Setting up an IPSec VPN connection to Microsoft Azure using Strongswan

It took me a while to get the IPSec tunnel between Azure and Strongswan up and running. This post documents the Strongswan configuration required to get traffic going through the tunnel.

Assumptions

  • Private network segment on Azure’s side is 10.0.0.0/16
  • Public IP address of VPN gateway on Azure’s side is 1.2.3.4
  • Private network segment of instance running Strongswan is 172.30.0.0/16
  • IP address of instance running Strongswan is 172.30.2.11
  • Your pre-shared key is in /etc/strongswan/ipsec.secrets

Connection configuration

[francis@ip-172-30-2-11 ~]# cat /etc/strongswan/ipsec.conf
conn office-network-to-azure-southeast-asia
        closeaction=restart
        dpdaction=restart
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        reauth=no
        keyexchange=ikev2
        mobike=no
        ikelifetime=28800s
        keylife=3600s
        keyingtries=%forever
        authby=secret
        left=172.30.2.11             # local instance ip (strongswan)
        leftsubnet=0.0.0.0/0
        leftid=172.30.2.11           # local instance ip (strongswan)
        right=1.2.3.4                # vpn gateway ip (azure)
        rightid=1.2.3.4              # vpn gateway ip (azure)
        rightsubnet=10.0.0.0/16      # private ip segment (azure)
        auto=start
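
The ike= and esp= lines above select a 1024-bit DH group (modp1024) and SHA-1, and the esp proposal names no DH group. The following is an added example, not part of the original post or of strongSwan: a small checker that parses ipsec.conf conn sections and reports such proposals. The function names and the weak/legacy lists are assumptions chosen for this example.

```python
import re

# Constructed sample: the crypto-related lines of this page's conn section.
SAMPLE_CONF = """\
conn office-network-to-azure-southeast-asia
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        keyexchange=ikev2
        authby=secret            # PSK lives in ipsec.secrets
"""

# Assumed review policy for this example; not a strongSwan or Azure default.
WEAK_DH = {"modp768", "modp1024", "modp1536"}
LEGACY_ALGS = {"md5", "sha1", "des", "3des"}
DH_TOKEN = re.compile(r"^(modp|ecp|curve|x)\d+\w*$")


def parse_conns(text):
    """Return {conn_name: {option: value}} for every conn section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line starts a section
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def audit(text):
    """Return (conn, option, finding) tuples for weak ike/esp proposals."""
    findings = []
    for name, opts in parse_conns(text).items():
        for option in ("ike", "esp"):
            for proposal in opts.get(option, "").rstrip("!").split(","):
                tokens = [t for t in proposal.strip().lower().split("-") if t]
                for tok in tokens:
                    if tok in WEAK_DH:
                        findings.append((name, option, f"weak DH group {tok}"))
                    elif tok in LEGACY_ALGS:
                        findings.append((name, option, f"legacy algorithm {tok}"))
                # An esp proposal without a DH group rekeys without PFS.
                if option == "esp" and tokens and not any(map(DH_TOKEN.match, tokens)):
                    findings.append((name, option, "no DH group (no PFS)"))
    return findings
```

Any stronger proposal has to be accepted by the Azure gateway as well, since both peers must agree on one.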
