⬆️ ⬇️

Configure the Site-to-Site IPsec tunnel between the Windows Azure cloud and the D-Link DFL-210

Greetings



In this article, I will describe in stages the entire process of configuring the Site-to-Site tunnel between the Windows Azure cloud and the D-Link DFL-210 firewall (relevant for the DFL line of devices: 210 \ 260E \ 800 \ 860E)



Attention! All configuration steps are accompanied by a large number of pictures!

')





Step 1: Configure Windows Azure





First, create a new Windows Azure virtual network using the wizard

Picture


Name: Habratest

New Territorial Group: Habragroup

Region: Western Europe

Picture


Then we enter the name and address of the local DNS (if necessary). Otherwise, we use DNS from Windows Azure, or any public

Put the checkbox "Configure a network-to-network VPN connection "

Picture


In the next step, enter the settings of our DFL:

Name: Mydfl

The IP address of the VPN device: 78.153.146.110 is the dedicated static IPv4 address of our DFL ( This is important. If DFL is over NAT, then we will fail )

Address space: 192.168.22.0/24 - local subnet, which we will connect to Windows Azure

Picture


In the last step, enter the settings of the subnet to which we will connect (will be used for services created in Windows Azure)

In our case, the settings will be as follows:

The total address space of the virtual network: 172.16.80.0/24

Subnet:

AzureSubnet 172.16.80.0/27

Gateway 172.16.80.32/29

Picture


Virtual subnet is created!



Go to the " Settings " of the newly created virtual network and check that we did everything correctly

Picture




On the " Dashboard " tab we see the following picture.

Picture


Click the " Create Gateway " button at the bottom of the page and select the " Static Routing " mode. Confirm your intentions by clicking " OK "

Picture


We are waiting for 10-15 minutes until Windows Azure creates a gateway for us



... It took 10 to 15 minutes ...


So, the gateway is created. We look, that Windows Azure gave us:

Gateway IP Address: 23.97.132.122

Picture


Next, click the " Key Management " button at the bottom of the page and get our personal pre-shared key:

R9GrgLgZPosdZ7isMdt8MkrDQnfBwUbO

Picture




Step 2: Configure DFL





General requirements for the gateway can be found here:

http://msdn.microsoft.com/ru-ru/library/windowsazure/jj156075.aspx#BKMK_VPNGateway



Here you have to make one very important note.

In the Russian DFL firmware (installed by default), such wonderful encryption methods as AES, which Windows Azure uses (and not only) for its work, are not available. We will leave discussions on this topic outside of this article and use the following trick:

We follow the link http://tsd.dlink.com.tw/

Choose your DFL model from the list and download the latest WorldWide firmware for our device (denoted “For WW”)

Download the firmware in our DFL and wait for the completion of the operation

Firmware uploaded and we can continue




Now let's add all the IP addresses of the cloud to the directory (“ Objects-> Address book-> InterfaceAddresses ):

Name: Habratest_cloud_gateway

Value: 23.97.132.122

Name: Habratest_cloud_subnet

Value: 172.16.80.0/24

Picture


Then go to " Objects-> Authentication Objects " and add a new object of the type " Pre-shared key ":

Name: Habratest_cloud_key

Passphrase: R9GrgLgZPosdZ7isMdt8MkrDQnfBwUbO

Picture


Next, go to the " Objects-> VPN Objects-> IKE Algorithms " item and create a new IKE algorithm:

Name: Habratest_cloud_stage1

We put the daws: 3DES and AES (128,128,256), as well as the SHA1 checkbox

Picture


After creating the IKE algorithm, proceed to the creation of the IPsec algorithm ( "Objects-> VPN Objects-> IPsec Algorithms" ):

Name: Habratest_cloud_stage2

Galki: same as IKE

Picture


Now let's proceed directly to creating a rule for an IPsec tunnel ( "Interfaces-> IPsec" ):

General tab

Name: Habratest_cloud_IPsec

Local Network: lannet

Remote Network: Habratest_cloud_subnet

Remote Endpoint: Habratest_cloud_gateway

Encapsulation mode: Tunnel ( important setting! )



IKE Config Mode Pool: None

IKE Algorithms: Habratest_cloud_stage1

IKE Lifetime: 28800



IPsec Algorithms: Habratest_cloud_stage2

IPsec Lifetime: 3600 sec

IPsec Lifetime: 102400000 Kb

Picture


“Authentication” tab

Put the point “ Pre-shared key ” and choose our “ Habratest_cloud_key >”

Picture


Tab " IKE Settings "

IKE:

Main - DH Group 2

PFS - None

Security Association: Per Net

NAT Traversal: On if supported and NATed

Dead Peer Detection: Use

Picture


Then we create two IP Rules (“ Rules-> IP Rules ”):

Rule 1 :

Name: lan_to_cloud

Action: Allow

Service: All_service

Schedule: None

Source interface: lan

Source Network: lannet

Destination Interface: Habratest_cloud_IPsec

Destination Network: Habratest_cloud_subnet

Picture


Rule 2 :

Name: cloud_to_lan

Action: Allow

Service: All_service

Schedule: None

Source interface: Habratest_cloud_IPsec

Source Network: Habratest_cloud_subnet

Destination Interface: lan

Destination Network: lannet

Picture




So we created the basic settings for the tunnel. Now save and apply the changes to the DFL



That's all! We observe beautiful pictures of the raised tunnel

Picture






Then you can create the necessary services in Windows Azure (virtual machines, databases, etc)






A little about possible errors in the DFL logs:

1. statusmsg = “No request" - incorrect encryption methods are selected

2. reason = “Invalid proposal” - the same as item 1

3. reason = "IKE_INVALID_COOKIE" - the tunnel was already raised, but after that changes were made to its settings. Go to the DFL "Status-> IPsec-> Habratest_cloud_IPsec-> on the top right of the List all active IKE SAs page" and delete the outdated IKE SA. Reboot DFL

Picture





That's all. Do not forget to change the test data from the article (IP addresses, subnets, regions, pre-shared key keys) to your



Thanks for attention!



PS I ask you to pay attention to the comment of the habrauser DikSoft , which reports that such a scenario is officially unsupported and there may be problems

Source: https://habr.com/ru/post/214789/



All Articles