Azure VM - Unable to connect to remote site network over IPSEC VPN

Will Armstrong 0 Reputation points
2024-11-25T16:26:36.1266667+00:00

I have created a site-to-site VPN over public IP to a Fortinet gw at remote site, and built a VM jumphost in the same Vnet. The connection is up and from the remote site we can get to the VM, but from the VM via bastion we cannot get to the remote site

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,792 questions
{count} votes

1 answer

Sort by: Most helpful
  1. rvinnakota 4,760 Reputation points Moderator
    2024-11-25T21:45:45.39+00:00

    Hi Will Armstrong,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    Based on our understanding of your issue, there are several factors to consider. Please review the following suggestions.

    • Verify the shared key

    Compare the shared key for the on-premises VPN device to the Azure Virtual Network VPN to make sure that the keys match.

    • Verify the VPN peer Ips

      The IP definition in the Local Network Gateway object in Azure should match the on-premises device IP. The Azure gateway IP definition that is set on the on-premises device should match the Azure gateway IP.

    • Check UDR and NSGs on the gateway subnet

    Check for and remove user-defined routing (UDR) or Network Security Groups (NSGs) on the gateway subnet, and then test the result. If the problem is resolved, validate the settings that UDR or NSG applied.

    • Check the on-premises VPN device external interface address

    If the Internet-facing IP address of the VPN device is included in the Local network definition in Azure, you might experience sporadic disconnections.

    Verify that the subnets match exactly (Azure policy-based gateways)

    Verify that the virtual network address space(s) match exactly between the Azure virtual network and on-premises definitions. Verify that the subnets match exactly between the Local Network Gateway and on-premises definitions for the on-premises network.

    • Verify the Azure gateway health probe
    • Check whether the on-premises VPN device has the perfect forward secrecy feature enabled

    The perfect forward secrecy feature can cause disconnection problems. If the VPN device has perfect forward secrecy enabled, disable the feature. Then update the VPN gateway IPsec policy.

    •  Review firewall policies on both FortiGate devices. Ensure that policies allow traffic from the VM's subnet to the remote site's subnet.

    Refer this link for more details: Troubleshoot an Azure S2S VPN connection that cannot connect - Azure VPN Gateway | Microsoft Learn
    Note: similar issue https://stackoverflow.com/questions/68284293/azure-vm-cant-reach-remote-network-with-connected-vpn

    Kindly let us know if the above helps or you need further assistance on this issue.

    Thanks,
    Rohith.
    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.