Certificate for Azure Point-To-Site VPN via Custom HostName

Keith Stein 6 Reputation points
2021-09-10T12:50:15.21+00:00

I have a feeling there's something about this I don't understand.

I have a working point-to-site VPN connection between my computer (using Windows' native rasphone component), and our Azure Virtual Network Gateway. The gateway uses a self-signed root certificate that I created, and my computer has a client certificate signed by the root which it uses to authenticate.

In the VPN configuration on my computer, I use the following destination address:
azuregateway-[GUID].vpn.azure.com

The problem is, occasionally there is cause to recreate the Azure VPN Gateway, which changes the above network address. This then requires me to change the destination address on all the VPN client machines. Instead, I thought it would be a clever idea to create a DNS entry that I could just point to the current gateway address. This way I could give the VPN client an unchanging address I control, and just update the DNS record if the gateway changes.

So, I created the subdomain azurevpngateway.[OurCompany].com, pointed it toward the gateway address, confirmed that it resolved to the correct IP, and then swapped out the destination address in the VPN configuration.

Since I'm posting here, needless to say, it didn't work. Connecting with SSTP gives this error:

The certificate's CN name does not match the passed value.

I discovered later that swapping out the azuregateway-[GUID].vpn.azure.com address for the IP address which it resolves to also gives that same error.

I'm not sure where the insistence on using that specific FQDN is coming from. It's not used anywhere in the creation of the self-signed root cert, or the subsequent child certs. No other certificates are manually installed on the client machines besides those. I tried creating a new root cert and including CN=azurevpngateway.[OurCompany].com in the subject, but the error persists.

Why does authentication only succeed when I use azuregateway-[GUID].vpn.azure.com? And how can I get it to work using the azurevpngateway.[OurCompany].com address?

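The error in the question is the SSTP client's TLS hostname check: the gateway presents a server certificate issued for the azuregateway-[GUID].vpn.azure.com name, and the client compares that name with the address it dialled, so neither a CNAME you control nor the raw IP will pass; the self-signed root you created only covers client authentication. The Python below is an added example, not code from the question or from Azure; it reproduces that check against a constructed certificate (the GUID is a placeholder) in the dict layout Python's `ssl.SSLSocket.getpeercert()` returns, and shows why only the original FQDN succeeds.

```python
# Added example: an RFC 6125-style hostname check of the kind an SSTP/TLS
# client performs against the gateway's server certificate.
import ipaddress

# Constructed stand-in for the server certificate an Azure P2S gateway
# presents for SSTP; the GUID below is a placeholder, not a real gateway.
GATEWAY_FQDN = "azuregateway-00000000-0000-0000-0000-000000000000.vpn.azure.com"
GATEWAY_CERT = {
    "subject": ((("commonName", GATEWAY_FQDN),),),
    "subjectAltName": (("DNS", GATEWAY_FQDN),),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry, allowing a single leftmost wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard covers exactly one label and never the registrable domain itself.
    return len(p_labels) == len(h_labels) and len(p_labels) > 2 and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, host: str) -> bool:
    """Return True if the certificate is valid for the name the client dialled."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP destination only matches an explicit iPAddress SAN, never the CN,
        # which is why dialling the resolved address fails too.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if dns_names:
        # When SANs are present the subject CN is ignored entirely.
        return any(dns_name_matches(n, host) for n in dns_names)
    # Legacy fallback: certificate without SANs, compare against the subject CN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(n, host) for n in cns)


if __name__ == "__main__":
    for dialled in (GATEWAY_FQDN, "azurevpngateway.example.com", "203.0.113.10"):
        print(f"{dialled}: {'ok' if cert_matches_host(GATEWAY_CERT, dialled) else 'CN/SAN mismatch'}")
```

Against a live gateway, `openssl s_client -connect <gateway-ip>:443 -servername <name> | openssl x509 -noout -subject -ext subjectAltName` shows which names the presented certificate actually carries.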

1 answer

  1. suvasara-MSFT 10,016 Reputation points
    2021-09-13T04:15:15.217+00:00

    @Keith Stein , As of today, Azure P2S doesn't support auto-reconnect or DDNS capabilities on connection termination. Here is the configuration for setting the VPN as Always On for a user tunnel.

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.