Connecting from Azure to SORACOM Door

SORACOM Door (“Door”) lets you establish VPN connections between your own networks (for example a cloud virtual network or an on-premises site) and SORACOM.

This page explains how to use SORACOM Door to build such a VPN connection from Microsoft Azure (“Azure”).

Run a Virtual Server for VPN Connections on Azure

From the Azure console, create and start the Linux virtual machine that will act as the router (the “router server”).

This document uses Ubuntu Server 16.04 LTS as the virtual machine that acts as the router. The values below are used as an example for the Azure virtual network settings; when you build your own system, replace them with the settings of your own environment.

Data item                              Value
Azure virtual network address range    e.g. 10.3.0.0/16
Router subnet                          e.g. 10.3.0.0/24
Router server local (private) IP       e.g. 10.3.0.4
Router server public IP address        e.g. 40.115.186.34

From the Azure console, start the virtual server.

Once Linux is running, log in over SSH to verify that you can reach the server. Because the router server has a public IP address, limit SSH access in its network security group to your own administrative addresses.

Request to Use SORACOM Door

From the Azure console, check the public IP address that was assigned to the virtual server.

Next, submit a request to use SORACOM Door. Usage requests are sent from this page.

When sending the request, you will need to enter the following information.

Data item                                                     Value
VPN gateway device vendor name or model number                Microsoft Azure (Ubuntu Server 16.04 LTS)
VPN global IP address of the VPN gateway device (static)      The public IP address checked in the step above
AS number (dynamic routing only)                              64512 (any private ASN between 64512 and 65534)
IP address range to be routed (dynamic routing only)          The Azure virtual network’s address range (in this example, 10.3.0.0/16)

Once SORACOM has completed the configuration on its side, you receive the connection parameters for IPsec Tunnel #1 and #2: the public endpoint address, the inside addresses of the tunnel interfaces, the pre-shared key, and the BGP ASN of the VPG.

This information is used to configure the router server. Treat the pre-shared keys as secrets: keep them out of tickets, chat and version control.

Connecting to Door from the Linux Router Server on Azure

Network Security Group Configuration

Add inbound rules to the network security group attached to the router server so that the IKE and IPsec traffic from the two SORACOM tunnel endpoints (<CONN A PUBLIC IP> and <CONN B PUBLIC IP> in the table further below) is allowed: UDP port 500 for IKE and UDP port 4500 for IPsec NAT traversal, which is used because the router server’s public IP address is NATed onto its private address (10.3.0.4 in this example). Restrict the source of these rules to the two tunnel endpoint addresses rather than allowing any source.

Installation of Required Software

Log in to the router server on Azure and install the required software.

sudo su
apt-get update
apt-get install racoon quagga ipsec-tools

If the racoon package asks which configuration mode to use during installation, choose “direct”; this page edits /etc/racoon/racoon.conf directly.

IP Filter and Forwarding Configuration

In order for the server to act as a router, you need to change kernel parameters. Edit /etc/sysctl.conf.

cd /etc
vi sysctl.conf

Apply the following settings:

net.ipv4.conf.default.rp_filter=0     (uncomment)
net.ipv4.conf.all.rp_filter=0         (uncomment)
net.ipv4.conf.eth0.rp_filter=0        (add)
net.ipv4.conf.lo.rp_filter=0          (add)
net.ipv4.conf.eth0.disable_policy=1   (add)

net.ipv4.ip_forward=1                 (change the value from 0 to 1)

Note that rp_filter=0 switches off the kernel’s reverse-path (anti-spoofing) check, which would otherwise drop packets that arrive on eth0 from the tunnels’ inside addresses. With that check gone, the network security group rules on the router server are what limits which sources can reach it.

Load the new settings into the running system:

sysctl -p /etc/sysctl.conf

Preparation for IPSec/BGP Configuration

To create the ipsec-tools, racoon and quagga configuration files, first prepare the values listed in the table below. The pre-shared keys shown are example values only.

Variable name                 Example                 Description
<LOCAL PUBLIC IP>             40.115.186.34           Public IP address of the router server
<LOCAL PRIVATE IP>            10.3.0.4                Local IP address of the router server
<CONN A PUBLIC IP>            52.68.161.59            Public IP address of IPsec Tunnel #1
<CONN A LOCAL LINK>           169.254.24.250/30       Inside IP address of the tunnel interface for IPsec Tunnel #1 on the router server side (customer gateway)
<CONN A REMOTE LINK>          169.254.24.249/30       Inside IP address of the tunnel interface for IPsec Tunnel #1 on the VPG side (virtual private gateway)
<CONN A REMOTE LINK WO 30>    169.254.24.249          As above, without the /30
<CONN A PSK>                  XkqigeaoRuOglouOWmok    Pre-shared key of IPsec Tunnel #1
<CONN B PUBLIC IP>            52.196.231.47           Public IP address of IPsec Tunnel #2
<CONN B LOCAL LINK>           169.254.24.22/30        Inside IP address of the tunnel interface for IPsec Tunnel #2 on the router server side (customer gateway)
<CONN B REMOTE LINK>          169.254.24.21/30        Inside IP address of the tunnel interface for IPsec Tunnel #2 on the VPG side (virtual private gateway)
<CONN B REMOTE LINK WO 30>    169.254.24.21           As above, without the /30
<CONN B PSK>                  Euo3vqxH6zM0gaORmoqpP   Pre-shared key of IPsec Tunnel #2
<LOCAL SUBNET>                10.3.0.0/16             Azure virtual network address range
<REMOTE SUBNET>               100.65.6.0/24           VPG network address range
<LOCAL ASN>                   64512                   BGP ASN of the router server
<REMOTE ASN>                  10124                   BGP ASN of the VPG

Next, use the variables above to replace the placeholders in the following four templates:

- ipsectools Configuration
- racoon Configuration
- racoon PSK Configuration
- quagga BGP Configuration

(The templates refer to the settings listed above.)

Download each of the files above and replace the placeholders in the templates with your values.

IPSec/BGP Configuration

ipsec-tools Configuration

Open /etc/ipsec-tools.conf, append the values created from “ipsectools Configuration” to the end of the file, and save it.

racoon Configuration

Open /etc/racoon/racoon.conf, append the values created from “racoon Configuration” to the end of the file, and save it.

Next, open /etc/racoon/psk.txt, append the values created from “racoon PSK Configuration” to the end of the file, and save it. Because this file holds the pre-shared keys, make sure it is readable by root only (mode 600); racoon refuses to load a psk.txt with weaker permissions.

quagga Configuration

Open /etc/quagga/daemons and set zebra and bgpd to “yes”.

zebra=yes
bgpd=yes

Create a new /etc/quagga/bgpd.conf file, copy in the values created from “quagga BGP Configuration”, and save the file.

Create a new /etc/quagga/zebra.conf file, copy in the contents of the file below, and save the file.
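The substitution described in the two sections above is mechanical, but the mistakes that cost the most time (inside addresses that do not share a /30, a public ASN where a private one is required, a psk.txt left world-readable) are easy to check before any service is restarted. The script below is an added example and not SORACOM’s own templates or tooling: the template strings are an assumption modelled on a generic policy-based racoon/setkey/bgpd setup, with the page’s <NAME> placeholder style, and the downloaded SORACOM templates take precedence over them. The values in EXAMPLE_VARS are the example table above.

```python
import ipaddress
import os

# Constructed from the example table above; replace with your own values.
EXAMPLE_VARS = {
    "LOCAL PUBLIC IP": "40.115.186.34", "LOCAL PRIVATE IP": "10.3.0.4",
    "CONN A PUBLIC IP": "52.68.161.59", "CONN A PSK": "XkqigeaoRuOglouOWmok",
    "CONN A LOCAL LINK": "169.254.24.250/30", "CONN A REMOTE LINK": "169.254.24.249/30",
    "CONN B PUBLIC IP": "52.196.231.47", "CONN B PSK": "Euo3vqxH6zM0gaORmoqpP",
    "CONN B LOCAL LINK": "169.254.24.22/30", "CONN B REMOTE LINK": "169.254.24.21/30",
    "LOCAL SUBNET": "10.3.0.0/16", "REMOTE SUBNET": "100.65.6.0/24",
    "LOCAL ASN": "64512", "REMOTE ASN": "10124",
}

# ASSUMED templates in the page's <NAME> placeholder style, one tunnel each;
# they are not SORACOM's templates, and the downloaded ones take precedence.
SETKEY_TMPL = (
    "# IPsec Tunnel #<N>: the BGP /30 travels inside ESP tunnel mode\n"
    "spdadd <LOCAL LINK WO 30>/32 <REMOTE LINK WO 30>/32 any -P out ipsec "
    "esp/tunnel/<LOCAL PRIVATE IP>-<PUBLIC IP>/require;\n"
    "spdadd <REMOTE LINK WO 30>/32 <LOCAL LINK WO 30>/32 any -P in ipsec "
    "esp/tunnel/<PUBLIC IP>-<LOCAL PRIVATE IP>/require;\n"
)
RACOON_TMPL = """\
remote <PUBLIC IP> {
    exchange_mode main;
    nat_traversal on;  # the router's public IP is NATed onto <LOCAL PRIVATE IP>
    proposal {
        encryption_algorithm aes 128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo address <LOCAL LINK WO 30>/32 any address <REMOTE LINK WO 30>/32 any {
    pfs_group 2;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;
}
"""
PSK_TMPL = "<PUBLIC IP> <PSK>\n"
BGP_NEIGHBOR_TMPL = " neighbor <REMOTE LINK WO 30> remote-as <REMOTE ASN>\n"

def tunnel_vars(table, conn):
    """Per-tunnel view of the table; the '... WO 30' values are derived, not typed."""
    t = {"N": "1" if conn == "A" else "2", "LOCAL PRIVATE IP": table["LOCAL PRIVATE IP"],
         "REMOTE ASN": table["REMOTE ASN"]}
    for key in ("PUBLIC IP", "LOCAL LINK", "REMOTE LINK", "PSK"):
        t[key] = table[f"CONN {conn} {key}"]
    for key in ("LOCAL LINK", "REMOTE LINK"):
        t[f"{key} WO 30"] = str(ipaddress.ip_interface(t[key]).ip)
    return t

def fill(template, values):
    """Replace every <NAME> placeholder with its value."""
    for name, value in values.items():
        template = template.replace(f"<{name}>", value)
    return template

def validate(table):
    """Return the problems found; an empty list means the values are consistent."""
    problems = []
    for conn in ("A", "B"):
        local = ipaddress.ip_interface(table[f"CONN {conn} LOCAL LINK"])
        remote = ipaddress.ip_interface(table[f"CONN {conn} REMOTE LINK"])
        if local.network.prefixlen != 30 or local.network != remote.network:
            problems.append(f"CONN {conn}: inside addresses must share one /30")
    if not 64512 <= int(table["LOCAL ASN"]) <= 65534:
        problems.append("LOCAL ASN must be a private ASN between 64512 and 65534")
    local_net = ipaddress.ip_network(table["LOCAL SUBNET"])
    if local_net.overlaps(ipaddress.ip_network(table["REMOTE SUBNET"])):
        problems.append("LOCAL SUBNET overlaps REMOTE SUBNET")
    return problems

def render(table):
    """Map each target file to the text appended to it (bgpd.conf is created new)."""
    a, b = tunnel_vars(table, "A"), tunnel_vars(table, "B")
    bgpd = (f"router bgp {table['LOCAL ASN']}\n bgp router-id {table['LOCAL PRIVATE IP']}\n"
            f" network {table['LOCAL SUBNET']}\n" + fill(BGP_NEIGHBOR_TMPL, a) + fill(BGP_NEIGHBOR_TMPL, b))
    return {
        "/etc/ipsec-tools.conf": fill(SETKEY_TMPL, a) + fill(SETKEY_TMPL, b),
        "/etc/racoon/racoon.conf": fill(RACOON_TMPL, a) + fill(RACOON_TMPL, b),
        "/etc/racoon/psk.txt": fill(PSK_TMPL, a) + fill(PSK_TMPL, b),
        "/etc/quagga/bgpd.conf": bgpd,
    }

def append_secret(path, text):
    """Append to psk.txt without ever leaving it readable by others (racoon rejects that)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)

if __name__ == "__main__":
    if validate(EXAMPLE_VARS):
        raise SystemExit("\n".join(validate(EXAMPLE_VARS)))
    for path, text in render(EXAMPLE_VARS).items():
        print(f"### {path}\n{text}")
```

Run as root on the router server it prints the four fragments keyed by destination file; use append_secret() for psk.txt so the file is created with mode 600 from the start rather than fixed up afterwards.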

Add Interface

Add the inside addresses of the two tunnels to eth0 with the commands below (ip addr add is the full form of ip a a).

ip addr add 169.254.24.250/30 dev eth0    (169.254.24.250/30 = <CONN A LOCAL LINK>)
ip addr add 169.254.24.22/30 dev eth0     (169.254.24.22/30 = <CONN B LOCAL LINK>)

So that the addresses are restored at boot, also add the lines below to /etc/network/interfaces.d/50-cloud-init.cfg, directly after the iface eth0 line. This file is written by cloud-init, so confirm after a reboot that the addresses are still present.

  (TAB)post-up ip addr add 169.254.24.250/30 dev eth0   (169.254.24.250/30 = <CONN A LOCAL LINK>)
  (TAB)post-up ip addr add 169.254.24.22/30 dev eth0    (169.254.24.22/30 = <CONN B LOCAL LINK>)

*(TAB) is the tab key

Running the Service

Once the configuration above is complete, start (or restart) the services.

service setkey restart
service racoon restart
service quagga restart

To verify the connection, check that ping reaches the inside IP address of the tunnel interface on the VPG side for both IPsec Tunnel #1 (<CONN A REMOTE LINK WO 30>) and #2 (<CONN B REMOTE LINK WO 30>). For Tunnel #1 in this example:

PING 169.254.24.249 (169.254.24.249) 56(84) bytes of data.
 64 bytes from 169.254.24.249: icmp_seq=1 ttl=64 time=2.40 ms
 64 bytes from 169.254.24.249: icmp_seq=2 ttl=64 time=2.28 ms

A reply proves that the IPsec tunnel is passing traffic; it does not prove that the BGP session is established, so confirm separately that each neighbor is Established before relying on the routes.
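A ping to the inside address only exercises the IPsec SA; the checks a practitioner wants after the restart are that ESP is mature in both directions for both tunnels (setkey -D) and that both BGP neighbors are Established (vtysh -c "show ip bgp summary"). The script below is an added example, not part of the SORACOM page: it parses those two outputs and reports per tunnel. The sample outputs are constructed to match the formats printed by ipsec-tools and Quagga (tunnel #1 fully up, tunnel #2 with a half-negotiated SA and a BGP session stuck in Active); the addresses are the example values from the table above, and live_status() runs the real commands on the router server.

```python
"""Verify both Door tunnels: ESP SAs mature in both directions and BGP Established."""
import re
import subprocess

LOCAL_PRIVATE_IP = "10.3.0.4"
# tunnel name -> (public IP of the SORACOM endpoint, inside address on the VPG side)
TUNNELS = {
    "Tunnel #1": ("52.68.161.59", "169.254.24.249"),
    "Tunnel #2": ("52.196.231.47", "169.254.24.21"),
}

# Constructed `setkey -D` output: tunnel #1 has a mature SA in each direction,
# tunnel #2 only a half-negotiated (larval) outbound SA.
SAMPLE_SETKEY = """\
10.3.0.4[4500] 52.68.161.59[4500]
\tesp-udp mode=tunnel spi=3961467591(0xec21fac7) reqid=0(0x00000000)
\tE: aes-cbc  0123456789abcdef 0123456789abcdef
\tA: hmac-sha1  0123456789abcdef 0123456789abcdef 01234567
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
52.68.161.59[4500] 10.3.0.4[4500]
\tesp-udp mode=tunnel spi=1107303123(0x41ffc6d3) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
10.3.0.4[4500] 52.196.231.47[4500]
\tesp-udp mode=tunnel spi=0(0x00000000) reqid=0(0x00000000)
\tseq=0x00000000 replay=0 flags=0x00000000 state=larval
"""

# Constructed `show ip bgp summary` output: neighbor #1 Established (the last
# column is a prefix count), neighbor #2 still in the Active state.
SAMPLE_BGP = """\
BGP router identifier 10.3.0.4, local AS number 64512
RIB entries 3, using 336 bytes of memory
Peers 2, using 9120 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.24.249  4 10124     123     125        0    0    0 01:02:03        1
169.254.24.21   4 10124       0       0        0    0    0 never    Active

Total number of neighbors 2
"""

def parse_sa_states(setkey_out):
    """Map (src, dst) of every SA to its state, e.g. ('10.3.0.4', '52.68.161.59') -> 'mature'."""
    states, key = {}, None
    for line in setkey_out.splitlines():
        if line and not line[0].isspace():            # "10.3.0.4[4500] 52.68.161.59[4500]"
            src, dst = line.split()[:2]
            key = (src.split("[")[0], dst.split("[")[0])  # drop the NAT-T port suffix
        elif key is not None:
            m = re.search(r"state=(\w+)", line)
            if m:
                states[key] = m.group(1)
    return states

def parse_bgp_states(bgp_out):
    """Map each neighbor to its State/PfxRcd column; a number there means Established."""
    states, in_table = {}, False
    for line in bgp_out.splitlines():
        if line.startswith("Neighbor"):
            in_table = True
            continue
        if in_table and line.strip():
            fields = line.split()
            if fields[0] == "Total":
                break
            states[fields[0]] = fields[-1]
    return states

def tunnel_status(setkey_out, bgp_out, local_ip=LOCAL_PRIVATE_IP, tunnels=TUNNELS):
    """Per tunnel: is ESP mature in both directions, and is the BGP session Established?"""
    sa, bgp, result = parse_sa_states(setkey_out), parse_bgp_states(bgp_out), {}
    for name, (peer, inside) in tunnels.items():
        ipsec_up = sa.get((local_ip, peer)) == "mature" and sa.get((peer, local_ip)) == "mature"
        result[name] = {"ipsec": ipsec_up, "bgp": bgp.get(inside, "").isdigit()}
    return result

def live_status():
    """Run the real commands on the router server (setkey -D needs root)."""
    setkey_out = subprocess.run(["setkey", "-D"], capture_output=True, text=True, check=True).stdout
    bgp_out = subprocess.run(["vtysh", "-c", "show ip bgp summary"],
                             capture_output=True, text=True, check=True).stdout
    return tunnel_status(setkey_out, bgp_out)

if __name__ == "__main__":
    for name, st in tunnel_status(SAMPLE_SETKEY, SAMPLE_BGP).items():
        print(f"{name}: ipsec={'up' if st['ipsec'] else 'DOWN'} bgp={'up' if st['bgp'] else 'DOWN'}")
```

A tunnel whose ESP is mature but whose BGP column shows Active or Connect usually means the inside /30 addresses were not added to eth0 or the SPD entries for the link addresses are missing; a larval SA means IKE never completed, which is where a wrong pre-shared key or a blocked UDP 500/4500 shows up.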

Configuration for Connecting to Other Subnets

To reach subnets other than the router server’s from your devices (for example a subnet of web servers), you need to configure a route table. Besides the router server, this document assumes a web subnet containing a group of web servers that devices access.

When a device accesses a web server, the traffic from the device is source-NATed at the VPG, so its source IP address becomes an address within the VPG’s network address range (100.65.6.0/24 in the example above). The web subnet’s route table therefore needs to send any traffic destined for this range to the router server.

First, enable IP forwarding on the router server’s network interface. This is the Azure-side setting; the kernel-side net.ipv4.ip_forward was enabled earlier. From the Azure console, select the network interface attached to the router server and open “Settings > IP Address.”

On the IP Address configuration screen, set “IP Forwarding Setting” to “Enabled.”

Also set “Allocation” to “Static,” so that the router server’s private IP address (10.3.0.4 in this example) cannot change; the route you create next uses it as the next hop. With this configuration, traffic from devices can be forwarded to the other servers.

Next, configure routing for the web subnet: create a route table that forwards all traffic destined for the VPG’s network address range to the router server, and apply it to the web servers’ subnet. Follow the steps below to create the route table.

Once these settings have taken effect, you can reach the web servers’ private IP addresses from a device. If the web servers listen on port 80 or similar, also add an inbound rule to the web servers’ network security group that allows that port from the VPG’s network address range (100.65.6.0/24 in this example) rather than from any source.
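The Azure-side settings in this section and in the router server’s “Network Security Group Configuration” section above are the same four things whichever way they are entered: IKE/NAT-T rules on the router’s NSG, IP forwarding on its NIC, a route for the VPG range with the router as next hop, and a web NSG rule scoped to the VPG range. The script below is an added example (not SORACOM’s or Microsoft’s code) that expresses them as Azure CLI commands; the resource names (RG, LOCATION, VNET, NIC, NSG and subnet names) are assumptions, the addresses are the page’s example values, and run() only executes az when dry_run is False.

```python
"""Azure-side settings for the Door router server as Azure CLI (az) commands."""
import subprocess

# Assumed resource names; the addresses are the page's example values.
RG = "door-rg"
LOCATION = "japaneast"
VNET = "door-vnet"
ROUTER_NIC = "router-nic"
ROUTER_NSG = "router-nsg"
ROUTER_PRIVATE_IP = "10.3.0.4"
WEB_SUBNET = "web"
WEB_NSG = "web-nsg"
VPG_RANGE = "100.65.6.0/24"                        # <REMOTE SUBNET>
TUNNEL_PEERS = ["52.68.161.59", "52.196.231.47"]    # <CONN A PUBLIC IP>, <CONN B PUBLIC IP>

def router_nsg_rules(rg=RG, nsg=ROUTER_NSG, peers=TUNNEL_PEERS, router_ip=ROUTER_PRIVATE_IP):
    """Allow IKE (UDP 500) and NAT-T (UDP 4500) only from the two SORACOM tunnel endpoints."""
    cmds = []
    for i, peer in enumerate(peers, start=1):
        cmds.append([
            "az", "network", "nsg", "rule", "create",
            "--resource-group", rg, "--nsg-name", nsg,
            "--name", f"allow-door-ike-{i}", "--priority", str(100 + i),
            "--direction", "Inbound", "--access", "Allow", "--protocol", "Udp",
            "--source-address-prefixes", peer,
            "--destination-address-prefixes", router_ip,
            "--destination-port-ranges", "500", "4500",
        ])
    return cmds

def web_subnet_routing(rg=RG, location=LOCATION, vnet=VNET, subnet=WEB_SUBNET,
                       nic=ROUTER_NIC, router_ip=ROUTER_PRIVATE_IP, vpg_range=VPG_RANGE):
    """Enable IP forwarding on the router NIC, then route the VPG range to it from the web subnet."""
    rt = f"{subnet}-rt"
    return [
        ["az", "network", "nic", "update", "--resource-group", rg, "--name", nic,
         "--ip-forwarding", "true"],
        ["az", "network", "route-table", "create", "--resource-group", rg,
         "--name", rt, "--location", location],
        ["az", "network", "route-table", "route", "create", "--resource-group", rg,
         "--route-table-name", rt, "--name", "to-door-vpg",
         "--address-prefix", vpg_range,
         "--next-hop-type", "VirtualAppliance", "--next-hop-ip-address", router_ip],
        ["az", "network", "vnet", "subnet", "update", "--resource-group", rg,
         "--vnet-name", vnet, "--name", subnet, "--route-table", rt],
    ]

def web_nsg_rule(rg=RG, nsg=WEB_NSG, vpg_range=VPG_RANGE, port="80"):
    """Open the web port to devices only: the source is the VPG's NAT range, not '*'."""
    return [[
        "az", "network", "nsg", "rule", "create",
        "--resource-group", rg, "--nsg-name", nsg,
        "--name", f"allow-door-devices-{port}", "--priority", "110",
        "--direction", "Inbound", "--access", "Allow", "--protocol", "Tcp",
        "--source-address-prefixes", vpg_range,
        "--destination-port-ranges", port,
    ]]

def run(cmds, dry_run=True):
    """Print each command; execute them in order (stopping at the first failure) when asked."""
    for argv in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)

if __name__ == "__main__":
    run(router_nsg_rules() + web_subnet_routing() + web_nsg_rule())
```

The order in web_subnet_routing() matters: IP forwarding must be on before the user-defined route sends traffic to the router, otherwise Azure drops packets whose destination is not the NIC’s own address. The next-hop type is VirtualAppliance because the router is a VM, not an Azure gateway.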
