Azure VPN Connectivity (S2S)

Adrian 21 Reputation points
2020-11-24T19:52:29.78+00:00

Hi,

I have a question regarding VPN debugging.
I have setup 2 phases for VPN:
Phase 1: 192.168.0.0/24 <-> 10.10.0.0/16
Phase 2: 172.20.0.0/24 <-> 10.10.0.0/16

I can ping the Azure environment from 192.168.0.0/24 subnet but not from 172.20.0.0/24.
Here is a network diagram:
42257-image.png

Additionally I have made screenshots for clarification:
42220-image.png
The traffic will be sent to the tunnel but never receives on the Host in Azure.

Do you have any ideas?
I have tried removing the NSG without any success.

Many thanks,
Adrian

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
905 questions
Accepted answer
  1. SaiKishor-MSFT 16,656 Reputation points Microsoft Employee
    2020-11-26T07:00:06.083+00:00

    @Adrian Could you try to enable "Use policy based traffic selector" option in the Azure Portal. You will find this option under the connection configuration page. Attached screenshot.

    Just FYI-
    Setting "Use policy based traffic selector" to true on a connection will configure the Azure VPN gateway to connect to policy-based VPN firewall on premises. If you enable this field, you need to ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:
    10. 1.0.0/16 <====> 192.168.0.0/16
    10. 1.0.0/16 <====> 172.16.0.0/16
    10. 2.0.0/16 <====> 192.168.0.0/16
    10. 2.0.0/16 <====> 172.16.0.0/16

    The reason I ask for this is because you have multiple traffic selectors. Please let me know if enabling this option(also renegotiating VPN after doing the same) makes any difference. Thank you!42944-2020-11-25-22-53-52-testing101-microsoft-azure-and.png

    1 person found this answer helpful.

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. SaiKishor-MSFT 16,656 Reputation points Microsoft Employee
    2020-11-25T19:41:46.617+00:00

    @Adrian

    To assist you further, please let me know the following-

    • What kind of S-S VPN are you using?
      If route based, please share the routes from both sides and if policy based, please share the source and destination network addresses for the security policies.

    From what I understand, the traffic is either not being accepted by Azure because of the way the VPN is setup (due to address range not being part of Security Policies) or the end machine is not accepting this traffic due to NSGs. Since you mentioned NSGs were already checked, I would look into the security policies if its a policy based tunnel.

    P.S: Please make sure that the on-premise address ranges (192.168.0.0/24 and 172.20.0.0/24 ranges have been added to the Azure side VPN configuration under the local network gateway address space option. And also make sure that there is a route for both of these networks in the route table of the VMs subnet routing table.

    Please refer to this link for setting up Azure S2S VPN and this link here if setting up Policy Based VPN.

  2. Adrian 21 Reputation points
    2020-11-25T22:00:26.943+00:00

    @SaiKishor-MSFT
    Hi Sai,

    Thanks a lot for your feedback.
    I'm using a route based S2S VPN.

    The local config is as follows: 

    forti1 # show vpn ipsec phase1-interface Azure-VPN   
config vpn ipsec phase1-interface  
    edit "Azure-VPN"  
        set interface "WAN-VL0010"  
        set ike-version 2  
        set keylife 28800  
        set peertype any  
        set net-device disable  
        set proposal aes256-sha256 aes256-sha1  
        set dhgrp 2  
        set remote-gw 51.103.129.**  
        set psksecret ENC *** HIDDEN ***  
        set dpd-retryinterval 10  
    next  
end  
  
forti1 # show vpn ipsec phase2-interface Azure-VPN  
config vpn ipsec phase2-interface  
    edit "Azure-VPN"  
        set phase1name "Azure-VPN"  
        set proposal aes256-sha256 aes256-sha1  
        set pfs disable  
        set auto-negotiate enable  
        set keylifeseconds 3600  
        set src-subnet 192.168.0.0 255.255.255.0  
        set dst-subnet 10.10.0.0 255.255.0.0  
    next  
end  
  
forti1 # show vpn ipsec phase2-interface Azure-VPN-WLAN   
config vpn ipsec phase2-interface  
    edit "Azure-VPN-WLAN"  
        set phase1name "Azure-VPN"  
        set proposal aes256-sha256 aes256-sha1  
        set pfs disable  
        set auto-negotiate enable  
        set keylifeseconds 3200  
        set src-subnet 172.20.0.0 255.255.255.0  
        set dst-subnet 10.10.0.0 255.255.0.0  
    next  
end

    The Azure side is configured with both of the Subnets.
    42719-image.png

    The local subnet 192.168.0.0/24 can reach the Azure Host and back (ping is working).
    As seen on the local FortiGate the ICMP request will be sent into the VPN tunnel from the 172.20.0.0/24 network but this request does not arrive on the Host in Azure.
    Is there any way to troubleshoot this issue on Azure side?
    Do I have to setup any routing inside the Azure VNET?

    Many thanks,
    Adrian

  3. Adrian 21 Reputation points
    2020-11-27T15:54:39.533+00:00

    This worked! Thank you so much for your help! 😊