NCOS: Cradlepoint to Azure Site-to-Site VPN Tunnel


Products Supported: All AERxxxx series and all IBRxxx series

Products NOT Supported: the IBR350, all CBA series, and the MBR1400v2

Click here to identify your router.

An Extended Enterprise License (EEL) is also required to use BGP; click here for more information.

NCOS Version: 6.3.3 or greater - for information on upgrading NCOS Versions, click here.


Quick Links

Summary

Configuration

Use Cases

Troubleshooting

Related Articles


Summary

Microsoft Azure is a cloud compute vendor that allows customers to create a VPN tunnel to a private virtual network in the cloud. This allows direct, encrypted, private access to Azure resources in the cloud. Azure supports three different types of VPN connectivity: Point-to-Site, Site-to-Site and ExpressRoute. Within Site-to-Site, Azure supports both PolicyBased and RouteBased VPN tunnels. This article focuses on creating a Site-to-Site RouteBased VPN tunnel from a Cradlepoint device to Microsoft Azure.

Please see the following Microsoft Azure documentation link for Getting Started and Overview on VPN Gateways.

Please see the following Microsoft Azure documentation link for specifics on VPN devices and their supported configuration. Note that while Cradlepoint is not yet in the validated list of VPN devices, Cradlepoint routers still function as a VPN device.

Minimum Requirements:

  • Supported Cradlepoint device running NetCloud OS v6.3.3 or greater.
    • Includes support for route based VTI tunnel
    • Includes support for IKEv2
  • Static public WAN IP address on the Cradlepoint device (Azure does not support dynamic addresses).

NOTE: The example in this article uses static IP routing across the VTI VPN tunnel. Microsoft Azure also supports BGP for dynamic routing across the tunnel if desired, but that is not covered here.


Configuration

Configuration Difficulty: Intermediate

Microsoft Azure VPN Tunnel Configuration

Follow the steps in the following Azure documentation link to create the VPN tunnel using the Azure portal and Resource Manager deployment.

  • Step 1: Create a new Azure Virtual Network
    • Give the network any name.
    • Create a new total Address Space (this is the private network within the Azure cloud).
    • Give the Subnet a name.
    • Create a new Subnet (this is the actual subnet for the virtual network you are creating).
    • Pick an Azure Subscription for billing purposes of the tunnel.
    • Create a new Resource group or use an existing one.
    • Select a location closest to you.
  • Step 2: Add a GatewaySubnet to your new Virtual Network
    • Specify an address range for the GatewaySubnet that is within the total address space created in previous step.
  • Step 3: Create a new Virtual Network Gateway
    • Give the gateway any name.
    • Select VPN as the Gateway type.
    • Select Route-Based as the VPN type.
    • Under SKU select the appropriate SKU from the drop down list. See Azure documentation for the SKU sizing guide on number of tunnels and bandwidth supported for each.
    • Select the Virtual Network created in Step 1.
    • Select a Public IP address.
    • Pick an Azure Subscription for billing purposes of the tunnel.
    • Select a location closest to you.
  • Step 4: Create a new Local Network Gateway
    • Give the local gateway any name.
    • Enter the public static IP address of the Cradlepoint device.
    • Add all of the address ranges that will be accessed across the VPN tunnel to the Cradlepoint.
    • Pick an Azure Subscription for billing purposes of the tunnel.
    • Select Use existing Resource group and specify the same one created in Step 1.
    • Select a location closest to you.
  • Step 5: Create a new VPN Connection
    • Give the connection any name.
    • Select Site-to-Site (IPsec) from the Connection type drop down menu.
    • Select the local network gateway created in Step 4.
    • Specify a Shared key (PSK).

Cradlepoint VPN Tunnel Configuration

IPSec Tunnel
  • Step 1: Log into the router's Setup Page. For help with logging in please click here.
  • Step 2: Click on NETWORKING tab, Select Tunnels menu, and then select IPSec VPN.
  • Step 3: Click Add to create a new tunnel.
  • Step 4: Configure the IPSec tunnel settings and click Next.
    • Give the Tunnel Name a unique name (no spaces).
    • Select VTI-Tunnel in the drop down menu.
    • Select IKEv2 IKE Version in the drop down menu.
    • Ensure Mobike is checked.
    • Select Pre-Shared Key Authentication Mode in the drop down menu.
    • Enter a Pre-Shared Key (the same Shared key entered in Azure Step 5).
    • Select On Demand from the drop down menu.
    • Ensure Enable Tunnel box is checked.
  • Step 5: Configure Local Gateway and Local VTI Configuration and click Next.
    • Leave Local Gateway WAN binding as default any.
    • Enter 169.254.0.2 as the Local virtual address.
      • TIP: This IP address is just for the directly connected VTI tunnel. It does not have to be routable. You should be able to use any 169.254.x.x address.
    • Enter 255.255.255.0 as the Local subnet.
  • Step 6: Configure Remote Gateway and Remote VTI Configuration and click Next.
    • Enter the public IP address of the Azure virtual network gateway as Gateway.
    • Leave Port default.
    • Leave Force UDP Encapsulation unchecked.
    • Enter 169.254.0.1 as the Remote virtual address.
    • Click Add under Static Routes.
      • Create a new static route for each Azure virtual network that will be accessed across the tunnel.
  • Step 7: Adjust IKE Phase 1 to the following settings, click Next.
    • Leave the Key Lifetime at the default 28800.
    • Under Encryption, check the box for AES 256.
    • Under Hash, check the box for SHA2 256.
      • TIP: SHA2 256 and SHA 256 are the same thing. Azure docs reference SHA 256.
    • Under Group, check the box for Group 2.
  • Step 8: Adjust IKE Phase 2 to the following settings, click Next.
    • Uncheck the box for Perfect Forward Secrecy.
    • Change the Key Lifetime to 27000.
    • Under Encryption, check the box for AES 256.
    • Under Hash, check the box for SHA2 256.
  • Step 9: Leave Dead Peer Detection as default, click Finish.
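Most tunnels that negotiate fine but pass no traffic fail on the address plan rather than on IKE: a GatewaySubnet outside the VNet space (Azure Step 2), an on-prem range missing from the Local Network Gateway (Azure Step 4), VTI endpoints in different subnets (Cradlepoint Steps 5 and 6), or no static route covering the Azure subnet (Cradlepoint Step 6). The following preflight checker is an added example, not Cradlepoint or Microsoft code; it models the values typed into those steps with the standard library `ipaddress` module and reports inconsistencies before anything is configured. Every address in it is a constructed sample value; the two dataclasses and the `check_plan` function are hypothetical names chosen for this example.

```python
"""Preflight check of a Cradlepoint-to-Azure route-based VPN address plan.

Added example (not vendor code). It checks the constraints this article's
steps impose on one another; all addresses here are constructed samples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class AzureSide:
    vnet_space: str               # Step 1: total Address Space of the Virtual Network
    subnets: list                 # Step 1: workload subnet(s) inside that space
    gateway_subnet: str           # Step 2: GatewaySubnet, must sit inside vnet_space
    local_gateway_prefixes: list  # Step 4: on-prem ranges reachable through the tunnel


@dataclass
class CradlepointSide:
    local_vti_address: str   # Step 5: Local virtual address (169.254.0.2 in the article)
    local_vti_mask: str      # Step 5: Local subnet (255.255.255.0 in the article)
    remote_vti_address: str  # Step 6: Remote virtual address (169.254.0.1 in the article)
    static_routes: list      # Step 6: one route per Azure network reached over the tunnel
    lan_prefixes: list       # the on-prem networks behind the router


def check_plan(azure: AzureSide, cp: CradlepointSide) -> list:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = []
    vnet = ipaddress.ip_network(azure.vnet_space)

    # Steps 1/2: every Azure subnet, GatewaySubnet included, must lie inside the VNet space.
    named = [("GatewaySubnet", azure.gateway_subnet)] + [("subnet", s) for s in azure.subnets]
    for name, prefix in named:
        if not ipaddress.ip_network(prefix).subnet_of(vnet):
            problems.append(f"{name} {prefix} is outside the VNet address space {azure.vnet_space}")

    # Step 4: on-prem ranges must not overlap the VNet, or neither side can route them cleanly.
    for prefix in azure.local_gateway_prefixes:
        if ipaddress.ip_network(prefix).overlaps(vnet):
            problems.append(f"local network gateway prefix {prefix} overlaps the VNet {azure.vnet_space}")

    # Step 4 vs. router LAN: Azure only sends return traffic for prefixes it was told about.
    declared = [ipaddress.ip_network(p) for p in azure.local_gateway_prefixes]
    for lan in cp.lan_prefixes:
        if not any(ipaddress.ip_network(lan).subnet_of(d) for d in declared):
            problems.append(f"on-prem LAN {lan} is not covered by any Local Network Gateway prefix")

    # Steps 5/6: both VTI endpoints must share one subnet for the point-to-point link to come up.
    vti_net = ipaddress.ip_interface(f"{cp.local_vti_address}/{cp.local_vti_mask}").network
    if ipaddress.ip_address(cp.remote_vti_address) not in vti_net:
        problems.append(f"remote VTI address {cp.remote_vti_address} is not in local VTI subnet {vti_net}")
    elif cp.local_vti_address == cp.remote_vti_address:
        problems.append("local and remote VTI addresses are identical")

    # Step 6: a static route must cover each Azure subnet, or traffic never enters the tunnel.
    routes = [ipaddress.ip_network(r) for r in cp.static_routes]
    for s in azure.subnets:
        if not any(ipaddress.ip_network(s).subnet_of(r) for r in routes):
            problems.append(f"no static route on the Cradlepoint covers Azure subnet {s}")
    return problems


def example_plans():
    """Constructed sample plans: one consistent, one with four typical mistakes."""
    good_azure = AzureSide("10.10.0.0/16", ["10.10.1.0/24"], "10.10.255.0/27", ["192.168.0.0/24"])
    good_cp = CradlepointSide("169.254.0.2", "255.255.255.0", "169.254.0.1",
                              ["10.10.0.0/16"], ["192.168.0.0/24"])
    bad_azure = AzureSide("10.10.0.0/16", ["10.10.1.0/24"], "10.20.0.0/27", ["192.168.0.0/24"])
    bad_cp = CradlepointSide("169.254.0.2", "255.255.255.0", "169.254.1.1",
                             ["10.10.2.0/24"], ["192.168.0.0/24", "192.168.5.0/24"])
    return check_plan(good_azure, good_cp), check_plan(bad_azure, bad_cp)


if __name__ == "__main__":
    good, bad = example_plans()
    print("consistent plan problems:", good)
    for p in bad:
        print("inconsistent plan:", p)
```

Run it before touching either portal: a clean plan prints an empty list, and the deliberately broken one reports the GatewaySubnet, the undeclared LAN, the mismatched VTI subnet and the missing static route. The check for the VNet route mirrors the article's instruction to add a static route per Azure network; a single route for the whole address space (10.10.0.0/16 in the sample) covers all of its subnets at once.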

Use Cases

Case 1

A Site-to-Site RouteBased VPN tunnel from a Cradlepoint device on-premise to a Virtual VPN Gateway in the Microsoft Azure cloud.



Troubleshooting

Verify VPN Tunnel in Azure Portal

Verify the VPN connection in the Azure portal by clicking All Resources, then Virtual Network Gateway, then Connections, then the Connection name, and view the connection status under Essentials. The status shows Succeeded and Connected once the connection is established. Verify that Data in/Data out is incrementing.


Verify VPN Tunnel in Cradlepoint

Verify the VPN connection in the Cradlepoint device local UI. Click on STATUS, then Tunnels, then IPSec VPN. Verify that the state is up and that the Child SA shows In/Out packets.



Related Articles/Links


Published Date: 8/3/17
