
Azure IPSec Tunnel

Started by Stefan Wendrich, 13 January 2017 - 03:29 PM
7 replies to this topic

Stefan Wendrich Members

  • 250 posts

Posted 13 January 2017 - 03:29 PM

Hello,

I configured an IPsec tunnel to Azure with this article: https://docs.citrix.com/en-us/netscaler/11-1/system/cloudbridge-connector-introduction/cloudbridge-connector-azure.html

The tunnel is up and running, but I don't get any traffic to the Azure virtual network.

My NetScaler has 2 NICs. One in the DMZ and one in my LAN. I activated MAC-based Forwarding, so I have only one SNIP within my LAN.

I configured my tunnel interface on the NetScaler to use a VIP (public IPv4 address). I also configured a policy-based route.

On my LAN, I added a route to my clients: if they want to reach VMs in Azure, they have to go to the SNIP.

But it doesn't work. Does PBR work with MBF?

If I test on the NetScaler with traceroute, I see that packets to my Azure virtual networks are going to the default gateway of the NetScaler and not through the tunnel.



Carl Stalhood CTP Member

  • 12,277 posts

Posted 13 January 2017 - 07:47 PM

I believe MBF overrides PBR.



Stefan Wendrich Members

  • 250 posts

Posted 17 January 2017 - 01:21 PM

"I believe MBF overrides PBR."

This could be the problem. I installed a second NetScaler without MBF and it worked immediately.



nchur111 Members

Niclas Christian Chur
  • 92 posts

Posted 20 March 2017 - 12:42 PM

Stefan, how is your experience with IPsec Site2Site VPN with CloudBridge Connector to Azure VPN Gateway? I had to find an alternative solution, as my tunnel to Azure went down approx. every 3-4 hours... "something" happened in Azure, I think, invalidating the IKE tickets lifetime... I had to remove the tunnel configuration and start over every time this happened.



Kai Thorsrud Members

  • 50 posts

Posted 21 March 2017 - 11:01 AM

As long as you use identical lifetime / timers for phase 1 and phase 2 on Azure <-> NetScaler it works fine.



nchur111 Members

Niclas Christian Chur
  • 92 posts

Posted 21 March 2017 - 11:16 AM

Hi Kai, I am pretty sure, based on both MS documentation and Citrix, this was configured - but where can I verify the lifetime settings on Phase 1 and 2 in the new Azure Portal?



Kai Thorsrud Members

  • 50 posts

Posted 21 March 2017 - 12:43 PM

I used the Azure documentation for Checkpoint when I established the tunnel to get the timers correctly.

Have a look here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101275



Kai Thorsrud Members

  • 50 posts

Posted 21 March 2017 - 12:46 PM

I am not sure if this document is 100% correct, but at least there is a guide now. This might help as well.

https://docs.citrix.com/en-us/netscaler/11-1/system/cloudbridge-connector-introduction/cloudbridge-connector-azure.html