Configuring a site-to-site VPN tunnel with Coro Network and Microsoft Azure

As part of a virtual office, Coro includes the ability for customers to configure Virtual Private Networks (VPNs) together with site-to-site tunnels.

This guide describes how to configure a site-to-site VPN tunnel between your virtual office network and Microsoft Azure.

Prerequisites

Before you start, make sure you have the following:

  • Access as an admin user to the Coro console for your workspace
  • An active subscription (or trial) for the Coro Network module
  • An active Microsoft Azure subscription and access to the Azure admin portal

Configuration steps

To complete this guide, perform each of the following procedures in turn:

  1. Create a virtual network in Azure
  2. Create a virtual network gateway in Azure
  3. Create a local network gateway in Azure
  4. Create a site-to-site VPN in Azure
  5. Configure a tunnel in Coro Network

Creating a virtual network

To create a virtual network, perform the following steps:

  1. Sign in to the Microsoft Azure portal (https://portal.azure.com).
  2. In the search bar, enter "virtual networks" to locate the Virtual networks section:

    Azure search for virtual networks

  3. Select Virtual networks from the search results to view the Virtual networks list:

    Azure virtual networks list

  4. Select + Create to create a new virtual network:

    Azure virtual networks create button

  5. The Create virtual network page appears, starting with the Basics tab:

    Azure Create virtual networks - Basics tab

    Enter the following details:

    • Subscription : Select your Azure subscription.
    • Resource group : Select the desired resource group. Or, select Create new to create a new one for this purpose.
    • Virtual network name : Enter a suitable name for this virtual network.
    • Region : Select the desired region into which this virtual network is added.
  6. Select Next to continue.

    The Security tab appears:

    Azure Create virtual networks - Security tab

    Leave all of the settings in this tab as unselected (the default state). Select Next to continue.

  7. The IP addresses tab appears. Enter a CIDR IP address that represents the subnet you want to use with this virtual network:

    Azure Create virtual networks - IP addresses tab

    Note: Keep a note of this address space for configuration in Coro later.

    Important: In this example, Azure warns that the address range specified (10.47.0.0/16) is not within the default subnet address space for the virtual network (10.0.0.0/24). If you see this message, update the "default" subnet by selecting the adjacent edit link:

    Azure Create virtual networks - edit default subnet

    The Edit subnet dialog appears. Set the Starting address and Size to match the subnet you specified when creating the virtual network:

    Azure Create virtual networks - set default subnet

    Select Save.

  8. Select Add a subnet:

    Azure Create virtual networks - Add a subnet

  9. In the Add a subnet dialog, enter the following settings:
    • Subnet purpose : Select "Virtual Network Gateway".
    • IPv4 address range : Make sure that your virtual network address range is selected.
    • Starting address : Enter the address "x.x.255.0" where "x" matches the first two octets of your selected IPv4 address.
    • Size : Select "/27 (32 addresses)".

    Azure Create virtual networks - Add a subnet

  10. Select Add to save your changes. Your completed subnet definitions should resemble the following:

    Azure Create virtual networks - subnets defined

  11. Select Review + create:

    Azure Create virtual networks - Review + create button

  12. Review your virtual network settings, then select Create:

    Azure Create virtual networks - Create the virtual network

After a short wait, Azure deploys your virtual network.

Creating a virtual network gateway

To create a virtual network gateway, perform the following steps:

  1. Sign in to the Microsoft Azure portal (https://portal.azure.com).
  2. In the search bar, enter "virtual network gateway" to locate the Virtual network gateways section:

    Azure search for virtual network gateways

  3. Select Virtual network gateways from the search results to view the Virtual network gateways list:

    Azure virtual network gateways list

  4. Select + Create to create a new virtual network gateway:

    Azure virtual network gateway create button

  5. The Create virtual network gateway page appears, starting with the Basics tab:

    Azure Create virtual network gateway - Basics tab

    Enter the following details:

    • Subscription : Select your Azure subscription.
    • Name : Enter a suitable name for this virtual network gateway.
    • Region : Select the desired region into which this virtual network gateway is added.
    • Gateway type : Select VPN.
    • SKU : Select "VpnGw2".
    • Generation : Select "Generation 2".
    • Virtual network : Select the virtual network you created as a part of Creating a virtual network.
    • Public IP address : Select Create new.
    • Public IP address name : Enter a suitable name for this public IP address definition.
    • Enable active-active mode : Select Disabled.
    • Configure BGP : Select Disabled.

    Note: Keep a note of the Public IP address name for configuration in Coro later.

  6. The remaining tabs require no configuration. Select Review + create:

    Azure Create virtual network gateway - Review + create button

  7. Review your virtual network gateway settings, then select Create:

    Azure Create virtual network gateway - Create gateway

    Azure deploys your virtual network gateway.

    Note: This can take up to 45 minutes to complete.

Before you continue, make a note of the newly deployed public IP address for configuring Coro later.

To find the public IP address:

  1. In the search bar, enter the name you specified for Public IP address name (in step 5 of Creating a virtual network gateway):

    Azure search for public IP address resource

  2. The public IP address configuration page appears. Locate the IP address field and make a note of the value:

    Azure public IP address

Creating a local network gateway

To create a local network gateway, perform the following steps:

  1. Sign in to the Microsoft Azure portal (https://portal.azure.com).
  2. In the search bar, enter "local network gateways" to locate the Local network gateways section:

    Azure search for local network gateways

  3. Select Local network gateways from the search results to view the Local network gateways list:

    Azure local network gateways list

  4. Select + Create to create a new local network gateway:

    Azure local network gateway create button

  5. The Create Local network gateway page appears, starting with the Basics tab:

    Azure Create local network gateway - Basics tab

    Enter the following details:

    • Subscription : Select your Azure subscription.
    • Resource group : Select the desired resource group. Or, select Create new to create a new one for this purpose.
    • Region : Select the desired region into which this local network gateway is added.
    • Name : Enter a suitable name for this local network gateway.
    • Endpoint : Select IP address.
    • IP address : Enter the IP address for your Coro virtual office. This address is listed at the top of the Network > Virtual Office page in the Coro console. For more details, see Virtual office.
    • Address Space(s) : One entry at a time, enter "10.8.0.0/16", "10.9.0.0/16", and "10.10.0.0/16" into the Add additional address range field. Azure validates each address range as you enter it, and provides a further textbox to add the next address range.
  6. The Advanced tab requires no configuration. Select Review + create:

    Azure Create local network gateway - Review + create button

  7. Review your local network gateway settings, then select Create:

    Azure Create local network gateway - Create gateway

After a short wait, Azure deploys your local network gateway.

Creating a site-to-site VPN

To create a site-to-site VPN, perform the following steps:

  1. Sign in to the Microsoft Azure portal (https://portal.azure.com).
  2. In the search bar, enter the first few letters of the resource group you used in the previous sections. Azure displays the results in the dropdown list:

    Azure search for resource group

  3. Select your resource group to view its configuration page. Then, locate and select the virtual network gateway you created during Creating a virtual network gateway:

    Azure resource group - selecting the virtual network gateway

  4. On the virtual network gateway configuration page, select Connections from the left-hand menu:

    Azure virtual network gateway - selecting Connections

    Azure displays all current connections associated with this virtual network gateway.

  5. Select + Add to add a new connection:

    Azure virtual network gateway connections - selecting Add

  6. The Create connection page appears, starting with the Basics tab:

    Azure Create connection - Basics tab

    Enter the following details:

    • Subscription : Select your Azure subscription.
    • Resource group : Use the pre-selected resource group associated with this virtual network gateway.
    • Connection type : Select "Site-to-site (IPsec)".
    • Name : Enter a suitable name for this connection.
    • Region : Use the pre-selected region associated with this virtual network gateway.
  7. Select Next to continue.

    The Settings tab appears:

    Azure Create connection - Settings tab

    Enter the following details:

    • Virtual network gateway : Select the gateway you created as a part of Creating a virtual network gateway.
    • Local network gateway : Select the gateway you created as a part of Creating a local network gateway.
    • IKE Protocol : Select IKEv2.
    • Use Azure Private IP Address : Leave unselected.
    • Enable BGP : Leave unselected.
    • IPsec/IKE policy : Select Custom.
    • IKE phase 1 : Set the following values:
      Encryption: AES256
      Integrity/PRF: SHA1
      DH Group: DHGroup2
    • IKE Phase 2 : Set the following values:
      IPsec Encryption: AES256
      IPsec Integrity: SHA1
      PFS Group: None
    • IPsec SA lifetime in KiloBytes : Enter "0".
    • IPsec SA lifetime in seconds : Enter "27000".
      Note: Keep a note of this value for later.

    • Use policy based traffic selector : Select Disable.
    • DPD timeout in seconds : Enter "45".
    • Connection Mode : Select Default.
    • Ingress NAT Rules : Leave as "0 selected".
    • Egress NAT Rules : Leave as "0 selected".
  8. Select Review + create:

    Azure Create connection - Review + create button

  9. Review your connection settings, then select Create:

    Azure Create connection - Create the connection

    After a few minutes' wait, Azure deploys the connection.

Before you continue, reset the shared key used by the site-to-site connection. This is a shared password (secret) that Azure and Coro use to authenticate and secure the tunnel.

To reset the shared key:

  1. In the search bar, locate and select the site-to-site connection resource configured as part of the virtual network gateway (the value you specified in the Name field in step 6 of Creating a site-to-site VPN):

    Azure search for site-to-site connection resource

  2. On the connection configuration page, select Authentication from the left-hand menu:

    Azure connection resource - selecting Authentication

  3. Enter a value into the Shared key (PSK) field:

    Note: Use a minimum of 20 characters. Make sure to keep a note for configuration in Coro later.

    Azure connection resource - Authentication shared key

  4. Select Save to save your key.
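
Before entering these values in Coro, the address plan and shared key from the steps above can be checked offline. The following Python example is added here and is not part of Coro's or Microsoft's documentation; the function names are hypothetical, the letters-and-digits key alphabet is a choice made for this example, and the overlap check reflects the general site-to-site requirement that the two ends of the tunnel use non-overlapping address ranges.

```python
import ipaddress
import secrets
import string

# Coro address spaces entered on the Azure local network gateway in this guide.
CORO_RANGES = ("10.8.0.0/16", "10.9.0.0/16", "10.10.0.0/16")
MIN_PSK_LEN = 20  # minimum shared-key length stated in this guide


def gateway_subnet(vnet_cidr):
    """Apply the guide's rule: x.x.255.0/27, x.x = first two octets of the VNet."""
    vnet = ipaddress.IPv4Network(vnet_cidr)
    a, b = vnet.network_address.packed[:2]
    return ipaddress.IPv4Network(f"{a}.{b}.255.0/27")


def check_plan(vnet_cidr, psk):
    """Return a list of problems; an empty list means the values are consistent."""
    try:
        vnet = ipaddress.IPv4Network(vnet_cidr)  # strict: rejects host bits
    except ValueError as exc:
        return [f"invalid virtual network CIDR: {exc}"]
    problems = []
    for coro in map(ipaddress.IPv4Network, CORO_RANGES):
        if vnet.overlaps(coro):
            problems.append(f"{vnet} overlaps Coro range {coro}")
    gw = gateway_subnet(vnet_cidr)
    if not gw.subnet_of(vnet):  # happens when the VNet is smaller than a /16
        problems.append(f"gateway subnet {gw} is outside {vnet}")
    if len(psk) < MIN_PSK_LEN:
        problems.append(f"shared key has {len(psk)} characters, minimum is {MIN_PSK_LEN}")
    return problems


def generate_psk(length=32):
    """Random key from the OS CSPRNG (alphabet is a choice made for this example)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: the 10.47.0.0/16 range used as the example in this guide.
    print(gateway_subnet("10.47.0.0/16"))
    print(check_plan("10.47.0.0/16", generate_psk()))
    print(check_plan("10.9.0.0/16", "too-short"))
```

An empty list from check_plan means the virtual network range, the derived gateway subnet and the key length are consistent with the values this guide uses.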

Configuring Coro Network

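Before you can configure Coro with details of your site-to-site tunnel, make sure you first obtain the following items from your Azure configuration:

  • The virtual network address space (noted in Creating a virtual network)
  • The public IP address of the virtual network gateway (noted in Creating a virtual network gateway)
  • The IPsec SA lifetime in seconds (noted in Creating a site-to-site VPN)
  • The shared key (PSK) set on the site-to-site connection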

Next, perform the following steps:

  1. Sign in to the Coro console.
  2. Navigate to Control Panel > Network:

    Control Panel Network icon

  3. Select the Settings tab:

    Network Settings tab

  4. Select + ADD to add a new site-to-site tunnel configuration.
  5. In the Add tunnel dialog, configure your site details:

    Add tunnel dialog

    Enter the following details:

    • Site name : Enter a suitable name for your site-to-site tunnel.
    • Site description : Enter a suitable short description for this tunnel.
    • Remote gateway IP : Enter the public IP address configured in Azure.
    • Remote network IP : Enter the virtual network CIDR address space configured in Azure.
    • Preshared key : Enter the shared key configured in Azure.
    • Lifetime key : Enter the lifetime value configured in Azure (the IPsec SA lifetime in seconds).
  6. In the same dialog, configure the firewall settings:
    • Remote network mask : Select your local network subnet mask ("16").
    • IKE version : Select "IKEv2".
    • Phase 1 encryption : Select "AES256-SHA1-D2".
    • Phase 2 encryption : Select "AES256-SHA1-D2".
    • Aggressive mode : Select "No".
  7. To save your configuration, select SAVE.

Test the configuration

After you have completed configuration of Azure and Coro Network, test the connection from the Coro console:

  1. Sign in to the Coro console.
  2. Navigate to Control Panel > Network > Settings.
  3. Select the three-dot menu icon adjacent to your tunnel configuration, then select Test tunnel to trigger a synchronization test.
  4. Upon completion of a successful test, the Test status field updates to show Success.