Sunday, 4 October 2015

Azure Site to Site VPN on a SonicWall

The first of a sequence of posts about Azure and connecting to Azure.

This one goes into the details of connecting an on premise SonicWall to Azure.
I wrote this as it changes a lot and none of the others I read had all the details or explanations about what was happening.

Hope this helps someone.

Document describes a site to site VPN between Azure and a SonicWall TZ300.
Document put together on the 30/9/2015.
Azure is as per production portal, not the preview portal.
SonicWall is a TZ300 with SonicOS Enhanced (August 14th 2015).

Azure Network Configuration

Azure > Network > Dashboard

Azure > Network > Configure

DNS Servers as given out by DHCP
Client VPN configuration and network IPs given
Site to Site Connectivity (Site to Site VPN)
Define the LAN (on the ground IP Network) Galway Site

Pick Site to Site Type. Express Route is a Network Provider or ISP offering.

Azure LANs. The IP ranges in use in Azure
It is important to note that reconfiguring an Azure network after it is in production is major work, so leave enough IP addresses in the ranges!

When the VPN is up, you will see the connected icons.


Azure > Network > Certificates

To connect the Client to Site VPN you need certificates to enable the connectivity.


Generate Client to Site Certificates and installation

To generate certificates, use the executable makecert.exe on a suitable client to generate a certificate. You need a root certificate to upload to the Azure VPN endpoint and a client certificate to install on the end user PC.
More info will follow on another post as I’ve come across an issue with certs on Windows 10
Save makecert.exe to a suitable location and run the following command lines from there to generate the certificates. The first creates a self-signed root certificate; the second creates a client certificate issued by that root (valid for 96 months, exportable private key):
makecert -sky exchange -r -n "CN=CustomerNameRootCert" -pe -a sha1 -len 2048 -ss My "CustomerNameRootCert.cer"
makecert.exe -n "CN=CustomerNameClientCert" -pe -sky exchange -m 96 -ss My -in "CustomerNameRootCert" -is my -a sha1
Change CustomerNameRootCert and CustomerNameClientCert to suitable names for the certificates (they must match between the two commands).
You will need to export the client certificate from the personal certificate store, complete with the private key.
The Root certificate is uploaded to the Azure platform and the client certificate is installed onto the client machines.
I’ll follow up with another post on the client VPN after I sort out my Windows 10 certificate issues.
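As an added example (not code from the original post), a PowerShell script that pulls the two makecert-generated certificates out of the Personal store and exports exactly what each side needs: the root's public part for Azure and the client certificate with its private key for the end user PC. It assumes the placeholder subject names CustomerNameRootCert / CustomerNameClientCert from the commands above and the PKI cmdlets available on Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the original post. Assumes the subject names used in the
# makecert commands above; change the two placeholders to match what you generated.
$rootName   = 'CustomerNameRootCert'     # placeholder
$clientName = 'CustomerNameClientCert'   # placeholder
$outDir     = Join-Path $env:USERPROFILE 'AzureVpnCerts'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# makecert -ss My puts both certificates in the current user's Personal store
$root   = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$rootName" }   | Select-Object -First 1
$client = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$clientName" } | Select-Object -First 1
if (-not $root -or -not $client) { throw 'Root or client certificate not found in Cert:\CurrentUser\My' }

# Sanity checks before exporting anything: the client cert must carry a private key
# (makecert -pe) and must actually chain to the root you are about to upload to Azure.
if (-not $client.HasPrivateKey)       { throw 'Client certificate has no private key; export would be useless' }
if ($client.Issuer -ne $root.Subject) { throw "Client certificate was not issued by $rootName" }

# 1. Root certificate, public part only (DER .cer), to upload under Azure > Network > Certificates
$rootCer = Join-Path $outDir "$rootName.cer"
Export-Certificate -Cert $root -FilePath $rootCer -Type CERT | Out-Null

# 2. Client certificate with private key (.pfx) for the end user PC.
#    The password protects the key in transit; hand it over separately from the file.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$clientPfx   = Join-Path $outDir "$clientName.pfx"
Export-PfxCertificate -Cert $client -FilePath $clientPfx -Password $pfxPassword | Out-Null

Write-Host "Root cert for Azure:  $rootCer (thumbprint $($root.Thumbprint))"
Write-Host "Client cert for user: $clientPfx (thumbprint $($client.Thumbprint))"
```

Only the .cer (no private key) should ever leave the machine for Azure; the .pfx goes to the client alone.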

SonicWall Configuration

System Status


Network > Address Objects

AzureLAN object – Subnet for Azure networks
Server Private object – Host IP for the server on site


VPN > Settings

This shows a working VPN to an Azure site using dynamic routing: an Azure Site to Site VPN and an Azure Client to Site VPN (site-to-site and user VPN).

The properties of the VPN

VPN Policy > General

Policy Type (VPN type): Site to Site
Authentication Type: IKE using Preshared Key
IPsec Primary Gateway IP: from the Azure portal
Shared Secret: from the Azure portal

VPN Policy > Network

Local Network: X0 Subnet, the local LAN network
Remote Networks: Azure Network Object (AzureLAN)

VPN Policy > Proposals

Dynamic Routing – use IKEv2 Mode
Static Routing – use Main Mode
Check the VPN script for the other configurations

VPN Policy > Advanced

Enable Keep Alive: keeps the tunnel up when there is no traffic
Default LAN Gateway: explicitly use the LAN gateway
VPN Policy bound to: WAN interface, Interface X1

When the tunnel is up, you should see a green dot.


Try to ping your resources in Azure from the on premise resources or ping on premise from Azure.
I’ve seen the green dot indicating the VPN is up on the SonicWall within seconds, but the Azure network can take longer, up to 20 minutes on occasions.

Client VPN Issue

So I had an issue with client VPNs that I was building and was getting the following error in the Azure VPN client:
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Error 0x800b0109)

I pulled the installer apart with 7ZIP and started exploring the options.

I found that the certificate from the cloud gateway is not being registered in my certificate store.

The Azure VPN client gets a cert from the gateway, in this case a file called
This is installed into the folder
C:\Users\Joe McGlynn\AppData\Roaming\Microsoft\Network\Connections\Cm\AzureSubscriptionAccessGUID
This cert should be installed by the exe....
and the inf file
AzureSubscriptionAccessGUID.inf Lines 108 and on
;Commands here will be run After setup finishes
reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v SelectSelfSignedCert /t REG_DWORD /d 1 /f
cmd.exe /c certutil -addstore root "%APPDATA%\Microsoft\Network\Connections\Cm\AzureSubscriptionAccessGUID\AzureSubscriptionAccessGUID.cer"
But it's not....
I installed this certificate manually and it works.
Now to find out why...
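As an added diagnostic (not from the original post), a PowerShell script that checks the two things the inf file above is supposed to do: whether the gateway certificate dropped in the Cm folder is present in a Root store, and whether the SelectSelfSignedCert registry value was set. It reports rather than installs, so you can confirm the certificate really is the one from your gateway before trusting it; the folder name AzureSubscriptionAccessGUID is a placeholder for the GUID-named folder of your connection.

```powershell
# Added diagnostic, not from the original post. Run on the PC showing error 0x800b0109.
param(
    # Placeholder: the GUID-named connection folder under ...\Network\Connections\Cm
    [string]$ConnectionName = 'AzureSubscriptionAccessGUID'
)
$cmDir   = Join-Path $env:APPDATA "Microsoft\Network\Connections\Cm\$ConnectionName"
$cerPath = Join-Path $cmDir "$ConnectionName.cer"
if (-not (Test-Path $cerPath)) { throw "Gateway certificate not found at $cerPath" }

# Load the .cer the installer dropped and show what we would be trusting
$gwCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
Write-Host "Gateway cert subject : $($gwCert.Subject)"
Write-Host "Gateway cert issuer  : $($gwCert.Issuer)"
Write-Host "Thumbprint           : $($gwCert.Thumbprint)"
Write-Host "Valid                : $($gwCert.NotBefore) to $($gwCert.NotAfter)"

# certutil -addstore root (as root in the inf) writes to LocalMachine\Root; check CurrentUser too
$foundIn = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    if (Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $gwCert.Thumbprint }) { $store }
}
if ($foundIn) {
    Write-Host "Gateway cert is trusted via: $($foundIn -join ', ')"
} else {
    Write-Warning 'Gateway cert is NOT in any Root store; this matches error 0x800b0109.'
    Write-Warning "After confirming the subject/thumbprint above is your gateway, the inf's own step is:"
    Write-Warning "  certutil -addstore root `"$cerPath`""
}

# The other post-setup step from the inf: the EAP-TLS registry flag
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
$flag   = (Get-ItemProperty -Path $regKey -Name SelectSelfSignedCert -ErrorAction SilentlyContinue).SelectSelfSignedCert
if ($flag -eq 1) { Write-Host 'SelectSelfSignedCert = 1 (set as the inf intends)' }
else             { Write-Warning "SelectSelfSignedCert is '$flag', expected 1; the inf post-setup commands may not have run" }
```

Run it from an elevated prompt if you want the LocalMachine store check to be complete; the script changes nothing.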
