Using the DrayTek Vigor2862 Modem's VPN to Connect to Azure - Garybro/Tips GitHub Wiki
I have found that the DrayTek Vigor2862 ADSL modem is ideally suited to site-to-site VPN to Azure VPN Gateway.
These Microsoft documents may be useful:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
This How-To is not too bad either:
http://docs.hillstonenet.com/en/Content/Cookbook/cb29-Site-to-Site%20VPN.htm
I don't describe setting up Azure resources here except for this:
I configured a virtual network for my AADDS using the address range 10.100.1.0/24. I determined that I would use the address range 10.100.2.0/27 for the Gateway. There's no particular reason for using these; I just like the look of it. This is important because you have to use this info in the setup of the modem.
When you set up a VPN Gateway on Azure, it will be assigned a public IP address as the connection point for the Azure end of the Route-based tunnel. You need this information in the setup of the modem. Create the Local Network Gateway. You will provide connection addresses and a shared secret for the LN Gateway which you will need to use in the modem configuration.
Setting up the modem VPN connection:
Log in to the modem as the administrator. Go to 'VPN and Remote Access > LAN to LAN'.
Select an unused Index number.
In '1. Common Settings', give the new profile a name, such as 'Azure' and check the 'Enable this profile' check box. Check the 'Dial-Out' radio button in the 'Call Direction' panel and check the 'Always on' checkbox. 'Idle Timeout' will change to -1 seconds.
In '2. Dial-Out Settings', check the 'L2TP with IPSec Policy' radio button and choose 'Must' in the policy option dropdown list. In the 'Server IP/Host Name for VPN' field, enter the Azure VPN Gateway connection point public IP address. In the 'IKE Authentication Method' panel, check the 'Pre-Shared Key' radio button. Click on the 'IKE Pre-Shared Key' button and enter the pre-shared key provided during the Azure VPN Gateway setup.
In the 'IPsec Security Method' panel, check the 'High(ESP)' radio button and select 'DES with Authentication' in the dropdown list. Click the 'Advanced' button and choose:
IKE phase 1 proposal - AES256_SHA256_G2
IKE phase 2 proposal - DES_[SHA1,MD5,SHA256]
IKE phase 1 key lifetime - 28800
IKE phase 2 key lifetime - 27000
Perfect Forward Secret - Disable
Click 'OK' to save the settings and return to the configuration page.
Sections 3 and 4 are not relevant.
In '5. TCP/IP Network Settings', enter the public IP address of your modem in 'My WAN IP'. In 'Remote Gateway IP', enter the Azure Gateway connection end point public IP address. In 'Remote Network IP', enter the network address for the AADDS virtual network subnet (10.100.1.0 in this example). Note: Do not use the network address range of the Azure Gateway because you are not trying to route to the Gateway subnet. In 'Remote Network Mask', choose the appropriate mask for your AADDS virtual network subnet. In 'Local Network IP', enter the network address for the local network (such as 192.168.0.0). In 'Local Network Mask', choose the appropriate mask for your local network.
Click 'OK' to save the configuration. All things being equal, the modem will immediately connect to Azure.
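A pre-flight check of the values entered in sections 2 and 5, as an added example that is not part of the original wiki page: it derives the dotted masks for the two 'Network Mask' fields, rejects a remote network that overlaps the gateway subnet, and lists legacy algorithms in the two IKE proposals. The /24 on the local network, the `WEAK` table and the function name `audit_profile` are assumptions of this example.

```python
import ipaddress
import re

# Legacy primitives to flag; this table is the example's assumption, not DrayTek's or Azure's.
WEAK = {"DES": "56-bit key", "MD5": "legacy hash", "SHA1": "legacy hash",
        "G1": "768-bit DH group", "G2": "1024-bit DH group"}

# Values from the page; the /24 on the local network is assumed (the page gives no mask).
PAGE_PROFILE = {
    "local_network": "192.168.0.0/24",
    "remote_network": "10.100.1.0/24",         # AADDS virtual network
    "azure_gateway_subnet": "10.100.2.0/27",   # must NOT be used as the remote network
    "phase1": "AES256_SHA256_G2",
    "phase2": "DES_[SHA1,MD5,SHA256]",
    "pfs": False,
}

def audit_profile(p):
    """Return (masks for the modem's mask fields, list of findings)."""
    # Strict parsing raises ValueError if host bits are set, e.g. 10.100.1.5/24.
    local = ipaddress.ip_network(p["local_network"])
    remote = ipaddress.ip_network(p["remote_network"])
    gateway = ipaddress.ip_network(p["azure_gateway_subnet"])
    findings = []
    if remote.overlaps(gateway):
        findings.append("remote network overlaps the Azure gateway subnet")
    if remote.overlaps(local):
        findings.append("local and remote networks overlap")
    for phase in ("phase1", "phase2"):
        # Split 'DES_[SHA1,MD5,SHA256]' into DES, SHA1, MD5, SHA256.
        for token in re.split(r"[_\[\],]+", p[phase]):
            if token in WEAK:
                findings.append(f"{phase}: {token} ({WEAK[token]})")
    if not p["pfs"]:
        findings.append("PFS disabled")
    masks = {"local": str(local.netmask), "remote": str(remote.netmask)}
    return masks, findings

if __name__ == "__main__":
    masks, findings = audit_profile(PAGE_PROFILE)
    print(masks)
    for finding in findings:
        print("finding:", finding)
```

The findings list is a review aid for whoever owns the tunnel; any change to a proposal has to be made on both the modem and the Azure connection so the two ends still agree.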
I've had great success with this configuration and my modem has been connected continuously since it was configured 5 days ago.
Azure will graph the connection for you when you click on the Gateway in your tenant's resources list on the Home page (portal.azure.com/#home).