How do I set up Site-to-Site VPN between my Synology Router and Microsoft Azure?


Purpose

Besides Site-to-Site VPN service between two Synology Router products, you may also implement a hybrid cloud solution by setting up a tunnel between a Synology Router and Microsoft Azure Virtual Network.

This tutorial shows you how to set up a Site-to-Site VPN (license required; see Note 1) between a Synology Router and Microsoft Azure.

Notes:

  1. For more information on Synology's licensing plan of Site-to-Site VPN, please refer to this webpage.
  2. The instructions below are based on Microsoft Azure. The actual steps may vary according to their user-interface updates.

Environment

Before you proceed with the Site-to-Site VPN setup, make sure your environment meets the following requirements:

  • Set up your Synology Router and make sure its operating system is SRM 1.1.5 or above.
  • Install VPN Plus Server 1.2.0 or above.
  • In VPN Plus Server, activate the Site-to-Site VPN feature.

This tutorial is based on the scenario described below.

  • Synology Router site
    • Internal subnet: 192.168.1.0/24
    • Gateway IP address (public): 36.xxx.xxx.xxx
  • Microsoft Azure site
    • Internal subnet: 10.1.0.0/24
    • Gateway IP address (public): 52.xxx.xxx.xxx
  • Pre-shared key: 123456789
  • Encryption configuration:
    • Phase 1:
      • Encryption: AES256
      • Authentication: SHA-256
      • Key life: 28800 seconds
      • DH Group: 2 (modp 1024)
      • DPD (Dead Peer Detection): disabled
    • Phase 2:
      • Encryption: AES256
      • Authentication: SHA-256
      • Key life: 3600 seconds
      • DH Group: 2 (modp 1024)

Resolution

1. Site-to-Site VPN configuration on Microsoft Azure

1.1 Create a virtual network

1.2 Create a virtual network gateway

1.3 Create a local network gateway

2. Site-to-Site VPN configuration on a Synology Router

Sign in to SRM on your Synology Router, and follow the steps below:

  1. Go to VPN Plus Server > Site-to-Site VPN.
  2. Click Add > Manually.
  3. On the General tab, configure the following settings:
    • Profile name: Enter a customized name for the profile. Here, we enter "Syno_to_Azure".
    • Pre-shared key: Here, we enter "123456789".
    • Under the Local Site section, configure the following settings:
      • Outbound IP: Enter Synology Router's public IP address. Here, we enter "36.xxx.xxx.xxx".
      • Local ID: You can enter a public IP address or FQDN to specify the Local ID. Here, we enter "36.xxx.xxx.xxx".
      • Private subnet: Specify the local network under the private subnet of Synology Router. Here, we select Local Network (192.168.1.0/24).
    • Under the Remote Site section, configure the following settings:
      • IP address/FQDN: Enter the public IP address of Microsoft Azure site, e.g., "52.xxx.xxx.xxx". You can check it at the Azure portal > All resources > Your virtual network gateway > Overview > Public IP address.
      • Remote ID: You can enter a public IP address or FQDN to specify the Remote ID. Here, we enter the public IP address of Microsoft Azure site, e.g., "52.xxx.xxx.xxx".
      • Private subnet: Specify the local network under the private subnet of Microsoft Azure. Here, we enter "10.1.0.0/24".
    • Under the Dead Peer Detection section, make sure the checkbox remains unticked.
  4. On the Encryption tab, make sure the following settings are identical to those on the Azure site:
    • Under the Phase 1 section:
      • IKE version: Select IKEv2.
      • Mode: Select Main mode (ID protection).
      • Encryption: Select AES256.
      • Authentication: Select SHA-256.
      • DH group: Select 2 (modp 1024).
      • Key lifetime: Select 28800 seconds.
    • Under the Phase 2 section:
      • Encryption: Select AES256.
      • Authentication: Select SHA-256.
      • DH group: Select 2 (modp 1024).
      • Key lifetime: Select 3600 seconds.
      • Make sure the Enable Perfect Forward Secrecy (PFS) checkbox remains unticked.

3. Establish a connection between a Synology Router and Microsoft Azure

  1. Sign in to the Azure portal.
  2. Go to All resources > Your virtual network gateway > Connections, and click Add.
  3. Configure the following on the Add connection page:
    • Name: Name the VPN connection profile. Here, we enter "Azure_to_Syno".
    • Connection type: Select Site-to-site (IPsec).
    • Virtual network gateway: Select the previously created "VNet1_GW".
    • Local network gateway: Select the previously created "Syno_Router".
    • Shared key (PSK): Specify the same pre-shared key as on Synology Router. Here, we enter "123456789".
    • IKE Protocol: Here, we select IKEv2.
  4. Click OK when the settings are complete.
  5. When the settings are complete, you will see the status "Connected" on both sites. You can now connect to devices or virtual machines (VMs) on both sites.
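
The tunnel only comes up when both sites hold identical proposal values and mirrored gateway and subnet entries. The following check is an added example, not Synology or Microsoft code. The dictionary layout, the function names, the 20-character PSK floor and the documentation IP addresses standing in for the masked public addresses are all assumptions of this example. Beyond the matching the tutorial asks for, it also reports hardening notes for the scenario's values.

```python
import ipaddress

PHASE_KEYS = ("encryption", "authentication", "dh_group", "key_life")

def profile(local_gw, remote_gw, local_net, remote_net, psk="123456789"):
    """One site's view of the tunnel, filled with the tutorial's proposal values."""
    return {
        "psk": psk, "ike_version": "IKEv2",
        "local_gw": local_gw, "remote_gw": remote_gw,
        "local_net": local_net, "remote_net": remote_net,
        "phase1": {"encryption": "AES256", "authentication": "SHA-256",
                   "dh_group": 2, "key_life": 28800},
        "phase2": {"encryption": "AES256", "authentication": "SHA-256",
                   "dh_group": 2, "key_life": 3600},
    }

def check_tunnel(a, b):
    """Return the mismatches that would keep the two sites from connecting."""
    problems = []
    for key in ("psk", "ike_version"):
        if a[key] != b[key]:
            problems.append(f"{key} differs")  # never echo the key itself
    for phase in ("phase1", "phase2"):
        for key in PHASE_KEYS:
            if a[phase][key] != b[phase][key]:
                problems.append(f"{phase}.{key}: {a[phase][key]} != {b[phase][key]}")
    # Each side's remote gateway/subnet must be the other side's local one.
    for field in ("gw", "net"):
        if a[f"local_{field}"] != b[f"remote_{field}"] or b[f"local_{field}"] != a[f"remote_{field}"]:
            problems.append(f"{field}: local/remote values are not mirrored")
    if ipaddress.ip_network(a["local_net"]).overlaps(ipaddress.ip_network(a["remote_net"])):
        problems.append("net: private subnets overlap")
    return problems

def weak_settings(p, min_psk_len=20):
    """Hardening notes; the 20-character floor is this example's own assumption."""
    notes = []
    if len(p["psk"]) < min_psk_len or p["psk"].isdigit():
        notes.append("psk: short or digits-only")
    for phase in ("phase1", "phase2"):
        if p[phase]["dh_group"] == 2:
            notes.append(f"{phase}: DH group 2 is a 1024-bit group, discouraged by RFC 8247")
    return notes

# Constructed inputs: documentation addresses stand in for the masked public IPs.
SYNOLOGY = profile("203.0.113.10", "198.51.100.20", "192.168.1.0/24", "10.1.0.0/24")
AZURE = profile("198.51.100.20", "203.0.113.10", "10.1.0.0/24", "192.168.1.0/24")

if __name__ == "__main__":
    print(check_tunnel(SYNOLOGY, AZURE) or "profiles match")
    print(weak_settings(SYNOLOGY))
```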