Building a Meraki VPN to Azure
IFM supplies network engineering services for $NZ200+GST per hour. If you require assistance with designing or engineering a Cisco network - hire us!
Cisco Meraki MX only supports IKEv1 and Azure only supports having a single IKEv1 VPN (Policy Based). Meraki does not support the Azure "route-based (dynamic-routing) gateway". Chances are if you already have any other Azure VPNs you won't be able to get a working configuration.
What now?
You look at the virtual MX (vMX) and admire that it is a great solution, but perhaps you only have a small number of sites (or even just one) to connect to Azure and spending that much money just isn't going to happen.
Easy. Deploy an Ubuntu server in Azure and deploy StrongSwan on it. StrongSwan is a powerful IPSec VPN system. It allows you to terminate as many VPNs as you want on it, using either IKEv1 or IKEv2. Basically, all of the restrictions in Azure go away.
I said Easy. Easy if you know your way around Ubuntu, StrongSwan and Azure. Otherwise it is daunting.
Below are the basic steps for achieving this configuration. If this still seems too daunting then you could always engage IFM and we'll help you out with it.
Azure Configuration
- Log into the Azure Portal. https://portal.azure.com/
- Select "Virtual Machines".
- Click on "Add" in the top left hand corner.
- Select "Ubuntu Server".
- Choose the latest LTS (long term support) version.
- Click on "Create".
- Select a username.
- Select "Authentication Type" of "password".
- Generate a random password and make sure you save it somewhere.
- Select a "B1S Standard" machine.
- Under "Public IP Address" make sure you select static.
- Select "Firewall". Click on "Advanced" at the top. Allow ports udp/500 and udp/4500.
- In the top right hand corner click "+ New".
- Select "Networking" and then "Route Table".
- Give it a name and click "Create".
- Click on "All Resources" and select the new Route table.
- Click on "Settings/Routes".
- Click on "Add".
- Name the route after the Meraki site. Set the "Next hop type" to "Virtual Appliance".
- Put in the IP address of the Ubuntu instance.
- Select "Subnets".
- Select "Associate".
- Select an existing network and then click "OK".
- Select "Virtual Machines". Select the VPN instance.
- Select "Networking".
- Click on the network interface.
- Click on "IP Configuration".
- Enable "IP Forwarding".
- Click on "save".
Ubuntu Configuration
- SSH into your new instance.
- The new instance needs to have IPv4 routing enabled. Execute this command (if you don't know how to edit using vi then use nano instead):
sudo vi /etc/sysctl.conf
- Uncomment the below line so that it reads:
net.ipv4.ip_forward = 1
- Update the packages database:
sudo apt-get update
- Install the Linux StrongSwan server with this command:
sudo apt-get install strongswan
- Update the software with:
sudo apt-get upgrade
- Edit the global configuration file with this command:
sudo vi /etc/ipsec.conf
- Add a default section, and a connection for each remote site (left is Azure side, right is the Meraki MX site):
conn %default
    ikelifetime=1440m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev1
    authby=secret
    dpdaction=restart
    dpddelay=30

conn remote-site
    left=%defaultroute
    # Azure encryption domain
    leftsubnet=10.0.0.0/24
    # Azure public IP of the VPN server
    leftid=54.xx.xx.xx
    leftfirewall=yes
    right=%any
    # remote encryption domain behind the MX
    rightsubnet=192.168.0.0/24
    # remote VPN outside IP address on the MX
    rightid=203.xx.xx.x
    auto=add
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
"rightid" is the actual IP address configured on the outside of the Meraki MX. If the MX has a public IP address then it will be this. If it is behind a device doing NAT, then it will be the private IP address configured on the outside of its interface.
- Execute the command:
sudo vi /etc/ipsec.secrets
This file contains the pre-shared key for this VPN connection. A sample file will contain the line:
%any %any : PSK "password"
Note that the space either side of the colon is important.
- To make sure everything will restart correctly, I suggest rebooting the entire machine at this point:
sudo reboot
- From this point onwards, if you change the IPSec config you need to execute this command to make the change take effect:
sudo service strongswan restart
- You can check the log using this command:
tail /var/log/syslog
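The Ubuntu steps above, gathered into one script as an added example (this is not code from the original article, nor StrongSwan's own tooling). It renders the ipsec.conf and ipsec.secrets content described above from a few variables, checks that the sysctl forwarding line is really uncommented, and classifies charon lines from syslog so you can tell an established tunnel from a proposal mismatch or a wrong pre-shared key. All IP addresses, subnets, the PSK and the sample log lines are constructed placeholders; the secrets line is scoped to the two IDs rather than "%any %any", so a key only matches the peer it was issued for; and the charon messages matched are the usual phrasing of that daemon, which you should adjust if your version logs differently.

```shell
#!/bin/sh
# Added example: render StrongSwan files for one Meraki site and check results.
# Every address, subnet, key and log line below is a constructed placeholder.

# Print ipsec.conf for one site. Parameters under a "conn" section must be
# indented, otherwise the strongswan parser rejects the file.
render_ipsec_conf() {
  site="$1"; azure_subnet="$2"; azure_pubip="$3"; mx_subnet="$4"; mx_id="$5"
  cat <<EOF
conn %default
    ikelifetime=1440m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev1
    authby=secret
    dpdaction=restart
    dpddelay=30

conn ${site}
    left=%defaultroute
    leftsubnet=${azure_subnet}
    leftid=${azure_pubip}
    leftfirewall=yes
    right=%any
    rightsubnet=${mx_subnet}
    rightid=${mx_id}
    auto=add
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
EOF
}

# Print one ipsec.secrets line. Scoping the PSK to both IDs (instead of
# "%any %any") lets each site have its own key that no other peer can use.
# The spaces on either side of ":" are required.
render_ipsec_secrets() {
  azure_pubip="$1"; mx_id="$2"; psk="$3"
  printf '%s %s : PSK "%s"\n' "$azure_pubip" "$mx_id" "$psk"
}

# Return 0 only if the given sysctl file has an uncommented ip_forward = 1.
ip_forward_enabled() {
  grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$1"
}

# Classify one charon log line from syslog: prints "up", "child-up",
# "proposal-mismatch", "auth-failed" or "other".
classify_charon_line() {
  case "$1" in
    *"IKE_SA "*" established between"*) echo up ;;
    *"CHILD_SA "*" established with SPIs"*) echo child-up ;;
    *NO_PROPOSAL_CHOSEN*) echo proposal-mismatch ;;
    *"invalid HASH_V1 payload length"*|*AUTHENTICATION_FAILED*) echo auth-failed ;;
    *) echo other ;;
  esac
}

# Count established CHILD_SAs (the IPsec SAs carrying traffic) in a log file.
count_child_sa_up() {
  n=0
  while IFS= read -r line; do
    if [ "$(classify_charon_line "$line")" = child-up ]; then n=$((n+1)); fi
  done < "$1"
  echo "$n"
}

# Demo with constructed values: print the two files, then check a sample log.
render_ipsec_conf remote-site 10.0.0.0/24 54.0.0.1 192.168.0.0/24 203.0.113.1
render_ipsec_secrets 54.0.0.1 203.0.113.1 'replace-with-a-long-random-psk'

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan  1 10:00:01 vpn charon: 05[IKE] IKE_SA remote-site[1] established between 10.0.0.4[54.0.0.1]...203.0.113.1[203.0.113.1]
Jan  1 10:00:01 vpn charon: 05[IKE] CHILD_SA remote-site{1} established with SPIs c0a80001_i c0a80002_o and TS 10.0.0.0/24 === 192.168.0.0/24
Jan  1 10:05:30 vpn charon: 07[IKE] invalid HASH_V1 payload length, decryption failed?
EOF
echo "established CHILD_SAs in sample log: $(count_child_sa_up "$SAMPLE_LOG")"
rm -f "$SAMPLE_LOG"
```

To use it on the server, redirect render_ipsec_conf into /etc/ipsec.conf and render_ipsec_secrets into /etc/ipsec.secrets (keeping the secrets file readable by root only), run ip_forward_enabled against /etc/sysctl.conf before rebooting, and feed the tail of /var/log/syslog to count_child_sa_up after the restart; a count of zero with "auth-failed" lines almost always means the PSK or the rightid does not match what the MX sends.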
Meraki Configuration
Simply build a "normal" non-Meraki VPN, and select the "Azure" encryption settings.