WatchGuard Support Center
Knowledge Base Article 000009508
Configure a route-based VPN connection to a Microsoft Azure virtual network (Fireware v11.12 and higher)

Information
How can I configure a route-based VPN connection between a Firebox and a Microsoft Azure virtual network?

When you configure a virtual network with Microsoft Azure, you can establish a VPN from your local area network to the Azure virtual network. In Fireware v11.12 and higher, you can enable a route-based VPN to a Microsoft Azure virtual network through a BOVPN virtual interface.

WatchGuard refers to this configuration as static routing. In this article, we use the Microsoft term, route-based VPN.

When you configure a route-based VPN from your Firebox to an Azure virtual network, you must select the Cloud VPN or Third-Party Gateway remote endpoint type. Unlike a BOVPN virtual interface between two Fireboxes, this endpoint type does not encapsulate traffic in Generic Routing Encapsulation (GRE) inside the IPSec tunnel, because Azure VPN gateways do not support GRE.

To configure a policy-based VPN to an Azure virtual network, you must configure a BOVPN gateway and tunnel, which does not use a virtual interface. For more information about policy-based VPNs, see Configure a policy-based VPN connection to a Windows Azure virtual network (Fireware v11.11.x).

For information about dynamic routing with BGP to Microsoft Azure, see BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure in Fireware Help.

Configure the Azure Virtual Network

To configure your Azure virtual network, connect to the Azure Management Portal, and follow these instructions from Microsoft: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-create-vnet-arm-pportal/.

Gather Information about the Azure Virtual Network

Use this template to keep the information gathered from your Azure virtual network. We recommend that you save this information in a text file so that you can copy and paste information to your Firebox configuration.

Azure Virtual Network Settings

Local gateway IP address (Azure gateway IP address)
Remote gateway IP address (Firebox gateway IP address)
Shared key (Auto-generated by Azure)
Local network IP address (Azure local network)
Remote network IP address (Local network behind your Firebox)

Standard Azure VPN Settings

To establish an encrypted VPN tunnel, the Firebox and the Azure gateway negotiate settings and exchange information in two phases: Phase 1 and Phase 2. To successfully negotiate the tunnel, the Firebox and Azure must use identical Phase 1 and Phase 2 settings. If the Phase 1 and Phase 2 settings do not match, the VPN tunnel is not built.

These Firebox settings are compatible with Azure:

Phase 1
IKE version — IKEv2
You must change the default Firebox settings from IKEv1 to IKEv2.
Authentication — SHA1
Encryption — 3DES
Key Group — Diffie-Hellman Group 2

The 3DES, SHA1, and Diffie-Hellman Group 2 settings above interoperate with Azure but are legacy algorithms. For added security, you can specify a stronger Phase 1 transform (authentication–encryption pair):

  • SHA1–AES(256)
  • SHA2(256)–AES(256)
    Some older XTM devices do not support SHA2. To determine whether your XTM device supports SHA2, see Add a Phase 1 Transform in Fireware Help.

Phase 2
Perfect Forward Secrecy (PFS) — No 
Perfect Forward Secrecy (PFS) is not currently supported for VPN connections between Fireboxes and Azure.
IPSec Proposal — ESP–AES–SHA1
The AES key length is 256.

For the most recent list of protocols and algorithms supported by Microsoft for route-based VPNs, see the Phase 1 and Phase 2 tables at https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices.
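As an added example (not WatchGuard or Microsoft code), the following Python pre-flight check models the negotiation described above: it takes the Phase 1 transforms and Phase 2 proposals a Firebox would offer, in order, plus the PFS setting, and reports whether the Azure side described in this article would accept them, which transform would be selected, and which selected algorithms are legacy. The Azure-side sets are constructed from this article's compatibility table, not queried from Azure, so verify them against the current Microsoft table before relying on them.

```python
"""Pre-flight check of Firebox Phase 1 / Phase 2 settings against Azure.

Added example, not WatchGuard or Microsoft code. The Azure proposal sets are
constructed from the compatibility table in this article (IKEv2; 3DES or
AES(256) with SHA1 or SHA2(256); DH group 2; ESP-AES(256)-SHA1; no PFS).
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Phase1Transform:
    ike_version: int   # 1 or 2
    auth: str          # "SHA1" or "SHA2-256"
    encryption: str    # "3DES", "AES-128" or "AES-256"
    dh_group: int      # Diffie-Hellman group number


@dataclass(frozen=True)
class Phase2Proposal:
    auth: str          # ESP integrity algorithm
    encryption: str    # ESP encryption algorithm


# Constructed Azure side (see module docstring). IKE version is part of the
# Phase 1 match because Azure route-based gateways negotiate IKEv2 only.
AZURE_PHASE1 = {
    Phase1Transform(2, "SHA1", "3DES", 2),
    Phase1Transform(2, "SHA1", "AES-256", 2),
    Phase1Transform(2, "SHA2-256", "AES-256", 2),
}
AZURE_PHASE2 = {Phase2Proposal("SHA1", "AES-256")}

# Firebox factory default for a new BOVPN virtual interface is IKEv1, which
# this article says you must change to IKEv2 before Azure will negotiate.
FIREBOX_DEFAULT_PHASE1 = [Phase1Transform(1, "SHA1", "3DES", 2)]

# Algorithms that still interoperate but are legacy.
LEGACY = {"3DES": "3DES encryption", "SHA1": "SHA1 integrity"}
LEGACY_DH_GROUPS = {1, 2, 5}


def negotiate(firebox_p1: Iterable[Phase1Transform],
              firebox_p2: Iterable[Phase2Proposal], pfs: bool) -> dict:
    """Emulate proposal selection: the first Firebox transform, in the order
    offered, that Azure also accepts is chosen. Returns the selected
    transforms, hard errors that leave the tunnel unbuilt, and warnings."""
    firebox_p1, firebox_p2 = list(firebox_p1), list(firebox_p2)
    errors, warnings = [], []

    offers_ikev2 = any(t.ike_version == 2 for t in firebox_p1)
    if not offers_ikev2:
        errors.append("Phase 1 offers IKEv1 only; route-based VPN to Azure requires IKEv2")
    phase1 = next((t for t in firebox_p1 if t in AZURE_PHASE1), None)
    if phase1 is None and offers_ikev2:
        errors.append("no Phase 1 transform is acceptable to Azure")

    if pfs:
        errors.append("PFS is enabled; Azure does not support PFS for this tunnel")
    phase2 = next((p for p in firebox_p2 if p in AZURE_PHASE2), None)
    if phase2 is None:
        errors.append("no Phase 2 proposal is acceptable to Azure (use ESP-AES(256)-SHA1)")

    def flag(msg: str) -> None:
        if msg not in warnings:
            warnings.append(msg)

    if phase1:
        for alg in (phase1.encryption, phase1.auth):
            if alg in LEGACY:
                flag(f"Phase 1 uses legacy {LEGACY[alg]}")
        if phase1.dh_group in LEGACY_DH_GROUPS:
            flag(f"Phase 1 uses legacy DH group {phase1.dh_group}")
    if phase2:
        for alg in (phase2.encryption, phase2.auth):
            if alg in LEGACY:
                flag(f"Phase 2 uses legacy {LEGACY[alg]}")

    return {"ok": not errors, "phase1": phase1, "phase2": phase2,
            "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Offer the strong transform first so it is selected when Azure accepts it.
    article_p1 = [Phase1Transform(2, "SHA2-256", "AES-256", 2),
                  Phase1Transform(2, "SHA1", "3DES", 2)]
    article_p2 = [Phase2Proposal("SHA1", "AES-256")]
    for label, p1, pfs in (("factory default", FIREBOX_DEFAULT_PHASE1, False),
                           ("article settings", article_p1, False),
                           ("article settings + PFS", article_p1, True)):
        r = negotiate(p1, article_p2, pfs)
        print(f"{label}: ok={r['ok']} errors={r['errors']} warnings={r['warnings']}")
```

Order matters: the Firebox offers its Phase 1 transforms in list order, so list SHA2(256)–AES(256) above the 3DES fallback to have it selected while still interoperating with devices that only accept the weaker transform.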

Example Configuration

In this example, we use these values:

Firebox
Local gateway ID — 203.0.113.2
Remote gateway ID (Azure) — 198.51.100.2
Local IP address — 203.0.113.2
Remote IP address (Azure) — 198.51.100.2
VPN route to Azure virtual network — 172.16.0.0/16

Azure
Local gateway ID — 198.51.100.2
Remote gateway ID (Firebox) — 203.0.113.2
Local IP address — 198.51.100.2
Remote IP address (Firebox) — 203.0.113.2
Local network — 172.16.0.0/16

Configure the Firebox

You can configure your Firebox with Fireware Web UI or with Policy Manager. To configure your Firebox, follow the instructions in the section for your configuration tool:

Configure the Firebox with Fireware Web UI

To configure a route-based VPN connection to Azure in Fireware Web UI:

    1. Select VPN > BOVPN Virtual Interfaces.
      The BOVPN Virtual Interfaces page appears.
    2. Click Add.
    3. In the Interface Name text box, type a name to identify this gateway.
    4. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
    5. In the Use Pre-Shared Key text box, paste the auto-generated shared key you copied from the Azure Management Portal.
    6. In the Gateway Endpoint section, click Add.
      The Gateway Endpoint Settings dialog box appears.
    7. Select the Local Gateway tab.
    8. In the By IP Address text box, type the external IP address of your Firebox. In our example, we use 203.0.113.2.
      Screen shot of VPN local gateway settings
    9. Select the Remote Gateway tab.
    10. In the Static IP Address text box, type the IP address of the Azure gateway. In our example, we use 198.51.100.2.
    11. In the By IP Address text box, type the gateway ID of the Azure gateway. In our example, we use 198.51.100.2.
      Screen shot of the completed Remote Gateway page
    12. Click OK.
    13. Select the VPN Routes tab.
    14. Click Add.
    15. From the Choose Type drop-down list, select Host IPv4, Network IPv4, Host IPv6, or Network IPv6. 
      For example, select Network IPv4.
    16. In the Route To text box, type the address range of the Azure virtual network you will connect to. In our example, we use 172.16.0.0/16.
      Screen shot of the Add VPN Routes dialog box
    17. Click OK.
      The VPN Routes table is populated.
      Screen shot of populated VPN Routes table
    18. Select the Phase 1 Settings tab.
    19. From the Version drop-down list, select IKEv2.
      Route-based VPN connections to Azure require IKEv2.
    20. Click Save.
      Two policies are automatically added to the Firebox: BOVPN-Allow.out and BOVPN-Allow.in. These policies allow all traffic to and from the BOVPN virtual interface. To enforce least privilege, you can disable them and add policies that allow only the hosts and ports your Azure resources require.
    21. To test the configuration, ping a local Azure resource from the local network behind your Firebox.
      Make sure that your Firebox and Azure virtual network are configured to allow ICMP traffic.

Configure the Firebox with Policy Manager

To configure a route-based VPN connection to Azure in Policy Manager:

    1. Select VPN > BOVPN Virtual Interfaces.
      The BOVPN Virtual Interfaces page appears.
    2. Click Add.
    3. In the Interface Name text box, type a name to identify this gateway.
    4. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
    5. In the Use Pre-Shared Key text box, paste the auto-generated shared key you copied from the Azure Management Portal.
    6. In the Gateway Endpoints section, click Add.
    7. In the Local Gateway section, select By IP Address.
    8. In the IP Address text box, type the external IP address of your Firebox. In our example, we use 203.0.113.2.
    9. In the Remote Gateway section, select Static IP Address.
    10. In the IP Address text box, type the IP address of the Azure gateway. In our example, we use 198.51.100.2.
    11. Select By IP Address to specify the gateway ID.
    12. In the IP Address text box, type the gateway ID of the Azure gateway. In our example, we use 198.51.100.2.
      Screen shot of completed Gateway Settings page
    13. Click OK.
    14. Select the VPN Routes tab.
    15. Click Add.
    16. From the Choose Type drop-down list, select Host IPv4, Network IPv4, Host IPv6, or Network IPv6.
      For example, select Network IPv4.
    17. In the Route To text box, type the address range of the Azure virtual network you will connect to. In our example, we use 172.16.0.0/16.
      Screen shot of the Add Route dialog box
    18. Click OK.
      The VPN Routes table is populated.
      Screen shot of populated VPN Routes table
    19. Select the Phase 1 Settings tab.
    20. From the Version drop-down list, select IKEv2.
      Route-based VPN connections to Azure require IKEv2.
    21. Click OK.
      Two policies are automatically added to the Firebox: BOVPN-Allow.out and BOVPN-Allow.in.
    22. Save the configuration to the Firebox. To test it, ping a local Azure resource from the local network behind your Firebox. Make sure that your Firebox and Azure virtual network are configured to allow ICMP traffic.

See Also

BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure in Fireware Help
Configure a VPN connection to a Windows Azure virtual network (Fireware v11.11.x)