Azure - VPN P2S (Point-to-Site) Connectivity using Certificate Authentication
In this lab we will set up Point-to-Site connectivity using certificate-based authentication, as shown in the diagram below.
The VMs and the VNet were already created in the previous lab, so we move straight on to the gateway setup.
LAB Exercise 15- Gateway Subnet
Step 1 - Search for Virtual Network.
Step 2 - Select VNetEastB and open its properties.
Step 3 - Click Subnets and then Gateway subnet.
Step 4 - Enter an address range for the subnet and click Add.
(Note that you cannot choose the subnet name: Azure requires the gateway subnet to be named GatewaySubnet, and the portal fills that in for you.)
LAB Exercise 16- Virtual Network Gateway Setup
Step 1 - Search for Virtual Network Gateway.
Step 2 - Click Add and enter Name - EastUSP2SVPNGW
Step 3 - Select Region - EastUS
Step 4 - Gateway Type - VPN
Step 5 - VPN Type - Route-based
Step 6 - SKU - Basic
(The Basic SKU supports only the SSTP tunnel type for Point-to-Site, which limits clients to Windows. Pick VpnGw1 or higher if you need IKEv2 or OpenVPN clients.)
Step 7 - Virtual Network - select EASTUSB
Step 8 - Public IP address - Create new, Name - VPNGW_PIP
(A VPN gateway requires a public IP, hence we create a new one here.)
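The same Gateway Subnet and VPN gateway, built with the Az PowerShell module instead of the portal. This is an added example and not part of the original lab; the resource group name RG-EastUS and the gateway subnet prefix 10.1.255.0/27 are assumptions, since the page does not state them.

```powershell
# Added example (not from the original lab): Lab Exercises 15 and 16 via Az PowerShell.
# Assumptions: resource group "RG-EastUS" and gateway subnet prefix 10.1.255.0/27.
Connect-AzAccount | Out-Null

$rg   = 'RG-EastUS'                                                   # assumption
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'VNetEastB'

# Azure requires the gateway subnet to be named exactly "GatewaySubnet".
# A /27 leaves room for larger gateway SKUs that need more addresses later.
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27' `
    -VirtualNetwork $vnet | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet    # commit the subnet change

# A Basic SKU gateway needs a Basic, dynamically allocated public IP.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'VPNGW_PIP' -Location 'EastUS' `
    -AllocationMethod Dynamic -Sku Basic

$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConf   = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# Gateway creation takes roughly 30-45 minutes; -AsJob returns immediately so we can wait on it.
$job = New-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'EastUSP2SVPNGW' -Location 'EastUS' `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku Basic -AsJob
$job | Wait-Job | Receive-Job | Select-Object Name, ProvisioningState, GatewayType, VpnType
```

ProvisioningState should read Succeeded before you continue with the certificate steps; a gateway that is still provisioning will not show the Point-to-site configuration blade.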
LAB Exercise 17- Point to Site (P2S) Self Sign Certificate
Learn how to generate a self-signed root certificate and a client certificate for Point-to-Site (P2S) using PowerShell commands.
Step 1 - On the Windows 10 local machine, open PowerShell as Administrator and run the command below to
create a self-signed root certificate (note the result is stored in $cert, which the next command uses as the signer):
===
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
===
Step 2 - In the same PowerShell session (so that $cert is still defined), run the following command to generate a client certificate signed by the root. The TextExtension sets the Client Authentication EKU (1.3.6.1.5.5.7.3.2), which the gateway requires:
===
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
===
Step 3 - Open Run and type certmgr.msc.
Step 4 - Once the window opens, on the left side expand Personal and click Certificates.
Step 5 - Now we need to export P2SRootCert.
Step 6 - Right click on P2SRootCert => All Tasks => Export.
Step 7 - Another window will pop up; click Next.
Step 8 - Select "No, do not export the private key". (The gateway only needs the root's public key; the private key is what signs client certificates and should never leave this machine.)
Step 9 - Select Base-64 encoded X.509 (.CER) and click Next.
Step 10 - Enter the file name as RootCert.cer and choose the desktop as the location.
Step 11 - Click Next.
Step 12 - Click Finish. The certificate file will be exported to the given location.
In the same way we need to export the client certificate as well, this time including its private key.
Step 13 - Now we need to export P2SChildCert.
Step 14 - Right click on P2SChildCert => All Tasks => Export.
Step 15 - Click Next.
Step 16 - Select "Yes, export the private key" and keep the default Personal Information Exchange (.PFX) format, then click Next.
Step 17 - Enter a password. Remember this password; it will be needed when you install this certificate on the client.
Step 18 - Click Next, select the location where you exported the previous file, name the file P2SChildCert, click Next again and then Finish.
Step 19 - Right click on the P2SChildCert.pfx file and click Install PFX.
Step 20 - Select Current User and click Next. It will ask for the password; enter the password you gave while exporting.
Step 21 - Click Next, accept the default store option, and click Finish.
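Steps 3 to 21 can be done from PowerShell instead of clicking through certmgr.msc. This is an added example and not part of the original lab; it assumes the two certificates created by the lab commands exist in Cert:\CurrentUser\My with subjects CN=P2SRootCert and CN=P2SChildCert, and it also produces the Base64 text the portal asks for later.

```powershell
# Added example (not from the original lab): export root (.cer, public only) and
# client (.pfx, with private key) from the user store, and check the chain first.
# Assumes CN=P2SRootCert and CN=P2SChildCert exist in Cert:\CurrentUser\My.
$root  = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq 'CN=P2SRootCert'  | Select-Object -First 1
$child = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq 'CN=P2SChildCert' | Select-Object -First 1
if (-not $root -or -not $child) { throw 'Run the New-SelfSignedCertificate commands from Steps 1 and 2 first' }

# The client certificate must be issued by the root we upload, or the gateway rejects the client.
if ($child.Issuer -ne $root.Subject) { throw 'P2SChildCert was not issued by P2SRootCert' }
if (-not $child.HasPrivateKey)       { throw 'P2SChildCert has no private key; the VPN client cannot use it' }

# Root: public part only (DER encoded, no private key). This is all the gateway needs.
$cerPath = Join-Path $env:USERPROFILE 'Desktop\RootCert.cer'
Export-Certificate -Cert $root -FilePath $cerPath -Type CERT | Out-Null

# The portal's "Public certificate data" field wants the Base64 body only:
# no BEGIN/END CERTIFICATE lines and no line breaks.
$publicCertData = [Convert]::ToBase64String($root.RawData)
Set-Content -Path (Join-Path $env:USERPROFILE 'Desktop\RootCert.b64.txt') -Value $publicCertData

# Client: private key included, so the file must be password protected.
# Read the password interactively rather than hard-coding it in a script.
$pfxPath = Join-Path $env:USERPROFILE 'Desktop\P2SChildCert.pfx'
$pfxPwd  = Read-Host -AsSecureString -Prompt 'Password for P2SChildCert.pfx'
Export-PfxCertificate -Cert $child -FilePath $pfxPath -Password $pfxPwd | Out-Null

# Record the client thumbprint: it is the value needed to revoke this one client
# on the gateway later without replacing the root certificate.
"Root exported to $cerPath, client exported to $pfxPath"
"Client thumbprint: $($child.Thumbprint)"
```

Treat the root's private key (still in Cert:\CurrentUser\My) as the trust anchor for every client: anyone who can use it can mint a certificate the gateway will accept. Keep it on one administrative machine and give each user their own client certificate so that a lost laptop can be revoked individually.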
Step 22 - Now go to the Azure Portal, search for Virtual network gateway and select EastUSP2SVPNGW.
Step 23 - Open its properties and click Point-to-site configuration.
Step 24 - Click Configure now.
Step 25 - Enter the Address pool - 192.168.20.0/24. (This is the range VPN clients receive; it must not overlap the VNet address space or any other network the clients reach.)
Step 26 - Root certificate Name - myRoot.
Step 27 - Public certificate data - open RootCert.cer in a text editor and paste the Base64 text between the BEGIN CERTIFICATE and END CERTIFICATE lines.
Step 28 - Check that the pasted value contains no line breaks and does not include the BEGIN/END lines, otherwise the save fails.
Step 29 - Click Save. Once it is done, click Download VPN client.
Step 30 - Install the downloaded VPN client package on the machine where the client certificate was installed, and connect to the VPN.
Now you can access all the VMs using their private IPs.
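Steps 22 to 30 can also be done with Az PowerShell, which additionally lets you revoke a single client certificate, something the portal walkthrough above does not cover. This is an added example and not part of the original lab; the resource group RG-EastUS, the desktop path of RootCert.cer and the revoked thumbprint value are assumptions.

```powershell
# Added example (not from the original lab): Point-to-Site configuration via Az PowerShell.
# Assumptions: resource group "RG-EastUS", RootCert.cer on the desktop, and a made-up
# thumbprint for the revocation step.
$rg     = 'RG-EastUS'          # assumption
$gwName = 'EastUSP2SVPNGW'
$gw     = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName

# Client address pool. Basic SKU supports only SSTP for P2S, so that is the protocol set here.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool '192.168.20.0/24' -VpnClientProtocol SSTP | Out-Null

# Upload the root's public data: Base64 of the DER bytes, no BEGIN/END lines, no line breaks.
$cerPath  = Join-Path $env:USERPROFILE 'Desktop\RootCert.cer'
$rootCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
$publicCertData = [Convert]::ToBase64String($rootCert.RawData)
Add-AzVpnClientRootCertificate -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName `
    -VpnClientRootCertificateName 'myRoot' -PublicCertData $publicCertData | Out-Null

# Generate and download the VPN client package (a zip) through the SAS URL Azure returns.
$clientConfig = Get-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod EapTls
Invoke-WebRequest -Uri $clientConfig.VpnProfileSASUrl `
    -OutFile (Join-Path $env:USERPROFILE 'Desktop\EastUSP2SVPNGW-client.zip')

# Revoke one client (lost laptop, departed user) by its certificate thumbprint.
# Everyone else's certificate, and the root, stay valid. Thumbprint below is an assumed placeholder.
Add-AzVpnClientRevokedCertificate -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName `
    -VpnClientRevokedCertificateName 'LostLaptop-User1' `
    -Thumbprint '0000000000000000000000000000000000000000' | Out-Null

# Show what the gateway now trusts and rejects.
Get-AzVpnClientRootCertificate    -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName | Select-Object Name
Get-AzVpnClientRevokedCertificate -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName | Select-Object Name, Thumbprint
```

After installing the downloaded client and connecting, Get-VpnConnection on the client shows the connection status, and Get-NetIPAddress should list an address from 192.168.20.0/24 before you test reachability to a VM's private IP.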