I setup a Site to Site VPN, but I want to add a Point 2 Site connection now.

Question

So I created, Virtual Network Gateway, Connection, Local Network Gateway, and Virtual Network, I Managed to set up a connection with my Edgerouter with Success and then I created a server behind it with no outside address. My Site to Site works fine and it is stable.

My next issue is, I Went into my Virtual Network Gateway and click on Point to site and it doesn't really give me a proper setup... as you can see below. What I am trying to achieve is to Have clients use the L2PT\preshared key option and I do not see that anywhere? I am wondering if I have to move my VNG from Basic to standard... now with that said I tried and I get an error doing that as well ERROR is ""Deployment to resource group 'ITC' failed.
Additional details from the underlying API that might be helpful: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details""

Not sure if I have to delete it and recreate the VNG with VPNGW1 option to get my point to Site working... again the Below is the only options I have.

Address pool

Root certificates

Name	Public certificate data

Revoked certificates

Name	Thumbprint

Additional routes to advertise

Answer 1

Hello @William Bondy ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you created a VPN gateway and configured a site-to-site connection successfully and now you would like to configure point-to-site VPN connection on the gateway for remote clients to connect to Azure using L2TP/Pre-shared key option, but you don't see the option.

First, I would like to draw your attention towards the P2S VPN support on Basic VPN gateway. Point to site VPN gateway can only be configured on a RouteBased Basic VPN Gateway and only SSTP connections are supported. If you are using a PolicyBased Basic VPN Gateway, then point to site VPN configuration will not be available.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#gwsku

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-skus-legacy#config

Another thing to note here is Azure Point-to-site VPN can use one of the following protocols: OpenVPN, Secure Socket Tunneling Protocol (SSTP) and IKEv2 VPN.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about#protocol

Azure Point-to-site VPN doesn't support L2TP protocol. The pre-shared key authentication option is only available for site-to-site connections.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#how-does-my-vpn-tunnel-get-authenticated

For point-to-site VPN, we have the below available authentication mechanisms:

• Azure certificate authentication
• Azure Active Directory authentication
• RADIUS - certificate
• RADIUS - password
• RADIUS - other methods

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about#authentication

From your screenshot, it looks like you have a RouteBased Basic VPN Gateway. For a RouteBased Basic VPN Gateway, the protocol is by default set to SSTP, and you cannot see a tunnel type option. You will only see a "Root Certificate" option to upload root certificates for P2S VPN connectivity.

You can use either a root certificate that was generated with an enterprise solution (recommended) or generate a self-signed certificate.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#generatecert

After you upload the root certificate to your Point to site VPN configuration, you need to install the client certificate on the machine from where you want to connect to Azure and then download the VPN client from the portal to install it on the machine.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-cert-windows#ike

If you don't want to use SSTP protocol or Azure certificate authentication, then you need to upgrade your VPN gateway to a SKU which supports other protocols such as IKEv2/OpenVPN and authentication such as AzureAD/Radius.

With the exception of the Basic SKU, you can resize your gateway to a gateway SKU within the same SKU family. For example, if you have a Standard SKU, you can resize to a HighPerformance SKU. However, you can't resize your VPN gateway between the old SKUs and the new SKU families. For example, you can't go from a Standard SKU to a VpnGw2 SKU, or a Basic SKU to VpnGw1.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-skus-legacy#resize

The resizing of VpnGw SKUs is allowed within the same generation, except resizing of the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. In order to move from Basic to another SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#benchmark

Meaning you cannot re-size or upgrade your Basic SKU to any other SKU via Portal. To change to the new gateway SKU, you need to delete the existing VPN gateway and create a new VPN gateway.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-skus-legacy#change

Kindly let us know if the above helps or you need further assistance on this issue.

---

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.