forked from erjosito/azcli
-
Notifications
You must be signed in to change notification settings - Fork 0
/
vpn.azcli
376 lines (340 loc) · 13.9 KB
/
vpn.azcli
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
#############################################
# Created by [email protected]
#
# July 2020
#############################################
rg=vpntest
location=westeurope
psk=Microsoft123!
###############
# Functions #
###############
# Example create_gw 1 2
# <no_of_gws> is 1 for active/passive, 2 for active/active
function create_gw {
id=$1
no_of_gws=$2
vnet_name=vnet${id}
vnet_prefix=10.${id}.0.0/16
subnet_prefix=10.${id}.0.0/24
vm_subnet_prefix=10.${id}.1.0/24
az network vnet create -g $rg -n $vnet_name --address-prefix $vnet_prefix --subnet-name GatewaySubnet --subnet-prefix $subnet_prefix -o none --only-show-errors
az network vnet subnet create -g $rg -n vm --vnet-name $vnet_name --address-prefix $vm_subnet_prefix -o none --only-show-errors
az network public-ip create -g $rg -n pip0 -o none --only-show-errors
if [[ $no_of_gws == "1" ]]
then
az network public-ip create -g $rg -n pip${id} -o none --only-show-errors
az network vnet-gateway create -g $rg --sku VpnGw1 --gateway-type Vpn --vpn-type RouteBased --vnet vnet${id} -n vng${id} --asn 6500${id} --public-ip-address pip${id} --no-wait -o none --only-show-errors
else
az network public-ip create -g $rg -n pip${id}a
az network public-ip create -g $rg -n pip${id}b
az network vnet-gateway create -g $rg --sku VpnGw1 --gateway-type Vpn --vpn-type RouteBased --vnet vnet${id} -n vng${id} --asn 6500${id} --public-ip-address pip${id}a pip${id}b --no-wait -o none --only-show-errors
fi
}
function connect_gws {
gw1_id=$1
gw2_id=$2
az network vpn-connection create -g $rg --shared-key $psk --enable-bgp -n ${gw1_id}to${gw2_id} --vnet-gateway1 vng${gw1_id} --vnet-gateway2 vng${gw2_id} -o none --only-show-errors
}
################
# Create GWs #
################
# Create RG
az group create -n $rg -l $location -o none --only-show-errors
# Create VPN GW in one vnet
create_gw 1 1 # active/passive
# create_gw 1 2 # active/active
# Create test VM
azurevm_name=testvm
azurevm_pip_name="${azurevm_name}-pip"
vm_size=Standard_B1s
az network nsg create -n "${azurevm_name}-nsg" -g $rg -o none --only-show-errors
az vm create -n $azurevm_name -g $rg -l $location --image ubuntuLTS --generate-ssh-keys \
--public-ip-address $azurevm_pip_name --vnet-name vnet1 --size $vm_size --subnet vm -o none --only-show-errors
# Connection between Azure VNGs
# az network vpn-connection create -g $rg --shared-key $psk --enable-bgp -n 0to11 --vnet-gateway1 vng0 --vnet-gateway2 vng11
# Connection between VNG and LocalGW
# Local GW without BGP
# az network local-gateway create -g $rg -n vng0 --gateway-ip-address 1.2.3.4 --local-address-prefixes 192.168.0.0/24
# Local GW with BGP
# az network local-gateway create -g $rg -n lgw0 --gateway-ip-address 1.2.3.4 --local-address-prefixes 192.168.0.0/24 --asn 65101 --bgp-peering-address 192.168.0.1 --peer-weight 0
#####################
# Simulate onprem #
#####################
# Variables
publisher=cisco
offer=cisco-csr-1000v
sku=16_12-byol
nva_size=Standard_B2ms
version=$(az vm image list -p $publisher -f $offer -s $sku --all --query '[0].version' -o tsv)
branch_prefix=172.16.200.0/24
branch_subnet=172.16.200.0/26
branch_gateway=172.16.200.1
branch1_bgp_ip=172.16.200.11
branch2_bgp_ip=172.16.200.12
branch_asn=65500
username=$(whoami)
# Create CSR to simulate a branch
az vm create -n branch-nva1 -g $rg -l $location --size $nva_size --image ${publisher}:${offer}:${sku}:${version} --admin-username "$username" --generate-ssh-keys \
--public-ip-address branch1-pip --public-ip-address-allocation static --public-ip-sku Standard \
--vnet-name branch --vnet-address-prefix $branch_prefix --subnet nva --subnet-address-prefix $branch_subnet --private-ip-address $branch1_bgp_ip -o none
branch1_ip=$(az network public-ip show -n branch1-pip -g $rg --query ipAddress -o tsv) && echo $branch1_ip
# With BGP
az network local-gateway create -g $rg -n branch1 --gateway-ip-address $branch1_ip --local-address-prefixes "${branch1_bgp_ip}/32" --asn $branch_asn --bgp-peering-address $branch1_bgp_ip --peer-weight 0 -l $location
az network vpn-connection create -g $rg --shared-key $psk --enable-bgp -n branch1 --vnet-gateway1 vng1 --local-gateway2 branch1 -l $location
# Without BGP
# az network local-gateway create -g $rg -n branch1 --gateway-ip-address $branch1_ip --local-address-prefixes $branch_prefix
# az network vpn-connection create -g $rg --shared-key $psk -n branch1 --vnet-gateway1 vng1 --local-gateway2 branch1
# Get VPNGW config data
gw_name=vng1
vpngw_pip_0=$(az network vnet-gateway show -n $gw_name -g $rg --query 'bgpSettings.bgpPeeringAddresses[0].tunnelIpAddresses[0]' -o tsv) && echo $vpngw_pip_0
vpngw_private_ip_0=$(az network vnet-gateway show -n $gw_name -g $rg --query 'bgpSettings.bgpPeeringAddresses[0].defaultBgpIpAddresses[0]' -o tsv) && echo $vpngw_private_ip_0
vpngw_pip_1=$(az network vnet-gateway show -n $gw_name -g $rg --query 'bgpSettings.bgpPeeringAddresses[1].tunnelIpAddresses[0]' -o tsv) && echo $vpngw_pip_1
vpngw_private_ip_1=$(az network vnet-gateway show -n $gw_name -g $rg --query 'bgpSettings.bgpPeeringAddresses[1].defaultBgpIpAddresses[0]' -o tsv) && echo $vpngw_private_ip_1
vpngw_asn=$(az network vnet-gateway show -n $gw_name -g $rg --query 'bgpSettings.asn' -o tsv) && echo $vpngw_asn
# Configure CSR (active/active VNG)
ssh -o BatchMode=yes -o StrictHostKeyChecking=no $branch1_ip <<EOF
config t
crypto ikev2 proposal azure-proposal
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha1
group 2
exit
!
crypto ikev2 policy azure-policy
proposal azure-proposal
exit
!
crypto ikev2 keyring azure-keyring
peer $vpngw_pip_0
address $vpngw_pip_0
pre-shared-key $psk
exit
peer $vpngw_pip_1
address $vpngw_pip_1
pre-shared-key $psk
exit
exit
!
crypto ikev2 profile azure-profile
match address local interface GigabitEthernet1
match identity remote address $vpngw_pip_0 255.255.255.255
match identity remote address $vpngw_pip_1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local azure-keyring
exit
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
mode tunnel
exit
crypto ipsec profile azure-vti
set transform-set azure-ipsec-proposal-set
set ikev2-profile azure-profile
set security-association lifetime kilobytes 102400000
set security-association lifetime seconds 3600
exit
!
interface Tunnel0
ip unnumbered GigabitEthernet1
ip tcp adjust-mss 1350
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination $vpngw_pip_0
tunnel protection ipsec profile azure-vti
interface Tunnel1
ip unnumbered GigabitEthernet1
ip tcp adjust-mss 1350
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination $vpngw_pip_1
tunnel protection ipsec profile azure-vti
exit
!
router bgp $branch_asn
bgp router-id interface GigabitEthernet1
bgp log-neighbor-changes
neighbor $vpngw_private_ip_0 remote-as $vpngw_asn
neighbor $vpngw_private_ip_0 ebgp-multihop 5
neighbor $vpngw_private_ip_0 update-source GigabitEthernet1
neighbor $vpngw_private_ip_1 remote-as $vpngw_asn
neighbor $vpngw_private_ip_1 ebgp-multihop 5
neighbor $vpngw_private_ip_1 update-source GigabitEthernet1
!
ip route $vpngw_private_ip_0 255.255.255.255 Tunnel0
ip route $vpngw_private_ip_1 255.255.255.255 Tunnel1
!
end
!
wr mem
EOF
# Configure CSR (active/passive VNG)
ssh -o BatchMode=yes -o StrictHostKeyChecking=no $branch1_ip <<EOF
config t
crypto ikev2 proposal azure-proposal
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha1
group 2
exit
!
crypto ikev2 policy azure-policy
proposal azure-proposal
exit
!
crypto ikev2 keyring azure-keyring
peer $vpngw_pip_0
address $vpngw_pip_0
pre-shared-key $psk
exit
exit
!
crypto ikev2 profile azure-profile
match address local interface GigabitEthernet1
match identity remote address $vpngw_pip_0 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local azure-keyring
exit
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
mode tunnel
exit
crypto ipsec profile azure-vti
set transform-set azure-ipsec-proposal-set
set ikev2-profile azure-profile
set security-association lifetime kilobytes 102400000
set security-association lifetime seconds 3600
exit
!
interface Tunnel0
ip unnumbered GigabitEthernet1
ip tcp adjust-mss 1350
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination $vpngw_pip_0
tunnel protection ipsec profile azure-vti
exit
!
router bgp $branch_asn
bgp router-id interface GigabitEthernet1
bgp log-neighbor-changes
neighbor $vpngw_private_ip_0 remote-as $vpngw_asn
neighbor $vpngw_private_ip_0 ebgp-multihop 5
neighbor $vpngw_private_ip_0 update-source GigabitEthernet1
!
ip route $vpngw_private_ip_0 255.255.255.255 Tunnel0
!
end
!
wr mem
EOF
# Diagnostics
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $branch1_ip "sh ip int b"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $branch1_ip "sh ip bgp summ"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $branch1_ip "sh ip route bgp"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $branch1_ip "sh ip bgp"
###############################
# Optional, create second CSR #
###############################
# Create CSR to simulate a branch
az vm create -n branch-nva2 -g $rg -l $location --image ${publisher}:${offer}:${sku}:${version} --admin-username "$username" --generate-ssh-keys \
--public-ip-address branch2-pip --public-ip-address-allocation static \
--vnet-name branch --subnet nva --private-ip-address $branch2_bgp_ip
branch2_ip=$(az network public-ip show -n branch2-pip -g $rg --query ipAddress -o tsv)
# Local GW
az network local-gateway create -g $rg -n branch2 --gateway-ip-address $branch2_ip --local-address-prefixes $branch_prefix
az network vpn-connection create -g $rg --shared-key $psk -n branch2 --vnet-gateway1 vng1 --local-gateway2 branch2
# Configure IPsec
ssh -o BatchMode=yes -o StrictHostKeyChecking=no $branch2_ip <<EOF
config t
crypto ikev2 proposal azure-proposal
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha1
group 2
exit
!
crypto ikev2 policy azure-policy
proposal azure-proposal
exit
!
crypto ikev2 keyring azure-keyring
peer $vpngw_pip_0
address $vpngw_pip_0
pre-shared-key $psk
exit
peer $vpngw_pip_1
address $vpngw_pip_1
pre-shared-key $psk
exit
exit
!
crypto ikev2 profile azure-profile
match address local interface GigabitEthernet1
match identity remote address $vpngw_pip_0 255.255.255.255
match identity remote address $vpngw_pip_1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local azure-keyring
exit
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
mode tunnel
exit
crypto ipsec profile azure-vti
set transform-set azure-ipsec-proposal-set
set ikev2-profile azure-profile
set security-association lifetime kilobytes 102400000
set security-association lifetime seconds 3600
exit
!
interface Tunnel0
ip unnumbered GigabitEthernet1
ip tcp adjust-mss 1350
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination $vpngw_pip_0
tunnel protection ipsec profile azure-vti
exit
!
ip route 10.1.0.0 255.255.0.0 Tunnel0
!
end
!
wr mem
EOF
####################
# IPsec policies #
####################
# Policy-Based Connection
az network vpn-connection create -g $rg -n mycx --vnet-gateway1 vpntest --local-gateway2 lgw0 --shared-key $psk --use-policy-based-traffic-selectors
# ERROR:
# Conflict when enabling policy-based traffic selectors for the connection /blah/mycx
# due to IPSec policies or traffic selector policies being defined
# IPsec/IKE policies at gw level (P2S)
az network vnet-gateway ipsec-policy add -g $rg --gateway-name vpntest \
--dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA384 \
--ipsec-encryption DES3 --ipsec-integrity GCMAES256 --pfs-group PFS2048 \
--sa-lifetime 27000 --sa-max-size 102400000
# IPsec/IKE policies at connection level (S2S)
az network vpn-connection ipsec-policy add -g $rg --connection-name mycx \
--dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA384 \
--ipsec-encryption DES3 --ipsec-integrity GCMAES256 --pfs-group PFS2048 \
--sa-lifetime 27000 --sa-max-size 102400000
###############
# Diagnostics #
###############
# Azure VPN GW resources
az network vnet-gateway list -g $rg -o table
az network local-gateway list -g $rg -o table
az network vpn-connection list -g $rg -o table --query '[].{Name:name, EnableBgp:enableBgp, ProvisioningState:provisioningState}'
az network vpn-connection ipsec-policy list -g $rg --connection-name mycx -o table
# Effective routes
testvm_nic_id=$(az vm show -n $azurevm_name -g "$rg" --query 'networkProfile.networkInterfaces[0].id' -o tsv)
az network nic show-effective-route-table --ids $testvm_nic_id -o table
# CSR
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $branch1_ip "sh ip int b"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $branch2_ip "sh ip int b"
###########
# Cleanup #
###########
# az group delete -n $rg -y --no-wait