Can I create a site to site vpn using the same resouces (Gateway subnet, public IP, VNet Gateway, Vnet),that I used to create my Point to Site VPN?

Leanna Maloney 0

I Am setting up a Site-to-Site VPN. I have already set up a Point to Site VPN. The same Virtual machine would be accessible using the two types of VPN. Site to Site to join it to the on-premise domain and Point to site to have my users who work from home access it. The same resources I created (Vnet, GW Subnet, Public IP and VNet GW) for the Point to Site VPN. Can it be used to set up my Site to site VPN?

1 answer

TP 82,656 Reputation points

2024-02-26T20:27:56.67+00:00

Hi Leanna,

Yes, you can have both Point-to-Site and Site-to-Site using same VPN Gateway resources.

From the VPN Gateway FAQ:

Can I have Site-to-Site and point-to-site configurations coexist for the same virtual network? Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We don't support point-to-site for static routing VPN gateways or PolicyBased VPN gateways.

Please see tutorial article below for setting up Site-to-Site. Since you already have existing VPN Gateway, you can review Prerequisites and then skip down to Create a local network gateway step and continue from there.

Tutorial: Create a site-to-site VPN connection in the Azure portal

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP
Please sign in to rate this answer.
TP 82,656 Reputation points

2024-02-27T19:42:05.0733333+00:00

@Leanna Maloney Any update?

Leanna Maloney 0 Reputation points

2024-02-28T18:47:32.82+00:00

Hi, I continued with the setup as recommended. But when I completed the RRA configuration on my local server and chose to connect, it said "An error occurred during connection of the interface. IKE authentication credentials are unacceptable.".

TP 82,656 Reputation points

2024-02-28T20:12:46.3366667+00:00

On the VPN demand-dial interface in RRAS, Properties, Security tab, did you select Use preshared key for authentication and enter the same key you used on the connection in Azure portal?

Leanna Maloney 0 Reputation points

2024-02-29T12:39:47.1333333+00:00

Hi, Yes I did. And it's the same preshared key in Azure.

TP 82,656 Reputation points

2024-02-29T12:56:50.7866667+00:00

Thanks. What operating system version is your on premises RRAS?

Off the top of your head, can you think of the places where you didn't go with the defaults? Reason I ask is, yesterday I did quick test whereby I created VPN gateway and set up Server 2019 RRAS server on-prem, using almost all default settings, and it worked straight away.

Might be helpful if you could gather up your settings (obfuscate certain things like public IPs, server names, etc.) so I could look them over.

Leanna Maloney 0 Reputation points

2024-03-01T16:28:22.58+00:00

Hi its win2019 on prem.

TP 82,656 Reputation points

2024-03-04T10:07:59.05+00:00

Thank you for posting all those screenshots. When you created the Site to Site connection, did you leave all the settings at default? See screenshot below:

I think for next step you will need to enable full logging on the RRAS server, attempt to connect, and then examine the log files as well as event viewer.

GitaraniSharma-MSFT 49,001 Reputation points Microsoft Employee

2024-03-07T10:23:06.39+00:00

Hello @Leanna Maloney ,

Do you have any new updates on this issue?

You could refer the below blog for the setup of the S2S connection between RRAS and Azure VPN gateway:

https://learn.microsoft.com/en-us/archive/blogs/jletsch/lets-configure-azure-site-to-site-vpn-with-rras-in-azure-resource-manager

You could also take a look at this 3rd party blog for more information.

And if you are still facing issue, you can refer the below troubleshooting doc:

https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/troubleshoot-vpn

Regards,

Gita

GitaraniSharma-MSFT 49,001 Reputation points Microsoft Employee

2024-03-15T12:47:30.6466667+00:00

Hello @Leanna Maloney , could you please provide an update on this post?

Leanna Maloney 0 Reputation points

2024-05-30T18:29:03.5866667+00:00

Hi, the issue was caused by not creating a tunnel on my firewall, once it was made the VPN showed connected on Azure. I now have another problem with this situation my RRAS when choosing to connect tells me "An error occurred during connection of the interface. Policy match error." See pic below. Also, you will see that it's shows connected on Azure.

GitaraniSharma-MSFT 49,001 Reputation points Microsoft Employee

2024-06-12T11:10:59.8433333+00:00

Hello @Leanna Maloney ,

Apologies for the delay in response.

The error seems to be related to policy mismatch, so you would need to make sure that the IPsec parameters match on both Azure VPN gateway and on-premises device side.

You can find the default IPsec/IKE parameters used by the Azure VPN gateway in the below document:

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#ipsec

To set the IPsec parameters of a VPN connection in your windows server, you can use Set-VpnS2SInterface command.

Refer: https://learn.microsoft.com/en-us/powershell/module/remoteaccess/set-vpns2sinterface?view=windowsserver2019-ps

The Set-VpnS2SInterace cmdlet is used to update parameters for a site-to-site (S2S) interface. If the connection is already connected, the changes take effect after disconnection. You can use the CustomPolicy parameter to customize Internet Protocol security (IPSec) settings. If the AuthenticationMethod parameter is set to pre-shared key (PSK), then only one interface can be enabled per destination and the initiator and responder policies are governed by what is specified for each interface.

-CustomPolicy parameter: Specifies custom Internet Key Exchange (IKE) IPsec policies, must be a separate parameter set.

Refer: https://learn.microsoft.com/en-us/powershell/module/remoteaccess/set-vpns2sinterface?view=windowsserver2019-ps#description

You can also check the Azure VPN logs (IKEDiagnosticLog) to check what's the mismatch, if you've enabled the diagnostic logs for your Azure VPN gateway.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/troubleshoot-vpn-with-azure-diagnostics

Regards,

Gita
Sign in to comment