P2S cannot reach resources at onsite prem over S2S

Jonas Larsson 0 Reputation points
2023-11-02T09:58:30.6666667+00:00

Hi,

I have a onsite fortigate firewall configured S2S to Azure. This works fine, I can access the VM at Azure. I have now created P2S at Azure (OpenVPN). The clients can connect to a VM at Azure. BUT cannot connect to resources at onsite via already configured S2S tunnel. Is BGP needed for this to work or can static routing be used? Id rather be using static routing. Thanks

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,719 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. GitaraniSharma-MSFT 49,891 Reputation points Microsoft Employee
    2023-11-02T10:14:03.3033333+00:00

    Hello @Jonas Larsson ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have an existing site to site VPN connection from your on-premises to Azure and you added a point to site VPN configuration on it and are able to access the Azure VMs from the VPN client but are unable to connect to your on-premises resources.

    In order for you to be able to access your on-prem network (which is connected to Azure VPN by site-to-site connection) from your Point to site VPN client, your Site-to-Site VPN connection should be running BGP.

    If your site-to-site connection between Azure and On-prem uses BGP, then you can just manually add the routes for your on-prem network to the Windows P2S client and will be able to access the on-prem network from your point to site connection/client. For non-windows clients, you do not need to add the manual routes as BGP is enough for the routes to be propagated.

    To manually add the On-prem network route, you can browse to %AppData%\Microsoft\Network\Connections\Cm*yourGuid\routes.txt* (C:\Users\userID\AppData\Roaming\Microsoft\Network\Connections\Cm*VPNGuid\routes.txt*) in your client machine and add the route in this text file.

    Please refer: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#vnetbranchbgp

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Jonas Larsson 0 Reputation points
    2023-11-02T16:20:19.88+00:00

    I got it working in the end, issue was with onprem firewall S2S configuration in the regards of the P2S subnet phase2 encryption/authentication and pfs. So BGP was not needed.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.