smallstep_full_white

Configure Azure Virtual Network Gateway VPN with Smallstep

This tutorial describes how to deploy and configure an Azure Virtual Network Gateway for certificate-based IPSec IKEv2 VPN authentication with Smallstep. The Smallstep app can will configure and issue certificates to your clients.

Introduction

You can use an Azure Point-to-Site VPN to connect clients to your Azure virtual network.

In this tutorial, we'll set up client certificate authenticatin with Smallstep, using an IPSec IKEv2 VPN.

You will need the step CLI tool.

Step-by-step instructions

  1. Start by deploying a Virtual Network Gateway. Follow the steps in Create the VPN Gateway section of Microsoft's tutorial. Deploy the gateway, but do not generate any certificates yet.

  2. Once the Gateway is deployed, gather the following properties for your Virtual Network Gateway:

    • The gateway's Public IP Address
    • The gateway's Remote ID and Root CA Certificate. These are loacated inside the Point-to-Site configuration settings file. To find these values, in the Point-to-Site Configuration tab of the Virtual Network Gateway settings, choose Download VPN Client.

    When you choose "Download VPN Client", you will receive a ZIP file containing two crucial configuration parameters:

    • Your gateway's Remote ID, located in Generic/VpnSettings.xml. The Remote ID is the value inside the <VpnServer> XML tag. It will look like this:

      azuregateway-90fe1132-27af-6789-8aa9-4993ac57dd5b-7981e7988384.vpn.azure.com

    • Your gateway's Root CA Certificate, located in Generic/VpnServerRoot.cer_0

      This file is in DER (binary) certificate format. Before you upload it to Smallstep, convert it to PEM format. In the CLI, run:

      step certificate format VpnServerRoot.cer_0 > VpnServerRoot.pem

  3. In Smallstep's Protect tab, create a VPN resource:

    • VPN Server: Azure Virtual Network
    • Remote address: Use the server name or remote IP of your Azure VPN
    • Remote ID: Use the Remote ID you located earier.

  4. Choose "Next"

  5. Under Certificate authorities, choose "Upload external root" and upload the VpnServerRoot.pem file you created earlier.

  6. Finish creating the resource.

  7. On the VPN resource page, download your Smallstep Root Certificate for your Accounts CA. This is the CA that will authenticate your devices.

  8. In Azure, follow the instructions in Upload root certificate public key information to add the Smallstep Root Certifcate to the Root certificates section of your VPN's Point-to-site Configuration.

You're now ready to verify your VPN connection.

Further reading

Microsoft's "Configure a point-to-site VPN" tutorial provides the basis for this tutorial:

Last updated on June 11, 2024