Policy-Based VPN - Phase 2 problem

Marcio Henriques 5

Hey guys.

I have to connect a S2S vpn with a provider. The VPN type must be Policy-Based. My problem is that I can establish the phase 1 of the VPN, but phase 2 remains in idle status (as seen by the supplier on his side).

How can I do a troubleshoot on my side in Azure? Or any idea what my problem might be?

Thanks in advance

ChaitanyaNaykodi-MSFT 24,681 Reputation points Microsoft Employee

2023-10-23T19:22:04.36+00:00

@Marcio Henriques

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
ChaitanyaNaykodi-MSFT 24,681 Reputation points Microsoft Employee

2023-10-25T19:58:11.5733333+00:00

@Marcio Henriques

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

1 answer

ChaitanyaNaykodi-MSFT 24,681 Reputation points Microsoft Employee

2023-10-14T00:49:35.81+00:00

@Marcio Henriques

Thank you for reaching out.

I understand you are facing issue while establishing the Phase 2 connection on your policy-based VPN.

I think the underlying problem in this case might be that.

As documented here

As of Oct 1, 2023, you can't create a policy-based VPN gateway. All new VPN gateways will automatically be created as route-based.

Hope this helps! Please let me know if you have any additional questions we will gladly continue with our discussion. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Marcio Henriques 5 Reputation points

2023-10-14T01:01:05.7466667+00:00

Thanks for your answer!

I am aware of this. I read that I could only create this type of VPN Gateway through the command line and that's what I did.

I used the following command:

az network vnet-gateway create --gateway-type Vpn --location "East US" --name VNG_VPN --no-wait --public-ip-addresses VPN-IP --resource-group RG_VPN --sku Basic --vnet VNET_VPN --vpn-type PolicyBased

Then I created the local network gateway and then configured the VPN connection.

Regards,

MH

Marcio Henriques 5 Reputation points

2023-10-14T02:25:30.25+00:00

Thanks for your answer!

I am aware of this. I read that I could only create this type of VPN Gateway through the command line and that's what I did.

I used the following command:

az network vnet-gateway create --gateway-type Vpn --location "East US" --name VNG_VPN --no-wait --public-ip-addresses VPN-IP --resource-group RG_VPN --sku Basic --vnet VNET_VPN --vpn-type PolicyBased

Then I created the local network gateway and then configured the VPN connection.

However, it is not working and no troubleshoot works for this type of VPN. I would like to know a way to identify where the problem is.

Regards,

MH

ChaitanyaNaykodi-MSFT 24,681 Reputation points Microsoft Employee

2023-10-16T19:09:28.87+00:00

@Marcio Henriques

I understand not much functionality is offered for troubleshooting Policy Based VPN Gateway.

I tried a deployment on my end as well and was able to deploy a Basic SKU Policy based VPN Gateway. Let me contact the product team here and get back to you with an update. Thank you for your patience here.

Marcio Henriques 5 Reputation points

2023-10-17T18:29:22.0233333+00:00

@ChaitanyaNaykodi-MSFT

I appreciate that. I´ll wait your return.

Thanks for your support!

MH

ChaitanyaNaykodi-MSFT 24,681 Reputation points Microsoft Employee

2023-10-17T18:29:43.2466667+00:00

@Marcio Henriques

Thank you for your patience here.

I just confirmed with the product team, and they have updated the document, and it now states that.

To help troubleshoot the Phase 2 issue, please consider the following points.

Confirm with the supplier that the Phase2 parameters are set exactly as mentioned below. This is currently documented here

Vnet and Local network gateway IP ranges that are set and configured in Azure must match exactly with your on-premises configuration.

Hope this helps! Please let me if the issue still persists. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Marcio Henriques 5 Reputation points

2023-10-17T19:16:01.7633333+00:00

@ChaitanyaNaykodi-MSFT

By the way, I wanted to ask a question.

By using policy based I read that the protocol used would be IKEv1 ( and the portal shows me that the protocol used is V1). However, when I download the VPN configuration file it shows that the protocol used is IKEv2. Can you confirm which protocol is used? Is it the V1 or the V2?

Thanks.

Regards,

MH

Marcio Henriques 5 Reputation points

2023-10-18T02:21:33.1833333+00:00

@ChaitanyaNaykodi-MSFT

Issue regarding VPN phase 2 has been resolved. The PFS was configured as YES at the vendor side. He set it to NO and phase 2 became active. Confirmed by him.

Thanks for the help at this point.

Now I have a second problem as follows.

To create this VPN I created a vnet1 - 10.245.92.112/28 (exactly the network that my provider passed me as available). I created the subnet gateway inside that vnet (10.245.92.112/28 as well) and that vnet doesn't have a subnet.

I created a second vnet2 - 10.245.92.0/28 for my virtual machines.

My vendor's services that I need to access are configured in the Address Space(s) on the local network gateway

However when I try to close telnet on my provider's service through a virtual machine on vnet2 it doesn't work.

Do I need to create some kind of route to make it work?

ChaitanyaNaykodi-MSFT 24,681 Reputation points Microsoft Employee

2023-10-18T18:07:16.47+00:00

@Marcio Henriques

Thank you for getting back and glad to know that the Phase 2 issue was resolved.

Based on my understanding of your question.

I think you will have to peer the vnet1 and vnet2 in order to establish connectivity here. You can follow this tutorial for additional help.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

Hope this helps! Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

ChaitanyaNaykodi-MSFT 24,681 Reputation points Microsoft Employee

2023-10-19T17:49:34.87+00:00

@Marcio Henriques

Just following up here to see if you were able take a look at my comment above. Thank you!

If it helps you can also enable diagnostic logging for policy based VPN. For Policy Based gateways, only GatewayDiagnosticLog and RouteDiagnosticLog are available.

Hope this helps! Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Marcio Henriques 5 Reputation points

2023-10-19T21:03:58.4566667+00:00

Hi ChaitanyaNaykodi-MSFT!

Yeah, I saw your comment. I just haven't had time to test it yet. I will do it as soon as possible and let you know the result. Thank you so much for the support.

Best Regards,

MH

ChaitanyaNaykodi-MSFT 24,681 Reputation points Microsoft Employee

2023-10-19T23:54:31.6333333+00:00

@Marcio Henriques

Sounds good. Thank you for letting me know.

Marcio Henriques 5 Reputation points

2023-10-31T20:19:46.5533333+00:00

Hi, ChaitanyaNaykodi-MSFT!

I did a test now.

I peered the 2 networks but couldn't establish the connection. I asked my customer to start the vpn from his side, I saw the status of it connected in the azure portal, but from my virtual machine I couldn't access any service.

To peer the networks i check the option like de image in both networks. Is it correct?

Follow the details of the both networks:

Virtual network - VPN Gateway

vnet-xxx-cert - 10.245.92.112/28

GatewaySubnet - 10.245.92.112/28

no subnet ( Is it correct not to have a subnet??? )

Virtual network - Virtual Machine

vnet-vm-xxx-cert - 10.245.92.0/28

subnet - 10.245.92.0/28

Thanks in advance.

MH

ChaitanyaNaykodi-MSFT 24,681 Reputation points Microsoft Employee

2023-11-07T02:18:31.7433333+00:00

@Marcio Henriques

Apologies for delay in getting back.

I do not see an issue with the Vnet peering settings and the Subnets.

Can you please check if there is no NSG present which is blocking this connectivity? you can use IP flow verify to help troubleshoot this issue.

If any NSG is not blocking the connectivity, to troubleshoot the exact issue I think we will need specialized 1:1 session, where a support engineer can have a screen share session to pin point the issue. If you have a support plan you may file a support ticket, else could you please send an email to azcommunity@microsoft.com with the below details.

Subject : Attn Chaitanya

Thread URL: Link to this thread.

Subscription ID

Please let me know once you have done the same.
Sign in to comment

Share via

Policy-Based VPN - Phase 2 problem

1 answer