Azure site to site vpn routing

  • Question

  • I have a strange Azure VPN routing issue.
    Creating and connecting the site to site VPN from onprem RRAS to Azure is done and working.

    I have client with following ip config
    ip 10.10.10.10
    gw 10.10.10.1

    I have a 2012r2 RRAS server with following config
    ip 10.10.10.100
    gw 10.10.10.1
    In RRAS I have created a route to 192.168.0.0 via VPN

    Yes, RRAS is behind NAT and I know it isn't supported but this can't be the issue

    In Azure I have created 192.168.0.0 subnet

    On client I did route add 192.168.0.0 via 10.10.10.100 (rras server) and I can successfully ping 192.168.0.0

    Now I want to route traffic from client to ip 132.245.55.2 via the Azure site to site VPN

    On the client I did a route add 132.245.55.2 mask 255.255.255.255 10.10.10.100 (rras server)

    Then ping is OK and replies, but tracert is going via 10.10.10.100 (rras) then to 10.10.10.1 (gw of the rras and not the VPN)

    So in RRAS I add static route 132.245.55.2 mask 255.255.255.255 via VPN, but then no ping reply and no tracert

    What am I missing?

    Thursday, November 3, 2016 12:33 PM

All replies

  • Hello,

    We are checking on this and will get back to you. Thank you for your patience.

    Regards,

    Loydon

    Thursday, November 3, 2016 6:21 PM
  • Hi

    According to your description, I tested it in my lab.

    According to my test, I don’t think Azure supports your scene.

    The packets which are sent from the client could transfer to Azure VPN. However, on my receiving PC (Internet), I could not get any packets.

    Based on my knowledge, Azure may have some security rules under which these packets are unable to transfer from Azure VPN. However, we could not control these rules.

    If you want to achieve your scene, maybe you could create a RRAS server in Azure. You could configure RRAS to allow traffic out from Azure.

    If you still have questions, welcome to post back here. Thanks.

    Regards,

    Walter



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 4, 2016 8:32 AM
  • Hi Walter,

    What we want to achieve is described in following blog

    http://www.cyberdrain.com/?p=198

    The blogger says he got it working so I'm surprised you say it won't work.

    So what we want and what the blogger got working is

    client -> rras -> vpn -> azure -> internet

    Regards,

    Friday, November 4, 2016 12:17 PM
  • Hi

    If I am understanding this blog correctly, maybe you could use this way to achieve your scene.

    We could contact the blog’s author to ensure the way he accesses the Internet, VPN gateway or others? Based on my knowledge, I don’t think we could use the VPN gateway to connect to the Internet in your scene.

    If you still have questions, welcome to post back here. Thanks.

    Regards,

    Walter



    Monday, November 7, 2016 8:53 AM
  • We have a setup like below

    client -> rras -> modem/router -> azure 

    the RRAS server sets up the VPN to Azure.

    I used guide below for VPN/Azure RM configuration.

    https://scomandothergeekystuff.com/2016/09/19/creating-a-site-to-site-vpn-with-azure-resource-manager-arm-and-windows-2012r2/

    We are getting to Azure and if we create a VM in Azure we can also ping the VM, but we cannot go to the internet if we route traffic over the Azure VPN.

    Is this by design and why is it working in the blog? :-)

    Wednesday, November 9, 2016 3:16 PM
  • Hi

    According to the blog, it only means that the client and the VM on Azure could communicate. It also could not achieve your scenario. The reason is that Azure VPN gateway today does not perform outbound proxy or source-NAT functionality to the Internet directly.

    I recommend you use the below method if you want to achieve your scenario.

    client --> rras --> rras on Azure --> Internet

    If you still have questions, welcome to post back here. Thanks.

    Regards,

    Walter





    • Edited by ShuiShengbao Thursday, November 10, 2016 9:20 AM
    Thursday, November 10, 2016 9:03 AM
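
The routing behaviour discussed in the thread so far, as an added example that is not part of any post: a small longest-prefix-match model that reproduces both observations (tracert leaving via 10.10.10.1 before the RRAS static route, no reply after it). The /24 mask on 192.168.0.0, the default and on-link entries, and the function names are assumptions; the thread gives only addresses and gateways.

```python
import ipaddress

# Constructed route tables mirroring the thread. The /24 mask and the
# default/on-link entries are assumptions; the posts give no masks.
CLIENT = [("0.0.0.0/0", "10.10.10.1"), ("10.10.10.0/24", "on-link"),
          ("192.168.0.0/24", "10.10.10.100"),
          ("132.245.55.2/32", "10.10.10.100")]
RRAS_BEFORE = [("0.0.0.0/0", "10.10.10.1"), ("10.10.10.0/24", "on-link"),
               ("192.168.0.0/24", "VPN")]
RRAS_AFTER = RRAS_BEFORE + [("132.245.55.2/32", "VPN")]
VNET_PREFIXES = ["192.168.0.0/24"]  # address space behind the Azure gateway


def next_hop(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), hop) for prefix, hop in table
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(dst, rras_table):
    """Return (hops, delivered) for a packet sent by client 10.10.10.10."""
    hops = [next_hop(CLIENT, dst)]
    if hops[0] != "10.10.10.100":
        return hops, True   # left via the on-prem router, not via RRAS
    hops.append(next_hop(rras_table, dst))
    if hops[1] != "VPN":
        return hops, True   # RRAS handed it to its own default gateway
    # Inside the tunnel. Per the reply above, the Azure VPN gateway does no
    # source-NAT to the Internet, so only VNet destinations are deliverable.
    addr = ipaddress.ip_address(dst)
    in_vnet = any(addr in ipaddress.ip_network(p) for p in VNET_PREFIXES)
    hops.append("vnet" if in_vnet else "dropped at Azure gateway")
    return hops, in_vnet


if __name__ == "__main__":
    for label, table in (("before", RRAS_BEFORE), ("after", RRAS_AFTER)):
        print(label, trace("132.245.55.2", table))
```
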
  • Hi Walter,

    If I create a VM on Azure and install RRAS on it and run the RRAS wizard and select Custom and then VPN (as in following blog https://blogs.technet.microsoft.com/jletsch/2016/03/15/lets-configure-azure-site-to-site-vpn-with-rras-in-azure-resource-manager/ the paragraph "The Routing and Remote Access Server Setup Wizard will appear.") I get a prompt I only have one NIC in the VM.

    Have you personally tested this scenario?

    Regards,

    DV

    Thursday, November 10, 2016 10:48 AM