Connecting your site to Windows Azure virtual networks

To connect your enterprise local network to the Windows Azure virtual networks that host your virtual machines, you have to set up a site-to-site VPN connection. Windows Azure provides configuration scripts for some popular VPN device (gateway) models from Cisco and Juniper. If your VPN device is not on that list, however, you have to set up the VPN from scratch.

It takes 10 minutes or so to implement the VPN connection. Before you get started, collect the following information:

  • IP address of the primary (local) gateway
  • IP address of the secondary (remote) gateway
  • The network id of the local network (in dotted decimal or CIDR format)
  • The network id of the remote network (in dotted decimal or CIDR format)
  • The pre-shared key (shared secret) between the primary and secondary gateway

The main IPSec parameters are summarized as follows:

  • IKE (phase 1) proposal
    • Exchange mode: Main Mode
    • Key exchange: DH G2 (Diffie-Hellman Group 2)
    • Encryption: AES-128
    • Authentication: SHA1
    • Lifetime: 28800 seconds
  • IPSec (phase 2) proposal
    • Protocol: ESP
    • Encryption: AES-128
    • Authentication: SHA1
    • Lifetime: 3600 seconds
    • Perfect Forward Secrecy: disabled
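
As an added example (not from the original post and not one of Windows Azure's own device scripts), here is how those two proposals map onto a strongSwan ipsec.conf on a Linux gateway. The gateway addresses, subnets and pre-shared key are constructed placeholders; substitute the values you collected above.

```ini
# /etc/ipsec.conf  (strongSwan; added example, values are placeholders)
config setup
    charondebug="ike 1, cfg 1"      # enough logging to see phase 1/2 negotiate

conn azure-site-to-site
    keyexchange=ikev1               # Azure's proposals above are IKEv1
    aggressive=no                   # Main Mode: peer identities stay protected
    authby=secret                   # pre-shared key authentication
    type=tunnel

    # IKE (phase 1) proposal: AES-128, SHA1, Diffie-Hellman Group 2 (modp1024)
    # '!' makes the proposal strict so nothing weaker is accepted
    ike=aes128-sha1-modp1024!
    ikelifetime=28800s              # 28800 seconds

    # IPSec (phase 2) proposal: ESP with AES-128 and SHA1
    # no DH group in the ESP proposal means Perfect Forward Secrecy is disabled,
    # matching the Azure parameter list
    esp=aes128-sha1!
    lifetime=3600s                  # 3600 seconds

    # local (primary) gateway and local network -- placeholders
    left=203.0.113.10
    leftsubnet=10.1.0.0/16

    # remote (secondary) Azure gateway and the Azure virtual network -- placeholders
    right=198.51.100.20
    rightsubnet=10.2.0.0/16

    auto=start                      # bring the tunnel up when strongSwan starts
```

The matching pre-shared key goes in /etc/ipsec.secrets as `203.0.113.10 198.51.100.20 : PSK "replace-with-the-shared-secret"`, after which `ipsec statusall` shows whether the ISAKMP SA and both ESP SAs were established.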

If you intend to implement the VPN with Windows Server 2008 R2 as the gateway, refer to Simonsen’s How to connect your on-premise network to Windows Azure using Windows Server as a VPN gateway.

The following are some excerpts about IKE:

  • IKE phases and modes

IKE consists of two phases: phase 1 and phase 2.

The purpose of IKE phase 1 is to establish a secure, authenticated communication channel: the Diffie–Hellman key exchange algorithm generates a shared secret key that encrypts further IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA). Authentication can be performed using a pre-shared key (shared secret), signatures, or public-key encryption.

Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers; Aggressive Mode does not.

During IKE phase 2, the IKE peers use the secure channel established in Phase 1 to negotiate Security Associations on behalf of other services like IPsec. The negotiation results in a minimum of two unidirectional security associations (one inbound and one outbound). Phase 2 operates only in Quick Mode.
