Azure VPN Connectivity (S2S)

Adrian-7267 21 Reputation points
2020-11-24T19:52:29.78+00:00

Hi,

I have a question regarding VPN debugging.
I have setup 2 phases for VPN:
Phase 1: 192.168.0.0/24 <-> 10.10.0.0/16
Phase 2: 172.20.0.0/24 <-> 10.10.0.0/16

I can ping the Azure environment from 192.168.0.0/24 subnet but not from 172.20.0.0/24.
Here is a network diagram:
42257-image.png

Additionally I have made screenshots for clarification:
42220-image.png
The traffic will be sent to the tunnel but never receives on the Host in Azure.

Do you have any ideas?
I have tried removing the NSG without any success.

Many thanks,
Adrian

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,422 questions
0 comments No comments
{count} votes

Accepted answer
  1. SaiKishor-MSFT 17,216 Reputation points
    2020-11-26T07:00:06.083+00:00

    @Adrian-7267 Could you try to enable "Use policy based traffic selector" option in the Azure Portal. You will find this option under the connection configuration page. Attached screenshot.

    Just FYI-
    Setting "Use policy based traffic selector" to true on a connection will configure the Azure VPN gateway to connect to policy-based VPN firewall on premises. If you enable this field, you need to ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:
    10. 1.0.0/16 <====> 192.168.0.0/16
    10. 1.0.0/16 <====> 172.16.0.0/16
    10. 2.0.0/16 <====> 192.168.0.0/16
    10. 2.0.0/16 <====> 172.16.0.0/16

    The reason I ask for this is because you have multiple traffic selectors. Please let me know if enabling this option(also renegotiating VPN after doing the same) makes any difference. Thank you!42944-2020-11-25-22-53-52-testing101-microsoft-azure-and.png

    1 person found this answer helpful.
    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. SaiKishor-MSFT 17,216 Reputation points
    2020-11-25T19:41:46.617+00:00

    @Adrian-7267

    To assist you further, please let me know the following-

    • What kind of S-S VPN are you using?
      If route based, please share the routes from both sides and if policy based, please share the source and destination network addresses for the security policies.

    From what I understand, the traffic is either not being accepted by Azure because of the way the VPN is setup (due to address range not being part of Security Policies) or the end machine is not accepting this traffic due to NSGs. Since you mentioned NSGs were already checked, I would look into the security policies if its a policy based tunnel.

    P.S: Please make sure that the on-premise address ranges (192.168.0.0/24 and 172.20.0.0/24 ranges have been added to the Azure side VPN configuration under the local network gateway address space option. And also make sure that there is a route for both of these networks in the route table of the VMs subnet routing table.

    Please refer to this link for setting up Azure S2S VPN and this link here if setting up Policy Based VPN.

    0 comments No comments

  2. Adrian-7267 21 Reputation points
    2020-11-25T22:00:26.943+00:00

    @SaiKishor-MSFT
    Hi Sai,

    Thanks a lot for your feedback.
    I'm using a route based S2S VPN.

    The local config is as follows:

    forti1 # show vpn ipsec phase1-interface Azure-VPN   
    config vpn ipsec phase1-interface  
        edit "Azure-VPN"  
            set interface "WAN-VL0010"  
            set ike-version 2  
            set keylife 28800  
            set peertype any  
            set net-device disable  
            set proposal aes256-sha256 aes256-sha1  
            set dhgrp 2  
            set remote-gw 51.103.129.**  
            set psksecret ENC *** HIDDEN ***  
            set dpd-retryinterval 10  
        next  
    end  
      
    forti1 # show vpn ipsec phase2-interface Azure-VPN  
    config vpn ipsec phase2-interface  
        edit "Azure-VPN"  
            set phase1name "Azure-VPN"  
            set proposal aes256-sha256 aes256-sha1  
            set pfs disable  
            set auto-negotiate enable  
            set keylifeseconds 3600  
            set src-subnet 192.168.0.0 255.255.255.0  
            set dst-subnet 10.10.0.0 255.255.0.0  
        next  
    end  
      
    forti1 # show vpn ipsec phase2-interface Azure-VPN-WLAN   
    config vpn ipsec phase2-interface  
        edit "Azure-VPN-WLAN"  
            set phase1name "Azure-VPN"  
            set proposal aes256-sha256 aes256-sha1  
            set pfs disable  
            set auto-negotiate enable  
            set keylifeseconds 3200  
            set src-subnet 172.20.0.0 255.255.255.0  
            set dst-subnet 10.10.0.0 255.255.0.0  
        next  
    end  
    

    The Azure side is configured with both of the Subnets.
    42719-image.png

    The local subnet 192.168.0.0/24 can reach the Azure Host and back (ping is working).
    As seen on the local FortiGate the ICMP request will be sent into the VPN tunnel from the 172.20.0.0/24 network but this request does not arrive on the Host in Azure.
    Is there any way to troubleshoot this issue on Azure side?
    Do I have to setup any routing inside the Azure VNET?

    Many thanks,
    Adrian

    0 comments No comments

  3. Adrian-7267 21 Reputation points
    2020-11-27T15:54:39.533+00:00

    This worked! Thank you so much for your help! 😊

    0 comments No comments