Barracuda SecureEdge

How to Configure an IPsec IKEv2 Site-to-Site VPN to the Static Microsoft Azure VPN Gateway


You can configure your local Barracuda SecureEdge appliances to connect to the static IPsec VPN gateway service in the Microsoft Azure cloud using an IKEv2 IPsec VPN tunnel.


Before You Begin

  • Create and configure a Microsoft Azure static VPN gateway for your virtual network.
  • You will need the following information:
    • VPN gateway
    • External IP address for the Barracuda SecureEdge appliance
    • Remote and local networks

Requirements and Limitations

  • When creating general settings for an IPsec tunnel on the SecureEdge appliance, you must disable the Initiates field for your connected Barracuda-hosted Edge Service or Edge Service for vWAN. However, you can enable the Initiates field for your connected Site or Private Edge Service.

Step 1. Create a Virtual Network and Subnet

Create a virtual network in the Microsoft Azure cloud. Choose subnets that are not present in your local networks to avoid IP address conflicts.

  1. Log into your Azure Portal (https://portal.azure.com).
  2. Search for Virtual networks.
  3. Next to the Virtual networks entry, click + / Create to create a new network.
    The Virtual network window opens.
  4. Select Virtual network and click Create.
  5. Select Virtual network and click Create.
  6. The Create virtual network window opens. In the Basics window, select your Subscription.
  7. Select the Resource group for the virtual network, or create a new resource group.
  8. Enter a descriptive Name for the virtual network. E.g., VNet1.
  9. Select the Region your network resides in.
  10. Click Next.
  11. Click the IP addresses tab.
  12. Define the address space of your virtual network, e.g., 172.16.0.0/16. (By default, an address space is automatically created.)
  13. Click Add subnet:

    • Name – Enter a name for the subnet, e.g., subnet-VNet1

    • Starting address – Enter the first IP address of the IP range for the subnet. E.g., 172.16.1.0

    • Size – Select the subnet mask from the list. E.g., /24 for 256 IP addresses.


  14. Click Add.
  15. Review the IP addresses page and remove address spaces and subnets that you do not need.

  16. Select Review + create to validate the virtual network settings.

  17. Select Create to create the virtual network.

Step 2. Create a Gateway Subnet

The gateway subnet resides in the IP address range of the virtual network and contains the IP addresses used by the virtual network gateway resources and services.

  1. Go to your virtual network.
  2. In the left menu, select Subnets.
  3. The Subnets window opens. Click + Gateway Subnet.
  4. In the Add a subnet window, adjust the IP address range value:
    • Starting IP – Enter the first IP for the gateway subnet. E.g., 172.16.254.0
    • Size – Select the subnet mask from the list. E.g., /27 for 32 IP addresses. Note: It is recommended that you create a gateway subnet that uses a /27 (or larger), for example, /27 or /26. For more information, see Microsoft Azure - create a gateway subnet.

  5. Click Add.
  6. Click Save to save the subnet.

The Azure Virtual Network you have just created is now listed in the network menu in the Azure management interface.

Step 3. Create a VPN Gateway

Create the Azure virtual network gateway.

Creating a virtual network gateway can take 45 minutes or more, depending on the selected gateway SKU.

  1. Log into your Microsoft Azure Portal (https://portal.azure.com).
  2. Search for Virtual network gateways.
  3. Next to the Virtual network gateways entry, click + / Create to create a new VPN gateway.
    The Create virtual network gateway window opens.
  4. In the Basics tab, configure the following settings:
    • Subscription – Select your subscription.

    • Name – Enter a descriptive name for the VPN gateway.
    • Region – Select the region your network resides in.
    • Gateway type – Select VPN.
    • SKU – Select VpnGw2.
    • Generation – Select Generation 2.

      Selection of gateway SKU and Generation depends on your tunnel requirements. For a list of options, see Gateway SKUs by tunnel, connection, and throughput in the Microsoft Azure documentation.


    • Virtual network – Select the virtual network created in Step 1.
    • Subnet – The gateway subnet created in Step 2 is auto-selected.
    • Public IP address – Select Create new.

    • Public IP address name – Enter a name for your public IP address instance.

    • Availability zone – Select Zone-redundant, unless you know you want to specify a zone.

    • Enable active-active mode – Select Disabled.

    • Configure BGP – Select Disabled.

  5. Select Review + create to validate the settings.

  6. Select Create to create the virtual network gateway.

On the Overview page of your virtual network gateway, you can see the deployment status for your gateway. After the gateway is created successfully, you can obtain the public IP addresses of the VPN gateway. Note: These public IP addresses are needed to configure your on-premises SecureEdge appliance.

View Public IP Address

To view public IP addresses associated with your virtual network gateway:

  1. Go to your VPN gateway that you created in Step 3. For example, in this case MyVPNgateway.

  2. In the left menu, go to Settings > Properties.

  3. Make a note of the public IP. To view more information about the IP address, click the associated IP address link. E.g., Public IP address 20.31.67.158 (VNet1GWpip1).

Step 4. Create a Local Network Gateway

The local network gateway is the description of your Barracuda SecureEdge appliance in Azure. To configure a local network gateway:

  1. Log into your Azure Portal (https://portal.azure.com).

  2. Search for Local network gateways. Next to the Local network gateways entry, click + / Create to create a new local network gateway.

  3. The Create local network gateway window opens.

  4. In the Basics tab, specify the values for your local network gateway.

    • Region – Select the region.

    • Name – Enter a name for your local network gateway object.

    • Endpoint – Select the endpoint type for the on-premises SecureEdge appliance. You can choose between IP address or FQDN (Fully Qualified Domain Name). In this case, select IP address.

    • IP address – Enter the public IP address of your local gateway. 

  5. Select Next: Advanced.

  6. In the Advanced tab, specify the values for the BGP settings.

    • Configure BGP settings – Set to No.


  7. Select Review + create.

  8. Select Create to create the local network gateway. 


Step 5. Create the VPN Connection

  1. Go to your virtual network gateway.

  2. In the left menu, select Connections.

  3. The Connections window opens. At the top of the Connections page, click +Add.

  4. In the Basics tab, specify the values for your connections.

    • Connection type – Select Site-to-site (IPsec).

    • Name – Enter the name for this connection.

    • Region – Select the region for this connection.


  5. Select Next: Settings.

  6. In the Settings tab, specify the values for the following:

    • Virtual network gateway – Select the virtual network gateway from the drop-down list.

    • Local network gateway – Select the local network gateway from the drop-down list.

    • Authentication Method – Select Shared Key (PSK).
    • Shared key – Enter the key value. Note: The key value must match the key value that you used for your local on-premises SecureEdge appliance.

    • IKE Protocol – Select IKEv2.

    • IPsec/IKE policy – Select Default.

    • DPD timeouts in seconds – Enter the Dead Peer Detection value, e.g., 45.

    • Connection Mode – Select Default.

  7. Select Review + create.

  8. Select Create to create the connection.

  9. On the Overview page of your connection, you can see the deployment status for your VPN connection.
    In addition, you can verify the deployment status of your VPN connection under Settings > Connections.


Step 6. Configure an IPsec Site-to-Site VPN on SecureEdge 

  1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

  2. In the left menu, click the Tenants/Workspaces icon and select the workspace you want to configure the IPsec IKEv2 tunnel for.
  3. Go to Integration > IPsec VPN. The IPsec VPN page opens. To add a tunnel, click Add an IPsec Connection.


  4. The Create IPsec Tunnel window opens. 
    • In the General tab, specify values for the following:
      • Enable – Click to enable.
      • Initiates – Click to disable.
    • In the GENERAL INFORMATION section, specify values for the following:
      • Name – Enter a unique tunnel name. E.g., SEAzureVPNGateway
      • Description – Enter a brief description.
    • In the AUTHENTICATION section, specify values for the following: 
      • Authentication – Select Pre-shared key.
      • Shared Secret – Enter the same Shared Key you entered when creating the VPN connection on Azure.



  5. Click Next.
  6. In the Source/Destination tab, specify values for the following:
    • Enable BGP – Click to disable.
    • In the SOURCE section, specify values for the following:
      • Type – Select Edge Service.
      • Peer – Select the peer. E.g., Campus, an Edge Service.
      • Local ID – Enter West-Europe-WAN1.
      • Network Addresses – Enter your local on-premises network. E.g., 10.10.200.0/24. Note: You must enter a valid network address in CIDR format.
    • In the DESTINATION section, specify values for the following:
      • Remote Gateway – Enter the gateway IP address of the Azure VPN Gateway created in Step 3. E.g., 20.31.67.158
      • Remote ID – Enter the gateway IP address of the Azure VPN Gateway created in Step 3. E.g., 20.31.67.158
      • Network Addresses – Enter the Azure subnet(s) configured in the Azure Virtual Network. E.g., 172.16.1.0/24. Note: You must enter a valid network address in CIDR format.
  7. Click Next.
  8. In the Phases tab, enter the Phase1 and Phase2 encryption settings:
    • PHASE 1
      • Encryption – Select AES256.
      • Hash – Select SHA256.
      • DH-Group – Select Group 2.
      • Proposal Handling – Select Strict
      • Lifetime – Enter 28800
    • PHASE 2
      • Encryption – Select AES256.
      • Hash – Select SHA256.
      • DH-Group – Select Disable PFS.
      • Proposal Handling – Select Strict
      • Lifetime – Enter 3600
      • Traffic Volume Enabled – Click to disable.
  9. Click Next.
  10. In the Network tab, specify the values for the following:
    In the NETWORK SETTINGS section, specify the values for the following: 
    • One VPN Tunnel Per Subnet Pair – Click to enable.
    • Universal Traffic Selectors – Click to enable.  
    • Force UDP Encapsulation – Click to enable.  
    • IKE Reauthentication – Click to disable. 

    In the DEAD PEER DETECTION section, specify the values for the following: 
    • Action When Detected – Select Restart.
    • Delay – Enter 45.
  11. Click Save.
  12. Verify that your IPsec tunnel configuration has been created successfully and click Finish.

After the configuration is complete, the new IPsec tunnel is shown on the IPsec VPN page, where you can verify the status of its fields (e.g., Enabled).

Your Barracuda SecureEdge appliance will now automatically connect to the Azure VPN Gateway.
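
If the tunnel does not come up, the usual causes are a mismatch between the values entered on the two sides or an address conflict. The following Python check is an added example, not Barracuda or Microsoft code; the function name, the dictionary keys and the sample shared key are assumptions made for illustration, while the network and IP values are the examples used on this page.

```python
import hmac
import ipaddress

# Example values from this page; the pre-shared keys are constructed placeholders.
PAGE_EXAMPLE = {
    "vnet": "172.16.0.0/16", "azure_subnet": "172.16.1.0/24",
    "gateway_subnet": "172.16.254.0/27", "onprem": "10.10.200.0/24",
    "azure_gateway_ip": "20.31.67.158", "se_remote_gateway": "20.31.67.158",
    "se_remote_id": "20.31.67.158",
    "azure_psk": "constructed-sample-key", "se_psk": "constructed-sample-key",
}

def check_tunnel_plan(plan):
    """Return a list of problems in a tunnel plan; an empty list means consistent."""
    problems, nets = [], {}
    for key in ("vnet", "azure_subnet", "gateway_subnet", "onprem"):
        try:
            # strict=True rejects host bits: 172.16.1.5/24 is not a network address
            nets[key] = ipaddress.ip_network(plan[key], strict=True)
        except ValueError as exc:
            problems.append(f"{key}: not a valid CIDR network address ({exc})")
    if len(nets) == 4:
        vnet, gw, onprem = nets["vnet"], nets["gateway_subnet"], nets["onprem"]
        for key in ("azure_subnet", "gateway_subnet"):
            n = nets[key]
            if n.version != vnet.version or not n.subnet_of(vnet):
                problems.append(f"{key} {n} is outside the VNet address space {vnet}")
        if gw.prefixlen > 27:
            problems.append(f"gateway_subnet {gw} is smaller than the recommended /27")
        if gw.overlaps(nets["azure_subnet"]):
            problems.append("gateway_subnet overlaps azure_subnet")
        if onprem.overlaps(vnet):
            problems.append(f"on-premises network {onprem} conflicts with VNet {vnet}")
    # The page sets SecureEdge Remote Gateway and Remote ID to the Azure gateway IP.
    for key in ("se_remote_gateway", "se_remote_id"):
        if plan[key] != plan["azure_gateway_ip"]:
            problems.append(f"{key} does not match the Azure gateway public IP")
    # Compare the shared keys without echoing either secret into the report.
    if not hmac.compare_digest(plan["azure_psk"].encode(), plan["se_psk"].encode()):
        problems.append("shared key differs between Azure and SecureEdge")
    return problems

if __name__ == "__main__":
    for line in check_tunnel_plan(PAGE_EXAMPLE) or ["plan is consistent"]:
        print(line)
```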


Verify the VPN Connection

In the Azure portal, you can see the connection status of a VPN gateway:

  1. Go to your virtual network gateway.

  2. In the left menu, select Connections.

  3. The Connections window opens. You can see the status of the connection. The status is Connected after you make a successful connection.

Further Information