Point to Site VPN: Unable to access resources from VNET1(P2S) to VNET2 Resources

Question

Hello, i hope someone will help me. I cannot access resources from VNET1 which is configured as point to site and peered with VNET2 which is configured as site to site. Technically my topology is this. Vnet1 with VPN Gateway for point to site -> Vnet 1 is peered to Vnet 2 -> Vnet2 has its own VPN gateway for site to site. Is it possible to access resources from vnet1 using client p2s to vnet2 azure vm resources?

Answer 1

Hello @Crister Palumpon ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Point-to-site client connections to a virtual network gateway that is deployed in a VNet and is peered with other VNets can access other peered VNets as long as the peered VNets are using the UseRemoteGateway / AllowGatewayTransit features.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#can-i-configure-a-point-to-site-client-to-connect-to-multiple-virtual-networks-at-the-same-time

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit#to-add-a-peering-and-enable-transit

However, in your case, both the Vnets have their own VPN gateways, so you cannot enable UseRemoteGateway / AllowGatewayTransit features.

Traffic will transit a peered Vnet if only one of the VNet has VPN gateway deployed.

You can configure the gateway in the peered virtual network as a transit point, but the virtual network that is using a remote gateway can't have its own gateway.

Reference: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#gateways-and-on-premises-connectivity

To resolve this issue, you have 2 options:

Either:

• Delete the P2S VPN gateway from Vnet1.
• Configure P2S VPN on the existing VPN gateway of Vnet2.
• Peer Vnet1 & Vnet2 and then use the transit gateway feature in the Vnet peering between both Vnets to access both Vnets from the P2S clients by re-downloading the VPN client. Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multipeered

OR:

• Disable the Vnet peering and create a site-to-site (IPsec) connection between the two VPN gateways. Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#site-to-site-ipsec
• The local network that is connected to Vnet1 must contain both the Vnet range of Vnet2 and the Point to Site range (address pool range) of VPN clients.
• Enable BGP on all site-to-site connections for routing and manually add routes on Windows clients for the connected VNet. Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multis2sbgp https://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-optional-configurations

Kindly let us know if the above helps or you need further assistance on this issue.

---

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.