VPN configuration example: Azure site-to-site VPN connection
This page provides more specific values for configuring a VPN connection between Skytap and an Azure VPN. It contains sample VPN configuration parameters to enter on the Skytap VPN page, as well as the configuration values to enter in your Azure account.
For general information about the configuration process for each side of the VPN connection, first see:
- Creating a VPN connection to your Skytap account.
- Create a Site-to-Site connection in the Azure portal
Sample VPN configuration
In the Azure portal:
Follow the instructions at Create a Site-to-Site connection in the Azure portal.
- During the Create the VPN gateway step, select VPN type: Route-based.
During the Create the local network gateway step, use the following values:
- IP address: Enter the static public IP address that is (or will be) associated with your Skytap VPN. This is either automatically assigned when you click Create VPN in Skytap, or you can manually select from the available static public IP addresses in your Skytap account.
- Address space: Enter the subnet range for the IP addresses you want to access in your Skytap account. This value must match the Skytap subnet range defined in your Skytap VPN configuration.
- In the Configure your VPN device step, note the public IP address of your virtual network gateway.
Download a VPN device configuration script. For example, select one of the Juniper device files.
Skytap VPN configuration
Parameters to enter on your Skytap VPN page:
Value to enter
Name for your Skytap VPN
Remote Peer IP
Enter the public IP address of the VPN gateway in your Azure account.
N/A. This is automatically populated when you select a public IP address for the Skytap peer IP field (see below).
Skytap peer IP
An available public IP address in your Skytap account. Select a public IP address in the same region as the VMs you want to connect to.
This value is entered in the IP address field of the local network gateway in your Azure account.
This is the range of VM IP addresses in Skytap that sends and receives traffic through this VPN. This can’t overlap with the included remote subnet(s) defined below.
This must match the value in the Address space field of the local network gateway in your Azure account.
Apply NAT for Connected Networks
Phase 1 Encryption Algorithm
Phase 1 Hash Algorithm
Phase 1 pre-shared Key
[SHARED SECRET KEY]
This must match the pre-shared key in the Azure VPN connection.
Phase 1 SA lifetime
Phase 1 DH group
Phase 2 encryption algorithm
Phase 2 authentication algorithm
Phase 2 perfect forward secrecy (PFS)
Phase 2 SA lifetime
SA policy level
Specify maximum segment size
Maximum segment size
Dead peer detection
Included remote subnets
Enter the IP addresses and subnets on your Azure virtual network that will send and receive traffic through this VPN.
Excluded remote subnets
Subset of IP addresses and subnets on the Azure virtual network that should be excluded from using the VPN tunnel. This is used only to define exclusions for VPN traffic from larger included remote subnets (defined above).
If the VPN appears to not be working, try the following:
- Verify that you have a strong pre-shared key and that it’s correctly entered in both Skytap and Azure.
- Verify that the VPN settings in both Skytap and Azure match the recommended settings above.
- If you changed any settings in Skytap or Azure, the Azure VPN gateway won’t use the changed settings until you reset it. For instructions, see Reset a VPN Gateway.
In some cases, the Skytap VPN test will show failures for a correctly configured VPN. Try connecting directly from a Skytap VM to an Azure VM.
Make sure both of the VMs are connected to networks attached to the VPN.