
Create Azure VPN gateways with Windows Server 2012



I have been doing a lab for the past few weeks to figure out how the Azure gateway is configured, and I was finally able to establish connectivity between two VNETs without Azure gateways. This is a completely unsupported scenario; I am sharing it only so that we can understand the way Azure gateways work. It is also important to mention that the Azure gateways no longer use Windows RAS; they run our own stack. I’m sure most of us already know this, but I thought of sharing it for those who may find it beneficial.

Setup Diagram:

Setup Description:

VNET name: VNET1
Public IP: 13.65.198.85
Address space: 10.1.0.0/16
Subnets:
    Internal: 10.1.1.0/24
    External: 10.1.2.0/24
    Test-subnet: 10.1.3.0/24
Virtual machines used:
    RAS1 -> two-NIC VM with IP address 10.1.1.8 on the internal subnet and 10.1.2.8 on the external subnet
    VM1 -> client test VM with IP address 10.1.3.8

VNET name: VNET2
Public IP: 13.85.30.146
Address space: 10.2.0.0/16
Subnets:
    Internal: 10.2.1.0/24
    External: 10.2.2.0/24
    Test-subnet: 10.2.3.0/24
Virtual machines used:
    RAS2 -> two-NIC VM with IP address 10.2.1.8 on the internal subnet and 10.2.2.8 on the external subnet
    VM1 -> client test VM with IP address 10.2.3.8


Scenario 1: Connecting two VNETs using IKEv2 by configuring RAS on both sides (Site-to-Site, dynamic gateway, including multi-site)

Before beginning, make sure IP forwarding is enabled on both NICs of each RAS VM (in the Azure NIC settings, not only inside the guest OS) and that the NSG allows inbound UDP 500 (IKE) and UDP 4500 (IPsec NAT-T), ideally only from the peer's public IP.

You can run the PowerShell script below to configure RAS1:

Import-Module RemoteAccess          # loads the RemoteAccess cmdlets we need
Install-RemoteAccess -VpnType VpnS2S          # installs and enables RRAS in site-to-site mode

# Creates the demand-dial interface. -NumberOfTries 0 retries indefinitely; -IPv4Subnet is 'prefix:metric'
# for the remote address space routed over the tunnel. 'Corp123!' is a lab placeholder: use a long random PSK.
Add-VpnS2SInterface -Name DynamicTunnel -Protocol IKEv2 -AuthenticationMethod PSKOnly -ResponderAuthenticationMethod PSKOnly -InitiateConfigPayload $false -SourceIpAddress 13.65.198.85 -Destination 13.85.30.146 -SharedSecret 'Corp123!' -NumberOfTries 0 -IPv4Subnet @('10.2.0.0/16:100') -EncryptionType RequireEncryption -SADataSizeForRenegotiationKilobytes 102400000 -SALifeTimeSeconds 3600

Connect-VpnS2SInterface -Name DynamicTunnel

You can run the PowerShell script below to configure RAS2:

Import-Module RemoteAccess          # loads the RemoteAccess cmdlets we need
Install-RemoteAccess -VpnType VpnS2S          # installs and enables RRAS in site-to-site mode

# Same interface as on RAS1 with source/destination and the routed prefix swapped; the PSK must match exactly.
Add-VpnS2SInterface -Name DynamicTunnel -Protocol IKEv2 -AuthenticationMethod PSKOnly -ResponderAuthenticationMethod PSKOnly -InitiateConfigPayload $false -SourceIpAddress 13.85.30.146 -Destination 13.65.198.85 -SharedSecret 'Corp123!' -NumberOfTries 0 -IPv4Subnet @('10.1.0.0/16:100') -EncryptionType RequireEncryption -SADataSizeForRenegotiationKilobytes 102400000 -SALifeTimeSeconds 3600

Connect-VpnS2SInterface -Name DynamicTunnel

If the interface was created without -InitiateConfigPayload $false, Connect-VpnS2SInterface may fail with the error “error in assigning an inner ip address in the tunnel mode”.

Use this command on both ends to fix the issue: Set-VpnS2SInterface -Name DynamicTunnel -InitiateConfigPayload $false

Once the RAS role is installed and InitiateConfigPayload is set to $false, the tunnel connects. If it is left at $true, a trace shows the IKE_SA_INIT and IKE_AUTH exchanges complete and then the peer RAS server sends a Delete notification. This is because the configuration payload is the remote-access mechanism by which the dialing side asks the other end for an inner tunnel IP address out of its address pool; a site-to-site peer is not set up to hand one out, so it tears the SA down instead. Disabling the configuration payload on both sides makes it work.


Once that is done, we can see the tunnel is up, and these commands are useful for troubleshooting:

Get-RemoteAccess : displays the configuration of DirectAccess (DA) and VPN (both remote-access VPN and site-to-site VPN).

Get-VpnS2SInterface : retrieves details for a site-to-site (S2S) interface, including its ConnectionState (Get-VpnS2SInterface -Verbose | fl).

Get-VpnS2SInterfaceStatistics : retrieves traffic statistics of a site-to-site (S2S) interface.

Get-VpnServerConfiguration : shows the server-wide VPN settings. Here we can see the SSTP port count is 128, and that is why we have a limitation of 128 VPN clients.

Once the tunnel is connected, netsh interface ipv4 show interfaces lists the tunnel interface as connected. Looking a little closer, the tunnel interface has an MTU of 1400. That is the reason why the route-based gateway has an MTU of 1400; I think this applies to our new gateway V2 as well.



Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 37          10        1400  connected     DynamicTunnel
 16           5        1500  connected     Ethernet 3
 17           5        1500  connected     Ethernet 4


Note: Here, instead of a Local Network Gateway, we use a user-defined route (UDR) on the test subnet of each VNET that sends traffic destined for the other VNET's address space to the RAS server's internal NIC (next hop type VirtualAppliance, e.g. 10.1.1.8 in VNET1 and 10.2.1.8 in VNET2).
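As an added example (not part of the original post), the Azure-side prerequisites for this scenario, the NIC IP forwarding and NSG rule for UDP 500/4500 mentioned before the RAS scripts and the UDR described in the note above, expressed with the Az PowerShell module for the VNET1 side. The resource group, region, NSG, NIC and route table names are assumptions; the IPs and prefixes come from the setup description.

```powershell
# Added example, not from the original post. Azure-side prerequisites for RAS1 / VNET1
# using the Az module (Connect-AzAccount already done). Run the mirror image for VNET2.
$rg            = 'rg-vnet1'                                   # assumed resource group
$location      = 'westus'                                     # assumed region
$vnetName      = 'VNET1'
$nsgName       = 'nsg-ras1-external'                          # assumed NSG on RAS1's external NIC
$nicNames      = @('ras1-nic-internal', 'ras1-nic-external')  # assumed NIC names of RAS1
$rasInternalIp = '10.1.1.8'        # RAS1 internal NIC: next hop for the test subnet
$remoteSpace   = '10.2.0.0/16'     # VNET2 address space reached through the tunnel
$peerPublicIp  = '13.85.30.146'    # RAS2 public IP: the only IKE peer allowed in

# 1. IP forwarding on the Azure NIC objects. RRAS forwards inside the guest, but the
#    fabric drops packets not addressed to the NIC's own IP unless this is set.
foreach ($nicName in $nicNames) {
    $nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
    $nic.EnableIPForwarding = $true
    $nic | Set-AzNetworkInterface | Out-Null
}

# 2. NSG: IKE (UDP 500) and NAT-T (UDP 4500) inbound, scoped to the peer gateway only
#    rather than to the whole Internet.
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'allow-ikev2-from-peer' -Priority 200 `
    -Direction Inbound -Access Allow -Protocol Udp `
    -SourceAddressPrefix $peerPublicIp -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange @('500', '4500') | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 3. UDR on Test-subnet: the remote VNET's address space goes to RAS1's internal NIC.
#    Return traffic from RAS1 to 10.1.3.0/24 uses normal VNET routing, so no route is
#    needed on the Internal or External subnets.
$route = New-AzRouteConfig -Name 'to-vnet2-via-ras1' -AddressPrefix $remoteSpace `
    -NextHopType VirtualAppliance -NextHopIpAddress $rasInternalIp
$rt = New-AzRouteTable -Name 'rt-test-subnet' -ResourceGroupName $rg `
    -Location $location -Route $route

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -Name 'Test-subnet' -VirtualNetwork $vnet `
    -AddressPrefix '10.1.3.0/24' -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

The NSG rule is deliberately narrowed to the peer's public IP; with IKEv2 and a PSK the gateway is otherwise reachable for pre-authentication probing from anywhere. For the multi-site case add one rule and one route per additional peer.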

For a multi-site configuration, run Add-VpnS2SInterface again for each additional peer, with that peer's public IP as -Destination, its address space in -IPv4Subnet and its own pre-shared key.

Scenario 2: Connecting two VNETs using IKEv2 by configuring RAS on both sides (BGP over IPsec, dynamic gateway)

Here the main difference is that instead of putting the peer's entire address space in -IPv4Subnet, we give only the peer's BGP IP address as a /32, so the only static route over the tunnel is the one needed to reach the BGP peer. Once the site-to-site tunnel is up, the BGP router advertises its local address space to the peer and all other routes are learned dynamically. BGP runs over TCP port 179 inside the tunnel, so make sure nothing on the RAS servers (Windows Firewall) blocks it between the two BGP addresses.

In RAS1:

$localIP="10.1.2.8"                 # external NIC of RAS1: BGP identifier and peering address
$localSubnet="10.1.0.0/16"          # VNET1 address space to advertise (the whole /16, not a single subnet)
$localASN="65111"
$peerIP="10.2.2.8"                  # external NIC of RAS2, reached through the tunnel
$peerASN="65222"
$peerPublicIP="13.85.30.146"        # public IP of RAS2, the IKEv2 peer
$psk="Corp123!"                     # lab placeholder; use a long random secret elsewhere
$peerSubnet=@($peerIP+"/32:100")    # only the peer's BGP address is routed statically over the tunnel
Install-RemoteAccess -VpnType VpnS2S
Add-VpnS2SInterface -Protocol IKEv2 -AuthenticationMethod PSKOnly -NumberOfTries 0 -ResponderAuthenticationMethod PSKOnly -Name BGPconnection -Destination $peerPublicIP -IPv4Subnet $peerSubnet -SharedSecret $psk -SADataSizeForRenegotiationKilobytes 102400000 -SALifeTimeSeconds 3600
Add-BgpRouter -BgpIdentifier $localIP -LocalASN $localASN
Add-BgpPeer -Name $peerPublicIP -LocalIPAddress $localIP -PeerIPAddress $peerIP -LocalASN $localASN -PeerASN $peerASN -OperationMode Mixed -PeeringMode Automatic
Add-BgpCustomRoute -Network $localSubnet -PassThru    # the prefix advertised to the peer

Set-VpnS2SInterface -Name BGPconnection -InitiateConfigPayload $false

In RAS2:

$localIP="10.2.2.8"                 # external NIC of RAS2: BGP identifier and peering address
$localSubnet="10.2.0.0/16"          # VNET2 address space to advertise (the whole /16, not a single subnet)
$localASN="65222"
$peerIP="10.1.2.8"                  # external NIC of RAS1, reached through the tunnel
$peerASN="65111"
$peerPublicIP="13.65.198.85"        # public IP of RAS1, the IKEv2 peer
$psk="Corp123!"                     # must match the PSK on RAS1
$peerSubnet=@($peerIP+"/32:100")    # only the peer's BGP address is routed statically over the tunnel
Install-RemoteAccess -VpnType VpnS2S
Add-VpnS2SInterface -Protocol IKEv2 -AuthenticationMethod PSKOnly -NumberOfTries 0 -ResponderAuthenticationMethod PSKOnly -Name BGPconnection -Destination $peerPublicIP -IPv4Subnet $peerSubnet -SharedSecret $psk -SADataSizeForRenegotiationKilobytes 102400000 -SALifeTimeSeconds 3600
Add-BgpRouter -BgpIdentifier $localIP -LocalASN $localASN
Add-BgpPeer -Name $peerPublicIP -LocalIPAddress $localIP -PeerIPAddress $peerIP -LocalASN $localASN -PeerASN $peerASN -OperationMode Mixed -PeeringMode Automatic
Add-BgpCustomRoute -Network $localSubnet -PassThru    # the prefix advertised to the peer

Set-VpnS2SInterface -Name BGPconnection -InitiateConfigPayload $false


Once that is done, these commands are useful for troubleshooting:

Get-BgpRouter : gets the configuration of the local Border Gateway Protocol (BGP) router (identifier and ASN).

Get-BgpPeer : gets the configured BGP peers and their state; ConnectivityStatus should show Connected once the tunnel is up and TCP 179 is reachable across it.

Get-BgpRouteInformation : retrieves BGP route information for one or more network prefixes; the peer's address space should appear here as a route learned from the peer rather than a custom route.
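As an added example (not part of the original post), a single check script that ties together the troubleshooting cmdlets from both scenarios: the tunnel state, counters and 1400-byte MTU from Scenario 1, and the BGP peer and learned routes from Scenario 2. It runs on a RAS server after Connect-VpnS2SInterface. The interface name, remote test host and expected MTU are assumptions for the lab above (VNET1 side shown); the property names follow the RRAS cmdlet output on Windows Server 2012 R2, so check them with Get-Member if your build differs.

```powershell
# Added example, not from the original post. Run on RAS1 after the tunnel is connected.
function Test-S2STunnel {
    param(
        [string]$InterfaceName  = 'DynamicTunnel',   # 'BGPconnection' in Scenario 2
        [string]$RemoteTestHost = '10.2.3.8',        # test VM in the other VNET
        [int]$ExpectedMtu       = 1400,              # tunnel MTU seen in 'show interfaces'
        [switch]$Bgp                                 # also check BGP (Scenario 2)
    )
    $result = [ordered]@{}

    # 1. IKEv2 interface state. Anything other than Connected means IKE never finished:
    #    PSK mismatch, NSG blocking UDP 500/4500, or the config-payload problem above.
    $if = Get-VpnS2SInterface -Name $InterfaceName -ErrorAction Stop
    $result.ConnectionState       = $if.ConnectionState
    $result.InitiateConfigPayload = $if.InitiateConfigPayload   # should be False

    # 2. Counters. Transmitted growing while Received stays at 0 points at a one-way
    #    routing problem (UDR missing on the far side) rather than an IKE problem.
    $stats = Get-VpnS2SInterfaceStatistics -Name $InterfaceName
    $result.BytesTransmitted = $stats.BytesTransmitted
    $result.BytesReceived    = $stats.BytesReceived

    # 3. MTU of the tunnel interface as the IP stack sees it (1400 on RRAS).
    $ipif = Get-NetIPInterface -InterfaceAlias $InterfaceName -AddressFamily IPv4 `
                -ErrorAction SilentlyContinue
    $result.Mtu = if ($ipif) { $ipif.NlMtu } else { $null }

    # 4. Routes that point at the tunnel: the remote /16 (Scenario 1) or the peer /32
    #    plus BGP-learned prefixes (Scenario 2). If empty, traffic leaves via the default route.
    $result.RoutesViaTunnel = @(Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -eq $InterfaceName } |
        Select-Object -ExpandProperty DestinationPrefix)

    # 5. End-to-end probe with the DF bit set and a payload sized to the tunnel MTU
    #    (1400 - 20 IP - 8 ICMP = 1372). One byte more must be refused locally; if it
    #    gets through, the MTU assumption for this path is wrong.
    $fit      = $ExpectedMtu - 28
    $result.PingFitsMtu     = [bool](& ping.exe -n 1 -f -l $fit $RemoteTestHost |
                                  Select-String -Quiet 'TTL=')
    $result.OversizeDropped = -not [bool](& ping.exe -n 1 -f -l ($fit + 1) $RemoteTestHost |
                                  Select-String -Quiet 'TTL=')

    if ($Bgp) {
        # 6. Scenario 2: the peer must be Connected (TCP 179 inside the tunnel) and the
        #    remote address space must show up as learned from the peer, not as a custom route.
        $peer = Get-BgpPeer
        $result.BgpPeerState     = $peer.ConnectivityStatus
        $result.BgpLearnedRoutes = @(Get-BgpRouteInformation |
            Where-Object { $_.LearnedFromPeer } |
            Select-Object -ExpandProperty DestinationNetwork)
    }
    [pscustomobject]$result
}

Test-S2STunnel                                        # Scenario 1
# Test-S2STunnel -InterfaceName BGPconnection -Bgp    # Scenario 2
```

Reading the output: ConnectionState Connected with Mtu 1400 and both ping results True confirms the tunnel behaves like the route-based Azure gateway described above; a Connected tunnel with an empty RoutesViaTunnel (or, with -Bgp, an empty BgpLearnedRoutes) means the problem is routing, not IPsec.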
