway creation, click on YES. It may take about 15 minutes depending on your connection for the gateway to be created.


Once the gateway has been created, you will be able to see the public facing IPv4 address of your virtual network under GATEWAY IP ADDRESS. This IP address must be entered under IPsec Primary Gateway Name or Address in the SonicWall.


After Gateway creation, this page has the following new options:

DELETE GATEWAY - Deletes the gateway.
CONNECT - Initiates the VPN connection.
MANAGE KEY - Displays the auto-generated pre-shared key (PSK). This has to be entered in the SonicWall VPN policy.



SonicWall Configuration

5. Create a Tunnel Interface VPN

Log in to the SonicWall management UI.

Navigate to the VPN | Settings page.
Create the following VPN policy:

The IPsec Primary Gateway Name or Address must be the GATEWAY IP ADDRESS displayed on the Virtual Network page of the Azure management portal.


We have selected IKEv2 Mode under Exchange because, for Dynamic site to site VPN, Windows Azure supports only IKEv2. For more information about the Proposals supported in Windows Azure, see About VPN Devices for Virtual Network.



6. Create Address Object for Virtual Network

Navigate to the Network | Address Objects page.
Create the following address object for the remote Azure network.


7. Create a static route policy

Navigate to the Network | Routing page.
Create the following route:


Make sure the check box Auto-add Access Rules is enabled to auto-create access rules from LAN (or other zones) to VPN and from VPN to LAN (or other zones).


8. Testing

Now that we have completed the configuration on both sides, it is time to initiate the VPN connection.

In the Windows Azure management portal, navigate to Networks and click on your virtual network to go to its Dashboard page.  At the bottom of this page, click on CONNECT.


If all goes well, on the SonicWall side, the VPN will show as connected almost immediately.


However, it takes a while for the VPN tunnel to show as connected in the Azure Management Portal. Pinging a host behind the SonicWall from a VM in the cloud may prompt the portal to show the VPN as established. For creating a VM, see How to Custom Create a Virtual Machine. Once the tunnel is established, the portal will look like this:


To test traffic flow from the SonicWall side to the Azure cloud, perform either of these:

1. Try to establish an RDP connection to a VM in the cloud on port 3389 from a host behind SonicWall.
2. Try to ping a VM in the cloud from a host behind SonicWall. Note: by default a VM in the Azure cloud will have inbound ICMP blocked by Windows Firewall and needs to be enabled using this command:
netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow


Resolution for SonicOS 6.5 and Later

SonicOS 6.5 was released in September 2017. This release includes significant user interface changes and many new features that differ from the SonicOS 6.2 and earlier firmware. This resolution is for customers using SonicOS 6.5 and later firmware; the configuration steps are the same as those in the section above.
