Configure a S2S VPN Gateway certificate authentication connection - Preview

In this article, you use the Azure portal to create a site-to-site (S2S) certificate authentication VPN gateway connection between your on-premises network and your virtual network. The steps for this configuration use Managed Identity, Azure Key Vault, and certificates. If you need to create a site-to-site VPN connection that uses a shared key instead, see Create a S2S VPN connection.

Prerequisites

Note

Site-to-site certificate authentication isn't supported on Basic SKU VPN gateways.

• You already have a virtual network and a VPN gateway. If you don't, follow the steps to Create a VPN gateway, then return to this page to configure your site-to-site certificate authentication connection.

• Make sure you have a compatible VPN device and someone who can configure it. For more information about compatible VPN devices and device configuration, see About VPN devices.

• Verify that you have an externally facing public IPv4 address for your VPN device.

• If you're unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure routes to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.

Create a Managed Identity

This configuration requires a managed identity. For more information about managed identities, see What are managed identities for Azure resources? If you already have a user-assigned managed identity, you can use it for this exercise. If not, use the following steps to create a managed identity.

1. In the Azure portal, search for and select Managed Identities.
2. Select Create.
3. Input the required information. When you create the name, use something intuitive. For example, site-to-site-managed or vpngwy-managed. You need the name for key vault configuration steps. The Resource group doesn't have to be the same as the resource group that you use for your VPN gateway.
4. Select Review + create.
5. The values validate. When validation completes, select Create.

Enable VPN Gateway for Key Vault and Managed Identity

In this section, you enable the gateway for Azure Key Vault and the managed identity you created earlier. For more information about Azure Key Vault, see About Azure Key Vault.

1. In the portal, go to your virtual network gateway (VPN gateway).
2. Go to Settings -> Configuration. On the Configuration page, specify the following authentication settings:
   • Enable Key Vault Access: Enabled.
   • Managed Identity: Select the Managed Identity you created earlier.
3. Save your settings.

Create a local network gateway

The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, and then specify the IP address of the on-premises VPN device to which you create a connection. You also specify the IP address prefixes that are routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

Note

The local network gateway object is deployed in Azure, not to your on-premises location.

Create a local network gateway by using the following values:

• Name: Site1
• Resource Group: TestRG1
• Location: East US

Configuration considerations:

• VPN Gateway supports only one IPv4 address for each FQDN. If the domain name resolves to multiple IP addresses, VPN Gateway uses the first IP address returned by the DNS servers. To eliminate the uncertainty, we recommend that your FQDN always resolve to a single IPv4 address. IPv6 isn't supported.
• VPN Gateway maintains a DNS cache that's refreshed every 5 minutes. The gateway tries to resolve the FQDNs for disconnected tunnels only. Resetting the gateway also triggers FQDN resolution.
• Although VPN Gateway supports multiple connections to different local network gateways with different FQDNs, all FQDNs must resolve to different IP addresses.

1. In the portal, go to Local network gateways and open the Create local network gateway page.

2. On the Basics tab, specify the values for your local network gateway.

   

   • Subscription: Verify that the correct subscription is showing.
   • Resource group: Select the resource group that you want to use. You can either create a new resource group or select one that you've already created.
   • Region: Select the region for this object. You might want to select the same location where your virtual network resides, but you aren't required to do so.
   • Name: Specify a name for your local network gateway object.
   • Endpoint: Select the endpoint type for the on-premises VPN device as IP address or FQDN (Fully Qualified Domain Name).
     • IP address: If you have a static public IP address allocated from your internet service provider (ISP) for your VPN device, select the IP address option. Fill in the IP address as shown in the example. This address is the public IP address of the VPN device that you want Azure VPN Gateway to connect to. If you don't have the IP address right now, you can use the values shown in the example. Later, you must go back and replace your placeholder IP address with the public IP address of your VPN device. Otherwise, Azure can't connect.
     • FQDN: If you have a dynamic public IP address that could change after a certain period of time, often determined by your ISP, you can use a constant DNS name with a Dynamic DNS service to point to your current public IP address of your VPN device. Your Azure VPN gateway resolves the FQDN to determine the public IP address to connect to.
   • Address space: The address space refers to the address ranges for the network that this local network represents. You can add multiple address space ranges. Make sure that the ranges you specify here don't overlap with ranges of other networks that you want to connect to. Azure routes the address range that you specify to the on-premises VPN device IP address. Use your own values here if you want to connect to your on-premises site, not the values shown in the example.

3. On the Advanced tab, you can configure BGP settings, if needed.

4. After you specify the values, select Review + create at the bottom of the page to validate the page.

5. Select Create to create the local network gateway object.

Certificates

Site-to-site certificate authentication architecture relies on both inbound and outbound certificates.

Note

The inbound and outbound certificates don't need to be generated from the same root certificate.

Outbound certificate

• The outbound certificate is used to verify connections coming from Azure to your on-premises site.
• The certificate is stored in Azure Key Vault. You specify the outbound certificate path identifier when you configure your site-to-site connection.
• You can create a certificate using a certificate authority of your choice, or you can create a self-signed root certificate.

When you generate an outbound certificate, the certificate must adhere to the following guidelines:

• Minimum key length of 2048 bits.
• Must have a private key.
• Must have server and client authentication.
• Must have a subject name.

Inbound certificate

• The inbound certificate is used when connecting from your on-premises location to Azure.
• The subject name value is used when you configure your site-to-site connection.
• The certificate chain public key is specified when you configure your site-to-site connection.

Generate certificates

Use PowerShell locally on your computer to generate certificates. The following steps show you how to create a self-signed root certificate and leaf certificates (inbound and outbound). When using the following examples, don't close the PowerShell window between creating the self-signed Root CA and the leaf certificates.

Create a self-signed root certificate

Use the New-SelfSignedCertificate cmdlet to create a self-signed root certificate. For more information about parameters, see New-SelfSignedCertificate.

1. From a computer running Windows 10 or later, or Windows Server 2016, open a Windows PowerShell console with elevated privileges.

2. Create a self-signed root certificate. The following example creates a self-signed root certificate named 'VPNRootCA01', which is automatically installed in 'Certificates-Current User\Personal\Certificates'. Once the certificate is created, you can view it by opening certmgr.msc, or Manage User Certificates.

   Make any needed modifications before using this example. The 'NotAfter' parameter is optional. By default, without this parameter, the certificate expires in one year.

   $params = @{
       Type = 'Custom'
       Subject = 'CN=VPNRootCA01'
       KeySpec = 'Signature'
       KeyExportPolicy = 'Exportable'
       KeyUsage = 'CertSign'
       KeyUsageProperty = 'Sign'
       KeyLength = 2048
       HashAlgorithm = 'sha256'
       NotAfter = (Get-Date).AddMonths(120)
       CertStoreLocation = 'Cert:\CurrentUser\My'
       TextExtension = @('2.5.29.19={critical}{text}ca=1&pathlength=4')
   }
   $cert = New-SelfSignedCertificate @params
   

3. To generate leaf certificates, leave the PowerShell console open and proceed with the next steps.

Generate leaf certificates

These examples use the New-SelfSignedCertificate cmdlet to generate outbound and inbound leaf certificates. Certificates are automatically installed in 'Certificates - Current User\Personal\Certificates' on your computer.

Outbound certificate

   $params = @{
       Type = 'Custom'
       Subject = 'CN=Outbound-certificate'
       KeySpec = 'Signature'
       KeyExportPolicy = 'Exportable'
       KeyLength = 2048
       HashAlgorithm = 'sha256'
       NotAfter = (Get-Date).AddMonths(120)
       CertStoreLocation = 'Cert:\CurrentUser\My'
       Signer = $cert
       TextExtension = @(
        '2.5.29.37={text}1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1')
   }
   New-SelfSignedCertificate @params

Inbound certificate

   $params = @{
       Type = 'Custom'
       Subject = 'CN=Inbound-certificate'
       KeySpec = 'Signature'
       KeyExportPolicy = 'Exportable'
       KeyLength = 2048
       HashAlgorithm = 'sha256'
       NotAfter = (Get-Date).AddMonths(120)
       CertStoreLocation = 'Cert:\CurrentUser\My'
       Signer = $cert
       TextExtension = @(
        '2.5.29.37={text}1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1')
   }
   New-SelfSignedCertificate @params

Outbound certificate - export private key data

Export the outbound certificate information (with the private key) to a .pfx or .pem file. You upload this certificate information securely to Azure Key Vault in later steps. To export to .pfx using Windows, use the following steps:

1. To get the certificate .cer file, open Manage user certificates.

2. Locate the outbound certificate, typically in Certificates - Current User\Personal\Certificates, and right-click. Select All Tasks -> Export. This opens the Certificate Export Wizard.

3. In the wizard, select Next.

4. Select Yes, export the private key, and then select Next.

5. On the Export File Format page, select Personal Information Exchange - PKCS #12 (PFX). Select the following items:

   • Include all certificates in the certification path if possible
   • Export all extended properties
   • Enable certificate privacy

6. Select Next. On the Security page, select Password and an encryption method. Then, select Next.

7. Specify a file name and browse to the location to which you want to export.

8. Select Finish to export the certificate.

9. You see a confirmation saying The export was successful.

Inbound certificate - export public key data

Export the public key data for the inbound certificate. The information in the file is used for the inbound certificate chain field when you configure your site-to-site connection. Exported files must be in the .cer format. Don't encrypt the certificate value.

1. To get the certificate .cer file, open Manage user certificates.
2. Locate the certificate, typically in Certificates - Current User\Personal\Certificates, and right-click. Select All Tasks -> Export. This opens the Certificate Export Wizard.
3. In the wizard, select Next.
4. Select No, do not export the private key. Then select Next.
5. Select Base-64 encoded X.509 (.CER), then select Next.
6. Specify a file name and browse to the location to which you want to export.
7. Select Finish to export the certificate.
8. You see a confirmation saying The export was successful.
9. This .cer file is used later, when you configure your connection.

Root certificate - export public key data

Export the public key data for the root certificate. Exported files must be in the .cer format. Don't encrypt the certificate value.

1. To get the certificate .cer file, open Manage user certificates.
2. Locate the certificate, typically in Certificates - Current User\Personal\Certificates, and right-click. Select All Tasks -> Export. This opens the Certificate Export Wizard.
3. In the wizard, select Next.
4. Select No, do not export the private key. Then select Next.
5. Select Base-64 encoded X.509 (.CER), then select Next.
6. Specify a file name and browse to the location to which you want to export.
7. Select Finish to export the certificate.
8. You see a confirmation saying The export was successful.
9. This .cer file is used later, when you configure your connection.

Create a key vault

This configuration requires Azure Key Vault. The following steps create a key vault. You add your certificate and Managed Identity to your key vault later. For more comprehensive steps, see Quickstart - Create a key vault using the Azure portal.

1. In the Azure portal, search for Key Vaults. On the Key vaults page, select +Create.
2. On the Create a key vault page, fill out the required information. The resource group doesn't have to be the same as the resource group that you used for your VPN gateway.
3. On the Access configuration tab, for Permission model, select Vault access policy.
4. Don't fill out any of the other fields.
5. Select Review + create, then Create the key vault.

Add the outbound certificate file to your key vault

The following steps help you upload the outbound certificate information to Azure Key Vault.

1. Go to your key vault. In the left pane, open the Certificates page.
2. On the Certificates page, select +Generate/Import.
3. For Method of Certificate Creation, select Import from the dropdown.
4. Input an intuitive certificate name. This doesn't need to be the certificate CN or the certificate file name.
5. Upload your outbound certificate file. The certificate file must be in one of the following formats:
   • .pfx
   • .pfm
6. Input the password used to protect the certificate information.
7. Select Create to upload the certificate file.

Add the Managed Identity to your key vault

1. Go to your key vault. In the left pane, open the Access policies page.
2. Select +Create.
3. On the Create an access policy page, for Secret Management Options and Certificate Management Operations, select Select all.
4. Select Next to move to the Principal* page.
5. On the Principal page, search and select the Managed Identity that you created earlier.
6. Select Next and advance to the Review + create page. Select Create.

Configure your VPN device

Site-to-site connections to an on-premises network require a VPN device. In this step, configure your VPN device. When you configure your VPN device, you need the following values:

• Certificate: You'll need the certificate data used for authentication. This certificate will also be used as the inbound certificate when creating the VPN connection.
• Public IP address values for your virtual network gateway: To find the public IP address for your VPN gateway VM instance using the Azure portal, go to your virtual network gateway and look under Settings -> Properties. If you have an active-active mode gateway (recommended), make sure to set up tunnels to each VM instance. Both tunnels are part of the same connection. Active-active mode VPN gateways have two public IP addresses, one for each gateway VM instance.

Depending on the VPN device that you have, you might be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.

For more configuration information, see the following links:

• For information about compatible VPN devices, see VPN devices.
• Before you configure your VPN device, check for any Known device compatibility issues for the VPN device that you want to use.
• For links to device configuration settings, see Validated VPN devices. The device configuration links are provided on a best-effort basis. It's always best to check with your device manufacturer for the latest configuration information. The list shows the versions we've tested. If your OS isn't on that list, it's still possible that the version is compatible. Check with your device manufacturer to verify that the OS version for your VPN device is compatible.
• For an overview of VPN device configuration, see Overview of third-party VPN device configurations.
• For information about editing device configuration samples, see Editing samples.
• For cryptographic requirements, see About cryptographic requirements and Azure VPN gateways.
• For information about IPsec/IKE parameters, see About VPN devices and IPsec/IKE parameters for site-to-site VPN gateway connections. This link shows information about IKE version, Diffie-Hellman Group, authentication method, encryption and hashing algorithms, SA lifetime, PFS, and DPD, in addition to other parameter information that you need to complete your configuration.
• For IPsec/IKE policy configuration steps, see Configure IPsec/IKE policy for site-to-site VPN or VNet-to-VNet connections.
• To connect multiple policy-based VPN devices, see Connect Azure VPN gateways to multiple on-premises policy-based VPN devices using PowerShell.

Create the site-to-site connection

In this section, you create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device.

Gather configuration values

Before moving forward, gather the following information for the required configuration values.

• Outbound Certificate path: This is the path to the outbound certificate. The outbound certificate is the certificate used when connecting from Azure to your on-premises location. This information is from the same certificate you uploaded to Azure Key Vault.

  1. Go to Key Vaults and click your key vault. In the left pane, expand Objects and select Certificates.
  2. Locate and click your certificate to open the certificate page.
  3. Click the line for your certificate version.
  4. Copy the path next to Key Identifier. The path is specific to the certificate.

  Example: https://s2s-vault1.vault.azure.net/certificates/site-to-site/<certificate-value>

• Inbound certificate subject name: This is the CN for the inbound certificate. To locate this value:

  1. If you generated the certificate on your Windows computer, you can locate it using Certificate Management.
  2. Go to the Details tab. Scroll and click Subject. You see the values in the lower pane.
  3. Don't include CN= in the value.

• Inbound Certificate Chain: This certificate information is used only to verify the incoming inbound certificate and doesn't contain private keys. You should always have at least two certificates in the inbound certificate section of the portal.

  If you have intermediate CAs in your certificate chain, first add the root certificate as the first intermediate certificate, then follow that with the inbound intermediate certificate.

  Use the following steps to extract certificate data in the required format for the inbound certificate field.

  1. To extract the certificate data, make sure that you exported your inbound certificate as a Base-64 encoded X.509 (.CER) file in the previous steps. You need to export the certificate in this format so you can open the certificate with text editor.

  2. Locate and open the .cer certificate file with a text editor. When copying the certificate data, make sure that you copy the text as one continuous line.

  3. Copy the data that's listed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- as one continuous line to the Inbound Certificate Chain field when you create a connection.

     Example:

     

Create a connection

1. Go to the virtual network gateway you created and select Connections.

2. At the top of the Connections page, select + Add to open the Create connection page.

3. On the Create connection page, on the Basics tab, configure the values for your connection:

   • Under Project details, select the subscription and the resource group where your resources are located.

   • Under Instance details, configure the following settings:

     • Connection type: Select Site-to-site (IPSec).
     • Name: Name your connection. Example: VNet-to-Site1.
     • Region: Select the region for this connection.

4. Select the Settings tab.

   

   Configure the following values:

   • Virtual network gateway: Select the virtual network gateway from the dropdown list.
   • Local network gateway: Select the local network gateway from the dropdown list.
   • Authentication Method: Select Key Vault Certificate.
   • Outbound Certificate Path: The path to the outbound certificate that's located in Key Vault. The method to get this information is at the beginning of this section.
   • Inbound Certificate Subject Name: The CN for the inbound certificate. The method to get this information is at the beginning of this section.
   • Inbound Certificate Chain: The certificate data you copied from the .cer file. Copy and paste the certificate information for the inbound certificate. The method to get this information is at the beginning of this section.
   • IKE Protocol: Select IKEv2.
   • Use Azure Private IP Address: Don't select.
   • Enable BGP: Only enable if you want to use BGP.
   • IPsec/IKE policy: Select Default.
   • Use policy based traffic selector: Select Disable.
   • DPD timeout in seconds: Select 45.
   • Connection Mode: Select Default. This setting is used to specify which gateway can initiate the connection. For more information, see VPN Gateway settings - Connection modes.
   • For NAT Rules Associations, leave both Ingress and Egress as 0 selected.

5. Select Review + create to validate your connection settings, then select Create to create the connection.

6. After the deployment is finished, you can view the connection on the Connections page of the virtual network gateway. The status changes from Unknown to Connecting and then to Succeeded.

Next steps

Once your connection is complete, you can add virtual machines to your VNets. For more information, see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM network overview.

For P2S troubleshooting information, Troubleshooting Azure point-to-site connections.