Let's Configure Azure Site-to-Site VPN with RRAS in Azure Resource Manager!

UPDATE 12/20/2016: The correct port forwarding rules need to be in place in order for the VPN to work.  Here is a link to a blog with more information about which ports need to be configured on the router.

There are several blog posts about configuring an Azure site-to-site VPN with Microsoft RRAS in the old Azure portal.  I did find that Cheryl McGuire wrote an article about creating a site-to-site VPN in Azure Resource Manager with PowerShell here. However this post is more specific about configuring RRAS and Azure site-to-site VPN.

In the old Azure portal once you configured a site-to-site VPN it would generate a script that would configure RRAS on a Windows Server.  I have not been able to find where or even if that script is created in the new Azure portal.  So we are going to manually configure RRAS.

NOTE: In this post I will be disabling IPv6 because it is not used.

Before you begin you will need a Windows Server 2012 R2 that has 2 NICs.

Configuring the RRAS Server's NICs...

Label one NIC to be External and one to be Internal.

Go into the properties of the External adapter.

  • Uncheck everything except for TCP/IPv4.
  • Go into the properties of TCP/IPv4 and configure:
    • IP Address
    • Gateway
    • DNS Servers
    • Advanced Settings -> WINS -> Disable NetBIOS over TCP/IP (the External adapter faces the Internet; it should answer nothing but IKE/IPsec)


Click OK to close out the External adapter properties.

Go into properties of the Internal adapter.

  • Uncheck TCP/IPv6.
  • Go into the properties of TCP/IPv4 and configure:
    • IP Address
    • DNS Servers

NOTE: Leave the default gateway blank on the Internal adapter. A multi-homed server with a gateway on both adapters has two default routes and may send Internet-bound (including IKE) traffic out the Internal adapter. If you do configure a gateway on the Internal adapter, for example because the LAN has other subnets behind an internal router, you will need to manually add static routes for those subnets and make sure the only default route is through the External adapter.

In other articles about setting up a site-to-site VPN with Azure it is recommended that you assign the External IP address in the DMZ on the router.  I did not do that because this is just a home lab and it still works fine.  However without the External adapter in the DMZ, Azure is unable to initiate the connection: inbound IKE from Azure is dropped at the router, so the RRAS server must always be the side that dials out. Placing the server in the router's DMZ exposes every port on it to the Internet; the narrower option, which the update at the top of this post refers to, is to forward only UDP 500 and UDP 4500 (IKE and IPsec NAT-T) from the router to the External adapter's address.
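The NIC configuration above, done from PowerShell instead of the adapter property sheets. This is an added example and not part of the original post; the adapter names ("Ethernet", "Ethernet 2"), the addresses (External 192.168.0.2/24 behind a router at 192.168.0.1, Internal 192.168.1.2/24, which is the on-premises range used for the local network gateway later) and the DNS servers are assumptions for a home lab and need to be changed to match your network. It ends with the check a multi-homed server needs: exactly one IPv4 default route, and it must be on the External adapter.

```powershell
# Added example (not from the original post): configure the RRAS server's two NICs.
# Run in an elevated PowerShell on Windows Server 2012 R2 or later.
$ErrorActionPreference = 'Stop'

# Assumed current adapter names; check Get-NetAdapter first.
Rename-NetAdapter -Name 'Ethernet'   -NewName 'External'
Rename-NetAdapter -Name 'Ethernet 2' -NewName 'Internal'

# External: leave only TCP/IPv4 bound. Client for Microsoft Networks, File and Printer
# Sharing, IPv6, LLTD and QoS are unbound so the Internet-facing adapter offers nothing
# except the IKE/IPsec the VPN needs.
$unbindExternal = 'ms_tcpip6', 'ms_msclient', 'ms_server', 'ms_lltdio', 'ms_rspndr', 'ms_pacer'
foreach ($id in $unbindExternal) {
    Disable-NetAdapterBinding -Name 'External' -ComponentID $id
}

# Assumed addressing: External sits on the router's LAN, and it is the ONLY adapter with a gateway.
New-NetIPAddress -InterfaceAlias 'External' -IPAddress '192.168.0.2' -PrefixLength 24 -DefaultGateway '192.168.0.1' | Out-Null
Set-DnsClientServerAddress -InterfaceAlias 'External' -ServerAddresses '192.168.0.1'

# Disable NetBIOS over TCP/IP on External (WINS tab in the GUI). TcpipNetbiosOptions: 0 = default, 1 = on, 2 = off.
$ext = Get-NetAdapter -Name 'External'
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $($ext.ifIndex)" |
    Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null

# Internal: IPv6 off, static address, DNS, and deliberately NO default gateway.
Disable-NetAdapterBinding -Name 'Internal' -ComponentID 'ms_tcpip6'
New-NetIPAddress -InterfaceAlias 'Internal' -IPAddress '192.168.1.2' -PrefixLength 24 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias 'Internal' -ServerAddresses '192.168.1.10'   # assumed LAN DNS server

# Check: a multi-homed box must have exactly one IPv4 default route, and it must be on External.
$defaults = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0')
if ($defaults.Count -ne 1 -or $defaults[0].InterfaceAlias -ne 'External') {
    throw "Expected a single default route via External, found: $(($defaults.InterfaceAlias) -join ', ')"
}

# Show what is still bound on the Internet-facing adapter; expect only Internet Protocol Version 4.
Get-NetAdapterBinding -Name 'External' | Where-Object Enabled | Select-Object Name, DisplayName, ComponentID
```

If the check at the end throws, a second default route has crept in (typically a gateway on Internal or a leftover from DHCP); remove it with Remove-NetRoute before going on, because RRAS will otherwise pick an interface for the IKE traffic that the router never sees.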

Installing the RRAS Roles and Features...

Now that the networking has been configured.  Make sure that the server has the latest updates.

Open Server Manager. Select Manage -> Add Roles and Features.

On the Add Roles and Features Wizard

  • Before You Begin: Click Next
  • Installation Type: Role-based -> Click Next
  • Server Selection: Select a server from the server pool -> RRAS-Server -> Click Next
  • Server Roles: Check Remote Access -> Click Next
  • Features: Click Next
  • Remote Access: Click Next
    • Role Services:
      • DirectAccess and VPN (RAS)
        • Click Add Features on the pop-up window
      • Routing
      • Click Next
  • Web Server Role (IIS): Click Next
    • Role Services
      • Accept Defaults: Click Next
  • Confirmation: Click Install

While that installs, let's head over to Azure.

Setting up / configuring the VPN in Azure...

NOTE: For this walk-through all resources will be specified in East US.  As my own personal best practice I place all my resources in the same location.

Go to Virtual Networks and click Add.

On the Create virtual network blade fill in the following:

  • Name - RRAS-S2S-Vnet
  • Address space - 10.2.0.0/16
    • There will need to be 2 subnets created so the address space here will have to be big enough for your 2 subnets.  I am going to have 2 /24 subnets under this to help clarify the differences in the 2 subnets.
  • Subnet name - default
    • This is the subnet you will use for your Azure VMs.
  • Subnet address range - 10.2.0.0/24
    • This is the address range that will be used for the Azure VMs.
  • Subscription - pick your subscription
  • Resource group - S2S-Test
    • This is creating a resource group that we will use for the rest of the resources.
  • Location - Pick the location you want your Virtual Network to reside.

Click Create.

Next you need to create a subnet for the virtual network gateway.  Click on Virtual Networks.

On the Virtual Networks blade click the RRAS-S2S-Vnet network.  Then click on All settings -> Subnets -> Add.

On the Add subnet blade fill in the following:

  • Name - GatewaySubnet
    • This has to be the name of the subnet for the Virtual Network Gateway; Azure finds it by this exact name.
  • Address Range - 10.2.1.0/24
    • This range is reserved for the Azure virtual network gateway instances themselves, not for the RRAS server and not for your VMs. Do not place VMs in it. A /24 is more than enough; Azure only requires a /27 or larger.

Click OK

After the Virtual Network is deployed click on Virtual network gateways.

Click on Add

On the Create virtual network gateway blade type in the name of the virtual network gateway, RRAS-S2S-VnetGW. Then click Choose virtual network and select the RRAS-S2S-Vnet virtual network.


Back on the Create virtual network gateway blade click Choose a public IP address. Then on the Choose public IP address blade click Create new.

On the Create public IP address blade type in the name for the public IP address resource and click OK.

Back on the Create virtual network gateway blade select the following:

  • Gateway type: VPN
  • VPN type: Route-based
  • Subscription: your Azure subscription

Click on Select existing under Resource group and then on the Resource group blade select the S2S-Test, click OK.

Back on the Create virtual network gateway blade select East US as the Location and then click OK.

Back on the Create virtual network gateway blade review the options and then click Create.


After the Virtual Network Gateway is created select Virtual network gateways and then select RRAS-S2S-VnetGW.  The settings blade will appear. Make note of the Public IP address, this will be needed later.


Next go to Local network gateways and click Add.


On the Create local network gateway blade enter in the following information:

  • Name: RRAS-S2S-LclNetGW
  • IP address: Enter the public IP address of the network that the RRAS server is on. If the server sits behind a home router this is the router's WAN address, not the External adapter's private address.
  • Address space: This is where the on prem network address space is set (e.g. 192.168.1.0/24).
  • Subscription: Select your Azure subscription
  • Resource group: S2S-Test
  • Location: East US


Click Create.

After the Local network gateway is created, go to Local network gateways -> RRAS-S2S-LclNetGW -> Settings -> Connections.

Click Add.


On the Add connection blade fill in the following:

  • Name: RRAS-S2S-LclNetGW-Connection
  • Connection type: Site-to-site (IPsec)
  • Virtual network gateway: RRAS-S2S-VnetGW
  • Local network gateway: RRAS-S2S-LclNetGW
  • Shared key (PSK): Enter a long, randomly generated alphanumeric key (32 or more characters). This key is the only credential authenticating the two gateways to each other, so generate it rather than typing a memorable word, keep it in a password manager, and enter the identical value on the RRAS demand-dial interface later.
  • Resource group: S2S-Test
  • Location: East US


Click OK.

The site-to-site VPN configuration in Azure is now complete.
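The same Azure resources as the portal steps above, built with the Az PowerShell module. This is an added example and not part of the original post (which uses the portal; the 2016-era equivalent was the AzureRM module with the same cmdlet names under the AzureRm prefix). It assumes you have already run Connect-AzAccount, and the on-premises public IP and address prefix are placeholders to replace. It also shows the point made about the shared key: the PSK is generated from a cryptographic RNG, with rejection sampling so every alphanumeric character is equally likely, and is only ever printed once so it can be copied to the RRAS server.

```powershell
# Added example (not from the original post): create the Azure side of the S2S VPN with Az PowerShell.
$ErrorActionPreference = 'Stop'
$rg             = 'S2S-Test'
$location       = 'East US'
$onPremPublicIp = '198.51.100.25'   # assumed: your router's public (WAN) address
$onPremPrefix   = '192.168.1.0/24'  # assumed: the LAN behind the RRAS server's Internal adapter

# The PSK is the only thing authenticating the two gateways, so generate it; do not type one.
function New-AlphanumericPsk {
    param([int]$Length = 32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Rejection sampling: 248 = 4 * 62, so bytes below 248 map uniformly onto the 62 characters.
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    $sb.ToString()
}
$psk = New-AlphanumericPsk

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Two subnets: "default" for VMs and the mandatory "GatewaySubnet" for the Azure gateway itself.
$vmSubnet = New-AzVirtualNetworkSubnetConfig -Name 'default'       -AddressPrefix '10.2.0.0/24'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.2.1.0/24'
$vnet = New-AzVirtualNetwork -Name 'RRAS-S2S-Vnet' -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.2.0.0/16' -Subnet $vmSubnet, $gwSubnet

# Public IP for the Azure gateway. Dynamic/Basic matches what the 2016 portal created; newer
# gateway SKUs may require a Standard SKU static address (assumption: adjust to your SKU).
$pip = New-AzPublicIpAddress -Name 'RRAS-S2S-VnetGW-pip' -ResourceGroupName $rg -Location $location `
            -AllocationMethod Dynamic

$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$gwIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id

# Route-based VPN gateway; creation takes on the order of 30-45 minutes.
$vng = New-AzVirtualNetworkGateway -Name 'RRAS-S2S-VnetGW' -ResourceGroupName $rg -Location $location `
            -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Local network gateway = the on-premises side: router public IP and the LAN prefix behind it.
$lng = New-AzLocalNetworkGateway -Name 'RRAS-S2S-LclNetGW' -ResourceGroupName $rg -Location $location `
            -GatewayIpAddress $onPremPublicIp -AddressPrefix $onPremPrefix

New-AzVirtualNetworkGatewayConnection -Name 'RRAS-S2S-LclNetGW-Connection' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk | Out-Null

# The gateway's public address exists only after creation; RRAS needs it as the dial-out destination.
$azureGwIp = (Get-AzPublicIpAddress -Name $pip.Name -ResourceGroupName $rg).IpAddress
"Azure gateway public IP : $azureGwIp"
"Pre-shared key          : $psk   (copy to the RRAS demand-dial interface, then clear the console)"
```

The key is printed once because it has to be typed into RRAS; do not leave it in a script file or in PowerShell transcript logs, and rotate it by updating both the Azure connection (Set-AzVirtualNetworkGatewayConnectionSharedKey) and the RRAS interface together.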

Now we go back to the RRAS server...

After the install of the Remote Access role is complete, open up Routing and Remote Access.

Right-click the RRAS-Server and click Configure and Enable Routing and Remote Access.


The Routing and Remote Access Server Setup Wizard will appear.

  1. Welcome to the Routing and Remote Access Server Setup Wizard: Click Next
  2. Configuration: Select Secure connection between two private networks, click Next
  3. Demand-Dial Connections: Select Yes, click Next
  4. IP Address Assignment: Select Automatically, click Next
  5. Completing the Routing and Remote Access Server Setup Wizard: Click Finish

The Demand-Dial Interface Wizard will appear.

  1. Welcome to the Demand-Dial Interface Wizard: Click Next
  2. Interface Name: Type in Azure S2S, click Next
  3. Connection Type: Select Connect using virtual private network (VPN) , click Next
  4. VPN Type: Select IKEv2, click Next
  5. Destination Address: Enter in the Public IP address of the Azure Virtual Network Gateway, click Next
  6. Protocols and Security: Check Route IP packets on this interface, click Next
  7. Static Routes for Remote Networks: Click Add
    • Static Route: Select Remote Network Support using IPv4:
      • Destination: 10.2.0.0
      • Network Mask: 255.255.255.0
      • Metric: 24
      • Click OK
    • This route covers only the default subnet (10.2.0.0/24). The GatewaySubnet and any subnet you add to the 10.2.0.0/16 address space later will not be reachable through the tunnel until you either add a route for each one or use a Network Mask of 255.255.0.0 to send the whole address space through this interface.
    • Click Next
  8. Dial-Out Credentials: Type Azure for the User name, click Next. The wizard insists on a user name, but it is not used once pre-shared key authentication is selected below.
  9. Completing the Demand-Dial Interface Wizard: Click Finish

In the Routing and Remote Access window select RRAS-Server -> Network Interfaces.  Right-click on Azure S2S and select Properties.

Select the Security tab and under Authentication select Use preshared key for authentication. Type in the preshared key that was entered on the RRAS-S2S-LclNetGW-Connection.  Click OK.

Right-click on the Azure S2S network interface and click Connect.

After it connects, open a command prompt and ping 10.2.0.0.  You should get a response.  A more meaningful test is to ping a VM in the 10.2.0.0/24 subnet; a Windows VM's firewall usually blocks ICMP echo by default, so allow it there first or test a TCP port the VM listens on instead.
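The role install and the two wizards above, done with the RemoteAccess PowerShell module. This is an added example and not part of the original post. The Azure gateway's public IP is an assumed placeholder, the key is prompted for rather than embedded in the script, and the test VM address 10.2.0.4 is assumed. It goes slightly beyond the wizard in one respect: it routes the whole 10.2.0.0/16 address space through the interface, where the wizard route above covers only the default /24.

```powershell
# Added example (not from the original post): install RRAS and create the IKEv2 demand-dial
# interface to Azure. Run in an elevated PowerShell on the RRAS server.
$ErrorActionPreference = 'Stop'
$azureGwIp = '203.0.113.50'   # assumed: public IP of RRAS-S2S-VnetGW, recorded from the Azure portal
$secureKey = Read-Host -Prompt 'Pre-shared key from the Azure connection' -AsSecureString

# Same roles as the Add Roles and Features wizard: Remote Access, DirectAccess and VPN (RAS), Routing.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools | Out-Null

# Equivalent of "Secure connection between two private networks" in the RRAS setup wizard.
Install-RemoteAccess -VpnType VpnS2S

# Add-VpnS2SInterface needs the key as plain text; unwrap it for as short a time as possible.
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureKey)
$plainKey = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# IKEv2, PSK in both directions, persistent (reconnects on its own), and a route for the Azure
# address space through the interface. IPv4Subnet format is "prefix:metric".
Add-VpnS2SInterface -Name 'Azure S2S' -Protocol IKEv2 -Destination $azureGwIp `
    -AuthenticationMethod PSKOnly -ResponderAuthenticationMethod PSKOnly -SharedSecret $plainKey `
    -IPv4Subnet @('10.2.0.0/16:24') -NumberOfTries 3 -Persistent | Out-Null
Remove-Variable plainKey

# Ask the server for its strongest IPsec proposals; Azure's route-based gateway negotiates AES/SHA.
# If negotiation fails, Set-VpnServerIPsecConfiguration -CustomPolicy lets you pin a specific policy.
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption

# Same as right-click -> Connect on the interface, then show the result.
Connect-VpnS2SInterface -Name 'Azure S2S'
Get-VpnS2SInterface -Name 'Azure S2S' | Select-Object Name, ConnectionState, Destination, Protocol

# Reachability through the tunnel. Assumed: a VM at 10.2.0.4 in the default subnet with ICMP allowed.
Test-NetConnection -ComputerName '10.2.0.4' -InformationLevel Detailed
```

If Connect-VpnS2SInterface fails with an authentication error, the key differs between the two sides (they are compared byte for byte, so trailing spaces count); if it times out instead, IKE is not reaching Azure, which is the routing/port-forwarding problem covered under Troubleshooting.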

Now any Azure VM that you put on RRAS-S2S-Vnet will be able to communicate directly with your on-premises systems.

In order for any on-premises systems to communicate with the Azure VMs, their traffic for the Azure address space has to reach the RRAS server's Internal adapter: either add a route for 10.2.0.0/16 on your LAN router (or on each host) with the RRAS server's Internal address as the next hop, or set the RRAS server's Internal address as the default gateway on those systems.


Troubleshooting

If you can connect to the VPN but cannot ping the Azure network, first make sure the route to the Azure gateway's public IP goes out the External adapter.  In RRAS, expand IPv4, right-click Static Routes and select Show IP Route Table.  If you do not see a host route for the Azure public IP via the External adapter, add it manually (destination the gateway's public IP, network mask 255.255.255.255, gateway your router's LAN address, interface External).  Then confirm the route for the Azure address space points at the Azure S2S demand-dial interface; without it, packets for 10.2.0.0/24 follow the default route out the External adapter and never enter the tunnel.
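The checks from this troubleshooting note and from the on-premises routing note above, as PowerShell run on the RRAS server. This is an added example, not from the original post; the Azure gateway IP, the adapter name and the RRAS Internal address are assumptions. Find-NetRoute answers the question the route table is being inspected for: which interface a packet to the Azure gateway would actually leave on.

```powershell
# Added example (not from the original post): verify the routes the S2S tunnel depends on.
$ErrorActionPreference = 'Stop'
$azureGwIp     = '203.0.113.50'   # assumed: public IP of the Azure virtual network gateway
$externalAlias = 'External'
$azurePrefix   = '10.2.0.0/16'
$s2sInterface  = 'Azure S2S'

# 1. IKE to the Azure gateway must leave via the External adapter. Find-NetRoute returns the
#    source address and the selected route; the route object is the one with a DestinationPrefix.
$chosen = Find-NetRoute -RemoteIPAddress $azureGwIp |
    Where-Object { $_.PSObject.Properties['DestinationPrefix'] } | Select-Object -First 1
"Traffic to $azureGwIp leaves via '$($chosen.InterfaceAlias)' (route $($chosen.DestinationPrefix))"

if ($chosen.InterfaceAlias -ne $externalAlias) {
    # Same fix as adding the host route in the RRAS console: /32 to the gateway via the router.
    $routerIp = (Get-NetIPConfiguration -InterfaceAlias $externalAlias).IPv4DefaultGateway.NextHop
    Write-Warning "Adding host route $azureGwIp/32 via $routerIp on $externalAlias"
    New-NetRoute -DestinationPrefix "$azureGwIp/32" -InterfaceAlias $externalAlias -NextHop $routerIp -RouteMetric 1 | Out-Null
}

# 2. The Azure address space must be routed into the demand-dial interface, not out to the Internet.
$azureRoute = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $azurePrefix -ErrorAction SilentlyContinue
if (-not $azureRoute -or $azureRoute.InterfaceAlias -notcontains $s2sInterface) {
    Write-Warning "No route for $azurePrefix via '$s2sInterface'; add it to the interface's static routes"
}

# 3. Tunnel state and byte counters. If BytesOut climbs during a ping but BytesIn stays flat,
#    the on-premises side is sending but Azure has no way back (check the local network gateway prefix).
Get-VpnS2SInterface -Name $s2sInterface | Select-Object Name, ConnectionState, Destination
Get-VpnS2SInterfaceStatistics -Name $s2sInterface | Format-List

# 4. On-premises hosts need a way to 10.2.0.0/16 through the RRAS Internal address (assumed 192.168.1.2).
#    On a Windows client, either this route or a default gateway of 192.168.1.2 does it:
#    New-NetRoute -DestinationPrefix '10.2.0.0/16' -InterfaceAlias 'Ethernet' -NextHop '192.168.1.2'
```

Run the script before and after a Connect-VpnS2SInterface: step 1 is the usual culprit on a dual-homed box, and the byte counters in step 3 distinguish "tunnel up but traffic misrouted" from "tunnel never negotiated", which saves going through the Azure diagnostics unnecessarily.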