Secure Policy-Based IPsec Connectivity Between Timus and Azure Virtual WAN

Overview

This article explains how to establish a policy-based IPsec site-to-site VPN between Timus gateway and Azure Virtual WAN (vWAN).

The guide covers:

  • Creating and configuring Azure Virtual WAN, Virtual Hub, and VPN Site

  • Proper setup of policy-based IPsec parameters (no BGP)

  • How to retrieve the Azure VPN Gateway public IP

  • What must be configured on the Timus gateway

  • Validation and troubleshooting steps when the tunnel is up but traffic does not pass


1. Scenario & IP Plan

  • Timus LAN (WireGuard): 192.168.249.0/24

  • Timus gateway public IP: (your Timus WAN IP)

  • Azure VPN public IP: Retrieved later from Azure VPN config download

  • VPN type: Policy-based IPsec (no BGP)


2. Create the Virtual WAN (Azure)

  1. In Microsoft Azure Portal, search Virtual WANs

  2. Click Create

  3. Configure:

    • Name: Timus_IPsec

    • Subscription / Resource Group / Region: as required

  4. Click Create


3. Create the Virtual Hub

  1. Open Timus_IPsec

  2. Go to Hubs under Connectivity.

  3. Click + Create hub

  4. Configure:

    • Name: Timus_Hub

    • Region & Hub settings: as required

  5. Click Create


4. Create the VPN Site (Timus)

  1. Search VPN sites under the Hub you created.

  2. Click + Create new VPN site

  3. Basics:

    • Name: Timus_Site_1 (or any)

    • Device vendor: Others

    • Private address space: 192.168.249.0/24

  4. Click Next

Note: This subnet must exactly match the Timus internal LAN(s), i.e. the WireGuard and/or OpenVPN client subnet(s).


5. Configure the VPN Site Link (Timus WAN)

On the Links tab:

  • Link name: Timus_Link_1

  • Link speed: 100 Mbps
    (informational only, no throughput limit)

  • Link provider name: ISP

  • Link IP address / FQDN: Timus gateway public IP
    (example: 150.150.150.150)

Important (Policy-Based IPsec):

  • BGP: Disabled

  • ASN: Leave empty

  • All BGP fields: Empty

Click Review + Create → Create


6. Connect the VPN Site to the Hub

  1. Go to:

    • Virtual WANs → Timus_IPsec

    • Hubs → Timus_Hub

    • VPN (Site-to-site)

  2. If the VPN site is not visible:

    • Remove the filter Hub Association: Connected

  3. Select Timus_Site_1

  4. Click Connect VPN sites

  5. Configure:

    • Connection name: optional

    • Pre-Shared Key (PSK): define and save (must match Timus side)

Note: S2S provisioning can take up to ~1 hour. This is normal.


7. Configure IPsec / IKE Parameters

Set policy-based IPsec values exactly as required by Timus:

  • IKE version: IKEv2

  • DH group: 14

  • Encryption algorithm: AES256

  • Integrity algorithm: SHA256

  • PFS group: Disabled / None

  • SA lifetime: 3600 seconds for Phase 1 and Phase 2

Critical: Azure and Timus parameters must be identical.


8. Download Azure VPN Configuration (Get Azure WAN IP)

  1. In Timus_Hub → S2S VPN

  2. Click Download VPN configuration

  3. Extract the package

  4. Locate the Azure VPN Gateway public IP

This IP is the remote peer for the Timus gateway.


9. Timus Gateway Configuration (Summary)

Configure a policy-based IPsec tunnel on Timus:

Go to Timus Manager -> Sites -> Create New to configure Phase 1.

Under General configuration: 

  • Type: Connector

  • Name: Timus_Azure_VWAN_IPsec

  • Status: Enabled

  • Tunnel Type: IPSec

Under Parameters configuration: 

  • Local Peer: Network -> Select the gateway -> Primary WAN -> Timus Gateway Public IP

  • Remote Peer: IP -> Azure VWAN Public IP/32 -> Azure VWAN Public IP

  • Key Exchange Type: IKEv2

  • Preshared Key: enter the pre-shared key you defined on Azure vWAN

  • Mode: Main

  • Authentication Algorithm: SHA256

  • Encryption Algorithm: AES256

  • DH Group: 14

  • Select "Create firewall rules automatically" checkbox


Under Miscellaneous configuration: 

  • Responder Only: False

  • Margin Time: 60 Seconds

  • Lifetime: 3600 seconds

  • Dead Peer Detection: Enabled

  • DPD Delay: 10

  • DPD Max Failure: 5

  • NAT Traversal: Enabled

To configure Phase 2, in Timus Manager navigate to Sites, expand the gateway, click the arrow icon and select the previously created connector (Timus_Azure_VWAN_IPsec).

Under Phase 2 configuration:

  • Name: Timus_Azure_VWAN_Phase2

  • Status: Enabled

  • Authentication Algorithm: SHA256

  • Encryption Algorithm: AES256

  • Protocol: ESP

  • Local Network: Network -> WireGuard and hit "Add"

  • NAT Status: Disabled

  • Remote Network: IP -> Enter your subnet on Azure VWAN and hit "Add"

  • Perfect Forward Secrecy (PFS): Disabled

  • PFS Group: 14

  • Lifetime: 3600 seconds

  • Tunnel Protocol: ALL

  • Select "Create firewall rules automatically"

  • Hit "Save"

Note: Establishing the IPsec tunnel may take up to one minute. Confirm the status by refreshing the page in Timus Manager → Sites and expanding the gateway with the arrow icon to see the Connector(s), i.e. the IPsec tunnels.


10. Validation & Troubleshooting

Validation

  • Azure connection status: Connected

  • Test traffic:

    • 192.168.249.0/24 ↔ Azure subnet(s)

If the tunnel is up but traffic fails:

  • Verify traffic selectors (policy-based subnets)

  • Check for overlapping IP ranges

  • Re-confirm IPsec proposals match exactly

  • Ensure no BGP is enabled anywhere
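As an added consistency check for sections 7 and 10 (this is example code, not Timus or Azure tooling), the script below compares both sides' IKE/IPsec proposals, traffic selectors and BGP setting, and flags overlapping ranges; the dictionaries, their keys and the Azure hub subnet 10.10.0.0/24 are constructed values.

```python
import ipaddress

# Constructed sample values modelled on this article; the dictionary keys are
# illustrative and are not Timus or Azure API field names.
AZURE = {
    "ike_version": "IKEv2", "dh_group": 14, "encryption": "AES256",
    "integrity": "SHA256", "pfs_group": None, "lifetime": 3600,
    "bgp_enabled": False,
    "site_private_space": ["192.168.249.0/24"],  # VPN site private address space
    "hub_address_space": ["10.10.0.0/24"],       # constructed Azure-side subnet
}
TIMUS = {
    "ike_version": "IKEv2", "dh_group": 14, "encryption": "AES256",
    "integrity": "SHA256", "pfs_group": None, "lifetime": 3600,
    "bgp_enabled": False,
    "local_networks": ["192.168.249.0/24"],      # Phase 2 local network (WireGuard)
    "remote_networks": ["10.10.0.0/24"],         # Phase 2 remote network
}
PROPOSAL_KEYS = ("ike_version", "dh_group", "encryption", "integrity",
                 "pfs_group", "lifetime")


def _nets(cidrs):
    """Parse CIDR strings into a set of ip_network objects (rejects host bits)."""
    return {ipaddress.ip_network(c) for c in cidrs}


def check_tunnel(azure, timus):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    # 1. IKE/IPsec proposals must be identical on both sides (section 7).
    for key in PROPOSAL_KEYS:
        if azure[key] != timus[key]:
            findings.append(f"proposal mismatch on {key}: Azure={azure[key]} Timus={timus[key]}")
    # 2. Policy-based IPsec: BGP must be disabled everywhere.
    if azure["bgp_enabled"] or timus["bgp_enabled"]:
        findings.append("BGP enabled on at least one side; policy-based IPsec needs it disabled")
    # 3. Traffic selectors: Azure site space <-> Timus local, hub space <-> Timus remote.
    az_local, tm_local = _nets(azure["site_private_space"]), _nets(timus["local_networks"])
    az_remote, tm_remote = _nets(azure["hub_address_space"]), _nets(timus["remote_networks"])
    for side, a, t in (("local", az_local, tm_local), ("remote", az_remote, tm_remote)):
        if a != t:
            findings.append(f"{side} selector mismatch: Azure={sorted(map(str, a))} Timus={sorted(map(str, t))}")
    # 4. Local and remote ranges must not overlap, or traffic never enters the tunnel.
    for loc in tm_local:
        for rem in tm_remote:
            if loc.overlaps(rem):
                findings.append(f"overlapping ranges: {loc} and {rem}")
    return findings
```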
