Multi-site VPN configuration between Local Network and different versions of Windows Azure

Source: Internet
Author: User

When we mention Azure, we are no strangers to today's topic. We all know that Azure is divided into a domestic (China) version and an international version, and the difference between the two keeps growing: whether in the portal interface or in functionality, the international version is always ahead of the domestic version. We will not say much about the functions. Today we introduce multi-site VPN configuration between a local network, domestic Azure and international Azure. We will use Windows Server 2012 R2 with RRAS installed as the local VPN device. Before deployment, we need to confirm a few points:

1. When enabling site-to-site VPN on Azure, we need to create a dynamic routing gateway.

2. A prerequisite for Windows Server 2012 R2 as a VPN device is that it must use the company's own public Internet IP address and dual network cards; the server cannot be placed behind a NAT or firewall device. For details, refer to the following link:

https://msdn.microsoft.com/zh-cn/library/azure/dn636917.aspx

3. For more information about the VPN devices currently supported by Azure, see:

https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices?cdn=disable

Our environment is shown in the diagram below.

The diagram shows that all three sites need to be interconnected. In terms of architecture, the AzureUS site is located in the United States, and we do not recommend connecting AzureUS directly to the local network, because that network path is unstable; network data from AzureUS to the local device will therefore be forwarded through the AzureCN gateway.

Environment Introduction:

The subnet planned for the local network is:

192.168.6.0/24

The subnet planned by AzureCN is

10.10.1.0/24

The subnet planned by AzureUS is:

172.16.1.0/24

RRAS Server Configuration:

Internal: 192.168.6.150

External: 124.17.10.206

First, we need to place a Windows Server 2012 R2 server in the local environment. This server is mainly used to build the VPN service (VPN gateway) with Windows Azure. The VPN server cannot be placed inside the firewall; it must be placed outside the firewall. Therefore, we configure dual NICs for the VPN gateway server.

We can deploy this environment in three steps; the order does not matter:

1. Connect the local network with AzureCN

2. Interconnect the network between AzureCN and AzureUS

3. Connect AzureUS to a local network

Therefore, we start with the first step: install and configure the RRAS server. Next, we apply for a 21Vianet (China) version of Windows Azure. The specific application steps will not be described again here.

Next, create a network. Click

First, add the local network:

A local network is any network other than an Azure virtual network, and an Azure network is a virtual network. We add a local network.

To define the local network name, we first add the 192.168.6.0 network, so that we can define the name and the Internet IP address (VPN device address).

Define the address space. We define a /24 prefix.

Local Network created

Create a virtual network and define the virtual network name. The virtual network in the Chinese version of Azure is named AzureCN.

Select Configure site-to-site VPN, then select the local network we just created.

Then, define the virtual network space of AzureCN according to the wizard;

Add a gateway subnet at the same time;

Once again, note that we cannot give the whole address space to a single /24 subnet, because when creating the VPN we also need to add a gateway subnet, and the gateway subnet must lie inside the same address space. Of course, we can define multiple address spaces; across multiple address spaces we only need to add one gateway subnet, because within the same virtual network all address spaces are interconnected by default. After the virtual network is created, click to enter the virtual network;

Click Create gateway ---- select Dynamic Route Gateway

Gateway creation starts. The creation process takes a long time; please wait.

After the gateway is created, view the virtual network configuration file. Here, I use PowerShell to do this;

All operations are performed in PowerShell. First download and install Azure PowerShell, then download and import the publish settings for each subscription;

Download the two publish settings files:

http://manage.windowsazure.com/publishsettings

http://manage.windowsazure.cn/publishsettings

Import the publish settings into Azure PowerShell:

Import-AzurePublishSettingsFile "c:\xxxxxxxx"

If you have multiple subscriptions, you need to select the default subscription:

Select-AzureSubscription -SubscriptionName "<account name>" -Default

In the international version of Azure, to view the vnet configuration (the virtual network configuration file), use PowerShell:

Get-AzureVNetConfig | fl

You can also export the configuration to a file and update it from a file. The specific commands are:

To modify the configuration file of vnetconfig, use the following command to update the configuration file locally:

Set-AzureVNetConfig -ConfigurationPath "c:\AzNets.netcfg"

Query the vnetconfig configuration file and export it to the local device.

Get-AzureVNetConfig -ExportToFile "c:\AzNets.netcfg"

Next, if we need to connect to the local network, we need to download the vpn device script, and then run and configure it on the local RRAS server;

Before downloading the VPN device script, we modify the shared key. The system-generated key is hard to recognise, so we change it to a custom value.

First, check the default shared key of the local network Internal_Local under the virtual network AzureCN, then set a custom key:

Get-AzureVNetGatewayKey -VNetName "AzureCN" -LocalNetworkSiteName "Internal_Local"
Set-AzureVNetGatewayKey -VNetName "AzureCN" -LocalNetworkSiteName "Internal_Local" -SharedKey "ABC123DE45"

After the modification, view the shared key again to confirm the result:

Get-AzureVNetGatewayKey -VNetName "AzureCN" -LocalNetworkSiteName "Internal_Local"

Next, download the vpn device script and run it on the RRAS server.

Select the vpn device type

After downloading the script, check the script content of the device;

After confirmation, we rename the downloaded VPN device script with a .ps1 extension and run it in PowerShell on the RRAS server.

The VPN device script executes successfully. The last error can be ignored;

Then we can open Routing and Remote Access to view the configuration information;


By checking the configuration, we can confirm that the vpn is connected. We can also check on the portal and create a vm on AzureCN to facilitate the test of interconnectivity between networks.

After the creation, we log on to AzureCN-VM and ping the internal address of the RRAS server.

To test network connectivity accurately, we recommend allowing ICMP echo through the firewalls at both ends, or disabling the firewalls.

First, we can see that the AzureCN-VM address is 10.10.1.4.

Then ping AzureCN-VM from the RRAS server.

Next we need to configure the network between AzureCN and AzureUS, so we need to apply for an international version of Azure.

Then, register an international Azure account. We find that the pages of the earlier international version of Azure are similar to those of 21Vianet, but the current Azure version is quite different.

Similarly, we create a network (Virtual Network-classic)

Define the address space and subnet;


Click Create.

Click to enter the AzureUS virtual network, and click Create VPN connection.

Create a network from the site to the site, and then define the local site;

The local site on AzureUS needs to be defined as the virtual network of AzureCN, so we click Local site.

Define the virtual network information of AzureCN on AzureUS.

Then select create gateway now, and then define the gateway configuration and subnet configuration information.

After confirming the information, click OK to start creating the gateway.

Gateway created

After the creation, we also use powershell to view the current Virtual Network Configuration

Next, we set a shared key for the tunnel between AzureCN and AzureUS;

We need to set the shared key for the virtual network "Group AzureUS" and its local network site "07E0920C_AzureCN_Local".

First, check the default shared key.

Get-AzureVNetGatewayKey -VNetName "GroupGroupAzureUS" -LocalNetworkSiteName "07E0920C_AzureCN_Locall"

Next, modify the shared key to a custom key.

Set-AzureVNetGatewayKey -VNetName "GroupGroupAzureUS" -LocalNetworkSiteName "07E0920C_AzureCN_Locall" -SharedKey "Bey0d101"

View the modified results.

Get-AzureVNetGatewayKey -VNetName "GroupGroupAzureUS" -LocalNetworkSiteName "07E0920C_AzureCN_Locall"

At the same time, we create an AzureUS-VM on AzureUS for ease of testing.

Select the new vm type

Define VM information, and then click Create

VM creation completed.

Next we will go back to AzureCN to add the virtual network of AzureUS as a local network.

Open the AzureCN network --- local network --- New --- add local network

We add and define the local network name as AzureUS_Local, and then add the virtual network gateway address on AzureUS.

Add the subnet address of the AzureUS Network

Added

Next, let's check the AzureCN virtual network configuration.

Get-AzureVNetConfig | fl

You can also export the configuration to a file and update it from a file. The specific commands are:

To modify the configuration file of vnetconfig, use the following command to update the configuration file locally:

Set-AzureVNetConfig -ConfigurationPath "c:\AzNets.netcfg"

Query the vnetconfig configuration file and export it to the local device.

Get-AzureVNetConfig -ExportToFile "c:\AzNets.netcfg"

We find that the local network has been added, but the gateway's connections to local networks still only include Internal_Local, not AzureUS_Local. So we need to export the virtual network configuration file, modify it, and import it again:

Get-AzureVNetConfig -ExportToFile "d:\azurecn.netcfg"

After the download, modify the configuration file and add the following connection to the local network, following the existing format:

After adding

Save the changes, and then use PowerShell to update the virtual network configuration:

Set-AzureVNetConfig -ConfigurationPath "d:\azurecn.netcfg"

Then, run the command to view the updated virtual network configuration.

Get-AzureVNetConfig | fl
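The export, edit and import step above can be scripted instead of hand-editing the XML. The following is an added example, not code from the original post: it opens an exported classic netcfg file, checks that the local network site exists, and appends a LocalNetworkSiteRef with an IPsec connection under the gateway of the named virtual network if one is not already there. Element names follow the classic NetworkConfiguration schema; the file path and site names are the ones used in this post.

```powershell
# Added example: add a second IPsec connection to a classic virtual network gateway
# in a netcfg file exported with Get-AzureVNetConfig -ExportToFile.
param(
    [string]$Path     = "d:\azurecn.netcfg",
    [string]$VNetName = "AzureCN",
    [string]$SiteName = "AzureUS_Local"
)

[xml]$cfg = Get-Content -Path $Path -Raw
# The netcfg root carries a default namespace, so XPath needs a prefix bound to it
$ns = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable)
$uri = $cfg.DocumentElement.NamespaceURI
$ns.AddNamespace("n", $uri)

$vnet = $cfg.SelectSingleNode("//n:VirtualNetworkSite[@name='$VNetName']", $ns)
if (-not $vnet) { throw "Virtual network '$VNetName' not found in $Path" }

# The local network site must already be declared under <LocalNetworkSites>
$site = $cfg.SelectSingleNode("//n:LocalNetworkSite[@name='$SiteName']", $ns)
if (-not $site) { throw "Local network site '$SiteName' is not declared; add it in the portal first" }

$conns = $vnet.SelectSingleNode("n:Gateway/n:ConnectionsToLocalNetwork", $ns)
if (-not $conns) { throw "Gateway of '$VNetName' has no ConnectionsToLocalNetwork element" }

$existing = $conns.SelectSingleNode("n:LocalNetworkSiteRef[@name='$SiteName']", $ns)
if ($existing) {
    Write-Host "Connection from $VNetName to $SiteName already present; nothing to do"
} else {
    # <LocalNetworkSiteRef name="AzureUS_Local"><Connection type="IPsec" /></LocalNetworkSiteRef>
    $ref = $cfg.CreateElement("LocalNetworkSiteRef", $uri)
    $ref.SetAttribute("name", $SiteName)
    $conn = $cfg.CreateElement("Connection", $uri)
    $conn.SetAttribute("type", "IPsec")
    [void]$ref.AppendChild($conn)
    [void]$conns.AppendChild($ref)

    # Keep the untouched export next to the modified file before overwriting it
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $cfg.Save($Path)
    Write-Host "Added IPsec connection from $VNetName to $SiteName; review $Path, then run Set-AzureVNetConfig -ConfigurationPath $Path"
}
```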

Next, we need to set the shared key for the local network AzureUS_Local under the virtual network AzureCN

Note: The shared key must be set to the same as the shared key of the local AzureCN_Local network under AzureUS.

First, check the default shared key.

Get-AzureVNetGatewayKey -VNetName "AzureCN" -LocalNetworkSiteName "AzureUS_Local"

Next we need to set the shared key:

Set-AzureVNetGatewayKey -VNetName "AzureCN" -LocalNetworkSiteName "AzureUS_Local" -SharedKey "Bey0d101"

View the modified shared key

Get-AzureVNetGatewayKey -VNetName "AzureCN" -LocalNetworkSiteName "AzureUS_Local"

Next, view the vpn status on the portal page.

At the same time, we can view the vpn status under AzureUS.

Next, we ping the address of AzureUS-VM from AzureCN-VM under AzureCN.

Note: Remember to allow ICMP echo through the firewall, or disable the firewall.

The network between AzureCN and AzureUS is connected.

The network between AzureUS and AzureCN is interconnected.

Next is the last step. We want to connect the AzureUS network with the local RRAS network, so we need to add the RRAS network to the AzureUS as the local network;

Go to the AzureUS virtual network and click site and site configuration.

Then click Add:

Select site to site, and click Local Site

Then define the site name and the subnet and vpn device gateway address of the local server.

Click OK to add the local network. We can then see the local site on AzureUS. Because it cannot yet be reached from the local network, we need to confirm the AzureUS virtual network configuration;

Get-AzureVNetConfig | fl

We can see that the newly added local site is automatically included in the gateway's local network connections by default.

Therefore, we do not need to modify the AzureUS virtual network configuration file, but we still want to change the shared key of Internal_Local in the local network of AzureUS during configuration. Remember that this shared key must not conflict with the other shared keys.

First, check the default shared key of the local network Internal_Local under the AzureUS virtual network.

Get-AzureVNetGatewayKey -VNetName "GroupGroupAzureUS" -LocalNetworkSiteName "07E0920C_Internal_Local"

Then define the custom shared key:

Set-AzureVNetGatewayKey -VNetName "GroupGroupAzureUS" -LocalNetworkSiteName "07E0920C_Internal_Local" -SharedKey "A1B2C3D4E5"

View the modified custom information

Get-AzureVNetGatewayKey -VNetName "GroupGroupAzureUS" -LocalNetworkSiteName "07E0920C_Internal_Local"

To summarize, three different shared keys have been set:

1. ABC123DE45 between AzureCN and the local RRAS server

2. Bey0d101 between AzureCN and AzureUS

3. A1B2C3D4E5 between AzureUS and the local RRAS server
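Each tunnel above uses a short, hand-typed key applied separately to its two ends. The following is an added example, not code from the original post: it draws one random alphanumeric key per tunnel from the system CSPRNG, applies it to both gateways with Set-AzureVNetGatewayKey, and reads it back from both with Get-AzureVNetGatewayKey so a mismatch is caught before the tunnel is dialled. It assumes the classic Azure PowerShell module, that both publish settings files were imported, and that Get-AzureVNetGatewayKey exposes the key in its Value property; subscription names are placeholders, virtual network and site names are the ones used in this post.

```powershell
# Added example: one strong shared key per tunnel, set and verified on both ends.
function New-SharedKey {
    param([int]$Length = 32)
    # Letters and digits only. Bytes >= 248 are discarded (248 = 4 * 62) so that the
    # modulo below does not favour the first few characters of the alphabet.
    $alphabet = [char[]]"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    $sb.ToString()
}

function Set-TunnelKey {
    param(
        [string]$SubA, [string]$VNetA, [string]$SiteA,   # one end of the tunnel
        [string]$SubB, [string]$VNetB, [string]$SiteB,   # the other end
        [string]$Key
    )
    $ends = @(
        @{ Sub = $SubA; VNet = $VNetA; Site = $SiteA },
        @{ Sub = $SubB; VNet = $VNetB; Site = $SiteB }
    )
    foreach ($e in $ends) {
        # Each gateway lives in its own subscription (China vs international)
        Select-AzureSubscription -SubscriptionName $e.Sub -Current
        Set-AzureVNetGatewayKey -VNetName $e.VNet -LocalNetworkSiteName $e.Site -SharedKey $Key | Out-Null
        # Assumption: the returned SharedKeyContext exposes the key as .Value
        $readBack = (Get-AzureVNetGatewayKey -VNetName $e.VNet -LocalNetworkSiteName $e.Site).Value
        if ($readBack -ne $Key) { throw "Gateway $($e.VNet) / $($e.Site) did not accept the new key" }
    }
    Write-Host "Shared key for $VNetA <-> $VNetB set and verified on both ends"
}

# AzureCN <-> AzureUS: both ends are Azure gateways, so both are set here
Set-TunnelKey -SubA "<AzureCN subscription>" -VNetA "AzureCN"           -SiteA "AzureUS_Local" `
              -SubB "<AzureUS subscription>" -VNetB "GroupGroupAzureUS" -SiteB "07E0920C_AzureCN_Locall" `
              -Key (New-SharedKey)
```

For the two tunnels that terminate on the RRAS server, only the Azure side is set with Set-AzureVNetGatewayKey; the same key must then be pasted into the -SharedSecret parameter of Add-VpnS2SInterface in the device script.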

The next step is to configure the AzureUS VPN script. We only need to download the latest VPN device script from AzureCN and change its configuration information.

First download the vpn script on AzureCN

Select vpn device type information

Open the vpn device script after the download.

The preceding part of the script is unchanged. We need to modify the following section.

The content to modify is the information in the red box: the IP address, subnet information and shared key.

# Add and configure S2S VPN interface
Add-VpnS2SInterface -Protocol IKEv2 -AuthenticationMethod PSKOnly -NumberOfTries 3 -ResponderAuthenticationMethod PSKOnly -Name 139.217.25.71 -Destination 139.217.25.71 -IPv4Subnet @("10.10.1.0/24:100") -SharedSecret ABC123DE45
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption
Set-VpnS2Sinterface -Name 139.217.25.71 -InitiateConfigPayload $false -Force

# Set S2S VPN connection to be persistent by editing the router.pbk file (requires admin privileges)
Set-PrivateProfileString $env:windir\System32\ras\router.pbk "139.217.25.71" "IdleDisconnectSeconds" "0"
Set-PrivateProfileString $env:windir\System32\ras\router.pbk "139.217.25.71" "RedialOnLinkFailure" "1"

# Restart the RRAS service
Restart-Service RemoteAccess

# Dial-in to Azure gateway
Connect-VpnS2SInterface -Name 139.217.25.71

We now modify the script with the AzureUS information. First, confirm the AzureUS virtual network configuration information.

For the gateway address, we only need to search for the value to be modified and replace all occurrences; the subnet and the shared key, however, must be changed by hand. Most importantly, do not forget to modify the subnet and shared key.

Content after replacement:

# Add and configure S2S VPN interface
Add-VpnS2SInterface -Protocol IKEv2 -AuthenticationMethod PSKOnly -NumberOfTries 3 -ResponderAuthenticationMethod PSKOnly -Name 104.208.29.43 -Destination 104.208.29.43 -IPv4Subnet @("172.16.1.0/24:100") -SharedSecret A1B2C3D4E5
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption
Set-VpnS2Sinterface -Name 104.208.29.43 -InitiateConfigPayload $false -Force

# Set S2S VPN connection to be persistent by editing the router.pbk file (requires admin privileges)
Set-PrivateProfileString $env:windir\System32\ras\router.pbk "104.208.29.43" "IdleDisconnectSeconds" "0"
Set-PrivateProfileString $env:windir\System32\ras\router.pbk "104.208.29.43" "RedialOnLinkFailure" "1"

# Restart the RRAS service
Restart-Service RemoteAccess

# Dial-in to Azure gateway
Connect-VpnS2SInterface -Name 104.208.29.43

After the modification, save the script and run it with PowerShell on the local RRAS server.

As before, the VPN device script must be renamed with a .ps1 extension;

Before executing the script, check the status of Routing and Remote Access on the server where the script will run.

There is only one network interface: the network interface from AzureCN to the local network

After confirming the preceding information, run the script.

The error message can be ignored.

After execution, we can view the route and remote access again. We can see that the network interface from RRAS to AzureUS has been added successfully.

After confirming the above information, we can view the AzureUS vpn status again.

Then, view the vpn status of AzureCN.

With this, we can confirm that the networks of the three sites are fully interconnected.

Finally, we use the VMs for testing.

Ping AzureCN and AzureUS from Local, then ping Local and AzureUS from AzureCN.

Finally, we ping Local and AzureCN from AzureUS.

Finally, we can use tracert to check how the route goes.

First, tracert to Local and AzureUS from AzureCN.

Tracert to Local and AzureCN from AzureUS.

Finally, tracert to AzureUS and AzureCN from Local.

Note: for a site-to-site VPN configuration, there is one more point to understand, which we confirm through static routing.

When accessing the Azure network from the local side, the gateway of the local user machine must point to the internal address of the RRAS server, so that local users can reach the Azure network.

When the local network accesses the Azure network, the default route settings can be used: when the destination is Azure, traffic leaves through the local gateway, which routes it to the local RRAS server, and from there on to the Azure network.

When accessing other networks from the local side, traffic goes directly through the local gateway;

For example:

The two NICs of the RRAS server are internal: 192.168.6.150, external: 106.39.102.185.

Azure virtual network: 10.10.1.0/24, VM: 10.10.1.4

Local server: 192.168.6.140. To access the Internet, its gateway can be set to 192.168.6.1. To access the Azure network, the gateway must be set to 192.168.6.150 (the internal address of the RRAS server).

Summary:

When the local server (192.168.6.140) accesses the Azure 10.10.1.0/24 network, static routing determines that the destination address is in 10.10.1.0/24; therefore the access path is 192.168.6.1 ----> 192.168.6.150 ----> 10.10.1.0/24 (static routing must be configured on the network device).

When the local server (192.168.6.140) accesses a non-Azure network, static routing determines that the destination address is not in the Azure network 10.10.1.0/24; therefore the access path is 192.168.6.1 ----> the egress to the other network (static routing must be configured on the network device).
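The per-host variant described above, where the local server routes only the Azure prefixes to the RRAS internal address and keeps everything else on the LAN gateway, can be applied and checked with the following added example (not code from the original post). It adds a static route for each Azure prefix via 192.168.6.150, warns if the default route has been pointed at RRAS by mistake, and traces the path to a VM in each Azure network to confirm it passes through the RRAS server. It needs an elevated session on Windows 8.1 / Server 2012 R2 or later; the addresses are the ones used in this post, while the adapter name and the 172.16.1.4 test address are assumptions.

```powershell
# Added example: static routes for the Azure prefixes on a local server, plus a path check.
param(
    [string]$AdapterName  = "Ethernet",          # assumption: name of the LAN adapter
    [string]$RrasInternal = "192.168.6.150",     # internal NIC of the RRAS server
    [hashtable]$AzureNets = @{ "10.10.1.0/24" = "10.10.1.4"; "172.16.1.0/24" = "172.16.1.4" }
)

$ifIndex = (Get-NetAdapter -Name $AdapterName).ifIndex

foreach ($prefix in $AzureNets.Keys) {
    $existing = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue
    if ($existing -and ($existing.NextHop -contains $RrasInternal)) {
        Write-Host "Route $prefix via $RrasInternal already present"
        continue
    }
    if ($existing) {
        # A stale route for the same prefix would compete with the new one; remove it first
        $existing | Remove-NetRoute -Confirm:$false
    }
    # Without -PolicyStore, New-NetRoute writes to both the active and the persistent
    # store, so the route takes effect now and survives a reboot
    New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $ifIndex -NextHop $RrasInternal | Out-Null
    Write-Host "Added route $prefix via $RrasInternal"
}

# Only Azure traffic should go to RRAS; the default route must still be the LAN gateway
$default = Get-NetRoute -DestinationPrefix "0.0.0.0/0" -AddressFamily IPv4
if ($default.NextHop -contains $RrasInternal) {
    Write-Warning "Default route points at RRAS; all Internet traffic would be sent through the VPN server"
}

# Confirm the path to each Azure VM passes through the RRAS internal address
foreach ($prefix in $AzureNets.Keys) {
    $target = $AzureNets[$prefix]
    $t = Test-NetConnection -ComputerName $target -TraceRoute -WarningAction SilentlyContinue
    $hops = $t.TraceRoute -join " > "
    if ($t.TraceRoute -contains $RrasInternal) {
        Write-Host "OK: $target reached via $hops"
    } else {
        Write-Warning "Path to $target does not pass through $RrasInternal (hops: $hops)"
    }
}
```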
