Azure VPN P2S

Greg M 20

I have gone through a ton of docs as well as trial and error. I am stuck and would welcome assistance. What I am trying to accomplish seems like it should be straightforward. Easiest for me to express as if I am writing up a bug, so here it goes:

Steps to reproduce:
1 setup vnet
  a address space 10.0.0.0/16
  b default subnet 10.0.0.0.0/24

2 setup vnet gateway
  a vpngw2
  b virtual network from step 1
  c subnet range 10.0.1.0/24
  d create new public IP

3 configure point to site within vnet gateway
  a IKEv2 and OpenVPN protocols
  b 172.16.201.0/24 address pool
  c configure certificate authentication

4 configure clients
  a install root authority key from step 3
  b install client private key from step 3
  c use downloaded Azure files to configure client

5 attempt to connect to azure vnet gateway from client

Expected results:
Client connects to Azure VPN and has access to resources on vnet from step 1

Actual results:
Both Mac and Windows clients timeout when attempting to connect to VPN

KapilAnanth-MSFT 44,931 Reputation points Microsoft Employee

2023-05-23T06:31:08.85+00:00
@Greg M

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are using Azure P2S VPN with certificate authentication and IKEV2-OpenVPN Protocols.

The remote machines are using Azure VPN Client from MS Store. (Windows).

When you say timeout,

What exactly is the error you are seeing in the VPN Client when you hit Connect?

Can you share a screenshot of the error?

I am interested in "Failure Reason" and "Status Logs"

Navigate to the VPN Connection name from the VPN Client

Click the ellipsis icon and click Diagnose

And the click "Run Diagnostics" and share the output from the right window on what's the error.

Cheers,

Kapil
Greg M 20 Reputation points

2023-05-23T10:25:58.11+00:00

Hi Kapil,

Thank you for responding to my message thread. To configure clients my first step is to download from Azure. Here is a screen capture:

When I try to use the Azure VPN client, I import the xml from the above downloaded. I cannot save the configuration however.

When I run the executable that is included in the Azure download it configures the built-in Windows client. When I attempt to connect using the Windows built in client, it simply never connects and I see the indeterminate progress.
KapilAnanth-MSFT 44,931 Reputation points Microsoft Employee

2023-05-23T17:17:09.9933333+00:00
@Greg M

Thanks for the update.

In the VPN Client, can you select the Certificate information as "DigiCert Global Root CA" and give it a try?

Please uninstall the VPN Client App and reinstall it from MS Store

To make sure we have the latest version.

In case that does not help, download it directly from https://aka.ms/azvpnclientdownload

If the issue persists, can you please repeat the steps from a different windows machine (to make sure this is not a OS issue)

Cheers, Kapil
Greg M 20 Reputation points

2023-05-23T19:28:01.8166667+00:00

I setup a VM in Azure to test. Windows 11 Pro. I used the Azure client as you suggested. I also imported the xml as I had previously. The client connected immediately!

Here is my question now. Did it connect for some because it was a clean OS? Did it connect because the VM is in Azure and already a part of my virtual network?

Is it possible I have some routing configured on my virtual network preventing VPN connections? What would I look for in my vnet to see if there is a problem there?
KapilAnanth-MSFT 44,931 Reputation points Microsoft Employee

2023-05-24T04:00:57.15+00:00
@Greg M

Did it connect because the VM is in Azure and already a part of my virtual network?

No

It connected using Internet only, not because it was in same VNet as VPN gateway

In case you suspect this, you can simply create a new dummy Vnet with a single VM and test the same.

Is it possible I have some routing configured on my virtual network preventing VPN connections?

No

The fact that a VM in Azure is connecting to your VPN but not your local server indicates there is a problem with your OS/local machine.

There might be some third party applications preventing your VPN Connection.

Or even company policies (if yours is a GPO managed)

Can you confirm if above two are not the case?

Cheers,

Kapil
Greg M 20 Reputation points

2023-05-24T17:49:10.3366667+00:00

Done and done!

Your suggestion to try another Windows machine was quite good and pointed me in the right direction. I had tried on a Mac, but I will assume I configured the client incorrectly.

Setting up a Windows VM in Azure showed me a successful use case. All I had to do was find the differences. Your answers to my last questions were very helpful. I was not sure if there was special routing for Azure VMs.

Here was my root cause: the rasman service was disabled. It's why I could not save the configuration in the Azure VPN client. I started the rasman service. I imported the configuration downloaded from Azure for the VPN. I clicked connect and it immediately connected.

Thank you Kapil - I consider the issue resolved. Cheers!
KapilAnanth-MSFT 44,931 Reputation points Microsoft Employee

2023-05-25T03:49:41.5266667+00:00

@Greg M

That is wonderful Greg :)

I have summarized our discussion and posted it as an answer.

Request you to please "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

Cheers,

Kapil

Accepted answer

KapilAnanth-MSFT 44,931 Reputation points Microsoft Employee

2023-05-25T03:48:24.2766667+00:00
@Greg M

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are using Azure P2S VPN with certificate authentication and IKEV2-OpenVPN Protocols.

The remote machines are using Azure VPN Client from MS Store. (Windows).

I suggested to check "Run Diagnostics" and share the output from the right window on what's the error.

However, you informed the imported xml configuration could not be saved to begin with and you were using Native windows client.

Then I suggested, in the VPN Client, can you select the Certificate information as "DigiCert Global Root CA" and give it a try?

Please uninstall the VPN Client App and reinstall it from MS Store

To make sure we have the latest version.

In case that does not help, download it directly from https://aka.ms/azvpnclientdownload

If the issue persists, can you please repeat the steps from a different windows machine (to make sure this is not a OS issue)

You informed this was working from an Azure VM and a different server - indicating there is something in the OS blocking the profile addition.

Then you checked the difference between the devices and found that the rasman service was disabled.

It's why we could not save the configuration in the Azure VPN client. I started the rasman service.

Post this, importing the configuration downloaded from Azure for the VPN connected successfully.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

1 additional answer

risolis 8,721 Reputation points

2023-05-20T04:14:49.3666667+00:00
Hello @Greg M

Thank you for posting this concern on this community.

I wonder if you might answer following questions down below:

Are you using Azure VPN Client?

Are you using OpenVPN client?

which one is the Azure VPN Client version used?

which one is the OpenVPN Client version used?

Did you check the MTU value for each OS PC? If i am not mistaken it might be 1400... I know that the default one is 1500

I hope that can be useful for you.

Looking forward to hearing from you

Cheers,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Greg M 20 Reputation points

2023-05-20T14:20:24.0766667+00:00

Hi Risolis - thanks for responding! Let's take each question in turn.

Yes, tried the Azure VPN client as well as the built-in Windows client, for Mac it was the built in Mac client

Did not try OpenVPN at all, but intent to try it using the Ubuntu built in client

Used the Azure VPN client from the Microsoft store, not sure the specific version.

Again, have not tried the OpenVPN connectivity yet

Default MTU, I will assume 1500, but not sure

For some additional context, this is my first time doing such things myself. Overall, it feels like there is something everyone else knows you are supposed to do, but is non-obvious to someone who spends most of his (or her) time writing code and not building infrastructure. The docs are straight forward. Seems like it should 'just work' but, well ...

Let me know your thoughts on what I might do or how I might debug the issue. The diagnostic tools within Azure tell me it's setup correctly and that it should be running fine.

risolis 8,721 Reputation points

2023-05-20T18:05:34.3433333+00:00

Hello @Greg M

Thank you for your quick response.

I fully understand that most of your duties might be writing code and not building infra but I am glad to know that you are developing this skill as well.

Now I wonder where the certificate was coming from... You can either use a Self-Signed certificate or CA certificate and so on....

Furthermore, I believe that if you are using more than 128 active sessions on the P2S VPN, this is the limit sessions that can be operating at the same time.

When I was talking about the MTU value is because I did realize that the MTU value was 1400 as per lab replication shown below:

C:\Users\rsolis>netsh interface ipv4 show interfaces Idx Met MTU State Name --- ---------- ---------- ------------ --------------------------- 49 25 1400 connected vnet-southcentralus-testing-csc-001 1 75 4294967295 connected Loopback Pseudo-Interface 1 8 35 1500 connected Wi-Fi 18 5 1500 disconnected Ethernet 12 25 1500 disconnected Local Area Connection* 1 5 25 1500 disconnected Local Area Connection* 2 C:\Users\rsolis>

risolis 8,721 Reputation points

2023-05-20T18:18:03.2766667+00:00

Another observation is the one below:

Remember that Azure Vnet shall use some IP addresses available from your pool range... So that means that your first valid IP address is going to be 10.0.0.4/24 or 10.0.1.4/24...

Moreover, which subnet is going to be used... Is either 10.0.0.0/24 or 10.0.1.0/24?

Cheers

Greg M 20 Reputation points

2023-05-21T19:46:03.93+00:00

Here is a screen snip of the vnet setup.

Greg M 20 Reputation points

2023-05-21T19:46:45.8133333+00:00

Here is the vnet gateway setup

Greg M 20 Reputation points

2023-05-21T19:46:59.1033333+00:00

Here is the P2S setup

Greg M 20 Reputation points

2023-05-21T19:49:44.2533333+00:00

I tried OpenVPN using Ubuntu 22.04 built in client. It did not work, and here is the log

May 21 12:09:44 apone NetworkManager[739]: <info> [1684685384.2004] vpn[0x5643967364a0,b7f3e769-4f3d-4afc-b520-b238ae011783,"VPN 1"]: starting openvpn May 21 12:09:44 apone NetworkManager[739]: <info> [1684685384.2009] audit: op="connection-activate" uuid="b7f3e769-4f3d-4afc-b520-b238ae011783" name="VPN 1" pid=2205 uid=1000 result="success" May 21 12:09:44 apone nm-openvpn[11066]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers. May 21 12:09:44 apone nm-openvpn[11066]: OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022 May 21 12:10:44 apone NetworkManager[739]: <warn> [1684685444.8756] vpn[0x5643967364a0,b7f3e769-4f3d-4afc-b520-b238ae011783,"VPN 1"]: connect timeout exceeded May 21 12:11:04 apone NetworkManager[739]: <info> [1684685464.7481] vpn[0x564396736720,b7f3e769-4f3d-4afc-b520-b238ae011783,"VPN 1"]: starting openvpn May 21 12:11:04 apone NetworkManager[739]: <info> [1684685464.7486] audit: op="connection-activate" uuid="b7f3e769-4f3d-4afc-b520-b238ae011783" name="VPN 1" pid=2205 uid=1000 result="success" May 21 12:11:04 apone nm-openvpn[11260]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers. May 21 12:11:04 apone nm-openvpn[11260]: OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022 May 21 12:12:04 apone NetworkManager[739]: <warn> [1684685524.8703] vpn[0x564396736720,b7f3e769-4f3d-4afc-b520-b238ae011783,"VPN 1"]: connect timeout exceeded

risolis 8,721 Reputation points

2023-05-22T00:50:29.09+00:00

Many thanks for those logs, buddy.

The issue seems to be a cipher suite mismatch issue.

Or could be that the cipher suite used on your Linux server is deprecated.

Please keep me posted it.

Cheers!

risolis 8,721 Reputation points

2023-05-22T01:11:56.16+00:00

Buddy,

I found this info below:

https://bugzilla.redhat.com/show_bug.cgi?id=2093069 >> community discussion about that error log

https://bodhi.fedoraproject.org/updates/FEDORA-2023-0097fde807 >> If I am not mistaken this might be the fix for it.

Cheers!

Greg M 20 Reputation points

2023-05-22T11:33:02.42+00:00

Both of those articles reference OpenVPN server. Server side is controlled by Azure. The only settings I have available are those I have posted images for. I don't think the articles apply to my problem.

I can try setting a specific cipher on the Linux client. Which would you recommend?

Most of my P2S users would be Mac or Windows, and not Linux. Any thoughts on why the Mac and Windows clients cannot connect?

risolis 8,721 Reputation points

2023-05-22T20:55:06.9133333+00:00

risolis 8,721 Reputation points

2023-05-22T20:55:42.2566667+00:00

risolis 8,721 Reputation points

2023-05-22T21:18:39.0133333+00:00

Greg M 20 Reputation points

2023-05-24T17:51:16.2333333+00:00

Risolis - thank you for sticking with it for me. Asking questions and having me explore unfamiliar areas is exactly what I needed. I consider the issue resolved - cheers!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure VPN P2S

1 additional answer

Your answer