Create Site to Site VPN between Microsoft Azure VNET and on-premise gateway using Windows RRAS
- ravitandukar
- Nov 14, 2023
- 4 min read
Overview
This document guides you through setting up a Site-to-Site VPN between a Microsoft Azure VNET and an on-premises gateway, a Routing and Remote Access (RRAS) server running on Windows Server 2012. For the lab, the on-premises VMs were hosted on VMware Workstation.
Architecture
Azure network, VPN Gateway, Site to Site VPN setup
1. Set up the VNET. Create a virtual network (VNET) in Azure to host your VMs, using a private (non-Internet-routable) address range that does not overlap with the on-premises LAN you are going to connect; overlapping ranges cannot be routed across the tunnel. In this example the VNET is 10.10.0.0/16.
2. Set up the Azure VM subnet and the gateway subnet. Create a subnet for the VMs; it must lie inside the address range of the VNET created above. The VM subnet in this example is 10.10.0.0/24, part of the VNET 10.10.0.0/16.
Also create a subnet for the VPN gateway. It must also be part of the VNET and must be named 'GatewaySubnet'; this name is a requirement. GatewaySubnet hosts the VPN gateway only, no other VMs or network components go in it, so it can be small. In this example it is 10.10.254.0/29, the smallest size Azure accepts, which leaves only three usable addresses once Azure's five reserved addresses per subnet are taken out; Microsoft recommends /27 or larger so the gateway can be resized or extended later.
3. Setup VPN Gateway
Create a virtual network gateway of gateway type VPN and VPN type route-based (the IKEv2 demand-dial connection RRAS builds later requires a route-based gateway) to hold the IPsec VPN configuration. In the virtual network section select the gateway subnet created above, GatewaySubnet. Gateway creation takes 20 to 45 minutes.
4. Setup local Gateway
Create a local network gateway to hold the public IP address of the on-premises device that will be the other end of the VPN tunnel, and provide that public IP. On a home router this IP is likely to be dynamic; when it changes you must update the local network gateway to keep the VPN working.
In the address space, provide the internal LAN subnet that you want to make reachable from the Azure VNET; Azure routes traffic for these prefixes into the tunnel.
5. Set up the connection in the local gateway. Inside the local network gateway, create a connection object. Select Site-to-site (IPsec) as the connection type, select the VPN gateway created earlier and specify the pre-shared key that will also be entered at the on-premises VPN end. Generate a long random key rather than choosing a passphrase, and treat it as a credential: anyone who holds it and can reach the gateway's public IP can bring up a tunnel into the VNET.
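The Azure side of steps 1 to 5, scripted with Az PowerShell instead of portal clicks. This is an added example, not code from the original post; the resource group, region, resource names, address ranges and the on-premises router IP and LAN prefix are assumptions for a lab and should be replaced with your own values. It requires the Az module and an authenticated Connect-AzAccount session.

```powershell
# Added example (not from the original post). All names, ranges and the on-premises
# values below are assumptions for a lab; change them to match your environment.
$rg        = 'rg-s2s-lab'
$location  = 'westeurope'
$vnetRange = '10.10.0.0/16'     # Azure VNET; must not overlap the on-premises LAN
$vmSubnet  = '10.10.0.0/24'     # subnet for the Azure VMs
$gwSubnet  = '10.10.254.0/27'   # GatewaySubnet; /27 is the size Microsoft recommends
$onPremIp  = '203.0.113.10'     # public IP of the home/office router (assumption, TEST-NET-3)
$onPremLan = '192.168.1.0/24'   # LAN behind the RRAS server (assumption)

# Pre-shared key: 32 random bytes rendered as 64 hex characters. Generate it once,
# enter the same value on the RRAS side, and keep it in a password manager, not in a script.
$rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$keyBytes = New-Object byte[] 32
$rng.GetBytes($keyBytes)
$psk      = ($keyBytes | ForEach-Object { $_.ToString('x2') }) -join ''

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Steps 1-2: VNET with the VM subnet and the subnet that must be named 'GatewaySubnet'
$subnets = @(
    New-AzVirtualNetworkSubnetConfig -Name 'vm-subnet'     -AddressPrefix $vmSubnet
    New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gwSubnet
)
$vnet = New-AzVirtualNetwork -Name 'vnet-lab' -ResourceGroupName $rg -Location $location `
            -AddressPrefix $vnetRange -Subnet $subnets

# Step 3: route-based VPN gateway (required for the IKEv2 connection from RRAS).
# This call blocks for the 20-45 minutes the gateway takes to deploy.
$gwPip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
            -AllocationMethod Static -Sku Standard
$gwSubnetObj = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gw-ipconf' -SubnetId $gwSubnetObj.Id `
            -PublicIpAddressId $gwPip.Id
$vpnGw = New-AzVirtualNetworkGateway -Name 'vpngw-lab' -ResourceGroupName $rg -Location $location `
            -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Step 4: local network gateway = the on-premises end (router public IP plus the LAN prefix
# that Azure should route into the tunnel)
$lng = New-AzLocalNetworkGateway -Name 'lng-home' -ResourceGroupName $rg -Location $location `
            -GatewayIpAddress $onPremIp -AddressPrefix $onPremLan

# Step 5: the IPsec site-to-site connection, authenticated with the shared key
New-AzVirtualNetworkGatewayConnection -Name 'cn-home' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk | Out-Null

# The two values the RRAS side needs: the gateway's public IP and the key (shown once)
$gwIp = (Get-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg).IpAddress
"Azure VPN gateway public IP: $gwIp"
"Pre-shared key (enter on the RRAS demand-dial interface): $psk"
```

After the RRAS side is connected, `Get-AzVirtualNetworkGatewayConnection -Name 'cn-home' -ResourceGroupName $rg` reports `ConnectionStatus` as Connected; until the on-premises end initiates, it stays at NotConnected.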
On premise network setup
1. Setup Router configs for IPSEC UDP ports.
Set up port forwarding on the router so that UDP 500 (IKE) and UDP 4500 (NAT traversal, which also carries the ESP traffic once NAT is detected) arriving from the Internet are forwarded to the internal IP of the RRAS VM's External interface inside your home or office network.
2. Set up access lists (ACLs) as required, for example restricting the forwarded UDP 500/4500 ports to the Azure VPN gateway's public IP as the only permitted source, if your router supports source filtering.
Prepare Windows Server networks
1. Configure the External network with its default gateway pointing to the egress router.
2. Configure the Internal network (the LAN side) with no default gateway.
3. Rename the network connections 'External' and 'Internal' so they are easy to tell apart in RRAS.
Windows Routing and Remote Access (RRAS) server setup
1. Add the RRAS role on the Windows server. Start by going to Control Panel > Programs > Programs and Features > Turn Windows features on or off; on Windows Server this opens the Add Roles and Features wizard in Server Manager.
2. Select Role based or feature based installation
3. Select the server
4. In the server roles select Remote Access.
5. Also select latest .NET Framework version to install.
6. Hit next to continue RRAS server role install.
7. Select DirectAccess and VPN (RAS) AND Routing options
8. Follow prompts to finish RRAS install. Once the installation finishes, open up Server Manager and carry on with the Post-deployment configuration.
9. From the Server Manager open the getting started wizard for RRAS. Select Deploy VPN only.
RRAS configs and setup IPSec tunnel
1. After the RRAS initial configuration setup is complete, open up the RRAS management console.
2. Follow next to continue the setup.
3. Select custom configuration.
4. Select VPN Access and LAN routing.
5. Click Next.
6. Start the service.
7. Confirm the RRAS and DirectAccess VPN setup.
8. Confirm your NICs are visible.
9. Right-click the Network Interfaces node and click New Demand-dial Interface.
10. Follow prompt to setup new demand dial interface.
11. Give it an understandable name.
12. Select connect using VPN
13. Select IKEv2 as the VPN type.
14. Copy the public IP of the Azure VPN gateway
15. Paste the IP into the RRAS setup and click Next.
16. Select Route IP packets on this interface.
17. Enter the Azure VM subnet (10.10.0.0/24 in this example); this adds a static route for that subnet through the demand-dial interface.
18. Click Next to finish the setup.
19. Enter any user name on the next screen (the dial-out credentials). It does not matter what you put in, because IKEv2 with a pre-shared key does not use it. After the wizard finishes, open the new interface's Properties, Security tab, confirm the VPN type is IKEv2 and enter the same pre-shared key you set on the Azure connection under 'Use preshared key for authentication'.
20. Complete the setup.
21. Right-click the interface and choose Connect. If the setup is correct, its connection state shows as Connected.
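The RRAS role install and demand-dial interface from the two sections above, scripted with the RemoteAccess PowerShell module instead of the wizards. This is an added example, not code from the original post; the Azure gateway IP, the Azure subnet and the interface name are assumptions, and the pre-shared key is read interactively so it never sits in a script file. Run it in an elevated PowerShell session on the Windows server.

```powershell
# Added example (not from the original post). Gateway IP, subnet and interface name are
# assumptions; use the public IP of your Azure VPN gateway and your own VM subnet.
$azureGwIp   = '20.0.0.100'        # public IP of the Azure VPN gateway (assumption)
$azureSubnet = '10.10.0.0/24'      # Azure VM subnet reachable through the tunnel
$ifName      = 'Azure'             # name of the demand-dial interface
$psk         = Read-Host -Prompt 'Pre-shared key (same value as on the Azure connection)'

# Role install (wizard steps 1-8): Remote Access with DirectAccess/VPN and Routing
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# Post-deployment configuration (Deploy VPN only / custom configuration): site-to-site VPN
Install-RemoteAccess -VpnType VpnS2S

# Demand-dial interface to Azure: IKEv2, pre-shared key on both sides, a static route for the
# Azure subnet with metric 100 (the "Route IP packets on this interface" step), persistent.
Add-VpnS2SInterface -Name $ifName -Protocol IKEv2 -Destination $azureGwIp `
    -AuthenticationMethod PSKOnly -ResponderAuthenticationMethod PSKOnly -SharedSecret $psk `
    -IPv4Subnet @("${azureSubnet}:100") -Persistent -NumberOfTries 3

# Azure does not hand out configuration over the IKEv2 config payload; do not request it
Set-VpnS2SInterface -Name $ifName -InitiateConfigPayload $false -Force

# Pin the IPsec proposal to strong algorithms that Azure route-based gateways accept,
# instead of leaving RRAS to negotiate from its default list
Set-VpnS2SInterface -Name $ifName -CustomPolicy $true -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 -CipherTransformConstants GCMAES256 `
    -AuthenticationTransformConstants GCMAES256 -DHGroup Group14 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 3600 -Force

# Bring the tunnel up and check it (the GUI shows the same state under Network Interfaces)
Connect-VpnS2SInterface -Name $ifName
Get-VpnS2SInterface -Name $ifName | Select-Object Name, Destination, ConnectionState, AdminStatus

# The static route for the Azure subnet should now point at the demand-dial interface
Get-NetRoute -DestinationPrefix $azureSubnet -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, InterfaceAlias, RouteMetric
```

If the interface stays Disconnected, the first things to check are the router's UDP 500/4500 forwards to the External NIC, the public IP entered in the Azure local network gateway, and that the key on both ends is byte-for-byte identical.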
Azure VM setup
1. Create a VM in the VM subnet (10.10.0.0/24) that you will reach from the on-premises network.
2. Take note of the VM's public IP address; you will use it for the first RDP test from on premises.
3. Note the private IP the VM received inside the VM subnet (10.10.0.4 in this example).
Test Site to Site VPN connectivity
1. Use your RDP tool of choice to connect to the Azure VM using its public IP; this confirms the VM itself is up before you test the tunnel.
2. From a machine on your local LAN, RDP to the Azure VM using its private IP (10.10.0.4 in this example): open mstsc and enter the IP. This only works if that machine routes 10.10.0.0/24 through the RRAS server's Internal address (either the RRAS server is its default gateway, or it has a static route for the Azure range) and its own subnet lies inside the address space given to the local network gateway in the Azure setup.
3. Confirm the RDP session opens. Once the tunnel works, remove the inbound RDP rule on the public IP so RDP is reachable only over the VPN.
4. Ping to the Azure VM from on premises fails by default: the Windows Firewall inside the VM does not answer ICMP echo requests, and the Network Security Group (NSG) on the VM's NIC may permit only RDP. Enable ICMPv4 echo in the guest firewall and, if the NSG blocks it, add an NSG rule allowing ICMP from the on-premises LAN.
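The connectivity checks and the ping fix from the steps above, as an added example rather than code from the original post. The three parts run in different places (the on-premises workstation, the Azure VM, and an Az PowerShell session), and the addresses, interface alias and NSG name are assumptions matching the lab.

```powershell
# Added example (not from the original post). Addresses, the interface alias and the NSG
# and resource group names are assumptions for the lab described in the post.
$azureVm      = '10.10.0.4'        # private IP of the Azure VM
$azureSubnet  = '10.10.0.0/24'
$onPremLan    = '192.168.1.0/24'   # on-premises LAN (assumption)
$rrasInternal = '192.168.1.2'      # RRAS server's Internal NIC address (assumption)

# --- On the on-premises workstation: make sure the Azure range is routed via RRAS, then
# test RDP over the tunnel. Skip the route if RRAS is already this machine's default gateway.
if (-not (Get-NetRoute -DestinationPrefix $azureSubnet -ErrorAction SilentlyContinue)) {
    New-NetRoute -DestinationPrefix $azureSubnet -NextHop $rrasInternal -InterfaceAlias 'Ethernet'
}
$rdp = Test-NetConnection -ComputerName $azureVm -Port 3389
"RDP to $azureVm over the tunnel: $($rdp.TcpTestSucceeded)"

# --- On the Azure VM: the guest firewall drops ICMP echo by default; allow it from the LAN only,
# not from anywhere, so the rule does not widen exposure if the NSG is later relaxed.
New-NetFirewallRule -DisplayName 'Allow ICMPv4 echo from on-prem' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $onPremLan -Action Allow

# --- In an Az PowerShell session: add a matching NSG rule if the VM's NSG does not already
# allow it. The default AllowVnetInBound rule covers on-premises ranges connected through the
# VPN gateway, but a custom NSG that allows only RDP does not.
$nsg = Get-AzNetworkSecurityGroup -Name 'nsg-vm' -ResourceGroupName 'rg-s2s-lab'
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-ICMP-OnPrem' -Priority 200 `
    -Direction Inbound -Access Allow -Protocol Icmp -SourceAddressPrefix $onPremLan `
    -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' |
    Set-AzNetworkSecurityGroup | Out-Null

# --- Back on the on-premises workstation: PingSucceeded should now be True
Test-NetConnection -ComputerName $azureVm | Select-Object ComputerName, PingSucceeded
```

`Test-NetConnection -TraceRoute` from the workstation is a quick way to confirm the path actually goes through the RRAS Internal address rather than out the default gateway.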