Configuring a site-to-site VPN tunnel with Coro Network and Microsoft Azure

As part of a virtual office, Coro includes the ability for customers to configure Virtual Private Networks (VPNs) together with site-to-site tunnels.

This guide describes how to configure a site-to-site VPN tunnel between your virtual office network and Microsoft Azure.

Prerequisites

Before you start, make sure you have:

  • Access as an admin user to the Coro console for your workspace.
  • An active subscription (or trial) for the Coro Network module.
  • An active Microsoft Azure subscription and access to the Azure admin portal.

Configuration steps

To complete this guide, perform each of the following procedures in turn:

  1. Create a virtual network in Azure
  2. Create a virtual network gateway in Azure
  3. Create a local network gateway in Azure
  4. Create a site-to-site VPN in Azure
  5. Configure a tunnel in Coro Network

Creating a virtual network

To create a virtual network, perform the following steps:

  1. Sign in to the Microsoft Azure portal ( https://portal.azure.com ).
  2. In the search field, enter "virtual networks" to locate the Virtual networks section:

    Azure search for virtual networks

  3. Select Virtual networks from the search results to view the Virtual networks list:

    Azure virtual networks list

  4. Select + Create to create a virtual network:

    Azure virtual networks create button

  5. Microsoft Azure displays the Create virtual network page, starting with the Basics tab:

    Azure Create virtual networks - Basics tab

    Enter the following details:

    • Subscription : Select your Azure subscription.
    • Resource group : Select the resource group. Alternatively, select Create new to create one for this purpose.
    • Virtual network name : Enter a name for this virtual network.
    • Region : Select the region into which this virtual network is added.
  6. Select Next to continue.

    Microsoft Azure displays the Security tab:

    Azure Create virtual networks - Security tab

    Leave all the settings in this tab as unselected (the default state). Select Next to continue.

  7. Microsoft Azure displays the IP addresses tab.

    Enter a CIDR IP address that represents the subnet you want to use with this virtual network:

    Azure Create virtual networks - IP addresses tab

    note

    Keep a note of this address space for configuration in Coro later.

    Important

    In this example, Azure warns that the address range specified (10.47.0.0/16) is not within the default subnet address space for the virtual network (10.0.0.0/24). If you see this message, update the "default" subnet by selecting the adjacent edit link:

    Azure Create virtual networks - edit default subnet

    Microsoft Azure displays the Edit subnet dialog.

    Set the Starting address and Size to match the subnet you specified when creating the virtual network:

    Azure Create virtual networks - set default subnet

    Select Save.

  8. Select Add a subnet :

    Azure Create virtual networks - Add a subnet

  9. In the Add a subnet dialog, enter the following settings:
    • Subnet purpose : Select "Virtual Network Gateway".
    • IPv4 address range : Make sure that your virtual network address range is selected.
    • Starting address : Enter the address "x.x.255.0" where "x" matches the first two octets of your selected IPv4 address.
    • Size : Select "/27 (32 addresses)".

    Azure Create virtual networks - Add a subnet

  10. Select Add to save your changes. Your completed subnet definitions should resemble the following:

    Azure Create virtual networks - subnets defined

  11. Select Review + create :

    Azure Create virtual networks - Review + create button

  12. Review your virtual network settings, then select Create :

    Azure Create virtual networks - Create the virtual network

After a short wait, Azure deploys your virtual network.

Creating a virtual network gateway

To create a virtual network gateway, perform the following steps:

  1. Sign in to the Microsoft Azure portal ( https://portal.azure.com ).
  2. In the search field, enter "virtual network gateways" to locate the Virtual network gateways section:

    Azure search for virtual network gateways

  3. Select Virtual network gateways from the search results to view the Virtual network gateways list:

    Azure virtual network gateways list

  4. Select + Create to create a virtual network gateway:

    Azure virtual network gateway create button

    Microsoft Azure displays the Create virtual network gateway page, starting with the Basics tab:

    Azure Create virtual network gateway - Basics tab

  5. Enter the following details:
    • Subscription : Select your Azure subscription.
    • Name : Enter a name for this virtual network gateway.
    • Region : Select the region into which this virtual network gateway is added.
    • Gateway type : Select VPN .
    • SKU : Select "VpnGw2".
    • Generation : Select "Generation 2".
    • Virtual network : Select the virtual network you created as a part of Creating a virtual network .
    • Public IP address : Select Create new .
    • Public IP address name : Enter a name for this public IP address definition.
    • Enable active-active mode : Select Disabled .
    • Configure BGP : Select Disabled .
    note

    Keep a note of the Public IP address name for configuration in Coro later.

  6. The remaining tabs require no configuration. Select Review + create :

    Azure Create virtual network gateway - Review + create button

  7. Review your virtual network gateway settings, then select Create :

    Azure Create virtual network gateway - Create gateway

    Azure deploys your virtual network gateway.

    note

    This can take up to 45 minutes to complete.

Before you continue, make a note of the newly deployed public IP address for configuring Coro later.

To find the public IP address:

  1. In the search field, enter the name you specified for Public IP address name (during this step ):

    Azure search for public IP address resource

  2. The public IP address configuration page appears. Locate the IP address field and make a note of the value:

    Azure public IP address

Creating a local network gateway

To create a local network gateway, perform the following steps:

  1. Sign in to the Microsoft Azure portal ( https://portal.azure.com ).
  2. In the search field, enter "local network gateways" to locate the Local network gateways section:

    Azure search for local network gateways

  3. Select Local network gateways from the search results to view the Local network gateways list:

    Azure local network gateways list

  4. Select + Create to create a local network gateway:

    Azure local network gateway create button

    Microsoft Azure displays the Create Local network gateway page, starting with the Basics tab:

    Azure Create local network gateway - Basics tab

  5. Enter the following details:
    • Subscription : Select your Azure subscription.
    • Resource group : Select the resource group. Or, select Create new to create one for this purpose.
    • Region : Select the region into which this virtual network is added.
    • Name : Enter a name for this virtual network gateway.
    • Endpoint : Select IP address .
    • IP address : Enter the IP address for your Coro virtual office. This address is listed at the top of the Network > Virtual Office page in the Coro console - for more details, see Virtual office .
    • Address Space(s) : One entry at a time, enter "10.8.0.0/16", "10.9.0.0/16", and "10.10.0.0/16" into the Add additional address range field. Azure validates each address range as you enter it, and provides a further textbox to add the next address range.
  6. The Advanced tab requires no configuration. Select Review + create :

    Azure Create local network gateway - Review + create button

  7. Review your local network gateway settings, then select Create :

    Azure Create local network gateway - Create gateway

After a short wait, Azure deploys your local network gateway.

Creating a site-to-site VPN

To create a site-to-site VPN, perform the following steps:

  1. Sign in to the Microsoft Azure portal ( https://portal.azure.com ).
  2. In the search field, enter the first few letters of the resource group you used in the previous sections. Azure displays the results in the dropdown list:

    Azure search for resource group

  3. Select your resource group to view it's configuration page. Then, locate and select the Virtual network gateway you created during Creating a virtual network gateway :

    Azure resource group - selecting the virtual network gateway

  4. On the virtual network gateway configuration page, select Connections from the left-hand menu:

    Azure virtual network gateway - selecting Connections

    Azure displays all current connections associated with this virtual network gateway.

  5. Select + Add to add a new connection:

    Azure virtual network gateway connections - selecting Add

    Microsoft Azure displays the Create connection page, starting with the Basics tab:

    Azure Create connection - Basics tab

  6. Enter the following details:
    • Subscription : Select your Azure subscription.
    • Resource group : Use the pre-selected resource group associated with this virtual network gateway.
    • Connection type : Select "Site-to-site (IPsec)".
    • Name : Enter a name for this connection.
    • Region : Use the pre-selected region associated with this virtual network gateway.
  7. Select Next to continue.

    Azure displays the Settings tab:

    Azure Create connection - Settings tab

    Enter the following details:

    • Virtual network gateway : Select the gateway you created as a part of Creating a virtual network gateway .
    • Local network gateway : Select the gateway you created as a part of Creating a local network gateway .
    • IKE Protocol : Select IKEv2 .
    • Use Azure Private IP Address : Leave unselected.
    • Enable BGP : Leave unselected.
    • IPsec/IKE policy : Select Custom .
    • IKE phase 1 : Set the following values:
      Encryption Integrity/PRF DH Group
      AES256 SHA1 DHGroup2
    • IKE Phase 2 : Set the following values:
      IPset Encryption IPsec Integrity PFS Group
      AES256 SHA1 None
    • IPsec SA lifetime in KiloBytes : Enter "0".
    • IPsec SA lifetime in seconds : Enter "27000".
      note

      Keep a note of this value for later.

    • Use policy based traffic selector : Select Disable .
    • DPD timeout in seconds : Enter "45".
    • Connection Mode : Select Default .
    • Ingress NAT Rules : Leave as "0 selected".
    • Egress NAT Rules : Leave as "0 selected".
  8. Select Review + create :

    Azure Create connection - Review + create button

  9. Review your virtual network settings, then select Create :

    Azure Create connection - Create the connection

    After a few minutes wait, Azure deploys the connection.

Before you continue, reset the shared key used by the site-to-site connection. This is a shared password (secret) that Azure and Coro use to authenticate and secure the tunnel.

To reset the shared key:

  1. In the search field, locate and select the site-to-site connection resource configured as part of the virtual network gateway (the value you specified in the Name field during this step ):

    Azure search for site-to-site connection resource

  2. On the connection configuration page, select Authentication from the left-hand menu:

    Azure connection resource - selecting Authentication

  3. Enter a value into the Shared key (PSK) field:
    note

    Use a minimum of 20 characters. Make sure to keep a note for configuration in Coro later.

    Azure connection resource - Authentication shared key

  4. Select Save to save your key.

Configuring Coro Network

Before you can configure Coro with details of your site-to-site tunnel, make sure you first obtain the following items from your Azure configuration:

Next, perform the following steps:

  1. Sign in to the Coro console .
  2. From the sidebar, select Control Panel to access the Control Panel .
  3. Select Network :

    Network

  4. Select Site-to-site tunnels :

    Settings

  5. Select + ADD to add a new site-to-site tunnel configuration.
  6. Configure your Site details :

    Add tunnel dialog

    note

    Avoid using special characters or spaces in your site details or preshared key.

    • Site name : Enter a name for your site-to-site tunnel.
    • Site description : Enter a short description for this tunnel.
    • Remote gateway IP : Enter the public IP address configured in Azure.
    • Remote network IP : Enter the virtual network CIDR address space configured in Azure.
    • Preshared key : Enter the shared key configured in Azure.
    • Lifetime key : Enter the shared key lifetime value configured in Azure.
  7. In the same dialog, configure the Firewall settings :
    • Remote network mask : Select your local network subnet mask ("16").
    • IKE version : Select "IKEv2".
    • Phase 1 encryption : Select "AES256-SHA1-D2".
    • Phase 2 encryption : Select "AES256-SHA1-D2".
    • Aggressive mode : Select "No".
  8. To save your configuration, select SAVE .

Test the configuration

After you have completed configuration of Azure and Coro Network, test the connection from the Coro console:

  1. Sign in to the Coro console .
  2. Go to Control Panel > Network > Site-to-site tunnels .
  3. Select the three-dot menu adjacent to your tunnel configuration, then select Test tunnel to trigger a synchronization test.
  4. Upon completion of a successful test, the Test status field updates to show Success .