Azure VPN – Linux Openswan VPN

(19 July 2017)

In this test the VPN connection was established between the Azure native VPN gateway and an Openswan gateway running on an Ubuntu 14.04 server in a remote Azure virtual network. Authentication was based on a pre-shared key (PSK). The following configuration settings were in use:

Azure

Virtual network: 192.168.2.0/24 (protected network)
Public IP address: xxx.xxx.xxx.xxx
Gateway type: Policy-based (Static Routing)

Openswan

Ubuntu 14.04, Linux Openswan U2.6.38/K3.19.0-56-generic (netkey)
Virtual network: 192.168.1.0/24 (protected network)
Public IP address: yyy.yyy.yyy.yyy
Internal IP address: 192.168.1.4

(Figure: AzureVPN-Openswan)

Azure VPN configuration steps:

Resource Manager mode

  1. In Azure, create Virtual Network with address space 192.168.2.0/24 and define a subnet and the VPN Gateway subnet as part of this network (e.g. 192.168.2.0/28 for the VPN gateway and 192.168.2.128/25 for the virtual network devices).
  2. Create Virtual Network Gateway and select Gateway Type = VPN, VPN Type = Policy-based, Virtual Network = (the network you created above). Assign also a Public IP address to the gateway.
  3. Create Local Network Gateway and select IP Address = yyy.yyy.yyy.yyy (the public IP address of the Openswan gateway) and Address Space = 192.168.1.0/24 (the local network on the Openswan side).
  4. In the Virtual Network Gateway, go to Connections and add a connection with the settings: Connection Type = Site-to-site (IPsec), Virtual Network Gateway = (your current gateway), Local Network Gateway = (the Local Network Gateway you created above), Shared Key (PSK) = (the same key you define in the Openswan settings in the ipsec.secrets file).
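The four Resource Manager steps above can also be scripted with the Azure CLI. The following script is an added example, not part of the original test case or of any Microsoft documentation; the resource group, location and resource names are assumptions, as are the placeholder public IP and shared key, and should be replaced. By default it only prints the az commands it would run (DRY_RUN), so the plan can be reviewed before anything is created; set AZ_APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example (not from the original page): Azure CLI equivalent of the
# Resource Manager steps 1-4. Names, location and the placeholder addresses
# are assumptions. Policy-based gateways are only available with the Basic
# SKU, which is why --sku Basic is used below.

RG="${RG:-vpn-test-rg}"
LOCATION="${LOCATION:-northeurope}"
VNET="${VNET:-azure-vnet}"
GW="${GW:-azure-vnet-gw}"
GW_IP="${GW_IP:-azure-vnet-gw-ip}"
LNG="${LNG:-openswan-lng}"
CONN="${CONN:-azure-to-openswan}"
OPENSWAN_PUBLIC_IP="${OPENSWAN_PUBLIC_IP:-yyy.yyy.yyy.yyy}"  # public IP of the Openswan VM
PSK="${PSK:-REPLACE_WITH_SHARED_KEY}"                        # same value goes into ipsec.secrets

# Print the plan by default; AZ_APPLY=1 runs the az commands for real.
if [ "${AZ_APPLY:-0}" = "1" ]; then DRY_RUN=0; else DRY_RUN=1; fi

# Run a command, or print it on one line when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: virtual network 192.168.2.0/24 with a device subnet and the GatewaySubnet.
create_vnet() {
    run az network vnet create --resource-group "$RG" --location "$LOCATION" \
        --name "$VNET" --address-prefix 192.168.2.0/24 \
        --subnet-name devices --subnet-prefix 192.168.2.128/25
    run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
        --name GatewaySubnet --address-prefix 192.168.2.0/28
}

# Step 2: policy-based VPN gateway with its own public IP address.
create_vnet_gateway() {
    run az network public-ip create --resource-group "$RG" --location "$LOCATION" \
        --name "$GW_IP" --allocation-method Dynamic
    run az network vnet-gateway create --resource-group "$RG" --location "$LOCATION" \
        --name "$GW" --vnet "$VNET" --public-ip-address "$GW_IP" \
        --gateway-type Vpn --vpn-type PolicyBased --sku Basic
}

# Step 3: local network gateway describing the Openswan side.
create_local_gateway() {
    run az network local-gateway create --resource-group "$RG" --location "$LOCATION" \
        --name "$LNG" --gateway-ip-address "$OPENSWAN_PUBLIC_IP" \
        --local-address-prefixes 192.168.1.0/24
}

# Step 4: site-to-site connection keyed with the PSK.
create_connection() {
    run az network vpn-connection create --resource-group "$RG" --location "$LOCATION" \
        --name "$CONN" --vnet-gateway1 "$GW" --local-gateway2 "$LNG" \
        --shared-key "$PSK"
}

# Whole sequence; stops at the first failing step.
create_policy_based_s2s() {
    create_vnet && create_vnet_gateway && create_local_gateway && create_connection
}

create_policy_based_s2s
```

The shared key is taken from the environment rather than written into the script so that it does not end up in shell history or a repository; the Openswan side must receive exactly the same value in ipsec.secrets.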

Classic mode

  1. In Azure, create Virtual Network with address space 192.168.2.0/24 and define Subnet-1 and the VPN Gateway subnet as part of this network.
  2. In the Virtual Network wizard select “Configure a site-to-site VPN” and select as the local network the protected network on the Openswan side (192.168.1.0/24). If the Virtual Network has already been created, go to Virtual Network Configure > site-to-site connectivity menu and select “Connect to the local network” option.
  3. In the Virtual Network Dashboard menu create a “Static Routing” type of VPN Gateway.
  4. Check the “Gateway IP Address” in the Dashboard and use this address as the remote gateway address (right=) in the Openswan IPsec configuration.
  5. Select “Manage Shared Key” and copy the key for use in the Openswan configuration.
  6. In the Local Network menu select the network protected by the Openswan VPN Gateway and define the Openswan public IP address in “VPN Device IP Address”.

Openswan configuration steps:

  1. In Azure, create a virtual network for the Openswan site with address space 192.168.1.0/24.
  2. Add Ubuntu 14.04 Linux server in the virtual network.
  3. In the Azure Virtual Machine Endpoints menu for the Ubuntu server enable the endpoints for UDP 500 and UDP 4500 packets:
    • UDP 500: Private port 500, public port 500
    • UDP 4500: Private port 4500, public port 4500
  4. In the Dashboard check the Public Virtual IP Address assigned to the Virtual Machine and use it as the Local Network Gateway IP address (Resource Manager mode) or the VPN Device IP Address (Classic mode) in the Azure VPN configuration.
  5. Connect to the Ubuntu server, e.g. with the PuTTY app from a Windows VM located in the same virtual network.
  6. Install the Openswan VPN gateway with the command: sudo apt-get install openswan
  7. Edit the IPsec and address settings in the configuration file /etc/ipsec.conf
  8. Paste the Azure VPN gateway Shared Key into /etc/ipsec.secrets
  9. Restart the VPN service: sudo service ipsec restart

In addition to the above steps, the routing settings in the Azure Virtual Network on the Openswan side may need to be modified as discussed in the test case Routing with Ubuntu Linux VPN Gateway (Classic Mode) or Routing with Ubuntu Linux VPN (Resource Manager Mode).


SAMPLE “IPSEC.CONF” IN OPENSWAN

config setup
    # NETKEY is the native Linux kernel IPsec stack
    protostack=netkey
    virtual_private=%v4:192.168.1.0/24
    oe=off
    # required because the Openswan host sits behind Azure NAT (UDP 4500)
    nat_traversal=yes

conn vpn
    authby=secret
    auto=start
    type=tunnel
    # internal address of the Ubuntu VM; leftid carries the public address
    left=192.168.1.4
    leftid=yyy.yyy.yyy.yyy
    leftsubnet=192.168.1.0/24
    leftnexthop=%defaultroute
    # Azure VPN gateway public address and protected network
    right=xxx.xxx.xxx.xxx
    rightsubnet=192.168.2.0/24
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    pfs=no

NOTES:
  • Because Openswan is located behind NAT, it may use the internal IP address (192.168.1.4) as its IKE identity while Azure VPN sees the packets coming from the public IP address, so the identity check fails. To avoid this, define the public IP address as the Openswan identity with “leftid=yyy.yyy.yyy.yyy”.
  • right = the Azure VPN Gateway public IP address (xxx.xxx.xxx.xxx)
  • Parameter lines inside the config setup and conn sections must be indented; Openswan treats an unindented line as the start of a new section.

SAMPLE “IPSEC.SECRETS” IN OPENSWAN

: PSK "m4H8MTyAAabyIdNEIa29SbYbq9PLbuOr"

NOTES:
  • PSK = the Shared Key copied from the Azure VPN Gateway connection; it must be enclosed in straight double quotes (typographic quotes pasted from a word processor are not parsed).
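Openswan configuration steps 7 to 9 and the two sample files above can be generated and checked from one script. The following is an added example, not part of the original test case or of the Openswan project: it renders ipsec.conf and ipsec.secrets from a few variables, rejects a leftid that is still the private address (the NAT identity problem from the notes) and a PSK that cannot be quoted safely, and only writes the files and restarts the service when APPLY=1. The address values are the placeholders used on this page; the 16-character minimum key length is an assumption of this example, not an Openswan or Azure requirement.

```shell
#!/bin/sh
# Added example (not from the original page): render and sanity-check the
# Openswan side of the Azure site-to-site tunnel. Addresses below are the
# page's placeholders; override them in the environment.

LEFT="${LEFT:-192.168.1.4}"                   # internal address of the Ubuntu VM
LEFT_PUBLIC="${LEFT_PUBLIC:-yyy.yyy.yyy.yyy}" # public VIP of the VM, used as leftid
LEFT_SUBNET="${LEFT_SUBNET:-192.168.1.0/24}"
RIGHT="${RIGHT:-xxx.xxx.xxx.xxx}"             # Azure VPN gateway public address
RIGHT_SUBNET="${RIGHT_SUBNET:-192.168.2.0/24}"
PSK="${PSK:-REPLACE_WITH_SHARED_KEY}"

# True when the address is in one of the RFC 1918 private ranges.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Openswan is behind NAT: if leftid stays at the private address, Azure sees
# the packets from the public address and the identity check fails.
check_nat_identity() {
    if is_private_ipv4 "$1"; then
        echo "leftid $1 is a private address; Azure will see the NATed public address" >&2
        return 1
    fi
    return 0
}

# ipsec.secrets wraps the key in straight double quotes, so an embedded quote
# would end the string early. The length floor is an assumption of this example.
check_psk() {
    case "$1" in
        *\"*) echo "PSK must not contain double quotes" >&2; return 1 ;;
    esac
    [ ${#1} -ge 16 ] || { echo "PSK shorter than 16 characters" >&2; return 1; }
    return 0
}

# Same content as the sample ipsec.conf, with parameters indented under their sections.
render_ipsec_conf() {
    cat <<EOF
config setup
    protostack=netkey
    virtual_private=%v4:${LEFT_SUBNET}
    oe=off
    nat_traversal=yes

conn vpn
    authby=secret
    auto=start
    type=tunnel
    left=${LEFT}
    leftid=${LEFT_PUBLIC}
    leftsubnet=${LEFT_SUBNET}
    leftnexthop=%defaultroute
    right=${RIGHT}
    rightsubnet=${RIGHT_SUBNET}
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    pfs=no
EOF
}

# Always emits straight quotes, whatever the key was pasted from.
render_ipsec_secrets() {
    printf ': PSK "%s"\n' "$PSK"
}

# Steps 7-9: write both files (secrets readable by root only) and restart Openswan.
apply_config() {
    check_nat_identity "$LEFT_PUBLIC" || return 1
    check_psk "$PSK" || return 1
    render_ipsec_conf > /etc/ipsec.conf
    ( umask 077; render_ipsec_secrets > /etc/ipsec.secrets )
    service ipsec restart
    ipsec auto --status
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_config
else
    # Review mode: warn about the identity problem, then show what would be written.
    check_nat_identity "$LEFT_PUBLIC" || true
    render_ipsec_conf
    echo
    render_ipsec_secrets
fi
```

Run it once without APPLY to review the rendered files, then as root with APPLY=1 and the real PSK in the environment. The check on leftid is deliberately a hard failure in apply mode, because a tunnel whose IKE identity does not match what Azure sees simply never comes up and the cause is not obvious from the Azure side.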