Azure Site to Site VPN with Juniper SRX100

Things you will need

• An active Azure subscription
• A Virtual network
• A local network
• A VPN gateway I choose a Juniper SRX100 because its capable of running dynamic routing, and throughput of 60MBIT with IPSEC and its low cost. Azure Configuration If you have created the Virtual network correctly you should see something like this First of we need to define the local network so Azure knows where to accept connections from and how to route traffic. This is done under Networks where you select Local Networks_and create new local network Here give the network a name, and specify the public IP that Azure can reach you VPN gateway on. And you specify the IP range of your local network. Now we need to setup the VPN gateway on the network in Azure we want a connection to. Select Configure and Connect to the local network and choose the local network you want connected to this Azure Network This will also add a Gateway network in your address space, some times it might be necessary to expand the address space with a larger CIDR in order to make room for the gateway network. Once your done, click save. Now when you look at the dashboard you see your two networks but notice it says THE GATEWAY WAS NOT CREATED. Because we need to create the VPN gateway, by clicking_Create gateway. Choose the appropriate Routing method, i’m using the Juniper SRX100 and it supports Dynamic routing, so i’m going to choose that. You can see what kinds of gateways Azure support here. The gateway will take some time to provision, about 15 minutes. When done, you will see something like this. Now its time to configure our On-premise VPN gateway. Configuring Juniper SRX100 VPN Gateway I used a combination of the Web GUI and CLI to configure the Juniper SRX100 Gateway. Power the box up and connect to the second port, the first is for Internet access. Go through the guide and accept the defaults. Go into the Azure portal and select the network you created earlier, and click on _Manage key_copy this preshared key, and use it in the configuration below. When done, connect to the box via console and enter the following commands, they are a slight simplification of the one found on Technet.

set security ike proposal RP_IkeProposal authentication-method pre-shared-keys  
set security ike proposal RP_IkeProposal authentication-algorithm sha1  
set security ike proposal RP_IkeProposal encryption-algorithm aes-256-cbc  
set security ike proposal RP_IkeProposal lifetime-seconds 28800  
set security ike proposal RP_IkeProposal dh-group group2  
set security ike policy RP_IkePolicy mode main  
set security ike policy RP_IkePolicy proposals RP_IkeProposal  
set security ike policy RP_IkePolicy pre-shared-key ascii-text <Preshared key from Azure gateway>  
set security ike gateway RP_IkeGateway ike-policy RP_IkePolicy  
set security ike gateway RP_IkeGateway address <Azure Gateway>  
set security ike gateway RP_IkeGateway external-interface fe-0/0/0  
set security ike gateway RP_IkeGateway version v2-only  
set security ipsec proposal RP_IPSecProposal protocol esp  
set security ipsec proposal RP_IPSecProposal authentication-algorithm hmac-sha1-96  
set security ipsec proposal RP_IPSecProposal encryption-algorithm aes-256-cbc  
set security ipsec proposal RP_IPSecProposal lifetime-seconds 3600  
set security ipsec policy RP_IPSecPolicy proposals RP_IPSecProposal  
set security ipsec vpn RP_IPSecVpn ike gateway RP_IkeGateway  
set security ipsec vpn RP_IPSecVpn ike ipsec-policy RP_IPSecPolicy  
set security zones security-zone Internal host-inbound-traffic system-services ike  
set security zones security-zone Internal address-book address RP_OnPremiseNetwork <SP_OnPremiseNetworkCIDR>  
set security zones security-zone Internet host-inbound-traffic system-services ike  
set interfaces st0 unit 0 family inet  
set security zones security-zone untrust interfaces st0.0  
set security ipsec vpn RP_IPSecVpn bind-interface st0.0  
set routing-options static route <SP_AzureNetworkCIDR> next-hop st0.0  
set security flow tcp-mss ipsec-vpn mss 1350  
commit  
exit

• Preshared key from Azure gateway, is the key you got in the step above
• Azure Gateway, is the IP address of the VPN gateway you created in Azure
• SP_OnPremiseNetworkCIDR, is the IP range of your local network e.g. 10.0.0.0/24
• SP_AzureNetworkCIDR, is the IP range of the network you created in Azure e.g. 10.2.0.0/24 When done, you are ready to initiate the connection from the Azure Portal by clicking_Connect_. If you did everything correct you will see that the VPN tunnel is up and running. Now you are ready to connect to the Juniper SRX100 and see if you can access your servers running in Azure trough their internal IP’s. Questions or comments, write below.