Azure Site to Site VPN with an Aruba Gateway

Reading Time: 4 minutes

As described in earlier posts I run EVE-NG in Azure. For several reasons, I need a direct connection to EVE-NG and the nodes within EVE-NG. I could use an Aruba Gateway in Azure but this would consume too much of my tight budget, so I decided to use an Azure Site to Site VPN with my Gateway at home.

The setup of the Azure Site to Site VPN was a little bit tricky, so I decided to create this post and share my findings.

Build the Azure Site to Site Gateway

Let’s start with the Azure part first. This is just a simple click through the GUI part. I use the cheapest version of the Azure Gateway to save as much money as possible so I go with the Basic VPN Gateway. I assume, that you have some basic knowledge of Azure and will not describe every detail. This would go above the scope of this post.

Create a new VNET, if you do not have already one. It could be a very simple VNET, just make sure your “Address Space” did not overlap with your local one. From that VNET create a new subnet, dedicated to the gateway. No other devices can be part of this subnet. I have two subnets in my VNET, one for the gateway and one for my EVE-NG:

Azure Site to Site VPN - Gateway Subnet
Azure Site to Site VPN – Gateway Subnet

Next, create a Basic Azure VPN using the VNET and subnet above. Also, create a new public IP, or use an existing one. This would be the IP you connect the Aruba Gateway to. “Gateway type” is VPN and “VPN type” is “Route-based”. You do not need BGB for this simple setup:

Azure Site to Site VPN - Gateway Configuration
Azure Site to Site VPN – Gateway Configuration

Now, create the “Local network gateway”. This represents the Aruba Gateway including the networks behind the gateway. This is somehow static routing as we do not use BGP:

Azure Site to Site VPN - Local Gateway
Azure Site to Site VPN – Local Gateway

Now, go back to your “Virtual network gateway” and create a new connection like the one below. Select your “Local gateway” from above and create a “Shared key”:

Azure Site to Site VPN - Add Connection
Azure Site to Site VPN – Add Connection

Afterward, select your connection and make sure you have the following “Configuration”:

Azure Site to Site VPN - Connection Configuration
Azure Site to Site VPN – Connection Configuration

That’s all you need to do for the Azure part, let’s head over to Aruba Central and configure the Aruba Gateway.

Build the Aruba Gateway Site to Site VPN

I use Aruba Central to configure my Gateway for the Site to Site VPN. As a Mobility Controller is using the same underlying OS you can do the same there. The config should be quite similar.

The first step is to adjust the DPD timing for IPSec. In Aruba Central select the group with the Gateway and go to “Devices–>Gateway–>Config–>VPN–>DPD” and adjust the settings as below:

Aruba Gateway Site to Site VPN - Adjust DPD Settings
Aruba Gateway Site to Site VPN – Adjust DPD Settings

Adjust the “Tunnel MTU” to your needs.

Now go to “Devices–>Gateways–>Config–>VPN–>Site to Site” and create a new “IPSec maps”:

First, go to “Transforms” and create a new transform with the settings below:

Aruba Gateway Site to Site VPN - New Transform
Aruba Gateway Site to Site VPN – New Transform

This is to match the settings in Azure. Also, add a second “Transform” to the table. I use “default-3rd-ikev2-transform”. Without a second transform, it will not work. Even if they always chose the first one, which we created above.

Now get back to the top of the form and enter the required information:

Aruba Gateway Site to Site VPN - Configuration
Aruba Gateway Site to Site VPN – Configuration

Replace the “Name” with your name for the IPSec map. Also, replace the “Destination network” to align with your VNET in Azure. “Peer gateway IPv4” is your public IP in Azure for the Virtual Network Gateway. “Pre-Connect” is an important point. Check this one to keep the tunnel connected. Without the checkmark, the tunnel is built only if required.

“Save Settings” to finally create the config. You can now check if the tunnel is up. Either in Aruba Central:

Aruba Gateway Site to Site VPN - Tunnel Status
Aruba Gateway Site to Site VPN – Tunnel Status

Or within Azure as well:

Azure Site to Site VPN - Tunnel Status
Azure Site to Site VPN – Tunnel Status

If you find this post useful, leave me a comment and share your feedback with me. If you would like to do me a favor, share this post with your friends and social media contacts. This would really help to make this blog more popular and help others to find the information above more easily using search engines.

4 thoughts on “Azure Site to Site VPN with an Aruba Gateway”

  1. Thank you Florian, you are doing god’s work . I visit your blog every week looking for new content. Keep it up! <3 from Argentina.

    Reply
  2. Thank you Florian for this post. Just want to ask if something changes on Aruba Gateway configuration when IPsec tunnel mode is policy based not route based? We want to configure IKEv2 policy based IPsec with Mikrotik on other end. Thanks once more!

    Reply
    • Hi Andrius,

      Well, this is hard to tell as this depends on the configuration of the Mikrotik router on the other hand. I would say no, but it really depends if these two systems are compatible with each other.

      BR
      Florian

      Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: