Summary

This article describes how you can create a site-site VPN with our Copaco Hyper-V service

Prerequisites

  • You need to have an active Copaco Hyper-V subscription

  • You need to have the resources for a virtual network, see Add resources

  • You need to have a client device ready to connect with

Start

  1. Login to the Copaco Hyper-V Portal, see How to login to the Copaco Hyper-V control panel

  2. Go to the Menu option "NETWORKS"

  3. In the lower left corner click "NEW”

  4. Select option "VIRTUAL NETWORK -> CUSTOM CREATE".

  5. Add an name for this Virtual netwerk and click on “Next”:

  6. Add Public DNS servers or add IP's of your own DNS servers if you will set them up later.
    Enable the checkbox Configure site-to-site VPN
    Please use the default Gateway Subnet. Don't change this setting if you don't know what you are doing. The gateway subnet must differ from your IP ranges.

  7. In the next step add a network subnet you want to use for your virtual network. Please make sure the subnet you pick is not in use for the local customer network.
    You will experience routing issues when setting up a VPN connection. To change the default subnet of 10.0.0.0/24 you should first add a new subnet before removing the default.

  8. Choose a name for this Site-to-Site VPN-tunnel fill in the remote VPN Device Address, Remote Address Space(s) and the SHARED KEY.

  9. The VPN-gateway ip can be found under the VNET => Dashboard.
    Use this ip-address in your device as the remote gatewa

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

*VPN gateways setup with Windows Azure Pack (Locally Deployed in Amsterdam) might work slightly different than gateways running in the Microsoft Azure Public Cloud and offer less features. Please see notes below.


Copaco sells and recommends WatchGuard devices to setup VPN's with Microsoft Azure Gateways. The Copaco Professional Services team can train you and assist or implement WatchGuard devices for you. Please note you will need at least firmware version v11.12.x or higher. For more information about the availability and prices of our technical consultants please contact professional.services@copaco.com

*Additional consultancy fees apply that are not included in your basic support contract.

VPN Settings
The following VPN settings work for most routers, however sometimes small variations apply depending on the device manufacturer, device model or firmware version. If your VPN came online, but won't allow traffic to pass trough it, try disabling PFS, or configure PFS on DH2 on Phase 2

Phase 1 general settings

  • Version: IKEv2

  • Transform: SHA1-AES265

  • Key Group: Diffie Helman 2 (DH2)

  • Lifetime 28800 seconds (8 hours)

Phase 2 general settings

  • Type: ESP (Encapsulating Security Payload)

  • Authentication: SHA1

  • Encryption: AES265

  • PFS (Perfect Forwarding Secret) enabled.

  • Key Group: Diffie Helman 14 (DH14)

  • Lifetime: 3600seconds (1 hour)

Unsupported Devices
Our support team and reseller base tried to implement many device types over the years, and had some bad experiences with setup or stability on the following client devices. Please avoid them at all time if you setup a VPN with Azure Network Gateways!

  • Brocade Vyatta 5400 vRouter product family

  • Barracuda Networks NextGen Firewall X-series product family

  • Cisco ASA product family

  • Cisco Meraki product family

  • Cisco ISR product family

  • Citrix NetScaler MPX product family

  • Citrix Netscaler SDX product family

  • Citrix Netscaler VPX product family

  • Draytek Vigor product family

  • Ubiquiti Unifi Security Gateway product family


These devices might work with some extra effort
Some of our reseller confirmed that the following devices work with some creative alterations in configuration, although we cannot guarantee anything!

  • Fortinet devices must use Diffie Helman Group (DH14) with PFS on Phase2. This option is required to force PFS2048 encryption. If you use default Phase 2 settings, VPN won't be able to establish a Phase 2 session.

  • Watchguard Firebox devices with firmware over version 12.2 must use Phase2 options, PFS enabled on Diffie Helman Group 14. If you use default settings, phase 2 will be set inactive if no traffic passes the VPN for 6 minutes, and VPN won't be able to reconnect because it's still "online" on Azure Pack side.

  • Cisco IOS routers example config that worked for at least some customers:

!
crypto ikev2 proposal WAP_IkeProposal
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy WAP_IkePolicy
 proposal WAP_IkeProposal
!
crypto ikev2 keyring WAP_IkeKeyring
 peer 188.126.112.101
  address 188.126.112.101
  pre-shared-key local PRESHARED-KEY
  pre-shared-key remote PRESHARED-KEY
 !
!
!
crypto ikev2 profile WAP_IkeProfile
 match identity remote address 188.126.112.101 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local WAP_IkeKeyring
!
crypto ipsec transform-set WAP_IPSecTransformSet esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
crypto map WAPVPN 10 ipsec-isakmp
 set peer 188.126.112.101
 set transform-set WAP_IPSecTransformSet
 set ikev2-profile WAP_IkeProfile
 match address 110
!