Azure – S2S – Cisco RV325 to Microsoft Azure

Lately I have seen some questions about how to connect a Cisco Small Business RV325 router to Microsoft Azure, so here is a short walkthrough. The starting point is the Microsoft document listing validated VPN devices and their parameters: VPN Gateway – About VPN devices.

Looking at the RV325, the only IKE version it supports is version 1. This means we can only use a Policy Based VPN connection to Azure.

What is a Policy Based VPN?

A policy-based VPN decides what is encrypted based on IPsec policies, also called traffic selectors: pairs of local and remote address prefixes defined by the network engineer. Only packets that match a configured local/remote subnet pair are sent through the tunnel; everything else is routed normally. On the RV325 these selectors are the Local Security Group and the Remote Security Group, and they have to match the prefixes configured on the Azure side exactly, otherwise Phase 2 fails or traffic silently bypasses the tunnel. This is not the same thing as policy-based routing (PBR), nor as a route-based VPN, where a routing table decides what enters a tunnel interface.

How do we configure the RV325?

Because the RV325 only supports Internet Key Exchange version 1, we need the Policy Based column of the Azure parameter tables for Phase 1 and Phase 2 (from the VPN devices document linked above); the RV325 must be configured with exactly those values.

Phase 1

[Table image: phase1 – Azure policy-based IKE Phase 1 parameters]

Phase 2

[Table image: phase2 – Azure policy-based IPsec Phase 2 parameters]

We can now start configuring the VPN on the RV325.

[Screenshot: RV325_VPN_STEP01 – RV325 menu]

Go to the VPN menu and click [Gateway to Gateway].
[Screenshot: RV325_VPN_STEP02]
In the first part of the configuration, enter a name for the tunnel and select the WAN interface that will be used to build the VPN tunnel. Set the Keying Mode to [IKE with Preshared key] and select [Enable].
[Screenshot: RV325_VPN_STEP03]
Local Group Setup
For “Local Security Gateway Type” select [IP Only]. The IP Address is filled in automatically based on the WAN interface selected. For “Local Security Group Type” select [Subnet] and enter the local (on-premises) subnet and subnet mask. This is the local traffic selector: only traffic from this subnet is sent through the tunnel, and it must be one of the address prefixes given to the Azure local network gateway later on.
[Screenshot: RV325_VPN_STEP04]
Remote Group Setup
For “Remote Security Gateway Type” select [IP Only]. The IP Address is the public IP address of the Azure VPN gateway. It is only known after the gateway has been created in Azure (a Dynamic public IP gets its address at that point), so come back and fill it in at a later stage.
For “Remote Security Group Type” select [Subnet] and enter the address space of the Azure virtual network that must be reachable (10.20.0.0/16 in the PowerShell example below), not just the GatewaySubnet: with a policy-based VPN only traffic matching this local/remote subnet pair is encrypted, so a remote selector that is too narrow leaves the VM subnets unreachable.
[Screenshot: RV325_VPN_STEP05]
For the IPSec Setup, set the Phase 1 and Phase 2 values to the values from the Azure tables above (IKEv1 with a pre-shared key; Azure's policy-based Phase 2 parameters do not use Perfect Forward Secrecy, so leave PFS disabled).
[Screenshot: RV325_VPN_STEP06]
Advanced settings are set as shown in the screenshot: select [Keep-Alive] and [NetBIOS Broadcast].
Click [Save] to complete the settings.

How do we configure the Azure VPN Gateway?

We use PowerShell to create a policy-based VPN gateway. The commands below use the AzureRm module that was current when this post was written; the Az module has the same cmdlets with the AzureRm prefix replaced by Az. Open Azure PowerShell and connect to your Azure account:

Login-AzureRmAccount

Enter your Azure account credentials and click Login. Then create a Resource Group:

New-AzureRmResourceGroup -Name «Resource Group Name» -Location WestEurope

Create the network configuration for the VPN gateway subnet and two Azure subnets. The VPN gateway subnet must use the name GatewaySubnet.

$sbn_vpngw_s2s = New-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix 10.20.1.0/28 
$sbn_fe = New-AzureRmVirtualNetworkSubnetConfig -Name "Subnet_FE" -AddressPrefix 10.20.2.0/24
$sbn_be = New-AzureRmVirtualNetworkSubnetConfig -Name "Subnet_BE" -AddressPrefix 10.20.3.0/24
Create virtual network:
New-AzureRmVirtualNetwork -Name «vnet name» -ResourceGroupName «Resource Group Name» -Location WestEurope -AddressPrefix 10.20.0.0/16 -Subnet $sbn_vpngw_s2s,$sbn_fe,$sbn_be
Create the local network gateway, which represents the on-premises side: the public WAN IP of the RV325 and the on-premises subnets (these prefixes must match the Local Security Group configured on the router):
New-AzureRmLocalNetworkGateway -Name «location name» -ResourceGroupName «Resource Group Name» -Location WestEurope -GatewayIpAddress «On-Premises Public WAN IP» `
-AddressPrefix @('«Local Subnet 01»','«Local Subnet 02»')

Create an Azure public IP address and store it in a variable for later use (PowerShell variable names cannot contain hyphens, so use underscores):

$pip_gw_s2s = New-AzureRmPublicIpAddress -Name PIP-GW-S2S -ResourceGroupName «Resource Group Name» -Location WestEurope -AllocationMethod Dynamic

Create variables for the virtual network, the gateway subnet, and the gateway IP configuration.

$vnet = Get-AzureRmVirtualNetwork -Name «vNet Name» -ResourceGroupName «Resource Group Name»
$sbn_vpn = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ip_gw = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwip -SubnetId $sbn_vpn.Id -PublicIpAddressId $pip_gw_s2s.Id

Create the policy-based VPN gateway. Policy-based gateways are only available on the Basic SKU, so set it explicitly:

New-AzureRmVirtualNetworkGateway -Name «vNet Gateway Name» -ResourceGroupName «Resource Group Name» -Location WestEurope -IpConfigurations $ip_gw -GatewayType Vpn -VpnType PolicyBased -GatewaySku Basic

Create the VPN connection. The local network gateway name must be the one used above («location name»):

$vpn_gateway = Get-AzureRmVirtualNetworkGateway -Name «vNet Gateway Name» `
-ResourceGroupName «Resource Group Name»
$local = Get-AzureRmLocalNetworkGateway -Name «location name» `
-ResourceGroupName «Resource Group Name»
New-AzureRmVirtualNetworkGatewayConnection -Name localtovpn `
-ResourceGroupName «Resource Group Name» -Location WestEurope `
-VirtualNetworkGateway1 $vpn_gateway -LocalNetworkGateway2 $local `
-ConnectionType IPsec -RoutingWeight 10 -SharedKey «SharedKey»

SharedKey – the IKEv1 pre-shared key, which must be entered identically on the RV325 (for example 28f-hf34g-gd43e-93nd5-hfgwes-23). Generate your own long random key rather than reusing an example, and do not share one key between tunnels.

Creating the virtual network gateway is the slow step and can take 30 to 45 minutes. The connection object itself is created within minutes, but it only reports Connected once the RV325 has been configured with the gateway's public IP and the same shared key.

Azure adds system routes for the local network gateway prefixes (next hop VirtualNetworkGateway) to every subnet in the virtual network, so a user-defined route is normally not required for a policy-based gateway. If a subnet has its own route table that overrides those system routes, add an explicit route for the on-premises prefix and associate the table with the subnet; a route table that is not associated with a subnet has no effect:

#Creating the Route Table
$routeTable001 = New-AzureRmRouteTable `
-Name "RouteTable001" `
-ResourceGroupName "«Resource Group Name»" `
-Location WestEurope
#Creating a route in the route table
Get-AzureRmRouteTable `
-ResourceGroupName "«Resource Group Name»" `
-Name "RouteTable001" `
| Add-AzureRmRouteConfig `
-Name "Route01" `
-AddressPrefix «Local Subnet 01» `
-NextHopType "VirtualNetworkGateway" `
| Set-AzureRmRouteTable
#Associating the route table with the subnet; without this step it is never used
$vnet = Get-AzureRmVirtualNetwork -Name «vnet name» -ResourceGroupName "«Resource Group Name»"
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Subnet_FE" `
-AddressPrefix 10.20.2.0/24 -RouteTableId $routeTable001.Id `
| Set-AzureRmVirtualNetwork
[Screenshot: Cisco RV325_S2S-01 – tunnel status on the RV325]

Once the RV325 has the gateway's public IP and the same pre-shared key, the tunnel is established; the status can be verified on the device or in Azure on the connection object.
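As an added example (not code from the original post), the following PowerShell script ties the shared-key and verification steps together: it generates a random pre-shared key, checks that the gateway really is PolicyBased on the Basic SKU, prints the values that have to be typed into the RV325, creates the connection, polls until Azure reports Connected, and finally lists the effective routes on a VM NIC whose next hop is the VirtualNetworkGateway (the first thing to check when traffic only works in one direction). It uses the AzureRm cmdlets of the post; the resource group, gateway, local network gateway, public IP, virtual network and NIC names are placeholders, and the 10-minute polling deadline is an assumption.

```powershell
# Added example, not from the original post. Names in «» and $nicName are assumptions.
$rg       = '«Resource Group Name»'
$gwName   = '«vNet Gateway Name»'
$lngName  = '«location name»'
$vnetName = '«vnet name»'
$pipName  = 'PIP-GW-S2S'
$connName = 'localtovpn'
$nicName  = '«VM NIC name»'   # NIC of a running VM in Subnet_FE or Subnet_BE

# 1. Pre-shared key: 24 bytes from the OS CSPRNG, hex encoded (48 characters,
#    letters and digits only, so it pastes cleanly into the RV325 key field).
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# 2. The RV325 only speaks IKEv1, which Azure offers on a PolicyBased gateway,
#    and PolicyBased is only available on the Basic SKU. Fail early otherwise.
$gw = Get-AzureRmVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
if ($gw.VpnType -ne 'PolicyBased' -or $gw.Sku.Name -ne 'Basic') {
    throw "Gateway is $($gw.VpnType) on $($gw.Sku.Name); the RV325 needs PolicyBased on Basic"
}

# 3. Values that have to be entered on the RV325. The two security groups are the
#    IPsec traffic selectors and must match what Azure has on its side.
$pip  = Get-AzureRmPublicIpAddress   -Name $pipName  -ResourceGroupName $rg
$lng  = Get-AzureRmLocalNetworkGateway -Name $lngName -ResourceGroupName $rg
$vnet = Get-AzureRmVirtualNetwork     -Name $vnetName -ResourceGroupName $rg
Write-Host "Remote Security Gateway IP on the RV325 : $($pip.IpAddress)"
Write-Host "Preshared key on the RV325              : $psk"
Write-Host "Local Security Group must be one of     : $($lng.LocalNetworkAddressSpace.AddressPrefixes -join ', ')"
Write-Host "Remote Security Group on the RV325      : $($vnet.AddressSpace.AddressPrefixes -join ', ')"

# 4. Create the connection with the generated key (RoutingWeight as in the post).
New-AzureRmVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg `
    -Location $gw.Location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -RoutingWeight 10 -SharedKey $psk | Out-Null

# 5. Poll until Azure reports Connected (the RV325 side must be configured first);
#    the byte counters show whether traffic really flows in both directions.
$deadline = (Get-Date).AddMinutes(10)   # assumption: enough time to finish the router side
do {
    Start-Sleep -Seconds 30
    $conn = Get-AzureRmVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
    Write-Host ('{0}  {1}  ingress={2} egress={3}' -f (Get-Date -Format T), $conn.ConnectionStatus,
        $conn.IngressBytesTransferred, $conn.EgressBytesTransferred)
} while ($conn.ConnectionStatus -ne 'Connected' -and (Get-Date) -lt $deadline)

# 6. Azure installs a system route per local network gateway prefix with next hop
#    VirtualNetworkGateway on every subnet. If a VM cannot reach on-premises, check
#    that these routes are present and Active on its NIC (the VM must be running).
Get-AzureRmEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rg |
    Where-Object { $_.NextHopType -eq 'VirtualNetworkGateway' } |
    Select-Object Source, State, NextHopType, @{ n = 'Prefix'; e = { $_.AddressPrefix -join ',' } }
```

The key is written to the console so it can be copied into the router; clear the console afterwards, and if a route with next hop VirtualNetworkGateway is missing or Invalid in step 6, the local network gateway prefixes (or a custom route table on the subnet) are the place to look before touching the router.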

All feedback is welcome!


5 thoughts on “Azure – S2S – Cisco RV325 to Microsoft Azure”

  1. Hi Frederik,

    Can you explain the purpose of the last command?

    $virtualNetwork = New-AzureRmVirtualNetwork `
    -ResourceGroupName “«Resource Group Name»” `
    -Location WestEurope `
    -Name «vnet name» `
    -AddressPrefix xxx.xxx.xxx.xxx/16


    1. Dear Wesley, thank you for the feedback.
      The last command was not needed because we created the virtual network in a previous step at the beginning. I have updated the blog post.

  2. Hi, I closed a VPN site-to-site with Azure using a Cisco RV320, policy based.
    From my Azure VM I can ping and access the share folder of my server on the on-premises network; however, the opposite does not work. From any machine on the on-premises network I cannot ping or even access the VM share folder in Azure, even after shutting down the Windows firewall for testing. Any idea how to fix it?
