How do I set up Site-to-Site VPN between my Synology Router and Microsoft Azure?
Last updated: Oct 28, 2021
Purpose
Besides Site-to-Site VPN service between two Synology Router products, you may also implement a hybrid cloud solution by setting up a tunnel between a Synology Router and Microsoft Azure Virtual Network.
This tutorial shows you how to set up a Site-to-Site VPN (license required; see Notes) between a Synology Router and Microsoft Azure.
Notes:
- For more information on Synology's licensing plan of Site-to-Site VPN, please refer to this webpage.
- The instructions below are based on Microsoft Azure. The actual steps may vary according to their user-interface updates.
Environment
Before you proceed with the Site-to-Site VPN setup, make sure your environment meets the following requirements:
- Set up your Synology Router and make sure its operating system is SRM 1.1.5 or above.
- Install VPN Plus Server 1.2.0 or above.
- In VPN Plus Server, activate the Site-to-Site VPN feature.
This tutorial is based on the scenario described below.
- Synology Router site
  - Internal subnet: 192.168.1.0/24
  - Gateway IP address (public): 36.xxx.xxx.xxx
- Microsoft Azure site
  - Internal subnet: 10.1.0.0/24
  - Gateway IP address (public): 52.xxx.xxx.xxx
- Pre-shared key: 123456789
- Encryption configuration:
  - Phase 1:
    - Encryption: AES256
    - Authentication: SHA-256
    - Key life: 28800
    - DH Group: 2 (modp 1024)
    - DPD (Dead Peer Detection): disable
  - Phase 2:
    - Encryption: AES256
    - Authentication: SHA-256
    - Key life: 3600
    - DH Group: 2 (modp 1024)
Resolution
1. Site-to-Site VPN configuration on Microsoft Azure
1.1 Create a virtual network
1.2 Create a virtual network gateway
1.3 Create a local network gateway
2. Site-to-Site VPN configuration on a Synology Router
Sign in to SRM on your Synology Router, and follow the steps below:
- Go to VPN Plus Server > Site-to-Site VPN.
- Click Add > Manually.
- On the General tab, configure the following settings:
  - Profile name: Enter a customized name for the profile. Here, we enter "Syno_to_Azure".
  - Pre-shared key: Here, we enter "123456789".
- Under the Local Site section, configure the following settings:
  - Outbound IP: Enter the Synology Router's public IP address. Here, we enter "36.xxx.xxx.xxx".
  - Local ID: You can enter a public IP address or FQDN to specify the Local ID. Here, we enter "36.xxx.xxx.xxx".
  - Private subnet: Specify the local network under the private subnet of the Synology Router. Here, we select Local Network (192.168.1.0/24).
- Under the Remote Site section, configure the following settings:
  - IP address/FQDN: Enter the public IP address of the Microsoft Azure site, e.g., "52.xxx.xxx.xxx". You can check it at the Azure portal > All resources > Your virtual network gateway > Overview > Public IP address.
  - Remote ID: You can enter a public IP address or FQDN to specify the Remote ID. Here, we enter the public IP address of the Microsoft Azure site, e.g., "52.xxx.xxx.xxx".
  - Private subnet: Specify the local network under the private subnet of Microsoft Azure. Here, we enter "10.1.0.0/24".
- Under Dead Peer Detection section, make sure the checkbox remains unticked.
- On the Encryption tab, make sure the following settings are identical to those on the Azure site:
  - Under the Phase 1 section:
    - IKE version: Select IKEv2.
    - Mode: Select Main mode (ID protection).
    - Encryption: Select AES256.
    - Authentication: Select SHA-256.
    - DH group: Select 2 (modp 1024).
    - Key lifetime: Select 28800 seconds.
  - Under the Phase 2 section:
    - Encryption: Select AES256.
    - Authentication: Select SHA-256.
    - DH group: Select 2 (modp 1024).
    - Key lifetime: Select 3600 seconds.
    - Make sure the Enable Perfect Forward Secrecy (PFS) checkbox remains unticked.
3. Establish a connection between a Synology Router and Microsoft Azure
- Sign in to the Azure portal.
- Go to All resources > Your virtual network gateway > Connections, and click Add.
- Configure the following on the Add connection page:
  - Name: Name the VPN connection profile. Here, we enter "Azure_to_Syno".
  - Connection type: Select Site-to-site (IPsec).
  - Virtual network gateway: Select the previously created "VNet1_GW".
  - Local network gateway: Select the previously created "Syno_Router".
  - Shared key (PSK): Specify the same pre-shared key as on Synology Router. Here, we enter "123456789".
  - IKE Protocol: Here, we select IKEv2.
- Click OK when the settings are complete.
- When the settings are complete, you will see the status "Connected" on both sites. You can now connect to devices or virtual machines (VMs) on both sites.
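An added pre-flight check, not part of Synology's tutorial: it compares the settings planned for both sides (the Encryption tab values must be identical to those on the Azure site, and the subnets must mirror each other) and flags values that negotiate but are weak, such as the sample pre-shared key and DH group 2. The dictionaries are constructed from the scenario in the Environment section; the field names and the 128-bit threshold are this example's assumptions.

```python
import ipaddress
import math
import string

# MODP group number -> modulus size in bits (RFC 2409, RFC 3526).
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MIN_PSK_BITS = 128  # threshold chosen for this example

# Constructed data mirroring the tutorial's scenario; field names are this example's
# own. Tuples are (encryption, authentication, DH group, key lifetime in seconds).
PROPOSAL = {"ike": "IKEv2", "p1": ("AES256", "SHA-256", 2, 28800),
            "p2": ("AES256", "SHA-256", 2, 3600), "psk": "123456789"}
SYNOLOGY = dict(PROPOSAL, local="192.168.1.0/24", remote="10.1.0.0/24")
AZURE = dict(PROPOSAL, local="10.1.0.0/24", remote="192.168.1.0/24")


def mismatches(a, b):
    """Names of settings on which the two peers disagree."""
    bad = [k for k in ("ike", "p1", "p2", "psk") if a[k] != b[k]]
    net = ipaddress.ip_network
    # Each side's remote subnet must be the other side's local subnet.
    if net(a["local"]) != net(b["remote"]) or net(a["remote"]) != net(b["local"]):
        bad.append("subnets")
    elif net(a["local"]).overlaps(net(a["remote"])):
        bad.append("overlap")  # the two sites need distinct address ranges
    return bad


def psk_bits(psk):
    """Rough entropy ceiling: length * log2(size of the ASCII classes used)."""
    classes = (string.digits, string.ascii_lowercase, string.ascii_uppercase, string.punctuation)
    pool = sum(len(c) for c in classes if set(psk) & set(c))
    return len(psk) * math.log2(pool) if pool else 0.0


def weaknesses(cfg):
    """Settings that negotiate fine but give little protection."""
    found = []
    for phase in ("p1", "p2"):
        bits = MODP_BITS.get(cfg[phase][2])
        if bits is not None and bits < 2048:
            found.append(f"{phase}: DH group {cfg[phase][2]} is {bits}-bit MODP")
    if psk_bits(cfg["psk"]) < MIN_PSK_BITS:
        found.append(f"psk: about {psk_bits(cfg['psk']):.0f} bits at best")
    return found


if __name__ == "__main__":
    print(mismatches(SYNOLOGY, AZURE), weaknesses(SYNOLOGY))
```

With the tutorial's values the two sides match, and the check reports the 1024-bit DH group in both phases and the nine-digit pre-shared key; in a real deployment, replace the sample key with a long random value.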