
Connecting with Azure

Introduction

About this Document

In this document we explain how to connect the AXS GUARD IPsec server with Microsoft Azure VPN using PSK host authentication.

Before you start

Azure VPN offers policy-based (IKEv1) and route-based (IKEv2) IPsec tunnels. Both are supported by the AXS Guard appliance. Route-based is the type Microsoft recommends for new deployments; a policy-based gateway is limited to IKEv1 and a single site-to-site tunnel.

The configuration of the Azure platform is beyond the scope of this guide. For information about setting up your tunnels on Azure, please see the official documentation provided by Microsoft and other online resources.

Default IPsec & IKE parameters

You will find the supported combinations of algorithms and parameters used by Azure VPN gateways in the official Azure VPN documentation. The IKE and ESP profiles selected on the AXS Guard side must match one of those combinations, otherwise phase 1 or phase 2 negotiation fails.

Azure-side Configuration Overview

  1. Configure the Microsoft Azure virtual network.

  2. Configure the Microsoft Azure DNS server.

  3. Create the Microsoft Azure virtual network gateway.

  4. Create the Microsoft Azure local network gateway.

AXS Guard-side Configuration

Policy-based Setup

  1. Go to VPN > IPsec > Tunnels

  2. Create a new tunnel with the following phase 1 settings:

    • IKE Version: Version 1.

    • IKE Profile: AES_CBC-SHA1-ANY.

    • Host Authentication: PSK.

    • Remote IP Type: Specific.

    Policy-based Phase 1

  3. Configure the following phase 2 settings:

    • ESP Profile: AES_256-HMAC_SHA1. Note that PFS is disabled in this profile. Leave it disabled: an Azure policy-based gateway does not negotiate PFS, and a phase 2 proposal that requires it will be rejected.

    • Remote Identifier Type: Remote Endpoint IP.

    Policy-based Phase 2

Route-based Setup

  1. Go to VPN > IPsec > Tunnels

  2. Create a new tunnel with the following phase 1 settings:

    • IKE Version: Version 2.

    • IKE Profile: AES_CBC-SHA1-ANY.

    • Host Authentication: PSK.

    • Remote IP Type: Specific.

    Route-based Phase 1

  3. Configure the following phase 2 settings:

    • ESP Profile: AES_256-HMAC_SHA1. Note that PFS is enabled in this profile.

    • Remote Identifier Type: Remote Endpoint IP.

    Important

    Both sides of the VPN must support PFS, and agree on the same Diffie-Hellman group, for PFS to work. With PFS enabled, every negotiation of a new phase 2 (child) SA performs a fresh Diffie-Hellman exchange instead of deriving the new keys from the phase 1 keying material alone, so a compromise of the phase 1 keys does not expose the phase 2 keys. If the Azure side has PFS disabled, or proposes a group that the AXS Guard profile does not offer, phase 2 negotiation fails.

    Route-based Phase 2
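To show concretely what the PFS setting in the route-based profile changes, here is an added example (not AXS Guard or Azure code) that follows the IKEv2 CHILD_SA key derivation from RFC 7296 section 2.17 for the AES_256-HMAC_SHA1 profile. Without PFS, KEYMAT is prf+(SK_d, Ni | Nr): anyone holding the phase 1 derivation key SK_d and the nonces seen on the wire can recompute the phase 2 keys. With PFS, KEYMAT is prf+(SK_d, g^ir (new) | Ni | Nr), and the fresh DH secret is not available to that attacker. The DH group, SK_d, nonces and key-exchange values below are constructed for the example; the group is a toy 64-bit group, not an IKE group.

```python
"""Why PFS matters for phase 2 (CHILD_SA) keys, following RFC 7296 sec. 2.17.

Added example for this page; it is not AXS Guard or Azure code.  The DH group
below is a deliberately tiny toy group, not an IKE group (real IKE groups are
RFC 3526 MODP groups of 2048 bits and more), and SK_d, nonces and KE values
are generated at random here instead of being taken from a real IKE exchange.
"""
import hashlib
import hmac
import secrets

# Toy DH group: p = 2**64 - 59 (the largest 64-bit prime), generator 2.
# Far too small for real use; only here to keep the example self-contained.
TOY_P = 2**64 - 59
TOY_G = 2
KE_LEN = 8  # bytes needed to encode one toy group element

# Key sizes for the ESP profile on this page: AES_256-HMAC_SHA1.
AES256_KEY_LEN = 32
HMAC_SHA1_KEY_LEN = 20
# KEYMAT = SK_ei | SK_ai | SK_er | SK_ar   (RFC 7296 sec. 2.17)
KEYMAT_LEN = 2 * (AES256_KEY_LEN + HMAC_SHA1_KEY_LEN)


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf; PRF_HMAC_SHA1 to match the SHA1 profiles used on this page."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 sec. 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir_new: bytes = b"") -> bytes:
    """CHILD_SA key material (RFC 7296 sec. 2.17).

    Without PFS: KEYMAT = prf+(SK_d, Ni | Nr)
    With PFS:    KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)
    """
    return prf_plus(sk_d, g_ir_new + ni + nr, KEYMAT_LEN)


def dh_keypair():
    """Toy DH key pair: (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(TOY_P - 2) + 1
    return priv, pow(TOY_G, priv, TOY_P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """g^ir as the fixed-width byte string IKE feeds into prf+."""
    return pow(peer_pub, priv, TOY_P).to_bytes(KE_LEN, "big")


def attacker_recovers_keymat(pfs: bool) -> bool:
    """Simulate one phase 2 negotiation and an attacker who already holds SK_d.

    The attacker sees everything on the wire (nonces and, with PFS, the public
    KE payloads) but never a DH private exponent.  Returns True if the attacker
    can reconstruct the CHILD_SA keys.
    """
    sk_d = secrets.token_bytes(20)  # compromised phase 1 derivation key
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # sent in clear

    if not pfs:
        real = child_keymat(sk_d, ni, nr)
        guess = child_keymat(sk_d, ni, nr)  # SK_d plus the nonces is enough
        return hmac.compare_digest(real, guess)

    # PFS: both gateways run a fresh DH exchange for this CHILD_SA.
    priv_i, pub_i = dh_keypair()
    priv_r, pub_r = dh_keypair()
    assert dh_shared(priv_i, pub_r) == dh_shared(priv_r, pub_i)
    real = child_keymat(sk_d, ni, nr, dh_shared(priv_i, pub_r))

    # The attacker has only pub_i and pub_r.  Combining the public values
    # (g^i * g^r = g^(i+r), not g^ir) is the best it can do without a private
    # exponent, and it does not yield the real key material.
    wrong_secret = (pub_i * pub_r % TOY_P).to_bytes(KE_LEN, "big")
    guess = child_keymat(sk_d, ni, nr, wrong_secret)
    return hmac.compare_digest(real, guess)


if __name__ == "__main__":
    print("no PFS: attacker holding SK_d recovers phase 2 keys:",
          attacker_recovers_keymat(pfs=False))
    print("PFS   : attacker holding SK_d recovers phase 2 keys:",
          attacker_recovers_keymat(pfs=True))
```

The same reasoning is why PFS is left disabled in the policy-based profile only because the Azure side cannot do it, not because it is harmless: without PFS, every phase 2 SA negotiated under one IKE SA stands or falls with that IKE SA's SK_d.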