P2S cannot reach resources at onsite prem over S2S

Question

P2S cannot reach resources at onsite prem over S2S

Jonas Larsson 0

Hi,

I have a onsite fortigate firewall configured S2S to Azure. This works fine, I can access the VM at Azure. I have now created P2S at Azure (OpenVPN). The clients can connect to a VM at Azure. BUT cannot connect to resources at onsite via already configured S2S tunnel. Is BGP needed for this to work or can static routing be used? Id rather be using static routing. Thanks

2 answers

Your answer

Answer 1

Hello @Jonas Larsson ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you have an existing site to site VPN connection from your on-premises to Azure and you added a point to site VPN configuration on it and are able to access the Azure VMs from the VPN client but are unable to connect to your on-premises resources.

In order for you to be able to access your on-prem network (which is connected to Azure VPN by site-to-site connection) from your Point to site VPN client, your Site-to-Site VPN connection should be running BGP.

If your site-to-site connection between Azure and On-prem uses BGP, then you can just manually add the routes for your on-prem network to the Windows P2S client and will be able to access the on-prem network from your point to site connection/client. For non-windows clients, you do not need to add the manual routes as BGP is enough for the routes to be propagated.

To manually add the On-prem network route, you can browse to %AppData%\Microsoft\Network\Connections\Cm*yourGuid\routes.txt* (C:\Users\userID\AppData\Roaming\Microsoft\Network\Connections\Cm*VPNGuid\routes.txt*) in your client machine and add the route in this text file.

Please refer: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#vnetbranchbgp

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Jonas Larsson 0 Reputation points

2023-11-02T10:28:07.0166667+00:00

Hi @GitaraniSharma-MSFT !

Thank you for your answer. So is BGP needed or can it be achived with static routes?

Thanks

Regards

Jonas
GitaraniSharma-MSFT 49,891 Reputation points Microsoft Employee

2023-11-02T12:01:50.6233333+00:00

Hello @Jonas Larsson , the recommended setup is to use BGP.

Static routes may work but we have not tested such scenario and do not recommend it.

There is an option to advertise custom routes to all of your point-to-site VPN clients.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes

If interested, you may give it a try. You need to make sure that the on-premises have a route for the P2S VPN address pool range.

Regards,

Gita

Answer 2

Jonas Larsson 0

I got it working in the end, issue was with onprem firewall S2S configuration in the regards of the P2S subnet phase2 encryption/authentication and pfs. So BGP was not needed.

GitaraniSharma-MSFT 49,891 Reputation points Microsoft Employee

2023-11-02T16:29:58.2+00:00

Thank you for the update, @Jonas Larsson . Glad to hear that your setup is working now. May I know what all changes you made?

Did you advertise custom routes on your point-to-site configuration and add the P2S subnet in your on-prem firewall? Or did you make any other changes?

Regards,

Gita

Share via

P2S cannot reach resources at onsite prem over S2S

2 answers

Your answer