My previous blog post was about setting up IPSec VPN tunnel between AWS VPC and vCloud Director Org VDC. This time I will describe how to achieve the same with Microsoft Azure.
vCloud Director is not among Azure list of supported IPSec VPN endpoints however it is possible to set up such VPN although it is not straightforward.
I will describe the setup of both Azure and VCD endpoints very briefly as it is very similar to the one I described in my previous article.
Azure Configuration
- Resource Group (logical container object) – in my example RG UK
- Virtual network (large address space similar to AWS VPN subnet) – 172.30.0.0/16
- Subnets – at least one for VMs (172.30.0.0/24) and one for Gateway (172.30.255.0/29)
- Virtual Network Gateway – Azure VPN endpoint with public IP address associated with the Gateway subnet above. Gateway type is VPN, VPN type is Policy-based (this is because Route-based type uses IKE2 which is not supported by NSX platform used by vCloud Director).
- Local Network Gateway – vCloud VPN endpoint definition with its public IP address and subnets that should be reachable behind the vCloud VPN endpoint (81.x.x.x, 192.168.100.0/24)
- Connection – definition of the tunnel:
- Connection type: Site-to-site (IPSec)
- Virtual network gateway and local network gateway are straightforward (those created previously)
- Connection name: whatever
- Shared Key (PSK): create your own 32+ character key using upper and lower case characters and numbers
- Test VM connected to the VM subnet (IP 172.30.0.4)
vCloud Configuration
As explained above we created Policy Based VPN endpoint in Azure. Policy Based VPN uses IKE version 1, Diffie-Hellman Group 2 and no Perfect Forward Secrecy.
However selection of DH group and PFS is not available to tenant in vCloud Director on the legacy Org VDC Edge Gateway. Therefore the following workaround is proposed:
Tenant configures VPN on his Org VDC Edge Gateway with the following:
- Name: Azure
- Enable this VPN configuration
- Establisth VPN to: a remote network
- Local Networks: 192.168.100.0/24 (Org VDC network(s))
- Peer Networks: 172.30.0.0/24
- Local Endpoint: Internet (interface facing internet)
- Local ID: 10.0.2.121 (Org VDC Edge GW internet interface)
- Peer ID: 51.x.x.x (public IP of the Azure Virtual network gateway)
- Peer IP: 51.x.x.x (same as previous)
- Encryption protocol: AES256
- Shared Key: the same as in Azure Connection definition
Now we need to ask the service provider to directly in NSX in the Edge VPN configuration disable PFS and change DH Group to DH2.
Note that this workaround is not necessary on Org VDC Edge Gateway that has been enabled with Advanced Networking services. This feature is at the moment only in vCloud Air, however soon will be available to all vCloud Air Network service providers.
If all firewall rules are properly set up we should be able to ping between Azure and vCloud VMs.
Tom Fojta's Blog 
according to Microsoft Website the Support of IKEv2 is the other way around. Policy based is IKEv1 Route Based is IKEv2 https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
Thanks for spotting this. This is just typo as later in the text it is correct. Fixed.
Hi Tomas,
can you explain differences between Peer Networks and Peer Subnets ?
Let say I have two subnets in my azure eg : 172.16.0.0/24 and 172.18.0.0/24
How do i fill those parameters ?
How about like this,
Peer networks : 17.0.0.0/8
Peer subnets : 172.16.0.0/24, 172.18.0.0/24
CMIIW
They are more or less equivalent. Peer networks are more specific, whereas subnets can summarize multiple networks. You should configure 172.16.0.0/24 and 127.18.0.0/24 in both cases.
I did all setting that I follow your guide, but it doesn’t work. No error found. It display connecting and sucessed on azure. But it doesn’t enter connected status. Where do I see log? or what I can do now?
Hi the above steps work for me. For Policy based and Azure. However I am having trouble getting Route Base /VTI & Azure BGP working with IBM vCD. Tunnel comes up however routing is not working.