Configure Ubiquiti EdgeRouter for Azure VPN
I recently got myself a Ubiquiti EdgeRouter Lite at home, and of course the first thing to do is establish an Azure VPN.
Since the EdgeRouter does not support route-based VPNs, the configuration below uses a policy-based Azure VPN, also known as static routing. You can refer to my guide here to see how to configure the Azure end of the VPN; just replace “RouteBased” with “PolicyBased” when running New-AzureVirtualNetworkGateway.
The configuration below is what I used on my EdgeRouter with EdgeOS 1.7.0. I’ve seen other configurations for Azure around the web, but they seem to be for older versions, and the commands have changed a bit. Replace the values surrounded by “<>” with your own information, without the “<>”.
[code]
set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 28800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes all
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer <Azure GW IP>
set vpn ipsec site-to-site peer <Azure GW IP> local-address <Local GW IP or ‘any’>
set vpn ipsec site-to-site peer <Azure GW IP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <Azure GW IP> authentication pre-shared-secret <shared secret>
set vpn ipsec site-to-site peer <Azure GW IP> connection-type initiate
set vpn ipsec site-to-site peer <Azure GW IP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <Azure GW IP> ike-group ike-azure
set vpn ipsec site-to-site peer <Azure GW IP> tunnel 1
set vpn ipsec site-to-site peer <Azure GW IP> tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer <Azure GW IP> tunnel 1 local prefix <Local subnet>
set vpn ipsec site-to-site peer <Azure GW IP> tunnel 1 remote prefix <Azure subnet>
set vpn ipsec site-to-site peer <Azure GW IP> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <Azure GW IP> tunnel 1 allow-public-networks disable
[/code]
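As an added example (not from the original post), the POSIX shell script below renders the configuration above from variables after checking the values that are usually pasted in by hand: the gateway address, the local and Azure prefixes (valid CIDR, and not overlapping, since a policy-based tunnel selects traffic by prefix pair), and the pre-shared secret. The proposals (aes256/sha1/dh-group 2, PFS disabled) are copied from the post unchanged. The addresses 203.0.113.10, 192.168.1.0/24, 10.0.0.0/16 and the secret in the usage call are constructed placeholders, and the 20-character minimum for the secret is this script's own policy, not an Azure or EdgeOS requirement.

```shell
# Added example: render the EdgeOS site-to-site config from validated variables.
# All addresses and the secret used at the bottom are constructed placeholders.

# Convert a dotted-quad IPv4 address to an integer; print nothing and fail on bad input.
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac   # digits only, no leading zeros
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}
valid_ipv4() { ip4_to_int "$1" >/dev/null; }

# Split a.b.c.d/n into "<network as integer> <prefix length>"; fail on bad input.
cidr_parts() {
    local ip len net hosts
    ip=${1%/*}; len=${1#*/}
    [ "$ip" != "$1" ] || return 1                       # no slash at all
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ ${#len} -le 2 ] && [ "$len" -le 32 ] || return 1
    net=$(ip4_to_int "$ip") || return 1
    hosts=$(( 1 << (32 - $len) ))                        # addresses covered by the prefix
    echo "$(( $net & (4294967295 - ($hosts - 1)) )) $len"
}
valid_cidr() { cidr_parts "$1" >/dev/null; }

# Exit 0 when the two prefixes overlap: both sides agree on the shorter prefix.
prefixes_overlap() {
    local a b alen blen short mask
    a=$(cidr_parts "$1") || return 2
    b=$(cidr_parts "$2") || return 2
    alen=${a#* }; a=${a%% *}
    blen=${b#* }; b=${b%% *}
    short=$alen
    [ "$blen" -lt "$short" ] && short=$blen
    mask=$(( 4294967295 - ((1 << (32 - $short)) - 1) ))
    [ $(( $a & $mask )) -eq $(( $b & $mask )) ]
}

# Refuse secrets with control characters, spaces or quotes (they would need CLI quoting)
# and, as this script's own policy, anything under 20 characters: the secret is the
# only thing authenticating the IKE peer in this setup.
valid_psk() {
    [ ${#1} -ge 20 ] || return 1
    case "$1" in *[![:print:]]*|*" "*|*"'"*|*'"'*) return 1 ;; esac
    return 0
}

# Print the configure-mode commands from the post with the placeholders filled in.
# Arguments: <Azure GW IP> <Local GW IP or any> <shared secret> <Local subnet> <Azure subnet>
render_azure_vpn() {
    local peer=$1 laddr=$2 psk=$3 lpfx=$4 rpfx=$5 p
    valid_ipv4 "$peer" || { echo "invalid Azure gateway IP: $peer" >&2; return 1; }
    if [ "$laddr" != any ] && ! valid_ipv4 "$laddr"; then
        echo "invalid local address: $laddr" >&2; return 1
    fi
    valid_cidr "$lpfx" || { echo "invalid local prefix: $lpfx" >&2; return 1; }
    valid_cidr "$rpfx" || { echo "invalid Azure prefix: $rpfx" >&2; return 1; }
    if prefixes_overlap "$lpfx" "$rpfx"; then
        echo "local and Azure prefixes overlap: $lpfx $rpfx" >&2; return 1
    fi
    valid_psk "$psk" || { echo "secret rejected: need 20+ printable chars, no spaces/quotes" >&2; return 1; }
    p="set vpn ipsec site-to-site peer $peer"
    cat <<EOF
set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 28800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes all
set vpn ipsec nat-traversal enable
$p
$p local-address $laddr
$p authentication mode pre-shared-secret
$p authentication pre-shared-secret $psk
$p connection-type initiate
$p default-esp-group esp-azure
$p ike-group ike-azure
$p tunnel 1
$p tunnel 1 esp-group esp-azure
$p tunnel 1 local prefix $lpfx
$p tunnel 1 remote prefix $rpfx
$p tunnel 1 allow-nat-networks disable
$p tunnel 1 allow-public-networks disable
EOF
}

# Usage with constructed values; paste the output into 'configure' on the router, then commit and save.
render_azure_vpn 203.0.113.10 any 'Constructed-placeholder-secret-42' 192.168.1.0/24 10.0.0.0/16
```

The overlap check is the one that catches the common mistake: if the home subnet and the Azure virtual network share address space, the tunnel may come up but the traffic selectors never match cleanly, and the errors show up later in the IKE and IPsec SA output rather than at commit time.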
To check the tunnel state, use the ‘show vpn ike sa’ and ‘show vpn ipsec sa’ commands.
