Setting up an IPSec VPN connection to Microsoft Azure using Strongswan

Network

It took me a while to get the IPSec tunnel between Azure and Strongswan up and running. This post documents the Strongswan configuration required to get traffic going through the tunnel.

Assumptions

  • Private network segment on Azure's side is 10.0.0.0/16
  • Public IP address of the VPN gateway on Azure's side is 1.2.3.4
  • Private network segment of the instance running Strongswan is 172.30.0.0/16
  • IP address of the instance running Strongswan is 172.30.2.11
  • Your pre-shared key is in /etc/strongswan/ipsec.secrets

Connection configuration

[francis@ip-172-30-2-11 ~]# cat /etc/strongswan/ipsec.conf
conn office-network-to-azure-southeast-asia
	closeaction=restart
	dpdaction=restart
	ike=aes256-sha1-modp1024
	esp=aes256-sha1
	reauth=no
	keyexchange=ikev2
	mobike=no
	ikelifetime=28800s
	keylife=3600s
	keyingtries=%forever
	authby=secret
	left=172.30.2.11             # local instance ip (strongswan)
	leftsubnet=0.0.0.0/0
	leftid=172.30.2.11           # local instance ip (strongswan)
	right=1.2.3.4          # vpn gateway ip (azure)
	rightid=1.2.3.4        # vpn gateway ip (azure)
	rightsubnet=10.0.0.0/16      # private ip segment (azure)
	auto=start
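Before bringing the tunnel up it helps to sanity-check the conn section against the assumptions above, because an ID mismatch or a wrong rightsubnet fails silently as "no traffic" rather than as a clear error. The following linter is an added example and not part of the original post: it parses ipsec.conf conn blocks (a constructed copy of the section above is embedded), checks that keyexchange/authby/mobike are what this setup relies on, that leftid/rightid match left/right, that left is the local instance IP and rightsubnet is the Azure segment, and warns when the ike or esp proposal contains algorithms generally considered weak today (sha1, modp1024, 3des, md5). The required-setting list and the weak-algorithm list are the example's own choices, not something the post or Azure documentation prescribes.

```python
"""Lint strongSwan ipsec.conf 'conn' sections for an Azure site-to-site tunnel.

Added example, not code from the original post. It checks the settings the
post relies on and flags proposal components that are considered weak.
"""
import ipaddress
import re

# Constructed copy of the conn section shown in the post (tabs, trailing comments).
SAMPLE_CONF = """\
conn office-network-to-azure-southeast-asia
\tcloseaction=restart
\tdpdaction=restart
\tike=aes256-sha1-modp1024
\tesp=aes256-sha1
\treauth=no
\tkeyexchange=ikev2
\tmobike=no
\tikelifetime=28800s
\tkeylife=3600s
\tkeyingtries=%forever
\tauthby=secret
\tleft=172.30.2.11             # local instance ip (strongswan)
\tleftsubnet=0.0.0.0/0
\tleftid=172.30.2.11           # local instance ip (strongswan)
\tright=1.2.3.4          # vpn gateway ip (azure)
\trightid=1.2.3.4        # vpn gateway ip (azure)
\trightsubnet=10.0.0.0/16      # private ip segment (azure)
\tauto=start
"""

# Settings this particular setup relies on (example's own list, not a standard).
REQUIRED = {"keyexchange": "ikev2", "authby": "secret", "mobike": "no"}

# Proposal components still accepted by many peers but considered weak today.
WEAK_TOKENS = {"sha1", "modp1024", "modp768", "3des", "md5"}


def parse_conn_sections(text):
    """Return {conn_name: {key: value}} from ipsec.conf text; '#' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def lint_conn(params, azure_subnet, local_ip):
    """Return a list of (severity, message) findings for one conn section."""
    findings = []
    for key, want in REQUIRED.items():
        got = params.get(key)
        if got != want:
            findings.append(("error", f"{key} should be {want}, found {got!r}"))
    # leftid/rightid must match the addresses, otherwise IKE_AUTH fails on identity.
    for side in ("left", "right"):
        if params.get(side) != params.get(f"{side}id"):
            findings.append(("error", f"{side}id does not match {side}"))
    if params.get("left") != local_ip:
        findings.append(("error", f"left is not the local instance IP {local_ip}"))
    # rightsubnet must be the Azure address space, or no child SA carries its traffic.
    try:
        right_net = ipaddress.ip_network(params.get("rightsubnet", ""), strict=True)
        if right_net != ipaddress.ip_network(azure_subnet):
            findings.append(("error", f"rightsubnet {right_net} != Azure segment {azure_subnet}"))
    except ValueError:
        findings.append(("error", "rightsubnet missing or not a valid CIDR"))
    # Proposals are comma-separated lists of dash-separated tokens; '!' marks strict.
    for field in ("ike", "esp"):
        tokens = set(re.split(r"[-,]", params.get(field, "").replace("!", "")))
        weak = sorted(tokens & WEAK_TOKENS)
        if weak:
            findings.append(("warning", f"{field} proposal uses weak algorithms: {', '.join(weak)}"))
    return findings


def lint_file(text, azure_subnet="10.0.0.0/16", local_ip="172.30.2.11"):
    """Lint every conn section in the given ipsec.conf text."""
    return {name: lint_conn(p, azure_subnet, local_ip)
            for name, p in parse_conn_sections(text).items()}


if __name__ == "__main__":
    for name, findings in lint_file(SAMPLE_CONF).items():
        print(f"[{name}]")
        for severity, msg in findings or [("ok", "no findings")]:
            print(f"  {severity}: {msg}")
```

Run against the section from the post it reports no errors and two warnings (sha1 and modp1024 in the ike proposal, sha1 in the esp proposal); to lint the live file, pass the contents of /etc/strongswan/ipsec.conf to lint_file instead of SAMPLE_CONF.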