使用Openswan接入Windows Azure Site to Site VPN

Winodows Azure的Site to Site VPN支持主流的防火墙和路由器等接入设备。具体型号和系列请参考下表：

VENDOR	DEVICE FAMILY	MINIMUM OS VERSION	STATIC ROUTING	DYNAMIC ROUTING
Allied Telesis	AR Series VPN Routers	2.9.2	Coming soon	Not compatible
Barracuda Networks, Inc.	Barracuda NG Firewall	Barracuda NG Firewall 5.4.3	Barracuda NG Firewall	Not compatible
Barracuda Networks, Inc.	Barracuda Firewall	Barracuda Firewall 6.5	Barracuda Firewall	Not compatible
Brocade	Vyatta 5400 vRouter	Virtual Router 6.6R3 GA	Configuration instructions	Not compatible
Check Point	Security Gateway	R75.40, R75.40VS	Configuration instructions	Configuration instructions
Cisco	ASA	8.3	Cisco samples	Not compatible
Cisco	ASR	IOS 15.1 (static), IOS 15.2 (dynamic)	Cisco samples	Cisco samples
Cisco	ISR	IOS 15.0 (static), IOS 15.1 (dynamic)	Cisco samples	Cisco samples
Citrix	CloudBridge MPX appliance, or VPX virtual appliance	N/A	Integration instructions	Not compatible
Dell SonicWALL	TZ Series, NSA Series, SuperMassive Series, E-Class NSA Series	SonicOS 5.8.x, SonicOS 5.9.x, SonicOS 6.x	Configuration instructions	Not compatible
F5	BIG-IP series	N/A	Configuration instructions	Not compatible
Fortinet	FortiGate	FortiOS 5.0.7	Configuration instructions	Configuration instructions
Internet Initiative Japan (IIJ)	SEIL Series	SEIL/X 4.60, SEIL/B1 4.60, SEIL/x86 3.20	Configuration instructions	Not compatible
Juniper	SRX	JunOS 10.2 (static), JunOS 11.4 (dynamic)	Juniper samples	Juniper samples
Juniper	J-Series	JunOS 10.4r9 (static), JunOS 11.4 (dynamic)	Juniper samples	Juniper samples
Juniper	ISG	ScreenOS 6.3 (static and dynamic)	Juniper samples	Juniper samples
Juniper	SSG	ScreenOS 6.2 (static and dynamic)	Juniper samples	Juniper samples
Microsoft	Routing and Remote Access Service	Windows Server 2012	Not compatible	Microsoft samples
Openswan	Openswan	2.6.32	(Coming soon)	Not compatible
Palo Alto Networks	All devices running PAN-OS 5.0 or greater	PAN-OS 5x or greater	Palo Alto Networks	Not compatible
Watchguard	All	Fireware XTM v11.x	Configuration instructions	Not compatible

除了硬件设备外，运行Windows Server+Routing and Remote Access Service的服务器和运行Linux+Openswan的服务器也可以作为Windows Azure Site to Site VPN的接入设备使用。虽然列表中Openswan的状态是“Coming soon”，但经过测试，Openswan是的确可以连接到Windows Azure Site to Site VPN的。

• 尽量使用Linux操作系统的package repository来安装Openswan，确保Openswan的版本大于等于2.6.32。
• Openswan只支持静态路由网关，这就意味着使用Openswan不能做Multiple Site VPN。
• 将本地的公网IP地址直接绑定到Linux服务器的网卡上，尽量不要经过任何NAT设备。

以下是Openswan的参考配置文件：

sudo vi /etc/ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:192.168.123.0/24 #本地局域网地址段
        oe=off

conn branch1
        auto=start
        authby=secret
        type=tunnel
        left=[本地公网IP地址]
        leftsubnet=192.168.123.0/24 #本地局域网地址段
        leftnexthop=%defaultroute
        right=[Windows Azure VPN Gateway的IP地址]
        rightsubnet=192.168.223.0/24 #Windows Azure虚拟网络地址段
        #ike=3des-sha1-modp1024,aes128-sha1-modp1024 #连接中国版Windows Azure时请将此行注释掉。连接国际版Microsoft Azure请保留此行
        esp=3des-sha1,aes128-sha1
        pfs=no

sudo vi /etc/ipsec.secrets
#include /etc/ipsec.d/*.secrets
[本地公网IP地址] [Windows Azure VPN Gateway的IP地址] : PSK "[Windows Azure VPN共享密钥]"

配置完成后，执行以下命令建立IPSec VPN连接

sudo ipsec secrets
sudo service ipsec restart
sudo service ipsec status

使用Openswan接入Windows Azure Site to Site VPN的优势是什么呢？只是为了省一个接入设备吗？NO~~~，这个方案的核心优势是：可以从任何支持Linux虚拟机的云平台建立到Windows Azure的安全连接！当然也包括连接国际版Microsoft Azure和中国版Windows Azure。为客户实施“跨云部署架构”提供了网络基础设施层面的支持。