IPSEC VPN tunnel over Express Route private peering issues

Question

IPSEC VPN tunnel over Express Route private peering issues

EKTC 21

Hello, we unsuccessfully trying to establish a VPN tunnel over existing ExR private peering for encryption purposes.
We followed the documentation
https://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering

The documentation doesn't state the local GW configuration for encryption VPN and how customer router should announce /advertise the local encryption VPN peer IP address to Azure

In our setup we use
a) Internet VPN tunnel with BGP enabled. (works)
b) Azure Express Route private peering in the same GW subnet as Internet VPN GW a). (works)
c) Encryption VPN tunnel, built on the same Internet VPN GW , but via private IP addresses (doesn't work)

In our setup, the a) tunnel is active and prioritized over ExR by using more specific routes. ExR is configured for Backup currently. Setup works. Now we introducing another VPN tunnel to encrypt traffic over ExR connection.

But we cannot establish basic connectivity between local and remote encryption VPN gateways over Express Route.

When building c), we used private IP address, specified by Azure in VPN GW config, as the tunnel End (A IP address). We use private IP address on Customer's end (B IP address) as the tunnel end on customer side. We added B in the local GW configuration. We advertise the B IP address as /32 address to the Azure over Express Route BGP . This /32 route is received by Azure and is visible from Azure VPN Peer/ Route/ ExpressRoute routes pages. We don't advertise anything more than B/32 address on ExR from Customer to Azure.

While B/32 route is visible from Azure, and points to Azure ExR, the ping from B to A address doesn't work and VPN tunnel also fails to establish.
We believe that advertising B/32 as the Customer tunnel end over ExpressRoute peering is enough to encourage Azure to establish encryption VPN tunnel over ExR. Apparently, it isn't.

If not, what exactly is the configuration for the local GW to enable encryption VPN over private ExR? How Azure will get the B address route to try establish VPN tunnel on private addresses?

Can encryption VPN be built on the same VPN GW as for Internet VPN tunnel?

Thank you for your time.

Regards

SaiKishor-MSFT 17,336 Reputation points

2021-11-10T14:06:40.077+00:00
@EKTC Thank you for reaching out to Microsoft Q&A. I understand that you are having issues with your Site to Site VPN over Express Route where it is not connecting.

Do you see the same issues when the ExR tunnel is the Primary? Can you check the same by enabling the ExR tunnel to be the primary?

Can you confirm that BGP is in Established state over the ExR circuit? Please share the BGP status if possible.

Please see if you can capture the VPN traffic on the on-premise to check the IKE/IPSEC negotiation to verify which step is failing. Please share the capture if possible so we can troubleshoot further.

Please let us know if you have further questions in the meanwhile. Thank you!
SaiKishor-MSFT 17,336 Reputation points

2021-11-10T14:08:38.88+00:00
Regarding your questions:

If not, what exactly is the configuration for the local GW to enable encryption VPN over private ExR? How Azure will get the B address route to try establish VPN tunnel on private addresses?

Please allow me sometime to confirm the same and update you.

Can encryption VPN be built on the same VPN GW as for Internet VPN tunnel?

Yes, it is possible to deploy Site-to-Site VPN connections over ExpressRoute private peering at the same time as Site-to-Site VPN connections via the Internet on the same VPN gateway.
EKTC 21 Reputation points

2021-11-10T14:31:42.853+00:00
Hello, Thank you for prompt response.

Yes. we see the same issues, when using ExR as primary path. Also, for troubleshooting, we eventually removed Internet VPN tunnel at all to leave one working path to simplify things, But we fail to get the connectivity between VPN GW on internal IPs.

BGP is established over ExR (We use currently only one cross-connect circuit, other is not configured yet, so one Peer working ) and we see desired routes in Azure table. We also built VM in a Azure, and successfully pinged it from Internal premises through Internet VPN, later, through ExR on active path.

The issue we encounter, is that when we try to built new VPN connection on internal IPs, we don't see any packets coming from Azure to our internal IP, and when we send packets out from internal network to GW internal IP, we don't get anything back. We were able to capture the logs on FW, where we could see packets going out to internal GW IP, and see no return traffic . We even checked the public interface, but we also didn't received any traffic through public IP addresses. So VPN is failing on the first phase, when VPN peer doesn't respond. The screenshots will contain some sensitive IP information that customer is not keen to expose, is blurred Screenshot OK?
EKTC 21 Reputation points

2021-11-11T08:11:35.373+00:00

Hello, attaching the screenshots
ExR BGP connection is established and working fine

VPN log, that we don't receive the traffic for connection on internal VPN IP address A . We advertise the B/32 route over ExR BGP
EKTC 21 Reputation points

2021-11-16T11:53:21.743+00:00

@SaiKishor-MSFT , We are looking forward to the configuration steps for the local GW to enable encryption VPN over private ExR, and B address advertisement process.

Thank you,
Best Regards
SaiKishor-MSFT 17,336 Reputation points

2021-11-17T09:11:22.507+00:00

@EKTC I have reached out to our internal team regarding this and will update you soon with more details.

2 answers

Your answer

SaiKishor-MSFT 17,336 Reputation points

2021-11-10T14:06:40.077+00:00

@EKTC Thank you for reaching out to Microsoft Q&A. I understand that you are having issues with your Site to Site VPN over Express Route where it is not connecting.

Do you see the same issues when the ExR tunnel is the Primary? Can you check the same by enabling the ExR tunnel to be the primary?

Can you confirm that BGP is in Established state over the ExR circuit? Please share the BGP status if possible.

Please see if you can capture the VPN traffic on the on-premise to check the IKE/IPSEC negotiation to verify which step is failing. Please share the capture if possible so we can troubleshoot further.

Please let us know if you have further questions in the meanwhile. Thank you!
SaiKishor-MSFT 17,336 Reputation points

2021-11-10T14:08:38.88+00:00

Regarding your questions:

If not, what exactly is the configuration for the local GW to enable encryption VPN over private ExR? How Azure will get the B address route to try establish VPN tunnel on private addresses?

Please allow me sometime to confirm the same and update you.

Can encryption VPN be built on the same VPN GW as for Internet VPN tunnel?

Yes, it is possible to deploy Site-to-Site VPN connections over ExpressRoute private peering at the same time as Site-to-Site VPN connections via the Internet on the same VPN gateway.
EKTC 21 Reputation points

2021-11-10T14:31:42.853+00:00

Hello, Thank you for prompt response.

Yes. we see the same issues, when using ExR as primary path. Also, for troubleshooting, we eventually removed Internet VPN tunnel at all to leave one working path to simplify things, But we fail to get the connectivity between VPN GW on internal IPs.

BGP is established over ExR (We use currently only one cross-connect circuit, other is not configured yet, so one Peer working ) and we see desired routes in Azure table. We also built VM in a Azure, and successfully pinged it from Internal premises through Internet VPN, later, through ExR on active path.

The issue we encounter, is that when we try to built new VPN connection on internal IPs, we don't see any packets coming from Azure to our internal IP, and when we send packets out from internal network to GW internal IP, we don't get anything back. We were able to capture the logs on FW, where we could see packets going out to internal GW IP, and see no return traffic . We even checked the public interface, but we also didn't received any traffic through public IP addresses. So VPN is failing on the first phase, when VPN peer doesn't respond. The screenshots will contain some sensitive IP information that customer is not keen to expose, is blurred Screenshot OK?
EKTC 21 Reputation points

2021-11-11T08:11:35.373+00:00

Hello, attaching the screenshots
ExR BGP connection is established and working fine

VPN log, that we don't receive the traffic for connection on internal VPN IP address A . We advertise the B/32 route over ExR BGP
EKTC 21 Reputation points

2021-11-16T11:53:21.743+00:00

@SaiKishor-MSFT , We are looking forward to the configuration steps for the local GW to enable encryption VPN over private ExR, and B address advertisement process.

Thank you,
Best Regards
SaiKishor-MSFT 17,336 Reputation points

2021-11-17T09:11:22.507+00:00

@EKTC I have reached out to our internal team regarding this and will update you soon with more details.

Answer 1

@EKTC If not, what exactly is the configuration for the local GW to enable encryption VPN over private ExR? How Azure will get the B address route to try establish VPN tunnel on private addresses?

As per this document, To ensure that the IPsec path is preferred over the direct ExpressRoute path (without IPsec), you have two options:

• Advertise more specific prefixes on the VPN BGP session for the VPN-connected network. You can advertise a larger range that encompasses the VPN-connected network over ExpressRoute private peering, then more specific ranges in the VPN BGP session. For example, advertise 10.0.0.0/16 over ExpressRoute, and 10.0.1.0/24 over VPN.

• Advertise disjoint prefixes for VPN and ExpressRoute. If the VPN-connected network ranges are disjoint from other ExpressRoute connected networks, you can advertise the prefixes in the VPN and ExpressRoute BGP sessions respectively. For example, advertise 10.0.0.0/24 over ExpressRoute, and 10.0.1.0/24 over VPN.

In both of these examples, Azure will send traffic to 10.0.1.0/24 over the VPN connection rather than directly over ExpressRoute without VPN protection.

Azure will get the B address since you will be configuring the Local GW with that Address. Hope this helps.
Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.

Answer 2

Mateen Baig 71

removing a comment

Share via

IPSEC VPN tunnel over Express Route private peering issues

2 answers

Your answer