Barracuda SecureEdge

How to Configure an IPsec IKEv2 Site-to-Site VPN to the Static Microsoft Azure VPN Gateway

You can configure your local Barracuda SecureEdge appliances to connect to the static IPsec VPN gateway service in the Microsoft Azure cloud using an IKEv2 IPsec VPN tunnel.


Before You Begin

  • Create and configure a Microsoft Azure static VPN gateway for your virtual network.
  • You will need the following information:
    • VPN gateway
    • External IP address for the Barracuda SecureEdge appliance
    • Remote and local networks

Step 1. Create a Network in the Microsoft Azure Cloud

Create a virtual network in the Microsoft Azure cloud. Choose subnets that are not present in your local networks to avoid IP address conflicts.

  1. Log into your Windows Azure Management Portal (https://portal.azure.com).
  2. Search for Virtual networks.
  3. Next to the Virtual networks entry, click + / Create to create a new network.
    The Virtual network window opens.
  4. Select Virtual network and click Create.
  5. The Create virtual network window opens. In the Basics window, select your Subscription.
  6. Select the Resource group for the virtual network, or create a new resource group.
  7. Enter a descriptive Name for the virtual network.
  8. Select the Region your network resides in.
  9. Click NEXT.
  10. Click the IP addresses tab.
  11. Define the address space of your virtual network. (By default, an address space is automatically created.)
  12. Click Add subnet:

    • Name – Enter a name for the subnet.

    • Starting address – Enter the first IP address of the IP range for the subnet. E.g., 10.10.201.0

    • Size – Select the subnet mask from the list. E.g., /24 for 256 IP addresses.

  13. Click Add.
  14. Review the IP addresses page and remove address spaces and subnets that you do not need.

  15. Select Review + create to validate the virtual network settings.

  16. Select Create to create the virtual network.

Step 2. Create a Gateway Subnet

The gateway subnet resides in the IP address range of the virtual network and contains the IP addresses used by the virtual network gateway resources and services.

  1. Go to your virtual network.
  2. In the left menu, select Subnets.
  3. The Subnets window opens. Click + Gateway subnet.
  4. In the Add subnet window, adjust the IP address range value:
    • Starting IP – Enter the first IP for the gateway subnet. E.g., 10.10.101.0
    • Size – Select the subnet mask from the list. E.g., /27 for 32 IP addresses.
  5. Click Add.
  6. Click Save to save the subnet.

The Azure Virtual Network you have just created is now listed in the network menu in the Azure management interface.
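
The address rules from Steps 1 and 2 (Azure subnets must not collide with local networks, and the gateway subnet must lie inside the virtual network's address space) can be checked before anything is created in the portal. The following is an added example, not Barracuda or Microsoft tooling; the function name, the subnet label and the 10.10.0.0/16 address space are assumptions, the other values are the examples used on this page.

```python
import ipaddress

def check_address_plan(vnet_space, azure_subnets, gateway_subnet, local_networks):
    """Return a list of problems in a site-to-site address plan (empty = OK)."""
    space = [ipaddress.ip_network(n) for n in vnet_space]
    local = [ipaddress.ip_network(n) for n in local_networks]
    subnets = {name: ipaddress.ip_network(n) for name, n in azure_subnets.items()}
    subnets["gateway subnet"] = ipaddress.ip_network(gateway_subnet)

    problems = []
    for name, net in subnets.items():
        # Step 2: every subnet, the gateway subnet included, must sit inside
        # the address space of the virtual network.
        if not any(net.subnet_of(s) for s in space):
            problems.append(f"{name} {net} is outside the virtual network address space")
        # Step 1: Azure subnets must not collide with on-premises networks.
        for lan in local:
            if net.overlaps(lan):
                problems.append(f"{name} {net} overlaps local network {lan}")
    # Subnets inside the virtual network must not overlap each other.
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{a} {subnets[a]} overlaps {b} {subnets[b]}")
    return problems

if __name__ == "__main__":
    # Example values from this page; 10.10.0.0/16 is an assumed address space.
    result = check_address_plan(["10.10.0.0/16"], {"subnet1": "10.10.201.0/24"},
                                "10.10.101.0/27", ["10.14.40.0/24"])
    for line in result or ["address plan OK"]:
        print(line)
```
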

Step 3. Create a VPN Gateway

Create the Azure virtual network gateway.

Creating a virtual network gateway can take 45 minutes or more, depending on the selected gateway SKU.

  1. Log into your Windows Azure Management Portal (https://portal.azure.com).
  2. Search for Virtual network gateways.
  3. Click + Create to create a new VPN gateway.
    The Create virtual network gateway window opens.
  4. In the Basics tab, configure the following settings:
    • Name – Enter a descriptive name for the VPN gateway.
    • Region – Select the region your network resides in.
    • Gateway type – Select VPN.
    • SKU – Select VpnGw2.
    • Generation – Select Generation 2.

      Selection of gateway SKU and Generation depends on your tunnel requirements. For a list of options, see Gateway SKUs by tunnel, connection, and throughput in the Microsoft Azure documentation.


    • Virtual network – Select the virtual network created in Step 1.
    • Gateway subnet address range – Select the address range of the gateway subnet.
    • Public IP address – Select the external IP address of the Barracuda SecureEdge appliance running the VPN service.
  5. Select Review + create to validate the settings.

  6. Select Create to create the virtual network gateway.

When the color of the gateway turns blue, the gateway has been successfully created. The gateway IP is now displayed below the VPN gateway image.

Step 4. Configure an IPsec Site-to-Site VPN on the SecureEdge

  1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

  2. In the left menu, click the Tenants/Workspaces icon and select the workspace you want to configure the IPsec IKEv2 tunnel for.
  3. Go to Integration > IPsec VPN. The IPsec VPN page opens. To add a tunnel, click Add IPsec Tunnel.

  4. The Create IPsec Tunnel window opens. 
    • In the General tab, specify values for the following:
      • Enable – Click to enable.
      • Initiates – Click to enable.
    • In the GENERAL INFORMATION section, specify values for the following:
      • Name – Enter a unique tunnel name. E.g., SEAzureVPNGateway
      • Description – Enter a brief description.
    • In the AUTHENTICATION section, specify values for the following: 
      • Authentication – Select Pre-shared key.
      • Shared Secret – Enter the Azure Manage Key passphrase.

  5. Click Next.
  6. In the Source/Destination tab, specify values for the following:
    • Enable BGP – Click to disable.
    • In the SOURCE section, specify values for the following:
      • Type – Select Edge Service or Site.
      • Peer – Select the peer. E.g., Austria, a Private Edge Service.
      • WAN Interface – Select Wan1. Note: Wan1 is a static WAN interface, and the Primary Address 15.45.125.5 is selected.
      • Address – Select 15.45.125.5
      • Local ID – Enter West-Europe-WAN1.
      • Network Addresses – Enter your local on-premises network. E.g., 10.14.40.0/24
    • In the DESTINATION section, specify values for the following:
      • Remote Gateway – Enter the gateway IP address of the Azure VPN Gateway created in Step 3. E.g., 51.124.190.179
      • Remote ID – Enter the gateway IP address of the Azure VPN Gateway created in Step 3. E.g., 51.124.190.179
      • Network Address – Enter the Azure subnet(s) configured in the Azure Virtual Network. E.g., 10.10.201.0/24
  7. Click Next.
  8. In the Phases tab, enter the Phase1 and Phase2 encryption settings:
    • PHASE 1 
      • Encryption – Select AES256.
      • Hash – Select SHA256.
      • DH-Group – Select Group 2.
      • Proposal Handling – Select Strict
      • Lifetime – Enter 28800
    • PHASE 2 
      • Encryption – Select AES256.
      • Hash – Select SHA256.
      • DH-Group – Select Disable PFS.
      • Proposal Handling – Select Strict
      • Lifetime – Enter 3600
      • Traffic Volume Enabled – Click to disable.
  9. Click Next.
  10. In the Network tab, specify the values for the following:
    In the NETWORK SETTINGS section, specify the values for the following: 
    • One VPN Tunnel Per Subnet Pair – Click to enable.
    • Universal Traffic Selectors – Click to enable.  
    • Force UDP Encapsulation – Click to enable.  
    • IKE Reauthentication – Click to disable. 

    In the DEAD PEER DETECTION section, specify the values for the following: 
    • Action When Detected – Select Restart.
    • Delay – Enter 1800
  11. Click Save.
  12. Verify that your IPsec tunnel configuration has been created successfully and click Finish.

Your Barracuda SecureEdge will now automatically connect to the Azure VPN Gateway.
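
The Phase 1 and Phase 2 values in Step 4 determine how strong the tunnel's key exchange is, independently of the AES256 cipher. The following is an added example, not Barracuda or Microsoft code: it audits the page's example proposal against an assumed 112-bit baseline, using the comparable-strength figures from NIST SP 800-57 Part 1. The dictionary layout, the function name and the baseline are assumptions.

```python
# IKEv2 DH group number -> (description, approximate security strength in bits).
# Strengths follow the comparable-strength table in NIST SP 800-57 Part 1.
DH_STRENGTH = {
    2: ("1024-bit MODP", 80),
    14: ("2048-bit MODP", 112),
    15: ("3072-bit MODP", 128),
    19: ("256-bit ECP", 128),
    20: ("384-bit ECP", 192),
    21: ("521-bit ECP", 256),
}
CIPHER_BITS = {"AES256": 256}  # only the option named on this page
MIN_STRENGTH = 112             # assumed baseline for this example

# Constructed from the example values in Step 4; None stands for "Disable PFS".
PAGE_TUNNEL = {
    "phase1": {"encryption": "AES256", "hash": "SHA256", "dh_group": 2, "lifetime": 28800},
    "phase2": {"encryption": "AES256", "hash": "SHA256", "dh_group": None, "lifetime": 3600},
}

def audit_tunnel(tunnel):
    """Return (setting, message) findings for an IKEv2 proposal."""
    findings = []
    for name in ("phase1", "phase2"):
        phase = tunnel[name]
        cipher = CIPHER_BITS.get(phase["encryption"])
        if cipher is None:
            findings.append((f"{name}.encryption", "cipher not known to this check"))
            continue
        if phase["dh_group"] is None:
            # Without PFS the Child SA keys come from the IKE SA's key material;
            # no new Diffie-Hellman exchange happens at rekey.
            findings.append((f"{name}.dh_group",
                             "PFS disabled: Child SA keys depend on the Phase 1 key exchange"))
            continue
        desc, ke_bits = DH_STRENGTH.get(phase["dh_group"], ("unknown group", 0))
        effective = min(cipher, ke_bits)  # the weaker of cipher and key exchange
        if effective < MIN_STRENGTH:
            findings.append((f"{name}.dh_group",
                             f"{desc} limits {phase['encryption']} to about {effective}-bit strength"))
    return findings

if __name__ == "__main__":
    for setting, message in audit_tunnel(PAGE_TUNNEL):
        print(f"{setting}: {message}")
```

Any group selected here also has to be offered by the peer, since both phases use strict proposal handling.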