Site-2-Site IPSEC VPN Tunnel from Microsoft Azure to On-Premises with Citrix NetScaler

NetScaler provides the ability to extend your enterprise network to the Cloud. The NetScaler CloudBridge Connector enables you to move your applications to the cloud to reduce cost and increase reliability. In addition to using CloudBridge Connector between a datacenter and a cloud, you can use it to connect two datacenters for a high-capacity secure and accelerated link.

In this post I will share some guidelines on how to extend Microsoft Azure Cloud to your network by leveraging site-to-site IPSec VPN – basically ensuring connectivity between Azure and On-Premises in a hybrid solution.

Several alternatives do indeed exist for creating site-2-site VPN tunnels to Microsoft Azure, but this post will only focus on how to use NetScaler ADC (Application Delivery Controller) for our objective.

Key takeaways and benefits:

Establish connection between two separate private networks over the public internet (low cost).
Networks connected, works like a single network transparent to the end-user, enabling delivery of infrastructure services in a Hybrid model.
Alternative to dedicated MPLS, Express Routes etc. utilizing Internet connection as opposed to dedicated expensive lines.

Connecting Public Cloud with on-premises with NetScaler:

Table of Contents

Requirements / Assumptions

NetScaler Platinum (CloudBridge Connector needed).
- Enabled Cloud Bridge Advanced Feature.
Public IP – On-Premises Firewall allows Inbound UDP traffic on 4500 / 500.
- NAT traffic to NetScaler Subnet IP (SNIP Address).
No overlapping IPs between Azure vNets and On-premises vLANs.
If On-Premises services/resources should have connectivity to Azure, proper routing rules has to be implemented.
- Local network should route traffic towards Azure vNets/Subnets through NetScaler SNIP as default gateway.

NetScaler Guidelines

Following sections will list steps required to setup NetScaler as IPSec endpoint for Microsoft Azure.

Obs. All configuration was done and tested on NetScaler 12.0 Build 57.19.

Creating the Tunnel on NetScaler

This configuration will create the IPSEC Tunnel on NetScaler.

GUI

Create IPSec Profile under System>CloudBridge Connector> IPSec Profile.

Following security parameters are currently supported and needed when running NetScaler CloudBridge Connector together with Azure Virtual Network Gateway in Policy-based mode.

Create IPSec Tunnel under System>CloudBridge Connector> IP Tunnels.

In above config, you point to the Public IP of the Azure Virtual Network Gateway, use your Subnet IP for IPSec and bind the previous created IPSec Profile.

Create PBR (Policy Based Routing) :

Above rule enables routing between internal network and Azure network thorugh the IPSec tunnel.

CLI

Here are the NetScaler commands used.

Create IPSec Profile and IPTunnel.

add ipsec profile cb-Azure-IPSec-profile -ikeVersion V1 -encAlgo AES -hashAlgo HMAC_SHA1 -lifetime 3600 -psk XXXXXXXX -livenessCheckInterval 10 -replayWindowSize 9216 -ikeRetryInterval 60 -retransmissiontime 1
add ipTunnel cb-azure-tunnel 52.138.xxx.xxx 255.255.255.255 10.50.0.xxx -protocol IPSEC -ipsecProfileName cb-Azure-IPSec-Profile

add ipsec profile cb-Azure-IPSec-profile -ikeVersion V1 -encAlgo AES -hashAlgo HMAC_SHA1 -lifetime 3600 -psk XXXXXXXX -livenessCheckInterval 10 -replayWindowSize 9216 -ikeRetryInterval 60 -retransmissiontime 1

add ipTunnel cb-azure-tunnel 52.138.xxx.xxx 255.255.255.255 10.50.0.xxx -protocol IPSEC -ipsecProfileName cb-Azure-IPSec-Profile

Create Policy Based Routing (PBR Rule)

add ns pbr pbr-local2azure-pol ALLOW -srcIP = 10.40.0.0-10.40.0.255 -destIP = 10.1.0.0-10.1.0.255 -ipTunnel cb-azure-tunnel -priority 10
apply pbrs

add ns pbr pbr-local2azure-pol ALLOW -srcIP = 10.40.0.0-10.40.0.255 -destIP = 10.1.0.0-10.1.0.255 -ipTunnel cb-azure-tunnel -priority 10

apply pbrs

If you need to delete and start over – you will need to do the following:

1. Delete PBR rule and Apply PBRS
2. Delete IPSec Tunnel
3. Delete IPSec Profile

rm pbr pbr-local2azure-pol
apply pbrs
rm iptunnel cb-Azure-Tunnel
rm ipsec profile cb-Azure-IPSec-Profile

rm pbr pbr-local2azure-pol

apply pbrs

rm iptunnel cb-Azure-Tunnel

rm ipsec profile cb-Azure-IPSec-Profile

Microsoft Azure Guidelines

All steps done via https://portal.azure.com

Add a new Address Space for Gateway Subnet

In Virtual Networks add a new address space for the Gateway Subnet:

Create a new Gateway Subnet

Create a new Gateway Subnet:

Define Gateway Subnet:

Create the Azure Virtual Network Gateway

Remember to create VPN Type of “Policy-based” for support with NS.

Add Virtual Network Gateway:

Create the Azure Local Network Gateway

Add Local Network Gateway:

Connections (Add Pre-Shared Key)

Add Connection and insert Shared Key (PSK):

Verify Tunnel connection

NetScaler:

Issue “sh ipTunnel” from CLI:

Azure:

Verify that you can ping on-premises hosts from Azure VMs and vice versa.

If any failures, check ns.log and Firewall/routing rules.

Reference Links

About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

Citrix Docs: Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud (not updated)https://docs.citrix.com/en-us/netscaler/12/system/cloudbridge-connector-introduction/cloudbridge-connector-azure.html