Routing in Azure between point-to-site and site-to-site networks

  • Question

  • I'm new to Azure and trying to use VPN to connect a single machine here to a VM on Azure. The VM is on the newer Resource Manager platform. Unfortunately, only the classic platform supports point-to-site. So I added a classic network and connected both networks with a site-to-site VPN.

    VNet1 (Resource) - 10.0.0.0/23

    VNet2 (Classic) - 10.0.10.0/23

    The VNet2 Gateway also has point-to-site enabled. Point-to-site IP range is 192.168.0.0/24.

    I downloaded the VPN client on my machine here and connected to the VPN. I'm assigned 192.168.0.5.

    All VPN connections appear to be working, but I cannot see machines on VNet1 from here. A ping/tracert to 10.0.0.4 times out.

    One article I found referenced the need for adding a line to the routes.txt for the VPN connection. The first line was already there; I added the second one and re-connected the VPN.

    ADD 10.0.10.0 MASK 255.255.254.0 default METRIC default IF default

    ADD 10.0.0.0 MASK 255.255.254.0 default METRIC default IF default

    No luck. I checked the route table and the 10.0.0.0 routing is in there.

    IPv4 Route Table
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
    <snip>
    10.0.0.0    255.255.254.0         On-link       192.168.0.7     28
    10.0.1.255  255.255.255.255         On-link       192.168.0.7    266
    10.0.10.0    255.255.254.0         On-link       192.168.0.7     28
    10.0.11.255  255.255.255.255         On-link       192.168.0.7    266
    <snip>
    

    What am I missing?

    Friday, January 8, 2016 2:08 AM

Answers

  • Hi Phil,

    I have managed to work out the PowerShell for point to site to the ARM network. I have tested and can ping a VM on the ARM network from my local machine.

    This is the best way forward as you can forget the classic network. You need to create a subnet with the name GatewaySubnet (must be called this) before you proceed. As you might already have a gateway you might be able to skip some of the commands. If you get stuck let me know.

    # Must create a subnet called GatewaySubnet for the gateway to connect to prior to creating the gateway
    $vnetname = "TestNetwork"
    $rgname = "TestRG"
    $region = "North Europe"
    $clientpool = "192.168.10.0/24"
    $RootCertName = "MyRootCert.cer"
    $publicCertData = "<Replace_With_Your_Base64_Cert_Data>" # Export cert as Base64, and put data into single line.

    # Login to Azure RM
    Login-AzureRmAccount

    # Get the Virtual Network
    $vnet = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $rgname

    # Create public IP for the gateway
    $GWIP = New-AzureRmPublicIpAddress -AllocationMethod Dynamic -ResourceGroupName $rgname -Location $region -Name GWIP1

    # Get the gateway subnet
    $GWSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet

    # Create GW IP config (binds the public IP to the gateway subnet)
    $GWIPConfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name GWIPConfig -SubnetId $GWSubnet.Id -PublicIpAddressId $GWIP.Id

    # Create Gateway (route-based is required for point-to-site)
    $gw = New-AzureRmVirtualNetworkGateway -Location $region -Name GW1 -ResourceGroupName $rgname -GatewayType Vpn -IpConfigurations $GWIPConfig -VpnType RouteBased

    # Create client VPN config (address pool handed to connecting clients)
    Set-AzureRmVirtualNetworkGatewayVpnClientConfig -VirtualNetworkGateway $gw -VpnClientAddressPool $clientpool

    # Upload Root Cert (client certs issued by this root are trusted)
    $rootCert = Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $RootCertName -PublicCertData $publicCertData -VirtualNetworkGatewayName $gw.Name -ResourceGroupName $rgname

    # Get URL for VPN client - download the exe from here
    $packageUrl = Get-AzureRmVpnClientPackage -ResourceGroupName $rgname -VirtualNetworkGatewayName $gw.Name -ProcessorArchitecture Amd64
    
    If this resolves your issue I would appreciate if you can mark my response as the answer.

    Kind Regards,

    Marcus

    Monday, January 11, 2016 1:01 PM
    Moderator

All replies

  • Hello,

    We are researching on the query and would get back to you soon on this. I apologize for the inconvenience and appreciate your time and patience in this matter.

    Best Regards,

    Kamalakar K

    Friday, January 8, 2016 6:13 PM
  • Hi Phil,

    I believe you can now create point to site VPNs for Azure Resource Manager Virtual networks using PowerShell. I can see the command New-AzureRmVirtualNetworkGatewayConnection now exists with the option -ConnectionType VPNClient. I cannot however find any documentation as of yet (!). I am currently creating an Azure Resource Manager vNet and will give it a go.

    Alternatively, with your current design you will need a route back from the VNet1 VMs to the client on 192.168.0.0/24. Custom routes aren't supported within Azure VMs, but User Defined Routes, a relatively new feature, need to be used. Have a read of https://azure.microsoft.com/en-gb/documentation/articles/virtual-networks-udr-overview/. Again it's not something I've needed to do, but don't see why it shouldn't work.

    Let me know how you get on, and I will update you with my findings, but it might be a few days before I find time.

    Kind Regards,

    Marcus

    Friday, January 8, 2016 6:57 PM
    Moderator
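    As an added illustration (not code from this thread) of the User Defined Route Marcus describes, the following PowerShell gives VNet1 a return path to the point-to-site pool and also lists that pool on the local network gateway, since the VPN gateway only forwards prefixes its site-to-site link knows about. Assumed names: resource group TestRG, region North Europe, VNet "VNet1" with subnet "default", local network gateway "VNet2-LNG" for VNet2, and a NIC "vm1-nic".

```powershell
# Added example (not from the thread): return route from VNet1 (10.0.0.0/23) to the
# point-to-site pool (192.168.0.0/24), plus the local network gateway prefix it needs.
# All resource names below are assumptions.
$rgname     = "TestRG"
$region     = "North Europe"
$vnetname   = "VNet1"
$subnetname = "default"
$lngname    = "VNet2-LNG"
$p2spool    = "192.168.0.0/24"

Login-AzureRmAccount

# 1. Route table with one user-defined route: traffic for the P2S pool goes to VNet1's VPN gateway.
$rt = New-AzureRmRouteTable -Name "VNet1-to-P2S" -ResourceGroupName $rgname -Location $region
$rt = Add-AzureRmRouteConfig -RouteTable $rt -Name "P2SClients" `
        -AddressPrefix $p2spool -NextHopType VirtualNetworkGateway
$rt = Set-AzureRmRouteTable -RouteTable $rt

# 2. Attach the route table to the subnet that holds the VM (10.0.0.4 in the question).
$vnet   = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $rgname
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $subnetname -VirtualNetwork $vnet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetname `
        -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# 3. The gateway only sends traffic across the tunnel for prefixes listed on the local network
#    gateway, so add the P2S pool next to VNet2's own 10.0.10.0/23.
$lng      = Get-AzureRmLocalNetworkGateway -Name $lngname -ResourceGroupName $rgname
$prefixes = @($lng.LocalNetworkAddressSpace.AddressPrefixes) + $p2spool | Select-Object -Unique
Set-AzureRmLocalNetworkGateway -LocalNetworkGateway $lng -AddressPrefix $prefixes | Out-Null

# 4. Verify on a NIC in that subnet: the effective routes should now include
#    192.168.0.0/24 with next hop type VirtualNetworkGateway.
Get-AzureRmEffectiveRouteTable -NetworkInterfaceName "vm1-nic" -ResourceGroupName $rgname |
    Where-Object { $_.AddressPrefix -contains $p2spool }
```

    Azure adds a system route for every prefix on the local network gateway, so step 3 on its own often suffices; the explicit UDR in step 1 documents the intent and keeps the route in place if other routing is added later.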
  • Thanks for the info, Marcus. To be completely honest, I'm a developer who occasionally handles ops duties. While I understand the concepts, this routing is going over my head. I'd love to just use the new PowerShell command, but, already in over my head, reverse engineering an undocumented script is probably not feasible. Any way you could dumb down the proper creation of the UDR for me? At this point, I don't need anything pretty, I just need it to work.
    Saturday, January 9, 2016 5:57 PM
  • Thank you so much, Marcus. You're a rock star!

    I was able to reuse the existing gateway and just run the final 3 commands to get up and running. I wish this was better documented as I wasted a couple of days getting everything working under the assumption that we couldn't do point-to-site in RM.

    Tuesday, January 12, 2016 12:11 AM
  • Thanks for your solution Marcus.

    I have one question.  What should the Client Pool be set to?  Should it match my local subnet, the network I'm connecting to, or be something else all together?

    Thanks for any help you can provide.

    Thursday, February 11, 2016 10:05 PM
  • Hi Chris,

    It's the IP addresses assigned to the clients on their VPN interface when they connect. So it should be a unique subnet to ensure traffic can route correctly. It's like a DHCP address pool.

    Hope that helps,

    Marcus
    Friday, February 12, 2016 10:17 AM
    Moderator
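    To make "a unique subnet" checkable before running Set-AzureRmVirtualNetworkGatewayVpnClientConfig, here is an added PowerShell check (not from this thread) that rejects a candidate client pool if it overlaps any network the clients must route to. The VNet prefixes are the thread's; the client LAN 192.168.1.0/24 is an assumption.

```powershell
# Added example (not from the thread): verify that a candidate point-to-site client pool
# does not overlap VNet1, VNet2 or the client's own LAN. 192.168.1.0/24 is an assumed LAN.
function ConvertTo-IPNumber([string]$ip) {
    # Dotted quad -> 32-bit value held in a 64-bit integer to avoid sign issues.
    [long]$n = 0
    foreach ($b in [System.Net.IPAddress]::Parse($ip).GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

function Get-CidrRange([string]$cidr) {
    # First and last address of a CIDR block; a non-aligned start address is normalised.
    $addr, $len = $cidr -split '/'
    $size  = [long][Math]::Pow(2, 32 - [int]$len)
    $first = [long][Math]::Floor((ConvertTo-IPNumber $addr) / $size) * $size
    return [pscustomobject]@{ Cidr = $cidr; First = $first; Last = $first + $size - 1 }
}

function Test-CidrOverlap([string]$a, [string]$b) {
    # Two ranges overlap when each one starts no later than the other ends.
    $ra = Get-CidrRange $a
    $rb = Get-CidrRange $b
    return ($ra.First -le $rb.Last) -and ($rb.First -le $ra.Last)
}

# Networks the pool must stay clear of: VNet1 and VNet2 from the thread, plus the assumed LAN.
$reserved = @('10.0.0.0/23', '10.0.10.0/23', '192.168.1.0/24')

# 10.0.1.0/24 sits inside VNet1's /23 and is rejected; 192.168.0.0/24 (the thread's pool) is free.
foreach ($pool in @('10.0.1.0/24', '192.168.0.0/24')) {
    $clash = @($reserved | Where-Object { Test-CidrOverlap $pool $_ })
    if ($clash.Count -gt 0) { "$pool overlaps $($clash -join ', ') - pick another pool" }
    else                    { "$pool is unique - safe to use as VpnClientAddressPool" }
}
```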
  • Thanks Marcus, that helps a lot.

    Chris

    Friday, February 12, 2016 5:25 PM