Setup site-to-site tunnel with Azure Virtual Network Gateway

This article outlines the steps to establish a Site-to-Site VPN tunnel between an Azure Virtual Network and a UTunnel Access Gateway.

Azure Side Configuration

We'll start by completing the configuration on the Azure side. Setting up a VPN Gateway in Azure involves four main steps:

1. Create a Gateway Subnet within your Virtual Network
2. Set up a Virtual Network Gateway
3. Configure a Local Network Gateway
4. Create a VPN connection within the Virtual Network Gateway

Create a Gateway Subnet

If not done already, you need to create a Gateway Subnet within your Virtual Network. To do this, please follow the steps below:

1. Go to the Virtual Networks page, select your Virtual Network, and create a subnet by navigating to the Settings > Subnet section.

2. At the top of the page, click the Gateway Subnet option to open the Add a Subnet window. The name "Gateway Subnet" will be automatically populated.

3. Modify the IP address range according to your environment.

4. Leave the other settings as they are, and click the Save button at the bottom of the page to create the subnet.

Create a Virtual Network Gateway

1. Search for Virtual Network Gateway in the search bar and select Virtual Network Gateways from the Services section.

2. Click the Create button to open the Create virtual network gateway window.

3. Here, you will create the virtual network gateway for your virtual network.

The following properties need to be specified:

Name: A user-friendly name for the gateway
Region: Select your Azure region
Gateway type: VPN
SKU: Select according to your requirement
Generation: Select a generation
Virtual network: Select your network from the list
Subnet: The Gateway Subnet will be auto populated
Public IP address: Select Create new option.
Public IP address name: Give a name for the public IP address that will be used for the VPN gateway.
Enable active-active mode: Disabled
Configure BGP: Disabled

4. Click Next , add tags if needed, then select Review + Create .

5. Now, Review the gateway configuration and click the Create button.

6. Wait for the gateway to be deployed. Once the deployment is complete, return to the Virtual Network Gateways page, click on the newly created gateway, and navigate to the details page. Make a note of the public IP address assigned to the VPN gateway, as this will be needed to configure the tunnel on the UTunnel side.

7. Next, you'll need to deploy the Local Network Gateway to represent the on-premises VPN endpoint. To do this, search for “Local Network Gateway" in the search box and select Local Network Gateways from the Services section.

8. Click on the Create button on the page and enter the following properties.

Resource Group: Select the desired resource group.
Region: Select the desired region.
Name: A name to identify the local network gateway.
Endpoint: Select IP Address and enter the IP address of UTunnel Access Gateway.
Address Space: Enter the remote side encryption domain (the network on the remote side)
Configure BGP settings: No

9. Proceed, review the configuration, and click the Create button.

10. Wait for the gateway to be deployed. Once the deployment is finished, go back to the Virtual Network Gateways page, click on the virtual network gateway , and navigate to the details page. Then, select Connections from the left-hand pane.

11. Set the following properties:

Connection Type: Site-to-site (IPsec)
Name: Give a name for the connection.
Region: Select the desired region.

12. Next, configure the connection settings. Set the following parameters and create the connection.

Virtual network gateway: Select the appropriate virtual network gateway from the dropdown list.
Local network gateway: Select the appropriate local network gateway from the dropdown list.
Shared key: Enter the Pre-shared key for authentication. The same shared key needs to be configured on the UTunnel and Azure sides.
IKE Protocol: Select IKEv2.
Use Azure Private IP Address: Don't select.
Enable BGP: Don't select.

FastPath: Don't select.
IPsec/IKE policy: Select Custom.
IKE Phase 1 Encryption: AES256
IKE Phase 1 Integrity/PRF: SHA256
I KE Phase 1 DH Group: Group 14
IKE Phase 2 IPsec Encryption: AES256
IKE Phase 2 IPsec Integrity: SHA256
IKE Phase 1 PFS Group: PFS24
IPsec SA lifetime in KiloBytes: 0
IPsec SA lifetime in seconds: 3600
Use policy-based traffic selector: Disable
DPD timeout in seconds: 30
Connection Mode: Default

13. Wait for the deployment to finish. Once complete, return to the Connections page within the Virtual Network Gateway and select the newly created connection.

14. In the Connection configuration page, select Configuration from the left pane, scroll down, and modify the settings as described below.

Use policy-based traffic selector: Enable
Use custom traffic selectors: Enabled
Custom traffic selectors: Enter your virtual network subnets in the Local address range field. You can enter multiple subnets, separated by commas. Enter the UTunnel side subnets in the Remote address range field.

That’s it for the Azure side.

UTunnel Side Configuration

1. Login to your UTunnel dashboard. Then navigate to the Site-to-Site tab and click on the CREATE TUNNEL button.

Azure site-to-site configuration Create Tunnel

2. Now, select Tunnel with Non-UTunnel Server option and key in the tunnel details.

Tunnel Name : Give a desired name for the tunnel.
Local Server : Select the UTunnel Access Gateway from the dropdown.
Local ID : This is an optional field. By default, UTunnel uses the Access Gateway IP address as the Local ID. Use this field to change the default behavior.
Remote IP : Enter the Azure Gateway's Public IP address.
Remote ID : Optional field.
PSK : Enter the same key that was configured on the Azure side in Step 12.

Azure site-to-site VPN configuration on UTunnel side

3. Once the tunnel is created, you will need to define local and remote encryption domains. Click on the ‘ + ’ icon and add the remote and local subnets.

Set up site-to-site tunnel with Azure define remote and local networks

That's it, the UTunnel side configuration is now complete. You can now go ahead and start the tunnel by clicking on the START button.

Popular Support Articles

Set up site-to-site tunnel with Cisco ASA

How to create site-to-site connection with Mikrotik router

How to Create Site-to-Site Tunnel with UniFi OS

Site-to-Site tunnel with Fortinet Firewall