I would like to be able to setup multiple Azure Virtual Networks, connect them together and also allow multiple On-Premises VPN routers to connect in to those Virtual Networks. Below is how I plan on setting up the networks.
Datacenter Virtual Network:
    172.16.250.0/24    address space
    172.16.250.0/25    subnet-1
    172.16.250.128/29  gateway
    -> Point-to-Site Connectivity: 10.0.253.0/24
    -> Site-to-Site Connectivity: Datacenter Local Network: 10.0.250.0/24
Headquarters Virtual Network:
    172.16.0.0/24      address space
    172.16.0.0/25      subnet-1
    172.16.0.128/29    gateway
    -> Site-to-Site Connectivity: Headquarters Local Network: 10.0.0.0/24
Region1 Virtual Network:
    172.16.1.0/24      address space
    172.16.1.0/25      subnet-1
    172.16.1.128/29    gateway
    -> Site-to-Site Connectivity: Region1 Local Network: 10.0.1.0/24
So with this I want the Datacenter, Headquarters and Regional Virtual Networks to be connected. I then need the on-premises VPN routers to connect to the Headquarters and Regional Virtual Networks. How can I 1) get the VNs to talk to each other, and 2) I have Cisco 881 routers and I'm using the following configs from Azure.
! Microsoft Corporation
! Windows Azure Virtual Network
! This configuration template applies to Cisco ISR 2900 Series Integrated Services Routers running IOS 15.1.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.
! ---------------------------------------------------------------------------------------------------------------------
! ACL rules
!
! Proper ACL rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
access-list 101 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, and Diffie-Hellman group parameters for the Phase
! 1 negotiation and the main mode security association.
crypto ikev2 proposal azure-proposal
  encryption aes-cbc-256 aes-cbc-128 3des
  integrity sha1
  group 2
  exit
crypto ikev2 policy azure-policy
  proposal azure-proposal
  exit
crypto ikev2 keyring azure-keyring
  peer 104.215.95.202
    address 104.215.95.202
    ! the key value is left blank in the template as posted
    pre-shared-key
    exit
  exit
crypto ikev2 profile azure-profile
  ! the local interface name is left blank in the template as posted
  match address local interface
  match identity remote address 104.215.95.202 255.255.255.255
  authentication remote pre-share
  authentication local pre-share
  keyring azure-keyring
  exit
! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, tunnel mode properties for the Phase 2 negotiation
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
  mode tunnel
  exit
! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto profile that binds the cross-premise network traffic to the IPSec transform
! set and remote peer. We also bind the IPSec policy to the virtual tunnel interface, through which
! cross-premise traffic will be transmitted. We have picked an arbitrary tunnel id "1" as an example. If
! that happens to conflict with an existing virtual tunnel interface, you may choose to use a different id.
crypto ipsec profile vti
  set transform-set azure-ipsec-proposal-set
  set ikev2-profile azure-profile
  exit
int tunnel 1
  ip address 169.254.0.1 255.255.255.0
  ip tcp adjust-mss 1350
  ! the source interface is left blank in the template as posted
  tunnel source
  tunnel mode ipsec ipv4
  tunnel destination 104.215.95.202
  tunnel protection ipsec profile vti
  exit
ip route 172.16.0.0 255.255.255.0 tunnel 1
Are there any configurations that need to be added or removed from this template to get the On-Premises VPN working?
Thanks for your help!
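Before building the VNet-to-VNet and site-to-site tunnels, it is worth checking that none of the prefixes that will be routed across them overlap, since both connection types depend on unique address spaces. The following script is an added example, not part of the question or of Azure's template; it loads the address plan from the question as constructed data, reports overlaps and mis-sized gateway subnets, and emits the Cisco wildcard ACL line in the form the template uses (the `PLAN` dictionary and function names are assumptions of this example).

```python
import ipaddress
from itertools import combinations

# Address plan from the question, constructed as data for this example.
PLAN = {
    "Datacenter": {
        "vnet": "172.16.250.0/24", "subnet1": "172.16.250.0/25",
        "gateway": "172.16.250.128/29", "local": "10.0.250.0/24",
        "p2s": "10.0.253.0/24",
    },
    "Headquarters": {
        "vnet": "172.16.0.0/24", "subnet1": "172.16.0.0/25",
        "gateway": "172.16.0.128/29", "local": "10.0.0.0/24",
    },
    "Region1": {
        "vnet": "172.16.1.0/24", "subnet1": "172.16.1.0/25",
        "gateway": "172.16.1.128/29", "local": "10.0.1.0/24",
    },
}

def net(prefix):
    # strict=True rejects prefixes with host bits set, e.g. 172.16.0.1/24
    return ipaddress.ip_network(prefix, strict=True)

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is routable as drawn."""
    problems = []
    # 1. Every prefix that will be advertised over a tunnel must be unique:
    #    VNet address spaces, on-premises local networks and the P2S pool.
    routed = [(f"{name}:{key}", net(p[key]))
              for name, p in plan.items()
              for key in ("vnet", "local", "p2s") if key in p]
    for (a_name, a), (b_name, b) in combinations(routed, 2):
        if a.overlaps(b):
            problems.append(f"overlap: {a_name} {a} and {b_name} {b}")
    # 2. subnet-1 and the gateway subnet must lie inside the VNet address
    #    space and must not overlap each other.
    for name, p in plan.items():
        vnet, s1, gw = net(p["vnet"]), net(p["subnet1"]), net(p["gateway"])
        for label, sub in (("subnet1", s1), ("gateway", gw)):
            if not sub.subnet_of(vnet):
                problems.append(f"{name}: {label} {sub} is outside {vnet}")
        if s1.overlaps(gw):
            problems.append(f"{name}: subnet1 overlaps the gateway subnet")
    return problems

def wildcard_acl(local, vnet, acl=101):
    """Cisco IOS extended ACL line (wildcard masks) matching the template's style."""
    l, v = net(local), net(vnet)
    return (f"access-list {acl} permit ip {l.network_address} {l.hostmask} "
            f"{v.network_address} {v.hostmask}")
```

Run `check_plan(PLAN)` against the plan above; it returns no problems, and `wildcard_acl("10.0.0.0/24", "172.16.0.0/24")` reproduces the ACL line from the Headquarters template.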
Best Answer
How can I get the VN's to talk to each other
You will need to create VNet-to-VNet VPN tunnels, this can be done by doing the following:
This is all very well documented here: Configure a VNet-to-VNet connection in the Azure Portal and here too VNet-to-VNet: Connecting Virtual Networks in Azure across Different Regions
Are there any configurations that need to be added or removed from this template to get the On-Premises VPN working?
You're in luck, your device is supported with the Azure site-to-site VPN using dynamic routing. To ensure that you can successfully connect your LAN to Azure, I would recommend going over the details in this page: About VPN devices for site-to-site virtual network connections
Unfortunately, I'm not an expert when it comes to Cisco routers, so I will be unable to review the configuration you posted, but I can help you by providing the general guidelines to connect Azure to your VPN device:
I hope those are enough to help you, if not, I'm sure someone else with more experience in Cisco will be able to help you figure this out.