Configuring CISCO MERAKI TO AZURE Site to Site VPN IPsec tunnel IKEv1 #Meraki #Azure #Cisco #IPsec #IKEv1

This document shows, step by step, how to configure a Cisco Meraki to Azure site-to-site VPN IPsec tunnel using IKEv1.

Cisco Meraki security appliances running firmware older than version 15.12 do not support IKEv2. Also, there is a bug in the current firmware 14.53 (confirmed by a Meraki support engineer): when you add a non-Meraki VPN peer for Azure, all Auto VPN peers go down and do not come back online until you reboot the security appliance. Everything is fine after the reboot.

Settings at Azure site

Create Azure Virtual network

1. Sign in to the Azure portal.

2. In Search resources, services, and docs (G+/), type virtual network.

3. Select Virtual Network from the Services results.

4. On the Virtual Network page, select Create.

5. Once you select Create, the Create virtual network page opens.

6. On the Basics tab, configure the Project details and Instance details VNet settings.

When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. Some values are auto-filled, which you can replace with your own values:

  • Subscription: Select Pay-As-You-Go.
  • Resource group: Select the existing resource group AZ-DR01 (or click Create new).
  • Name: Type AZ-DR01-VNet1.
  • Region: Select Canada Central.

7. Click Next: IP Addresses.

8. On the IP Addresses tab, configure the values.

  • IPv4 address space: Type 10.15.0.0/16.

9. Click +Add subnet.

  • Subnet name: Type FrontEnd.
  • Subnet address range: Type 10.15.1.0/24.
  • Services: Keep the default settings (0 selected).

10. Click Add.

11. Click Next: Security.

12. On the Security tab, leave the default values for now:

  • BastionHost: Disable.
  • DDoS Protection Standard: Disable.
  • Firewall: Disable.

13. Click Next: Tags.

14. On the Tags tab, leave the default values.

15. Click Next: Review + create.

16. After the settings have been validated, select Create.

17. Make sure the new VNet deployment completes without issues, then click Go to resource.

Create Azure VPN Gateway

1. In Search resources, services, and docs (G+/), type virtual network gateway.

2. Select Virtual network gateway from the Services results.

3. On the Basics tab, configure the Project details, Instance details and Public IP address settings for the virtual network gateway.

  • Subscription: Select Pay-As-You-Go.
  • Name: Type AZ-DR01-VNet1-GW1.
  • Region: Select Canada Central.
  • Gateway type: Select VPN.
  • VPN type: Select Policy-based.
  • SKU: Select Basic (bandwidth: 100 Mbps).
  • Virtual network: Select AZ-DR01-VNet1.
  • Gateway subnet address range: Type 10.15.255.0/27.
  • Public IP address: Leave Create new selected.
  • Public IP address name: Type AZ-DR01-VNet1-GW1-Public-IP.
  • Assignment: VPN gateway supports only Dynamic.
  • Enable active-active mode: Select Disabled.
  • Configure BGP ASN: Select Disabled.

4. Click Next: Tags.

5. On the Tags tab, leave the default values.

6. Click Next: Review + create.

7. After the settings have been validated, select Create.

8. Make sure the new virtual network gateway deployment completes without issues, then click Go to resource.

Create Azure Local Network Gateway

1. In Search resources, services, and docs (G+/), type virtual network gateway.

2. Select Local network gateway from the Services results.

3. Click Create local network gateway.

4. On the Create local network gateway page, specify the values for your local network gateway.

  • Name: Type OFFICECalgary.
  • IP address: Type the OFFICE-Calgary WAN IP address (208.230.42.114).
  • Address space: Add 192.168.0.0/22, 172.16.200.0/24 and 172.16.250.0/24.
  • Configure BGP settings: Use only when configuring BGP. Otherwise, leave this unselected.
  • Subscription: Select Pay-As-You-Go.
  • Resource group: Select AZ-DR01.
  • Location: Select Canada Central.

5. Click Create.

Create VPN connection

1. On the Azure Services page, click the newly created virtual network gateway.

2. On the Virtual network gateway page, select Connections.

3. On the Connections page, click +Add.

4. On the Add connection page, configure the values for your connection.

  • Name: Type AZ-DR01-VNet1toOFFICECalgary.
  • Connection type: Select Site-to-site (IPsec).
  • Virtual network gateway: The value is fixed because you are connecting from this gateway.
  • Local network gateway: Click Choose a local network gateway and select the OFFICECalgary local network gateway.
  • Shared Key: Type Azure (it must match the preshared secret entered on the Meraki side).
  • IKE Protocol: Select IKEv1.
  • Resource Group: Select AZ-DR01.

5. Click OK.

Settings at Meraki site

1. Sign in to the Cisco Meraki portal.

2. Select Security & SD-WAN, then click Site-to-site VPN.

3. In the Site-to-site VPN section, select Hub.

4. In the VPN settings section, set VPN on for the local networks that you want to connect to Azure.

5. On the Organization-wide settings page, under Non-Meraki VPN peers, click Add a peer.

6. Configure the non-Meraki VPN peer details:

  • Name: Type ToAzure.
  • IKE Version: Select IKEv1.
  • IPsec Policies: Click Default, change the preset from Default to Azure, and click Update.
  • Public IP: Type the Azure virtual network gateway public IP address (53.139.26.221).
  • Private subnets: Type 10.15.0.0/16.
  • Preshared secret: Type Azure.
  • Availability: Select All Networks.

7. Click Save Changes.

Verify the VPN connection

In the Azure portal, you can view the connection status of a Resource Manager VPN gateway by navigating to the connection.

1. In the Azure portal menu, select All resources, or search for and select All resources from any page.

2. Select the virtual network gateway.

3. On the blade for the virtual network gateway, click Connections. You can see the status of each connection.

In the Meraki portal, you can view the VPN status of the Meraki appliance by navigating to the non-Meraki peer.

1. Sign in to the Meraki portal.

2. Select Security & SD-WAN, then click VPN Status.

3. Click Non-Meraki peer.

4. Make sure the status light shows green.

Configuring CISCO MERAKI TO AZURE Site to Site VPN tunnels IKEv2 #Azure #Cisco #Meraki

This document shows, step by step, how to configure Cisco Meraki to Azure site-to-site VPN tunnels using IKEv2.

Cisco Meraki security appliances must be running firmware 15 or later to take advantage of IKEv2. Because firmware 15.x is still a beta release, you need to ask Meraki support to upgrade it for you if you need it.

Settings at Azure site

Create Azure Virtual network

1. Sign in to the Azure portal.

2. In Search resources, services, and docs (G+/), type virtual network.

3. Select Virtual Network from the Services results.

4. On the Virtual Network page, select Create.

5. Once you select Create, the Create virtual network page opens.

6. On the Basics tab, configure the Project details and Instance details VNet settings.

When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. Some values are auto-filled, which you can replace with your own values:

  • Subscription: Select Pay-As-You-Go.
  • Resource group: Select the existing resource group AZ-DR01 (or click Create new).
  • Name: Type AZ-DR01-VNet1.
  • Region: Select Canada Central.

7. Click Next: IP Addresses.

8. On the IP Addresses tab, configure the values.

  • IPv4 address space: Type 10.15.0.0/16.

9. Click +Add subnet.

  • Subnet name: Type FrontEnd.
  • Subnet address range: Type 10.15.1.0/24.
  • Services: Keep the default settings (0 selected).

10. Click Add.

11. Click Next: Security.

12. On the Security tab, leave the default values for now:

  • BastionHost: Disable.
  • DDoS Protection Standard: Disable.
  • Firewall: Disable.

13. Click Next: Tags.

14. On the Tags tab, leave the default values.

15. Click Next: Review + create.

16. After the settings have been validated, select Create.

17. Make sure the new VNet deployment completes without issues, then click Go to resource.

Create Azure VPN Gateway

1. In Search resources, services, and docs (G+/), type virtual network gateway.

2. Select Virtual network gateway from the Services results.

3. On the Basics tab, configure the Project details, Instance details and Public IP address settings for the virtual network gateway.

  • Subscription: Select Pay-As-You-Go.
  • Name: Type AZ-DR01-VNet1-GW1.
  • Region: Select Canada Central.
  • Gateway type: Select VPN.
  • VPN type: Select Route-based.
  • SKU: Select VpnGw1 (bandwidth: 650 Mbps).
  • Virtual network: Select AZ-DR01-VNet1.
  • Gateway subnet address range: Type 10.15.255.0/27.
  • Public IP address: Leave Create new selected.
  • Public IP address name: Type AZ-DR01-VNet1-GW1-Public-IP.
  • Assignment: VPN gateway supports only Dynamic.
  • Enable active-active mode: Select Disabled.
  • Configure BGP ASN: Select Disabled.

4. Click Next: Tags.

5. On the Tags tab, leave the default values.

6. Click Next: Review + create.

7. After the settings have been validated, select Create.

8. Make sure the new virtual network gateway deployment completes without issues, then click Go to resource.

Create Azure Local Network Gateway

1. In Search resources, services, and docs (G+/), type virtual network gateway.

2. Select Local network gateway from the Services results.

3. Click Create local network gateway.

4. On the Create local network gateway page, specify the values for your local network gateway.

  • Name: Type OFFICECalgary.
  • IP address: Type the OFFICE-Calgary WAN IP address (208.230.42.114).
  • Address space: Add 192.168.0.0/22, 172.16.200.0/24 and 172.16.250.0/24.
  • Configure BGP settings: Use only when configuring BGP. Otherwise, leave this unselected.
  • Subscription: Select Pay-As-You-Go.
  • Resource group: Select AZ-DR01.
  • Location: Select Canada Central.

5. Click Create.

Create VPN connection

1. On the Azure Services page, click the newly created virtual network gateway.

2. On the Virtual network gateway page, select Connections.

3. On the Connections page, click +Add.

4. On the Add connection page, configure the values for your connection.

  • Name: Type AZ-DR01-VNet1toOFFICECalgary.
  • Connection type: Select Site-to-site (IPsec).
  • Virtual network gateway: The value is fixed because you are connecting from this gateway.
  • Local network gateway: Click Choose a local network gateway and select the OFFICECalgary local network gateway.
  • Shared Key: Type Azure (it must match the preshared secret entered on the Meraki side).
  • IKE Protocol: Select IKEv2.
  • Resource Group: Select AZ-DR01.

5. Click OK.

Settings at Meraki site

1. Sign in to the Cisco Meraki portal.

2. Select Security & SD-WAN, then click Site-to-site VPN.

3. In the Site-to-site VPN section, select Hub.

4. In the VPN settings section, set VPN on for the local networks that you want to connect to Azure.

5. On the Organization-wide settings page, under Non-Meraki VPN peers, click Add a peer.

6. Configure the non-Meraki VPN peer details:

  • Name: Type ToAzure.
  • IKE Version: Select IKEv2.
  • IPsec Policies: Click Default, change the preset from Default to Azure, and click Update.
  • Public IP: Type the Azure virtual network gateway public IP address (53.139.26.221).
  • Private subnets: Type 10.15.0.0/16.
  • Preshared secret: Type Azure.
  • Availability: Select All Networks.

7. Click Save Changes.

Verify the VPN connection

In the Azure portal, you can view the connection status of a Resource Manager VPN gateway by navigating to the connection.

1. In the Azure portal menu, select All resources, or search for and select All resources from any page.

2. Select the virtual network gateway.

3. On the blade for the virtual network gateway, click Connections. You can see the status of each connection.

In the Meraki portal, you can view the VPN status of the Meraki appliance by navigating to the non-Meraki peer.

1. Sign in to the Meraki portal.

2. Select Security & SD-WAN, then click VPN Status.

3. Click Non-Meraki peer.

4. Make sure the status light shows green.

SITE-TO-SITE VPN FROM SOPHOS XG FIREWALL TO AZURE #AZURE #MVPBUZZ #MVPHour #SOPHOS #VPN #FIREWALL

Today I would like to show you how to build a site-to-site VPN from a Sophos XG firewall to Azure. If you have no budget for a hardware firewall for your home office or lab, no worry: you can also download the XG firewall and install it as a virtual machine on Microsoft Hyper-V (or another hypervisor), and it's free!!

Let's follow the steps to build a site-to-site VPN from the Sophos XG firewall to Azure.

Settings in Microsoft Azure Site

  1. Log on to the Azure portal and select Virtual networks.

  2. On the Virtual networks page, click Create virtual network.

  3. Enter the information as follows and click Create.

    Name: AZURE-LAB-VNet1
    Address space: 10.10.0.0/16
    Subscription: select your subscription
    Resource group: select Create new and enter your resource group name
    Location: select Central US (you can also choose other locations)
    Subnet name: enter your subnet name
    Address range: 10.10.0.0/19
    DDoS protection: Basic (default)
    Service endpoints: Disabled (default)

  4. On the AZURE-LAB-VNet1 page, select Subnets.

  5. On the AZURE-LAB-VNet1 – Subnets page, click +Gateway subnet.

  6. Enter the address range 10.10.32.0/27 and click OK.

  7. Go back to the Azure dashboard and click +Create a resource.

  8. In the search bar, enter Virtual network gateway.

  9. Select Virtual network gateway and click Create.

  10. Enter the information as follows and click Create.

    Name: AZURE-LAB-GW
    Gateway type: VPN
    VPN type: Route-based
    SKU: Basic
    Virtual network: Azure-Lab-VNet1
    Public IP address: Create new, enter AZURE-LAB-GWIP as its name, select Basic for SKU, and then click OK.
    Subscription: select your subscription
    Location: select the same location as before (Central US) and then click Create.

  11. Go back to the Azure dashboard and click +Create a resource.

  12. In the search bar, enter Local network gateway.

  13. Select Local network gateway and click Create.

  14. Enter the information as follows and click Create.

    Name: Cary-HQ
    IP address: 184.65.174.148
    Subscription: select your subscription.
    Resource group: click Use existing and select AZURE-LAB
    Location: select the same location as before (Central US) and then click Create.

  15. On the Cary-HQ page, select Connections.

  16. On the Cary-HQ – Connections page, click +Add.

  17. Enter the information as follows and then click OK.

    Name: AZURE-LAB-VNet1toCaryHQ
    Virtual network gateway: AZURE-LAB-GW
    Local network gateway: Cary-HQ
    Shared key: enter your shared key; it must be the same as on the XG firewall side.

Settings at On-premises Site

  1. We are using the Sophos XG firewall behind a NAT device, so we need to configure port forwarding on the NAT device.

  2. Log in to the Sophos XG firewall.

  3. Select Network and make sure the interface settings are correct.

  4. Select VPN and, under IPsec Connections, click Add.

  5. Enter the information as follows and click Save.

    Name: GAM2Azure
    IP version: IPv4
    Connection type: Site-to-Site
    Gateway type: Respond Only
    Policy: Microsoft Azure
    Authentication type: select Preshared Key and type the preshared key; it must be the same as on the Azure side.
    Listening interface: Port2 – 102.168.0.127
    Local ID type: IP Address
    Local ID: 184.65.174.148
    Local subnet: LAN (172.16.1.0/24)
    Gateway address: 52.176.45.61
    Remote ID type: IP Address
    Remote ID: 52.176.45.61
    Remote subnet: AZUREVNet (10.10.0.0/16)

  6. On the VPN page, the Active and Connection status indicators should show green.

  7. On the Azure Connection page, the status should show Connected.

  8. You may find there is no traffic through the VPN tunnel even though the status shows Connected. No worry: that is because we have not configured the firewall rules yet.

  9. On the Sophos XG firewall web console, select Firewall and click Add Firewall Rule.

  10. Enter the following information to create the inbound VPN rule and click Save.

    Rule name: Inbound_VPN
    Action: Accept
    Source zones: VPN
    Source networks and devices: Any
    Destination zones: LAN
    Destination networks: Any
    Services: Any

  11. Enter the following information to create the outbound VPN rule and click Save.

    Rule name: Outbound_VPN
    Action: Accept
    Source zones: LAN
    Source networks and devices: Any
    Destination zones: VPN
    Destination networks: Any
    Services: Any

Now we have a site-to-site VPN working.

Hope you enjoy this post!!

Cary Sun @SifuSun

SITE TO SITE VPN FROM CISCO PIX TO AZURE

A customer asked me to build a site-to-site VPN between their Cisco PIX environment and Azure. Yes, you heard right, it is a PIX; I know it is pretty old, but we need to make it work if the customer needs it. Let's follow the steps and do it.

Settings in Microsoft Azure

1. Log on to the Azure portal and click +New.

2. In the Search the marketplace field, type Virtual Network and then press Enter.

3. Click Virtual Network, select Resource Manager from the Select a deployment model list, and then click Create.

4. On the Create virtual network page, enter the name for your virtual network in the Name field.

5. In the Address space field, enter the address space; make sure that the address space you specify does not overlap with the address space of your on-premises location.

6. In the Subnet name field, enter the subnet name.

7. In the Subnet address range field, enter the subnet address range, but do not use all of the address space for this, because you need to reserve space for the gateway subnet.

8. In the Subscription field, verify that the subscription listed is the correct one.

9. In the Resource group field, create a new one by typing a name for your new resource group.

10. In the Location field, select the location for your virtual network and then select Pin to dashboard.

11. After the virtual network has been created, select Subnets and click +Gateway subnet.

12. In the Address range field, enter your gateway subnet and then click OK.

13. On the left side of the portal page, click +.

14. In the search field, type Virtual Network Gateway and then press Enter.

15. Click Virtual Network Gateway in the results and then click Create.

16. On the Create virtual network gateway page, type the virtual gateway name in the Name field.

17. Select VPN as the Gateway type.

18. Select Policy-based as the VPN type.

19. Select Computer Account and then click Next.

20. Select Local Computer and then click Finish.

21. Select Basic as the SKU.

22. Click Choose a virtual network in the Virtual network field and select the newly created virtual network.

23. Click Choose a public IP address in the Public IP address field, then click Create new.

24. Type the gateway IP address name in the Name field and then click OK.

25. Select Pin to dashboard and then click Create.

26. Select All resources in the Azure portal and click +Add.

27. Type local network gateway in the search field and then press Enter.

28. Select Local network gateway and click Create.

29. On the Create local network gateway page, type your on-premises site name in the Name field.

30. In the IP address field, type the public IP address of the VPN device at the on-premises site.

31. In the Address space field, type the on-premises IP address range.

32. In the Resource group field, select Use existing and select the existing resource group name.

33. Select Pin to dashboard and then click Create.

34. On the Azure portal dashboard, select the virtual network gateway that we created.

35. Select Connections and then click +Add.

36. On the Add connection page, type the site-to-site VPN name in the Name field.

37. Select Site-to-site (IPsec) as the Connection type.

38. In the Local network gateway field, select the local network gateway that we created.

39. Type the shared key in the Shared key (PSK) field; this shared key must match the one on your on-premises VPN device. Then click OK.
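The rules in steps 5, 7 and 12 above (on-premises ranges must not overlap the VNet, and part of the VNet must be held back for the gateway subnet) can be checked before anything is created. The script below is an added example, not part of the original post; its sample plan is constructed from the Meraki IKEv1 post earlier on this page, and it goes one step further by checking that the on-premises device's traffic selectors mirror what the Azure local network gateway was told, which a policy-based (IKEv1) tunnel needs in order to negotiate. The DEVICE_LOCAL networks are assumed to be the same three ranges entered in Azure.

```python
"""Check a site-to-site address plan before creating the Azure resources.
Added example, not from the original post; sample values are constructed
from the Meraki IKEv1 post earlier on this page."""
import ipaddress

# Constructed sample plan (Azure side, from the Meraki IKEv1 post).
AZURE_VNET = "10.15.0.0/16"
AZURE_SUBNETS = {"FrontEnd": "10.15.1.0/24", "GatewaySubnet": "10.15.255.0/27"}
# Address space entered in the Azure local network gateway ...
ONPREM_SPACES = ["192.168.0.0/22", "172.16.200.0/24", "172.16.250.0/24"]
# ... and the selectors on the on-premises device (DEVICE_LOCAL is an
# assumption: the same three networks; DEVICE_REMOTE is the Meraki
# "Private subnets" value from the post).
DEVICE_LOCAL = ["192.168.0.0/22", "172.16.200.0/24", "172.16.250.0/24"]
DEVICE_REMOTE = ["10.15.0.0/16"]


def _nets(cidrs):
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def validate_plan(vnet, subnets, onprem, min_gw_prefix=27):
    """Return a list of problems; an empty list means the plan is sound."""
    problems = []
    vnet_net = ipaddress.ip_network(vnet, strict=True)
    subnet_nets = {n: ipaddress.ip_network(c, strict=True) for n, c in subnets.items()}
    onprem_nets = sorted(_nets(onprem))
    # Every Azure subnet must lie inside the VNet address space.
    for name, net in subnet_nets.items():
        if not net.subnet_of(vnet_net):
            problems.append(f"{name} {net} is outside VNet {vnet_net}")
    # Subnets of one VNet must not overlap each other.
    names = list(subnet_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnet_nets[a].overlaps(subnet_nets[b]):
                problems.append(f"{a} {subnet_nets[a]} overlaps {b} {subnet_nets[b]}")
    # Space must be reserved for the gateway subnet (/27 recommended).
    gw = subnet_nets.get("GatewaySubnet")
    if gw is None:
        problems.append("no GatewaySubnet: reserve part of the VNet for the gateway")
    elif gw.prefixlen > min_gw_prefix:
        problems.append(f"GatewaySubnet {gw} is smaller than /{min_gw_prefix}")
    # On-premises ranges must not overlap the VNet, nor each other.
    for net in onprem_nets:
        if net.overlaps(vnet_net):
            problems.append(f"on-prem {net} overlaps VNet {vnet_net}")
    for i, a in enumerate(onprem_nets):
        for b in onprem_nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"on-prem {a} overlaps on-prem {b}")
    return problems


def selectors_mirror(azure_vnet, azure_onprem, device_local, device_remote):
    """Policy-based (IKEv1) tunnels negotiate exact traffic selectors, so the
    device's local/remote networks must mirror the Azure configuration."""
    return (_nets(device_local) == _nets(azure_onprem)
            and _nets(device_remote) == {ipaddress.ip_network(azure_vnet)})


if __name__ == "__main__":
    for p in validate_plan(AZURE_VNET, AZURE_SUBNETS, ONPREM_SPACES) or ["plan OK"]:
        print(p)
    print("selectors mirror:",
          selectors_mirror(AZURE_VNET, ONPREM_SPACES, DEVICE_LOCAL, DEVICE_REMOTE))
```

The same check applies to the Sophos post's plan (10.10.0.0/16 with a /19 subnet and the 10.10.32.0/27 gateway subnet) by passing those values instead.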

Settings in Cisco PIX site

Log on to the PIX and add the following configuration:

name 10.13.0.0 sh-az-vnet description Azure Vnet
name 52.176.xxx.xxx sh-az-vnetGWIP description Azure Gateway
!
! Identity NAT for the VPN traffic, inbound permit from the Azure VNet, and the
! crypto ACL that defines the interesting traffic for the tunnel
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 sh-az-vnet 255.255.0.0
access-list outside_access_in extended permit ip sh-az-vnet 255.255.0.0 10.10.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.10.0.0 255.255.0.0 sh-az-vnet 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Phase 2 transform set: AES-256 with SHA-1 HMAC, as the Azure policy-based gateway
! uses; its name must match the set referenced by the crypto map below
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_1_cryptomap
crypto map outside_map 10 set peer sh-az-vnetGWIP
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 10 set security-association lifetime kilobytes 102400000
crypto map outside_map 10 set reverse-route
! The crypto map does nothing until it is bound to the outside interface
crypto map outside_map interface outside
!
! Phase 1 (IKEv1) policy: AES-256, SHA-1, DH group 2, 28800 s, pre-shared key
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
tunnel-group sh-az-vnetGWIP type ipsec-l2l
tunnel-group sh-az-vnetGWIP ipsec-attributes
 pre-shared-key <type the pre-shared key; it must match the shared key entered in Azure>
sysopt connection tcpmss 1350
sysopt connection permit-vpn
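A small linter, added here and not part of the original post, that parses a PIX/ASA-style IKEv1 crypto configuration and checks it against the parameters the Azure policy-based gateway uses (the values in the listing above: AES-256, SHA-1, DH group 2 and 28800 s for phase 1; AES-256/SHA-1, 3600 s and 102400000 KB for phase 2). The embedded sample is constructed from the listing with a transform-set name mismatch introduced on purpose, so the check has something to report.

```python
"""Lint a PIX/ASA IKEv1 crypto config against the parameters Azure's
policy-based gateway uses.  Added example, not from the original post."""
import re

# Phase 1 / phase 2 parameters of the Azure policy-based (IKEv1) gateway.
AZURE_POLICY_BASED = {
    "isakmp": {"authentication": "pre-share", "encryption": "aes-256",
               "hash": "sha", "group": "2", "lifetime": "28800"},
    "transform": {"esp-aes-256", "esp-sha-hmac"},
    "sa_seconds": 3600,
    "sa_kilobytes": 102400000,
}
ISAKMP_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

# Constructed sample: the crypto map references ESP-AES-256-SHA, but the only
# transform-set defined is ESP-AES-256-MD5 (and Azure does not offer MD5).
PIX_CONFIG = """\
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 10 match address outside_1_cryptomap
crypto map outside_map 10 set peer sh-az-vnetGWIP
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 10 set security-association lifetime kilobytes 102400000
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
"""


def lint_pix_crypto(config, expected=AZURE_POLICY_BASED):
    """Return a list of findings; an empty list means the config matches."""
    defined, referenced, lifetimes, policy = {}, {}, {}, {}
    in_policy = False
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            defined[m[1]] = set(m[2].split())
        elif m := re.match(r"crypto map (\S+ \d+) set transform-set (\S+)", line):
            referenced[m[1]] = m[2]
        elif m := re.match(r"crypto map \S+ \d+ set security-association lifetime (\w+) (\d+)", line):
            lifetimes[m[1]] = int(m[2])
        elif re.match(r"crypto isakmp policy \d+", line):
            in_policy = True  # the attribute lines that follow belong to this policy
        elif in_policy and line.split()[0] in ISAKMP_ATTRS:
            key, value = line.split(maxsplit=1)
            policy[key] = value
        else:
            in_policy = False
    findings = []
    for cmap, name in referenced.items():
        if name not in defined:
            findings.append(f"crypto map {cmap} references undefined transform-set "
                            f"{name} (defined: {', '.join(defined) or 'none'})")
        elif defined[name] != expected["transform"]:
            findings.append(f"transform-set {name} uses {sorted(defined[name])}, "
                            f"Azure expects {sorted(expected['transform'])}")
    for key, want in expected["isakmp"].items():
        if policy.get(key) != want:
            findings.append(f"isakmp {key} is {policy.get(key)!r}, expected {want!r}")
    for unit in ("seconds", "kilobytes"):
        if lifetimes.get(unit) != expected[f"sa_{unit}"]:
            findings.append(f"SA lifetime {unit} is {lifetimes.get(unit)}, expected {expected[f'sa_{unit}']}")
    return findings
```

Run lint_pix_crypto on the output of show running-config (the crypto sections are enough); it reports the undefined transform-set in the sample and returns an empty list once the definition matches the reference.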

Verify the VPN connection

1. Log on to the Azure portal.

2. Select the virtual network gateway and then click Connections.

3. Check the VPN status and make sure it is Connected.

4. Log on to the Cisco PIX.

5. Type show crypto isakmp sa and check the status.

Now we have a site-to-site VPN working.

Happy Friday, and hope you enjoy this post!!

Cary Sun @SifuSun