Problem connecting Azure VPN to WS 2008 R2 based VPN gateway
-
14 June 2012 10:32
I am trying to set up Azure VPN against a WS2008 R2 based VPN gateway. I have added a Connection Security rule for the IPsec tunnel, and now I can see connected status in the Azure portal and also see correct Security Associations (both for Main mode and Quick mode).
However I am not able to communicate between networks. In Azure portal I see:
Data IN: 0 B (strange!!!)
Data OUT: 200 kB
Any hint or troubleshooting suggestion is highly appreciated.
Michael
All Replies
-
15 June 2012 0:05
Hi, Michael:
Could you please share the output of the following commands on your Win2k8 R2 box?
netsh advfirewall consec show rule name=all type=dynamic
netsh advfirewall consec show rule name=all type=static
netsh advfirewall firewall show rule name=all
route print
Also, could you please tell us about the configuration of your virtual network (i.e. what's the Azure network range, what's the on-premise network range, etc.)?
You can email me personally if you do not feel comfortable with sharing those on the forum:
yuanyu NoSpamPlease microsoft.com
-
15 June 2012 7:46
Thanks for the answer. I am trying to connect 10.1.0.0/16 in cloud with 192.168.0.0/24 on local. Here is the output:
C:\Windows\system32>netsh advfirewall consec show rule name=all type=dynamic
Rule Name: Azure Virtual Network Tunnel
----------------------------------------------------------------------
Enabled: Yes
Profiles: Domain,Private,Public
Type: Dynamic
Mode: Tunnel
LocalTunnelEndpoint: 96.31.71.71
RemoteTunnelEndpoint: 168.63.36.182
Endpoint1: 192.168.0.0/24
Endpoint2: 10.1.0.0/16
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerPSK
Auth1PSK: OnP2CW8uYHafysPcgXISSwbmt8dtUB5gRXZa7bZhhPPqZeNxDl
MainModeSecMethods: DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
QuickModeSecMethods: ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Ok.

C:\Windows\system32>netsh advfirewall consec show rule name=all type=static
Rule Name: Azure Virtual Network Tunnel
----------------------------------------------------------------------
Enabled: Yes
Profiles: Domain,Private,Public
Type: Static
Mode: Tunnel
LocalTunnelEndpoint: 96.31.71.71
RemoteTunnelEndpoint: 168.63.36.182
Endpoint1: 192.168.0.0/24
Endpoint2: 10.1.0.0/16
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerPSK
Auth1PSK: OnP2CW8uYHafysPcgXISSwbmt8dtUB5gRXZa7bZhhPPqZeNxDl
MainModeSecMethods: DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
QuickModeSecMethods: ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Ok.

C:\Windows\system32>netsh advfirewall consec show rule name=all
Rule Name: Azure Virtual Network Tunnel
----------------------------------------------------------------------
Enabled: Yes
Profiles: Domain,Private,Public
Type: Static
Mode: Tunnel
LocalTunnelEndpoint: 96.31.71.71
RemoteTunnelEndpoint: 168.63.36.182
Endpoint1: 192.168.0.0/24
Endpoint2: 10.1.0.0/16
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerPSK
Auth1PSK: OnP2CW8uYHafysPcgXISSwbmt8dtUB5gRXZa7bZhhPPqZeNxDl
MainModeSecMethods: DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
QuickModeSecMethods: ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Ok.

C:\Windows\system32>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.31.71.1 96.31.71.71 261
96.31.71.0 255.255.255.0 On-link 96.31.71.71 261
96.31.71.71 255.255.255.255 On-link 96.31.71.71 261
96.31.71.255 255.255.255.255 On-link 96.31.71.71 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.1 286
192.168.0.1 255.255.255.255 On-link 192.168.0.1 286
192.168.0.2 255.255.255.255 On-link 192.168.0.1 286
192.168.0.100 255.255.255.255 On-link 192.168.0.1 286
192.168.0.255 255.255.255.255 On-link 192.168.0.1 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 96.31.71.71 261
224.0.0.0 240.0.0.0 On-link 192.168.0.1 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 96.31.71.71 261
255.255.255.255 255.255.255.255 On-link 192.168.0.1 286
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 96.31.71.1 Default
===========================================================================
-
18 June 2012 14:44
Same problem here. Now it's more like OUT: 2.5 Mb...
No one knows what's the problem. And this Yuan Yuan guy is in every thread about this issue. :)
-
22 June 2012 6:02
We found out what the problem was.
Just follow instructions on this page:
Hope this solves your problem.
-
22 June 2012 14:47
Hi, Vuk:
Thanks a lot for your answer. It's not that we forgot about Michael, : ) I took this offline with him as it could be a bit too verbose to get into all the nitty-gritties here. We got the problem resolved as of this morning. I will ask Michael to post a summary afterwards.
-
26 June 2012 7:41
Hi everyone,
I finally made it work. I have documented all setup steps; you can find the complete documentation here.
Some caveats to watch out for:
- The hotfix for KB2523881 is necessary.
- There is no connectivity (ping, telnet etc.) between the gateway and cloud computers, don't get confused by this. Only computers BEHIND the gateway have connectivity. This is because the IPSec rule is not applied to packets originating on the gateway, as they always have the public IP address as source IP.
- The IPSec tunnel rule is not compatible with NAT (network address translation, either Internet Connection Sharing or the RRAS option) on the public interface of the gateway computer, because NAT modifies IP packet headers in a way that prevents the IPSec rule from applying.
- Proposed as answer by YuanYuan Yu (MSFT), Microsoft Employee, 26 June 2012 7:53
- Marked as answer by Arwind - MSFT, Moderator, 06 July 2012 8:41
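The following is an added example (not code from the thread, from Microsoft, or from either poster) that ties together the netsh output Yuan asked for and the two caveats in Michael's summary. It parses the text that `netsh advfirewall consec show rule` prints, checks the tunnel selectors against the expected on-premise and Azure ranges, flags proposals in the posted rule that would leave traffic unencrypted if the peer selected them (ESP with cipher `None`, and AH), and the fact that the command prints the pre-shared key in clear text. It then models the selector match for a packet the gateway itself originates versus one from a host behind it. The sample output is a constructed copy of the rule posted above with the key replaced by a placeholder; the cloud host `10.1.0.4` is a constructed address, and the source-NAT model (a LAN host's source address rewritten to the gateway's public address) is a simplification assumed for illustration.

```python
"""Parse 'netsh advfirewall consec show rule' output and review an IPsec tunnel rule."""
import ipaddress
import re

# Constructed sample: the tunnel rule posted in the thread, with the pre-shared
# key replaced by a placeholder and the console-wrapped lines joined.
SAMPLE_RULE_OUTPUT = """\
Rule Name:                            Azure Virtual Network Tunnel
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  96.31.71.71
RemoteTunnelEndpoint:                 168.63.36.182
Endpoint1:                            192.168.0.0/24
Endpoint2:                            10.1.0.0/16
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerPSK
Auth1PSK:                             <PSK-PLACEHOLDER>
MainModeSecMethods:                   DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
QuickModeSecMethods:                  ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
Ok.
"""

# Non-greedy key so that values containing ':' (ESP:SHA1-...) are kept whole.
FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+?):\s+(.*)$")


def parse_consec_rules(text):
    """Split netsh consec output into one dict per rule, keyed by the field label."""
    rules = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # separator lines, blank lines and the trailing 'Ok.'
        key, value = m.group(1), m.group(2).strip()
        if key == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][key] = value
    return rules


def check_tunnel_rule(rule, onprem_range, cloud_range):
    """Return review findings: selector mismatches and proposals that weaken the tunnel."""
    findings = []
    if rule.get("Mode") != "Tunnel":
        findings.append("rule is not a tunnel-mode rule")
    expected = {ipaddress.ip_network(onprem_range), ipaddress.ip_network(cloud_range)}
    actual = {ipaddress.ip_network(rule["Endpoint1"]), ipaddress.ip_network(rule["Endpoint2"])}
    if expected != actual:
        findings.append(f"tunnel selectors {actual} do not match configured ranges {expected}")
    for proposal in rule.get("MainModeSecMethods", "").split(","):
        if "3DES" in proposal:
            findings.append(f"legacy main-mode proposal: {proposal}")
    # Quick mode: ESP with cipher 'None' authenticates but does not encrypt, and AH
    # never encrypts. If the peer selects either, payloads cross the Internet in clear.
    for proposal in rule.get("QuickModeSecMethods", "").split(","):
        method = proposal.split("+")[0]  # drop the '+60min+100000kb' lifetimes
        if method.startswith("AH:") or method.endswith("-None"):
            findings.append(f"unencrypted quick-mode proposal offered: {method}")
        elif "3DES" in method:
            findings.append(f"legacy quick-mode proposal: {method}")
    if rule.get("Auth1") == "ComputerPSK" and rule.get("Auth1PSK"):
        findings.append("Auth1PSK is shown in clear text; redact it before sharing this output")
    return findings


def selector_matches(rule, src, dst):
    """True if a packet src->dst falls inside the Endpoint1<->Endpoint2 selector,
    i.e. would be carried in the tunnel."""
    ep1 = ipaddress.ip_network(rule["Endpoint1"])
    ep2 = ipaddress.ip_network(rule["Endpoint2"])
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in ep1 and d in ep2) or (s in ep2 and d in ep1)


def classify_traffic(rule, gateway_public_ip, lan_host, cloud_host):
    """Model the two caveats from the thread. Traffic the gateway itself originates
    carries its public address; source NAT on the public interface (assumed here to
    rewrite the LAN host's address to that same public address) has the same effect."""
    return {
        "gateway-originated": selector_matches(rule, gateway_public_ip, cloud_host),
        "lan-host": selector_matches(rule, lan_host, cloud_host),
        "lan-host-after-nat": selector_matches(rule, gateway_public_ip, cloud_host),
    }


if __name__ == "__main__":
    rule = parse_consec_rules(SAMPLE_RULE_OUTPUT)[0]
    for finding in check_tunnel_rule(rule, "192.168.0.0/24", "10.1.0.0/16"):
        print("finding:", finding)
    traffic = classify_traffic(rule, "96.31.71.71", "192.168.0.100", "10.1.0.4")
    for kind, in_tunnel in traffic.items():
        print(f"{kind}: {'in tunnel' if in_tunnel else 'NOT in tunnel'}")
```

Run against the real output by piping `netsh advfirewall consec show rule name=all` into a file and passing its contents to `parse_consec_rules`; the parser only relies on the `Label: value` layout of that command. The traffic model is what makes the first caveat concrete: a packet from 96.31.71.71 to 10.1.0.4 matches neither selector direction, so the gateway's own pings never enter the tunnel, while a packet from 192.168.0.100 does.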
-
26 June 2012 7:53
Thanks a lot, Michael. This is awesome!