This article describes how you can create a site-site VPN with our Copaco Hyper-V service
You need to have an active Copaco Hyper-V subscription
You need to have the resources for a virtual network, see Add resources
You need to have a client device ready to connect with
Login to the Copaco Hyper-V Portal, see How to login to the Copaco Hyper-V control panel
Go to the Menu option "NETWORKS"
In the lower left corner click "NEW”
Select option "VIRTUAL NETWORK -> CUSTOM CREATE".
Add an name for this Virtual netwerk and click on “Next”:
Add Public DNS servers or add IP's of your own DNS servers if you will set them up later.
Enable the checkbox Configure site-to-site VPN
Please use the default Gateway Subnet. Don't change this setting if you don't know what you are doing. The gateway subnet must differ from your IP ranges.
In the next step add a network subnet you want to use for your virtual network. Please make sure the subnet you pick is not in use for the local customer network.
You will experience routing issues when setting up a VPN connection. To change the default subnet of 10.0.0.0/24 you should first add a new subnet before removing the default.
Choose a name for this Site-to-Site VPN-tunnel fill in the remote VPN Device Address, Remote Address Space(s) and the SHARED KEY.
The VPN-gateway ip can be found under the VNET => Dashboard.
Use this ip-address in your device as the remote gatewa
*VPN gateways setup with Windows Azure Pack (Locally Deployed in Amsterdam) might work slightly different than gateways running in the Microsoft Azure Public Cloud and offer less features. Please see notes below.
Copaco sells and recommends WatchGuard devices to setup VPN's with Microsoft Azure Gateways. The Copaco Professional Services team can train you and assist or implement WatchGuard devices for you. Please note you will need at least firmware version v11.12.x or higher. For more information about the availability and prices of our technical consultants please contact email@example.com
*Additional consultancy fees apply that are not included in your basic support contract.
The following VPN settings work for most routers, however sometimes small variations apply depending on the device manufacturer, device model or firmware version. If your VPN came online, but won't allow traffic to pass trough it, try disabling PFS, or configure PFS on DH2 on Phase 2
Phase 1 general settings
Key Group: Diffie Helman 2 (DH2)
Lifetime 28800 seconds (8 hours)
Phase 2 general settings
Type: ESP (Encapsulating Security Payload)
PFS (Perfect Forwarding Secret) enabled.
Key Group: Diffie Helman 14 (DH14)
Lifetime: 3600seconds (1 hour)
Our support team and reseller base tried to implement many device types over the years, and had some bad experiences with setup or stability on the following client devices. Please avoid them at all time if you setup a VPN with Azure Network Gateways!
Brocade Vyatta 5400 vRouter product family
Barracuda Networks NextGen Firewall X-series product family
Cisco ASA product family
Cisco Meraki product family
Cisco ISR product family
Citrix NetScaler MPX product family
Citrix Netscaler SDX product family
Citrix Netscaler VPX product family
Draytek Vigor product family
Ubiquiti Unifi Security Gateway product family
These devices might work with some extra effort
Some of our reseller confirmed that the following devices work with some creative alterations in configuration, although we cannot guarantee anything!
Fortinet devices must use Diffie Helman Group (DH14) with PFS on Phase2. This option is required to force PFS2048 encryption. If you use default Phase 2 settings, VPN won't be able to establish a Phase 2 session.
Watchguard Firebox devices with firmware over version 12.2 must use Phase2 options, PFS enabled on Diffie Helman Group 14. If you use default settings, phase 2 will be set inactive if no traffic passes the VPN for 6 minutes, and VPN won't be able to reconnect because it's still "online" on Azure Pack side.
Cisco IOS routers example config that worked for at least some customers:
crypto ikev2 proposal WAP_IkeProposal
encryption aes-cbc-256 aes-cbc-128 3des
crypto ikev2 policy WAP_IkePolicy
crypto ikev2 keyring WAP_IkeKeyring
pre-shared-key local PRESHARED-KEY
pre-shared-key remote PRESHARED-KEY
crypto ikev2 profile WAP_IkeProfile
match identity remote address 188.8.131.52 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local WAP_IkeKeyring
crypto ipsec transform-set WAP_IPSecTransformSet esp-aes 256 esp-sha-hmac
crypto map WAPVPN 10 ipsec-isakmp
set peer 184.108.40.206
set transform-set WAP_IPSecTransformSet
set ikev2-profile WAP_IkeProfile
match address 110