IPSEC VPN tunnel over Express Route private peering issues

EKTC 21 Reputation points
2021-11-09T15:06:23.037+00:00

Hello, we unsuccessfully trying to establish a VPN tunnel over existing ExR private peering for encryption purposes.
We followed the documentation
https://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering

The documentation doesn't state the local GW configuration for encryption VPN and how customer router should announce /advertise the local encryption VPN peer IP address to Azure

In our setup we use
a) Internet VPN tunnel with BGP enabled. (works)
b) Azure Express Route private peering in the same GW subnet as Internet VPN GW a). (works)
c) Encryption VPN tunnel, built on the same Internet VPN GW , but via private IP addresses (doesn't work)

In our setup, the a) tunnel is active and prioritized over ExR by using more specific routes. ExR is configured for Backup currently. Setup works. Now we introducing another VPN tunnel to encrypt traffic over ExR connection.

But we cannot establish basic connectivity between local and remote encryption VPN gateways over Express Route.

When building c), we used private IP address, specified by Azure in VPN GW config, as the tunnel End (A IP address). We use private IP address on Customer's end (B IP address) as the tunnel end on customer side. We added B in the local GW configuration. We advertise the B IP address as /32 address to the Azure over Express Route BGP . This /32 route is received by Azure and is visible from Azure VPN Peer/ Route/ ExpressRoute routes pages. We don't advertise anything more than B/32 address on ExR from Customer to Azure.

While B/32 route is visible from Azure, and points to Azure ExR, the ping from B to A address doesn't work and VPN tunnel also fails to establish.
We believe that advertising B/32 as the Customer tunnel end over ExpressRoute peering is enough to encourage Azure to establish encryption VPN tunnel over ExR. Apparently, it isn't.

If not, what exactly is the configuration for the local GW to enable encryption VPN over private ExR? How Azure will get the B address route to try establish VPN tunnel on private addresses?

Can encryption VPN be built on the same VPN GW as for Internet VPN tunnel?

Thank you for your time.

Regards

Azure Storage
Azure Storage
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,543 questions
{count} votes

2 answers

Sort by: Most helpful
  1. SaiKishor-MSFT 17,336 Reputation points
    2021-12-01T06:14:58.317+00:00

    @EKTC If not, what exactly is the configuration for the local GW to enable encryption VPN over private ExR? How Azure will get the B address route to try establish VPN tunnel on private addresses?

    As per this document, To ensure that the IPsec path is preferred over the direct ExpressRoute path (without IPsec), you have two options:

    • Advertise more specific prefixes on the VPN BGP session for the VPN-connected network. You can advertise a larger range that encompasses the VPN-connected network over ExpressRoute private peering, then more specific ranges in the VPN BGP session. For example, advertise 10.0.0.0/16 over ExpressRoute, and 10.0.1.0/24 over VPN.

    • Advertise disjoint prefixes for VPN and ExpressRoute. If the VPN-connected network ranges are disjoint from other ExpressRoute connected networks, you can advertise the prefixes in the VPN and ExpressRoute BGP sessions respectively. For example, advertise 10.0.0.0/24 over ExpressRoute, and 10.0.1.0/24 over VPN.

    In both of these examples, Azure will send traffic to 10.0.1.0/24 over the VPN connection rather than directly over ExpressRoute without VPN protection.

    Azure will get the B address since you will be configuring the Local GW with that Address. Hope this helps.
    Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

    Remember:

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.

    0 comments No comments

  2. Mateen Baig 71 Reputation points
    2022-12-08T13:15:07.333+00:00

    removing a comment

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.