Windows Azure Site-to-Site VPN supports the mainstream firewalls, routers and other access devices. The specific models and series are listed in the table below:
| VENDOR | DEVICE FAMILY | MINIMUM OS VERSION | STATIC ROUTING | DYNAMIC ROUTING |
|---|---|---|---|---|
| Allied Telesis | AR Series VPN Routers | 2.9.2 | Coming soon | Not compatible |
| Barracuda Networks, Inc. | Barracuda NG Firewall | Barracuda NG Firewall 5.4.3 | Barracuda NG Firewall | Not compatible |
| Barracuda Networks, Inc. | Barracuda Firewall | Barracuda Firewall 6.5 | Barracuda Firewall | Not compatible |
| Brocade | Vyatta 5400 vRouter | Virtual Router 6.6R3 GA | Configuration instructions | Not compatible |
| Check Point | Security Gateway | R75.40, R75.40VS | Configuration instructions | Configuration instructions |
| Cisco | ASA | 8.3 | Cisco samples | Not compatible |
| Cisco | ASR | IOS 15.1 (static), IOS 15.2 (dynamic) | Cisco samples | Cisco samples |
| Cisco | ISR | IOS 15.0 (static), IOS 15.1 (dynamic) | Cisco samples | Cisco samples |
| Citrix | CloudBridge MPX appliance, or VPX virtual appliance | N/A | Integration instructions | Not compatible |
| Dell SonicWALL | TZ Series, NSA Series, SuperMassive Series, E-Class NSA Series | SonicOS 5.8.x, SonicOS 5.9.x, SonicOS 6.x | Configuration instructions | Not compatible |
| F5 | BIG-IP series | N/A | Configuration instructions | Not compatible |
| Fortinet | FortiGate | FortiOS 5.0.7 | Configuration instructions | Configuration instructions |
| Internet Initiative Japan (IIJ) | SEIL Series | SEIL/X 4.60, SEIL/B1 4.60, SEIL/x86 3.20 | Configuration instructions | Not compatible |
| Juniper | SRX | JunOS 10.2 (static), JunOS 11.4 (dynamic) | Juniper samples | Juniper samples |
| Juniper | J-Series | JunOS 10.4r9 (static), JunOS 11.4 (dynamic) | Juniper samples | Juniper samples |
| Juniper | ISG | ScreenOS 6.3 (static and dynamic) | Juniper samples | Juniper samples |
| Juniper | SSG | ScreenOS 6.2 (static and dynamic) | Juniper samples | Juniper samples |
| Microsoft | Routing and Remote Access Service | Windows Server 2012 | Not compatible | Microsoft samples |
| Openswan | Openswan | 2.6.32 | (Coming soon) | Not compatible |
| Palo Alto Networks | All devices running PAN-OS 5.0 or greater | PAN-OS 5x or greater | Palo Alto Networks | Not compatible |
| Watchguard | All | Fireware XTM v11.x | Configuration instructions | Not compatible |
Besides hardware appliances, a server running Windows Server with the Routing and Remote Access Service, or a server running Linux with Openswan, can also serve as the on-premises device for a Windows Azure Site-to-Site VPN. Although Openswan is listed as "Coming soon" in the table, testing shows that Openswan can indeed connect to a Windows Azure Site-to-Site VPN. A few points to note:
- Install Openswan from the Linux distribution's package repository where possible, and make sure the Openswan version is 2.6.32 or later.
- Openswan only supports static routing gateways, which means a multi-site VPN cannot be built with Openswan.
- Bind the local public IP address directly to the Linux server's network interface; avoid placing any NAT device in between.
The following is a reference Openswan configuration. Edit `/etc/ipsec.conf` (`sudo vi /etc/ipsec.conf`):

```
version 2.0    # conforms to second version of ipsec.conf specification

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:192.168.123.0/24    # local LAN address range
    oe=off

conn branch1
    auto=start
    authby=secret
    type=tunnel
    left=[local public IP address]
    leftsubnet=192.168.123.0/24    # local LAN address range
    leftnexthop=%defaultroute
    right=[Windows Azure VPN Gateway IP address]
    rightsubnet=192.168.223.0/24    # Windows Azure virtual network address range
    #ike=3des-sha1-modp1024,aes128-sha1-modp1024    # comment this line out when connecting to Windows Azure China; keep it when connecting to international Microsoft Azure
    esp=3des-sha1,aes128-sha1
    pfs=no
```

Then edit `/etc/ipsec.secrets` (`sudo vi /etc/ipsec.secrets`):

```
#include /etc/ipsec.d/*.secrets
[local public IP address] [Windows Azure VPN Gateway IP address] : PSK "[Windows Azure VPN shared key]"
```
Once the configuration is complete, run the following commands to bring up the IPsec VPN connection:

```
sudo ipsec secrets
sudo service ipsec restart
sudo service ipsec status
```
So what is the advantage of using Openswan to connect to a Windows Azure Site-to-Site VPN? Is it just to save the cost of one access device? No! The core advantage of this approach is that a secure connection to Windows Azure can be established from any cloud platform that supports Linux virtual machines, and that of course includes connecting to both international Microsoft Azure and Windows Azure China. This gives customers network-infrastructure-level support for implementing a "cross-cloud deployment architecture".