This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 3%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
We have a working P2S (OpenVPN) and a working S2S both into Azure virtual environment. There's also a VM on the vnet.
We can connect to the VM in Azure via the client VPN and also ping on-prem (via S2S) from the VM. However, what we'd like to do is be able to connect to on-prem resources (e.g. RDP) over the client VPN, via the Azure gateway and back over the S2S VPN.
Client --p2s--> Azure --s2s--> On-prem
We can't use BGP on-prem at the moment. Is there any other way to route traffic via Azure?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 19%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
I'm facing the same configuration challenge. Did any of the below answers resolve your issues connecting?
Thanks,
Mike
You need to add 2 routes:
On-premises you need a route to the VPN client network
On the client you need a route to the on-premises network
Maybe this is helpful.
Regards
Andreas Baumgarten
(Please don't forget to Accept as answer if the reply is helpful)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 36%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Adam Smith
Unfortunately, if you do not use BGP based S2S VPN, you cannot access the S2S VPN resources via CVPN viz Azure. Please refer to document-https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#vnetbranch for further details. Thank you!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 3%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAH%3C/text%3E%3C/svg%3E)
I know this question is old, but pops up as the first hit, so I will add a solution to it.
You simply need to advertise custom routes for P2S VPN clients and then download the client vpn installation file once again. Remember to remove the old connection on your source windows laptop, so you get a clean install. No need to remove certificate.
Add custom route:
$gw = Get-AzVirtualNetworkGateway -Name <name of gateway> -ResourceGroupName <name of resource group>
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute x.x.x.x/xx
If you need to add more subnets, simply use comma.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute x.x.x.x/xx, y.y.y.y/xx
If you do a route print in CMD after re-install and connect, you'll see the on-prem subnets listed where the gateway is the VPN client.
This should solve the problem and give you access from Client VPN P2S -> Azure S2S -> On-prem
Remember each time after adding custom routes, the VPN client needs to be downloaded again.
Hope this helps
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 89%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAC%3C/text%3E%3C/svg%3E)
Hi! I have a question reggards this.
I already add the route to my point to site and I can see it in my client, Do I need to add the point to site subnet to the site to site (Ipsec) ?
Do you know that?
I can't do the test because the other site is a client, so I need to send the right information.
Hi,
Yes, you need to have the P2S assigned subnet in the IPSec tunnel between on-prem <-> Azure VPN Gateway.
The traffic will come from the client (P2S Subnet) Therefore the on-prem needs to know where to return the traffic.