Point-to-Site VPN Peering

TXS-DEV 1 Reputation point
2021-11-24T22:44:21.25+00:00

I have the following setup and need assistance with routing

The ultimate end goal of all of this is to allow Azure Files to be accessible on a non-domain-joined Windows 10 PC, authenticating with Azure AD (synced from on-prem AD in the DR vNet). I'm able to successfully connect & authenticate to Azure Files on a domain-joined PC; however, for SMB traffic to be allowed for remote/home PCs an Azure P2S route was recommended, but as of now I'm unable to successfully authenticate while connected to the Azure Point-to-Site VPN because I don't have line of sight to my Azure VM running AD DS in the DR vNet (192.168.39.0/24) network.

Virtual Network#1
DR
address space 192.168.39.0/24
DR subnet 192.168.39.128/25
GatewaySubnet 192.168.39.0/29
VM with AD DS role (192.168.39.100)
DR-P2S Peering enabled with Gateway Transit Enabled
This network also has a policy based VPN to on prem

Virtual Network#2
P2S
address space 10.0.0.0/16
default 10.0.0.0/24
GatewaySubnet 10.0.1.0/24
P2S-DR Peering enabled 192.168.39.0/24 with gateway transit enabled

Virtual Network Gateway with Point-to-Site configuration
Route-based with P2SvNet virtual network
Address Pool 10.1.1.0/24

Client Windows 10 Machine
Azure VPN Marketplace client software successfully connects to the P2SVNet, gets an IP address in the address pool (10.1.1.2) and can connect to the 10.0.0.0/16 space; however, it does not connect to the 192.168.39.0/29 network.

I can ping and rdp to resources on 10.0.0.0/16 vNet but no luck with DR route.


2 answers

  1. GitaraniSharma-MSFT 47,316 Reputation points Microsoft Employee
    2021-12-07T04:54:26.887+00:00

    Thank you for the confirmation, @TXS-DEV .

    Now I know the root cause of the issue. It is the VPN gateways deployed in both Vnets.

    Traffic is not transiting your peered VNet because of the VPN gateways deployed in both VNets. Traffic will transit a peered VNet only if just one of the VNets has a VPN gateway deployed.
    You can configure the gateway in the peered virtual network as a transit point to an on-premises network, but the virtual network that is using a remote gateway can't have its own gateway.
    Reference: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#gateways-and-on-premises-connectivity

    To resolve this issue, I would advise you to follow the below:
    Either:
    Delete the P2S VPN gateway from Virtual Network#2.
    Configure P2S on the existing VPN gateway of Virtual Network#1.
    Peer Virtual Network#1 & Virtual Network#2 and then use the transit gateway feature in the VNet peering between both VNets to access both VNets from the P2S clients by re-downloading the XML file.
    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multipeered

    OR:
    Disable the VNet peering and create a site-to-site (IPsec) connection between the two VPN gateways.
    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#site-to-site-ipsec
    The local network that is connected to Virtual Network#1 must contain both the VNet range of Virtual Network#2 and the Point-to-Site range (address pool range) of the VPN clients.
    The Point-to-Site client must be injected with a proper route for Virtual Network#1, as by default the VPN package will only provide a route for Virtual Network#2.
    You can leverage the Add-VpnConnectionRoute PowerShell cmdlet to add the route for Virtual Network#1.
    Refer: https://learn.microsoft.com/en-us/powershell/module/vpnclient/add-vpnconnectionroute?view=windowsserver2019-ps

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
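A worked version of the route-injection step from the second option above, written here as an added example rather than taken from the answer: it adds the DR VNet prefix to the client's VPN connection, confirms the route table, and then tests line of sight to the AD DS VM on the ports Azure Files authentication depends on. The connection name "Azure-P2S" is a placeholder; the prefixes and the VM address are the ones from the question.

```powershell
# Added example (not part of the answer): inject a route for Virtual Network#1
# (DR, 192.168.39.0/24) into the Windows VPN connection used for the P2S tunnel,
# then verify the route and reachability of the AD DS VM.
# Assumption: "Azure-P2S" is a placeholder connection name; list yours with Get-VpnConnection.

$ConnectionName = 'Azure-P2S'        # placeholder, see Get-VpnConnection
$DrVnetPrefix   = '192.168.39.0/24'  # Virtual Network#1 (DR) address space
$AdDsVm         = '192.168.39.100'   # VM with the AD DS role

# The connection must exist in the Windows VPN phonebook for this cmdlet to apply.
$conn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
if (-not $conn.SplitTunneling) {
    Write-Warning 'Split tunneling is off; per-connection routes only take effect when it is on.'
}

# Add the DR route only if it is missing, so re-running the script is harmless.
$existing = Get-VpnConnectionRoute -ConnectionName $ConnectionName |
    Where-Object { $_.DestinationPrefix -eq $DrVnetPrefix }
if (-not $existing) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $DrVnetPrefix -PassThru
}

# Show every prefix the client will send into the tunnel; 192.168.39.0/24 should now be listed.
Get-VpnConnectionRoute -ConnectionName $ConnectionName |
    Format-Table DestinationPrefix, RouteMetric -AutoSize

# New routes apply on the next dial; reconnect the VPN, then check line of sight to the DC:
# Kerberos (88) and LDAP (389) for authentication, SMB (445) for the share itself.
if ($conn.ConnectionStatus -ne 'Connected') {
    Write-Host "Reconnect '$ConnectionName' and re-run the checks below."
}
foreach ($port in 88, 389, 445) {
    $r = Test-NetConnection -ComputerName $AdDsVm -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable={2}' -f $AdDsVm, $port, $r.TcpTestSucceeded
}
```

Add-VpnConnectionRoute only acts on connections that Get-VpnConnection lists, i.e. the built-in Windows VPN client; if the Store Azure VPN Client is in use, the routes come from the imported profile XML instead, as the other answer describes.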

  2. GitaraniSharma-MSFT 47,316 Reputation points Microsoft Employee
    2021-11-25T11:05:09.41+00:00

    Hello @TXS-DEV ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    If you have enabled VNet peering after the P2S configuration and are using a Windows machine, then the VPN client must be downloaded again for the peered VNet routes to be propagated to your local machine.
    Please refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multipeered

    In your case, since you are using the VPN client from MS store, you need to download the P2S VPN client profile from the Azure portal (VPN gateway > Point-to-site configuration > Download VPN client) and import/replace the new VpnSettings.xml file on the VPN client in your machine. This will make sure that the routes for your peered Vnets are included in your client profile and then you will be able to access the peered Vnet.
    NOTE: Make sure to take a backup of your existing VPN client profile before replacing it with the new XML file, in case of any future issues.

    To download the VPN client profile and import the XML file, please refer to the docs below:
    https://learn.microsoft.com/en-us/azure/vpn-gateway/about-vpn-profile-download
    https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client#import

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.