Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure an IKEv2 IPsec Site-to-Site VPN to a Route-Based Microsoft Azure VPN Gateway


To connect to your Azure virtual network with your on-premise F-Series Firewall, Microsoft offers the Azure VPN Gateway in two different versions: static and route-based. The route-based VPN Gateway allows connection for up to 10 on-premise firewalls. To connect to the VPN Gateway, configure an IPsec IKEv2 site-to-site VPN tunnel on your F-Series Firewall. The F-Series Firewall must be configured as the active partner. The following instructions are for Azure Resource Manager deployments.



Before You Begin

  • You will need the following information:
    • VPN Gateway
    • Public IP address of your on-premise F-Series Firewall
    • Remote and local networks.
  • Install and Configure Azure PowerShell 1.0.1 or higher.

Step 1. Create a Dynamic Microsoft Azure VPN Gateway using Azure Resource Manager and PowerShell

Use Azure PowerShell to create a route-based VPN Gateway.

  1. Open Azure PowerShell.
  2. Connect to your Azure account:

    Login-AzureRmAccount
  3. Enter your Azure account credentials and click Login.
  4. Create a Resource Group:

    New-AzureRmResourceGroup -Name YOUR_RESOURCE_GROUP -Location YOUR_LOCATION
  5. Create the network configuration for the VPN gateway subnet and two Azure subnets.

    $vpnsubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix GATEWAY_SUBNET_PREFIX
    $subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name 'Subnet1' -AddressPrefix SUBNET1_PREFIX
    $subnet2 = New-AzureRmVirtualNetworkSubnetConfig -Name 'Subnet2' -AddressPrefix SUBNET2_PREFIX
  6. Create the virtual network:

    New-AzureRmVirtualNetwork -Name VNET_NAME -ResourceGroupName YOUR_RESOURCE_GROUP -Location YOUR_LOCATION -AddressPrefix VNET_ADDRESS_PREFIX -Subnet $vpnsubnet,$subnet1,$subnet2
  7. Create the local VPN Gateway configuration. Use the public IP address your firewall is using to connect to the Azure VPN Gateway.

    New-AzureRmLocalNetworkGateway -Name OnPremiseVPNGateway -ResourceGroupName YOUR_RESOURCE_GROUP -Location YOUR_LOCATION -GatewayIpAddress YOUR_PUBLIC_IP -AddressPrefix @('LOCAL_SUBNET1','LOCAL_SUBNET2')
  8. Create an Azure public IP address and store it in a variable for later use. 

    $gwpip = New-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName YOUR_RESOURCE_GROUP -Location YOUR_LOCATION -AllocationMethod Dynamic

  9. Create variables for virtual network, VPN subnet, and gateway IP configuration.

    $vnet = Get-AzureRmVirtualNetwork -Name VNET_NAME -ResourceGroupName YOUR_RESOURCE_GROUP
    $vpnsubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
    $gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $vpnsubnet.Id -PublicIpAddressId $gwpip.Id
  10. Create the route-based (dynamic) VPN Gateway attached to the virtual network:

    New-AzureRmVirtualNetworkGateway -Name VNET_GW_NAME -ResourceGroupName YOUR_RESOURCE_GROUP -Location YOUR_LOCATION -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased
  11. Create the VPN connection:

    $gateway1 = Get-AzureRmVirtualNetworkGateway -Name VNET_GW_NAME -ResourceGroupName YOUR_RESOURCE_GROUP
    $local = Get-AzureRmLocalNetworkGateway -Name OnPremiseVPNGateway -ResourceGroupName YOUR_RESOURCE_GROUP
    New-AzureRmVirtualNetworkGatewayConnection -Name localtovpn -ResourceGroupName YOUR_RESOURCE_GROUP -Location YOUR_LOCATION -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local -ConnectionType IPsec -RoutingWeight 10 -SharedKey YOUR_PASSPHRASE

Creating the VPN connection may take a couple of minutes. You can now configure the on-premise firewall to connect to the Azure VPN Gateway.

Step 2. Get the VPN Gateway Public IP Address

Get the public IP address allocated for the Azure VPN gateway.

  1. Open Azure PowerShell.
  2. Get the IP address assigned to the VPN gateway:

    Get-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName YOUR_RESOURCE_GROUP
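Steps 1 and 2 combined into a single AzureRM PowerShell script, added here as an example; it is not the page's own code. Every UPPER_CASE value is a placeholder assumed for this example and must be replaced, and the address prefixes in the comments are constructed. Beyond the step-by-step commands it adds two things a practitioner wants: a pre-shared key taken from the operating system's random number generator instead of a typed passphrase, and a status read on the connection object once the firewall side is configured.

```powershell
# Added example, not from the original page: Steps 1 and 2 as one AzureRM (1.x) script.
# Every UPPER_CASE value is a placeholder to replace; the prefixes in comments are constructed.
$rg          = 'YOUR_RESOURCE_GROUP'
$location    = 'YOUR_LOCATION'
$vnetName    = 'VNET_NAME'
$gwName      = 'VNET_GW_NAME'
$firewallIp  = 'YOUR_PUBLIC_IP'                     # public IP of the on-premise F-Series Firewall
$localNets   = @('LOCAL_SUBNET1', 'LOCAL_SUBNET2')  # e.g. '10.10.1.0/24', '10.10.2.0/24'
$vnetPrefix  = 'VNET_ADDRESS_PREFIX'                # e.g. '10.1.0.0/16'
$gwSubnetPfx = 'GATEWAY_SUBNET_PREFIX'              # e.g. '10.1.255.0/27' (must lie inside $vnetPrefix)
$subnet1Pfx  = 'SUBNET1_PREFIX'                     # e.g. '10.1.1.0/24'
$subnet2Pfx  = 'SUBNET2_PREFIX'                     # e.g. '10.1.2.0/24'

# Pre-shared key: 32 bytes from the OS CSPRNG, hex-encoded (64 printable characters),
# instead of a human-chosen passphrase. Record it in a secrets store; it is entered once
# more on the firewall as the Shared Secret in Step 3.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$psk = ($keyBytes | ForEach-Object { $_.ToString('x2') }) -join ''

Login-AzureRmAccount

New-AzureRmResourceGroup -Name $rg -Location $location

# Subnets: Azure requires the gateway subnet to be named exactly 'GatewaySubnet'.
$vpnsubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gwSubnetPfx
$subnet1   = New-AzureRmVirtualNetworkSubnetConfig -Name 'Subnet1' -AddressPrefix $subnet1Pfx
$subnet2   = New-AzureRmVirtualNetworkSubnetConfig -Name 'Subnet2' -AddressPrefix $subnet2Pfx

New-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix $vnetPrefix -Subnet $vpnsubnet, $subnet1, $subnet2

# The "local network gateway" is Azure's object for the on-premise side: the firewall's
# public IP and the networks behind it that Azure routes into the tunnel.
New-AzureRmLocalNetworkGateway -Name OnPremiseVPNGateway -ResourceGroupName $rg `
    -Location $location -GatewayIpAddress $firewallIp -AddressPrefix $localNets

$gwpip = New-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName $rg -Location $location `
    -AllocationMethod Dynamic

$vnet       = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$vpnsubnet  = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwipconfig1 `
    -SubnetId $vpnsubnet.Id -PublicIpAddressId $gwpip.Id

# Route-based gateway. This is a long-running operation; the cmdlet returns when
# provisioning has finished, which Azure documents as taking up to 45 minutes.
New-AzureRmVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $location `
    -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased

$gateway1 = Get-AzureRmVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
$local    = Get-AzureRmLocalNetworkGateway -Name OnPremiseVPNGateway -ResourceGroupName $rg
New-AzureRmVirtualNetworkGatewayConnection -Name localtovpn -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
    -ConnectionType IPsec -RoutingWeight 10 -SharedKey $psk

# Step 2: a dynamically allocated public IP is only assigned once the gateway exists,
# so read it now. This is the Remote Gateway address for the firewall in Step 3.12.
$azureGwIp = (Get-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName $rg).IpAddress
"Azure VPN Gateway IP : $azureGwIp"
"Pre-shared key       : $psk"

# Once Steps 3 and 4 are done on the firewall, ConnectionStatus should move from
# NotConnected/Connecting to Connected. If it never does, the IKEv2 proposals, the
# traffic selectors or the shared key do not match between the two peers.
(Get-AzureRmVirtualNetworkGatewayConnection -Name localtovpn -ResourceGroupName $rg).ConnectionStatus
```

Run the script once in an Azure PowerShell session; the final line can be re-run on its own while troubleshooting the firewall side, since it only reads the connection object.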

Step 3. Configure IPsec IKEv2 Site-to-Site VPN on the F-Series Firewall

Configure a site-to-site IKEv2 VPN tunnel on the F-Series Firewall. The firewall is configured as the active partner.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > Site to Site .
  2. Click the IPSEC IKEv2 Tunnels tab.
  3. Click Lock.
  4. Right-click the table and select New IKEv2 tunnel. The IKEv2 Tunnel window opens.
  5. In the IKEv2 Tunnel Name field, enter your tunnel name.
  6. Set Initiates Tunnel to Yes.
  7. Set Restart Child on close to Yes.
  8. Configure the Authentication settings:
    • Authentication Method – Select Pre-shared key.
    • Shared Secret – Enter the passphrase you used when creating the virtual network gateway connection in Step 1.11.
  9. Configure the Phase 1 encryption settings:
    • Encryption – Select AES-256.
    • Hash Meth. – Select SHA.
    • DH Group – Select Group 2.
    • Lifetime – Enter 28800.
  10. Configure the Phase 2 encryption settings:
    • Encryption – Select AES-256.
    • Hash Meth. – Select SHA.
    • DH Group – Select Disable PFS.
    • Lifetime – Enter 3600.
  11. Configure the Local Network settings:
    • Local Gateway – Enter the public IP address the Azure VPN Gateway connects to, or the dynamic-address placeholder if your firewall uses a dynamic IP address.
    • Network Address – Enter your local on-premise networks and click Add.
  12. Configure the Remote Network settings:
    • Remote Gateway – Enter the Gateway IP Address of the Azure VPN Gateway obtained in Step 2.
    • Network Address Enter the Azure subnet(s) configured in the Azure Virtual Network and click Add.
  13. Click OK.
  14. Click Send Changes and Activate.

Step 4. Create an Access Rule

Create a pass access rule to allow traffic from the local network to the remote network.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Firewall Rules. 
  2. Click Lock.
  3. Create a PASS access rule:
    • Bi-Directional – Enable.
    • Source  – Select the local on-premise network(s). 
    • Service – Select the service you want to have access to the remote network, or select ALL for complete access. 
    • Destination – Select the network object containing the remote Azure Virtual Network subnet(s).
    • Connection Method – Select No Src NAT.
  4. Click OK.
  5. Move the access rule up in the rule list, so that it is the first rule to match the firewall traffic.
  6. Click Send Changes and Activate.

Your Barracuda NextGen Firewall F-Series will now automatically connect to the Azure VPN Gateway.

