Connecting from Azure to SORACOM Door
SORACOM Door (“Door”) allows you to establish VPN connections between web sites and SORACOM.
Here we shall explain how you can use SORACOM Door to make a VPN connection from Microsoft Azure (“Azure”).
Run a Virtual Server for VPN Connections on Azure
From the Azure console, run the virtual Linux server that will run as a router (router server).
This document uses Ubuntu Server 16.04 LTS as the virtual machine that runs as the router. Also note that the values below are example values for the virtual network settings on Azure; when you build your own system, replace them with the settings of your own environment.
| Setting | Example value |
| --- | --- |
| Azure Virtual Network Address Range | 10.3.0.0/16 |
| Router Subnet | 10.3.0.0/24 |
| Router Server Local IP Address | 10.3.0.4 |
| Router Server Public IP Address | 188.8.131.52 |
From the Azure console, run the virtual server.
- Click on “Add Virtual Machines.”
- When searching for virtual machines, enter “Ubuntu” and select “Ubuntu Server 16.04 LTS” from the list.
- When selecting the deploy model, choose “Resource Manager.”
- Under “Basic,” enter a server name (any), username, password, subscription, and resource group.
- Under “Size,” select “A0 Standard.”
- For “Settings,” use the default values (if you need to change the subnet, etc. you can do this here).
- Verify the settings summary and then click on “Create.”
After the Linux server has started, verify that you can connect to it over SSH.
Request to Use SORACOM Door
From the Azure console, verify the public IP address that was assigned to the virtual server.
Next, make a request to use SORACOM Door. Usage requests are sent from this page.
When sending the request, you will need to input the following information.
| Request form field | Value to enter |
| --- | --- |
| Vendor name or model number of the VPN gateway device that you plan to use | Microsoft Azure (Ubuntu Server 16.04 LTS) |
| Global IP address to be configured on the VPN gateway device that you will be using (static) | The public IP address verified in the step above |
| If you are using dynamic routing, the AS number | 64512 (any number between 64512 and 65534) |
| If you are using dynamic routing, the IP address range for routing | The Azure virtual network's address range (in this example: 10.3.0.0/16) |
Once the SORACOM configuration is complete, the following information is provided for IPSec Tunnel #1 and #2.
- Encryption information (pre-shared key, encryption format, etc.).
- Connection IP address information (outside and inside IP address data of the tunnel interface).
- BGP information (Virtual Private Gateway’s ASN, etc.).
- VPG network address range.
This information is used to set various configurations on the router server.
Connecting from Linux to Door on Azure
Network Security Group Configuration
Add the following rules to the network security group attached to the router server.
Inbound security rule (UDP 500)
- Source port range: *
- Destination port range: 500
Inbound security rule (TCP 50)
- Source port range: *
- Destination port range: 50
Outbound security rule (ALL)
- Source port range: *
- Destination port range: *
Installation of Required Software
Log in to the router server on Azure and install the required software.
sudo su
apt-get install racoon quagga ipsec-tools
IP Filter and Forwarding Configuration
In order to run the server as a router, you need to change the kernel parameters. Edit /etc/sysctl.conf.
cd /etc
vi sysctl.conf
Set the following parameters (the note in parentheses says whether to uncomment, add, or change the line).
net.ipv4.conf.default.rp_filter=0 (uncomment)
net.ipv4.conf.all.rp_filter=0 (uncomment)
net.ipv4.conf.eth0.rp_filter=0 (add)
net.ipv4.conf.lo.rp_filter=0 (add)
net.ipv4.conf.eth0.disable_policy=1 (add)
net.ipv4.ip_forward=1 (change the value from 0 to 1)
Apply the new settings to the running system.
sysctl -p sysctl.conf
Preparation for IPSec/BGP Configuration
To create the ipsec-tools, racoon, and quagga configuration files, you first need to prepare the various values listed in the table below.
| Placeholder | Example value | Meaning |
| --- | --- | --- |
| <LOCAL PUBLIC IP> | 184.108.40.206 | Public IP address of the router server |
| <LOCAL PRIVATE IP> | 10.3.0.4 | Local IP address of the router server |
| <CONN A PUBLIC IP> | 220.127.116.11 | IPSec Tunnel #1's public IP address |
| <CONN A LOCAL LINK> | 169.254.24.250/30 | Inside IP address of the tunnel interface for IPSec Tunnel #1 on the router server side (Customer Gateway) |
| <CONN A REMOTE LINK> | 169.254.24.249/30 | Inside IP address of the tunnel interface for IPSec Tunnel #1 on the VPG side (Virtual Private Gateway) |
| <CONN A REMOTE LINK WO 30> | 169.254.24.249 | As above, without the /30 |
| <CONN A PSK> | XkqigeaoRuOglouOWmok | IPSec Tunnel #1's Pre-Shared Key |
| <CONN B PUBLIC IP> | 18.104.22.168 | IPSec Tunnel #2's public IP address |
| <CONN B LOCAL LINK> | 169.254.24.22/30 | Inside IP address of the tunnel interface for IPSec Tunnel #2 on the router server side (Customer Gateway) |
| <CONN B REMOTE LINK> | 169.254.24.21/30 | Inside IP address of the tunnel interface for IPSec Tunnel #2 on the VPG side (Virtual Private Gateway) |
| <CONN B REMOTE LINK WO 30> | 169.254.24.21 | As above, without the /30 |
| <CONN B PSK> | Euo3vqxH6zM0gaORmoqpP | IPSec Tunnel #2's Pre-Shared Key |
| <LOCAL SUBNET> | 10.3.0.0/16 | Azure virtual network address range |
| <REMOTE SUBNET> | 100.65.6.0/24 | VPG network address range |
| <LOCAL ASN> | 64512 | Router server's BGP ASN |
| <REMOTE ASN> | 10124 | VPG BGP ASN |
(The templates refer to these placeholders.)
Download each of the files above and replace the placeholders in the templates with the values from the table.
Open /etc/ipsec-tools.conf, copy the created values from “ipsectools Configuration”, add them to the end of the file,and then save the file.
Open /etc/racoon/racoon.conf, copy the created values from “racoon Configuration”, add them to the end of the file, and then save the file.
Next, open /etc/racoon/psk.txt, copy the created values from “racoon PSK Configuration”, add them to the end of the file, and then save the file.
Open /etc/quagga/daemons, and change zebra and bgpd to “yes”.
Create a new /etc/quagga/bgpd.conf file, copy in the created values from “quagga BGP Configuration,” and then save the file.
Create a new /etc/quagga/zebra.conf file, copy in the contents of the file below, and then save the file.
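Before pasting the values into the templates, it is worth checking that the table is internally consistent: the two ends of each tunnel must sit in the same link-local /30, the private ASN must be in the range the request form accepts, and the two subnets must not overlap. The script below is an added example, not part of SORACOM's templates; it uses the sample values from the table above (labelled as constructed) and also derives the “WO 30” entries from the REMOTE LINK values so they cannot be mistyped.

```python
import ipaddress

# Constructed sample values copied from the table above; replace them with
# the values from your own SORACOM Door configuration.
SAMPLE_VARS = {
    "LOCAL PRIVATE IP": "10.3.0.4",
    "CONN A LOCAL LINK": "169.254.24.250/30",
    "CONN A REMOTE LINK": "169.254.24.249/30",
    "CONN B LOCAL LINK": "169.254.24.22/30",
    "CONN B REMOTE LINK": "169.254.24.21/30",
    "LOCAL SUBNET": "10.3.0.0/16",
    "REMOTE SUBNET": "100.65.6.0/24",
    "LOCAL ASN": "64512",
    "REMOTE ASN": "10124",
}

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def check_vars(v):
    """Check the table for consistency and derive the '... WO 30' values.

    Returns (derived, problems); problems is empty when the table is consistent."""
    problems, derived = [], {}
    local = ipaddress.ip_network(v["LOCAL SUBNET"])
    remote = ipaddress.ip_network(v["REMOTE SUBNET"])
    if local.overlaps(remote):
        problems.append("LOCAL SUBNET overlaps REMOTE SUBNET")
    if ipaddress.ip_address(v["LOCAL PRIVATE IP"]) not in local:
        problems.append("LOCAL PRIVATE IP is outside LOCAL SUBNET")
    # The usage request form asks for a private ASN between 64512 and 65534.
    if not 64512 <= int(v["LOCAL ASN"]) <= 65534:
        problems.append("LOCAL ASN must be between 64512 and 65534")
    if v["LOCAL ASN"] == v["REMOTE ASN"]:
        problems.append("LOCAL ASN equals REMOTE ASN (session would be iBGP)")
    for t in ("A", "B"):
        loc = ipaddress.ip_interface(v[f"CONN {t} LOCAL LINK"])
        rem = ipaddress.ip_interface(v[f"CONN {t} REMOTE LINK"])
        hosts = list(loc.network.hosts())
        # Both tunnel-interface addresses must be the two usable hosts of one
        # link-local /30, otherwise the BGP peer will be unreachable.
        if loc.network.prefixlen != 30 or loc.network != rem.network:
            problems.append(f"CONN {t}: LOCAL and REMOTE LINK are not in one /30")
        elif loc.ip == rem.ip or loc.ip not in hosts or rem.ip not in hosts:
            problems.append(f"CONN {t}: LINK addresses are not the two usable hosts")
        if not loc.network.subnet_of(LINK_LOCAL):
            problems.append(f"CONN {t}: LINK addresses are not in 169.254.0.0/16")
        derived[f"CONN {t} REMOTE LINK WO 30"] = str(rem.ip)
    return derived, problems
```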
Add the tunnel addresses to the interface using the commands below (ip a a is the short form of ip addr add).
ip a a 169.254.24.250/30 dev eth0 (169.254.24.250/30 = <CONN A LOCAL LINK>)
ip a a 169.254.24.22/30 dev eth0 (169.254.24.22/30 = <CONN B LOCAL LINK>)
Also, add the lines below to /etc/network/interfaces.d/50-cloud-init.cfg, on the line after iface eth0, so that the addresses are restored whenever the interface comes up.
(TAB)post-up ip a a 169.254.24.250/30 dev eth0 (169.254.24.250/30 = <CONN A LOCAL LINK>)
(TAB)post-up ip a a 169.254.24.22/30 dev eth0 (169.254.24.22/30 = <CONN B LOCAL LINK>)
*(TAB) is the tab key
Running the Service
Once the above configuration is complete, start the services.
service setkey restart
service racoon restart
service quagga restart
To verify the connection, check that ping reaches the inside IP address of the tunnel interface for IPSec Tunnel #1 and #2 on the VPG side.
PING 169.254.25.149 (169.254.25.149) 56(84) bytes of data.
64 bytes from 169.254.25.149: icmp_seq=1 ttl=64 time=2.40 ms
64 bytes from 169.254.25.149: icmp_seq=2 ttl=64 time=2.28 ms
Configuration for Connecting to Other Subnets
To access subnets other than the router server's subnet from your device (e.g. web server subnets), you will need to configure a route table. In addition to the router server, this document also features a web subnet containing a group of web servers, and it is assumed that access to them is performed from a device.
When accessing a web server from a device, the communication from the device is temporarily NATed at the VPG, so the source IP address becomes an IP address within the VPG’s network address range (100.65.6.0/24 in the above example). Hence, the web subnet route table needs to be configured so that any communication sent to this range is routed to the router server.
Firstly, you need to enable the router server’s IP forwarding settings. From the Azure console, select the network interface attached to the router server, and click on “Settings > IP Address.”
On the IP Address configuration screen, set “IP Forwarding Setting” to “Enabled.”
Also, for “Allocation,” select “Static.” This configuration allows you to forward all device communications to other servers.
Next, you need to configure the routing settings for the web subnet. In order to forward all communications sent to the VPG’s network address range to the router server, you create a route table and apply it to the web server’s subnet. Follow the steps below to create a route table.
- Select “Resource Group”
- Click on “Add”
- Search for “route table” and click on “Create”
- Enter a name (any), and configure appropriate settings for subscription, resource group, and location.
- Once complete, select “Settings > Routes”
- Click on “Add,” enter a route name (any) and an address prefix (VPG’s network address range, 100.65.6.0/24 in the above example), set Next Hop Type to “Virtual Appliance” and Next Hop Address to the router server’s local IP address (10.3.0.4 in the above example), and click on “OK”
- Select the subnet and click on “Add Connections”
- Select the virtual network and web subnet, and click on “OK”
Once the above settings have taken effect, you will be able to access the web server's private IP address from a device. If the web server listens on port 80 or similar, also make sure to allow that port in the web server's network security group.