Microsoft Lync Server

Very often we need to configure a VPN to Azure, where our whole platform lives. MSFT provides VPN configuration templates for various models of security devices.

Vendor    | Device                                            | Required OS version                   | Configuration template, static routing (policy-based) | Configuration template, dynamic routing (route-based)
----------|---------------------------------------------------|---------------------------------------|-------------------------------------------------------|------------------------------------------------------
Cisco     | ASA                                               | 8.3                                   |                                                       | Not supported
Cisco     | ASR                                               | IOS 15.1 (static), IOS 15.2 (dynamic) |                                                       |
Cisco     | ISR                                               | IOS 15.0 (static), IOS 15.1 (dynamic) |                                                       |
Juniper   | SRX                                               | JunOS 10.2 (static), JunOS 11.4 (dynamic) |                                                   |
Juniper   | J-Series                                          | JunOS 10.4r9 (static), JunOS 11.4 (dynamic) |                                                 |
Juniper   | ISG                                               | ScreenOS 6.3 (static and dynamic)     |                                                       |
Juniper   | SSG                                               | ScreenOS 6.2 (static and dynamic)     |                                                       |
Watchguard | All                                              | Fireware XTM v11.x                    |                                                       | Not supported
F5        | BIG-IP series                                     | N/A                                   |                                                       | Not supported
Citrix    | CloudBridge MPX appliance or VPX virtual appliance | N/A                                  |                                                       | Not supported
Microsoft | Routing and Remote Access Service                 | Windows Server 2012                   | Not supported                                         |


Here I show the ones that interest me most, which are of course the ones for Cisco devices:

Static routing template for Cisco ISR device family

! Microsoft Corporation
! Windows Azure Virtual Network
! This configuration template applies to Cisco ISR 2900 Series Integrated Services Routers running IOS 15.0.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.
! ———————————————————————————————————————
! ACL rules
!
! Proper ACL rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
access-list <RP_AccessList> permit ip <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkWildcardBits> <SP_AzureNetworkIpRange> <SP_AzureNetworkWildcardBits>
! ———————————————————————————————————————
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 2
 lifetime 28800
 exit
crypto isakmp key <SP_PresharedKey> address <SP_AzureGatewayIpAddress>
! ———————————————————————————————————————
! IPSec configuration
!
! This section specifies encryption, authentication, tunnel mode properties for the Phase 2 negotiation
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes 256 esp-sha-hmac
 mode tunnel
 exit


! ———————————————————————————————————————
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map <RP_IPSecCryptoMap> 10 ipsec-isakmp
 set peer <SP_AzureGatewayIpAddress>
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 102400000
 set transform-set <RP_IPSecTransformSet>
 match address <RP_AccessList>
 exit
! ———————————————————————————————————————
! External interface configuration
!
! This section binds to the external interface of the router so that the cross-premise network traffic matching the
! traffic selector defined in the crypto map will be properly encrypted and transmitted via the IPSec VPN tunnel. It
! also adjusts the TCPMSS value properly to avoid fragmentation
interface <NameOfYourOutsideInterface>
 no crypto map
 crypto map <RP_IPSecCryptoMap>
 ip tcp adjust-mss 1350
 exit

Dynamic routing template for Cisco ISR device family

! Microsoft Corporation
! Windows Azure Virtual Network
! This configuration template applies to Cisco ISR 2900 Series Integrated Services Routers running IOS 15.1.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.
! ———————————————————————————————————————
! ACL rules
!
! Proper ACL rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
access-list <RP_AccessList> permit ip <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkWildcardBits> <SP_AzureNetworkIpRange> <SP_AzureNetworkWildcardBits>
! ———————————————————————————————————————
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, and Diffie-Hellman group parameters for the Phase
! 1 negotiation and the main mode security association.
crypto ikev2 proposal <RP_IkeProposal>
  encryption aes-cbc-256 aes-cbc-128 3des
  integrity sha1
  group 2
  exit
crypto ikev2 policy <RP_IkePolicy>
  proposal <RP_IkeProposal>
  exit
crypto ikev2 keyring <RP_IkeKeyring>
  peer <SP_AzureGatewayIpAddress>
    address <SP_AzureGatewayIpAddress>
    pre-shared-key <SP_PresharedKey>
    exit
  exit
crypto ikev2 profile <RP_IkeProfile>
  match address local interface <NameOfYourOutsideInterface>
  match identity remote address <SP_AzureGatewayIpAddress> 255.255.255.255
  authentication remote pre-share
  authentication local pre-share
  keyring local <RP_IkeKeyring>
  exit
! ———————————————————————————————————————
! IPSec configuration
!
! This section specifies encryption, authentication, tunnel mode properties for the Phase 2 negotiation
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes 256 esp-sha-hmac
 mode tunnel
 exit
! ———————————————————————————————————————
! Crypto map configuration
!
! This section defines a crypto profile that binds the cross-premise network traffic to the IPSec transform
! set and remote peer.  We also bind the IPSec policy to the virtual tunnel interface, through which
! cross-premise traffic will be transmitted.  We have picked an arbitrary tunnel id "1" as an example. If
! that happens to conflict with an existing virtual tunnel interface, you may choose to use a different id.
crypto ipsec profile <RP_IPSecProfile>
  set transform-set <RP_IPSecTransformSet>
  set ikev2-profile <RP_IkeProfile>
  exit
int tunnel 1
  ip address 169.254.0.1 255.255.255.0
  ip tcp adjust-mss 1350
  tunnel source <NameOfYourOutsideInterface>
  tunnel mode ipsec ipv4
  tunnel destination <SP_AzureGatewayIpAddress>
  tunnel protection ipsec profile <RP_IPSecProfile>
  exit
ip route <SP_AzureNetworkCIDR> tunnel 1
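As an added example (not part of the Microsoft templates or of this post), a small Python helper that fills the placeholders that most often go wrong in both templates above: the static template's access-list wants a network plus wildcard bits rather than a prefix length, and the dynamic template's ip route line wants a network plus subnet mask, so <SP_AzureNetworkCIDR> cannot be pasted in as a /16. The sample addresses and key are constructed, and the 128-character bound on the pre-shared key is an assumption.

```python
import ipaddress

# Constructed sample values standing in for the template's <SP_...> placeholders
# (gateway from the 203.0.113.0/24 documentation range, key is a dummy).
SAMPLE = {
    "onprem": "10.1.0.0/16",
    "azure": "10.2.0.0/16",
    "gateway": "203.0.113.10",
    "psk": "ExampleOnly-ReplaceMe-0123456789",
}

def cidr_to_wildcard(cidr):
    """IOS access-lists take network + wildcard bits (inverted mask); strict=True rejects host bits set."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)

def cidr_to_mask(cidr):
    """'ip route' takes network + subnet mask, so <SP_AzureNetworkCIDR> must be expanded."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.netmask)

def acl_number_is_extended(n):
    """A source+destination 'permit ip' needs an extended ACL number (100-199 or 2000-2699)."""
    return 100 <= n <= 199 or 2000 <= n <= 2699

def psk_is_usable(psk):
    """Printable ASCII without spaces: a space would end the key token in 'crypto isakmp key'."""
    return 0 < len(psk) <= 128 and psk.isascii() and psk.isprintable() and " " not in psk

def render_static_acl(acl_number, onprem, azure):
    if not acl_number_is_extended(acl_number):
        raise ValueError(f"{acl_number} is not an extended ACL number")
    on_net, on_wc = cidr_to_wildcard(onprem)
    az_net, az_wc = cidr_to_wildcard(azure)
    return f"access-list {acl_number} permit ip {on_net} {on_wc} {az_net} {az_wc}"

def render_isakmp_key(psk, gateway):
    if not psk_is_usable(psk):
        raise ValueError("pre-shared key must be 1-128 printable ASCII characters with no spaces")
    ipaddress.ip_address(gateway)  # raises ValueError on a malformed gateway address
    return f"crypto isakmp key {psk} address {gateway}"

def render_tunnel_route(azure, tunnel_id=1):
    az_net, az_mask = cidr_to_mask(azure)
    return f"ip route {az_net} {az_mask} tunnel {tunnel_id}"

if __name__ == "__main__":
    print(render_static_acl(101, SAMPLE["onprem"], SAMPLE["azure"]))
    print(render_isakmp_key(SAMPLE["psk"], SAMPLE["gateway"]))
    print(render_tunnel_route(SAMPLE["azure"]))
```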
With these configurations, basically anyone with a minimum of knowledge of Cisco devices will be able to set up the VPN without problems. In any case, if anyone needs help, count on me. Also, with a few modifications you can use them to configure the VPN between the sites of your company or your clients.
I hope you find it useful!!!