P2S VPN using Windows Server 2012 R2 as Azure endpoint

  • Question

  • Hi,

    Using ARM I need to have a P2S and I need to validate incoming requests using machine certificates.

    Only solution I could see was a simple VM with one NIC and RRAS. Configured security groups to allow incoming L2TP and IKEv2, deployed certificates are required and indeed I could get the VPN to connect.

    Only problem is that the tunnel can reach only the RRAS server itself!

    All other servers on the Azure vnet are unreachable and netmon shows that the virtual switch is not forwarding the traffic coming from the VPN client.

    I tried using the Azure DHCP, but that does not work, so I tried static addresses (and the internal DHCP in RRAS) in the same subnet as the Azure vnet, again no luck, then tried static addresses in a different subnet and a routing table in Azure (configuring the RRAS server as an appliance). In this case I got a routing loop, I have no idea where or why.

    So, does anybody know how to get this to work?


    Thursday, June 9, 2016 3:31 PM

All replies

  • Hello,

    Thank you for posting here!

    Could you please confirm as to why you are using a RRAS server for configuring a P2S VPN connection? Normally RRAS is used as a substitute to using a VPN device while setting up a S2S VPN connection.

    Also, what exactly do you mean by "Only problem is that the tunnel can reach only the rras server itself!"? Does this mean that your configuration is set up as VNet > RRAS > Client? Please be aware that installing Routing and Remote Access Service (RRAS) is not supported in an Azure VM. We will not be able to help you with any issues following this. Also, if this is installed on a VM which is a part of your VNet then the tunnel will only be able to reach the VM on which RRAS is installed and not the other VMs in the VNet.

    Therefore, I suggest you follow the instructions in "Configure a Point-to-Site connection to a virtual network using PowerShell" and configure the P2S and then check if the setup works for you.

    Let me know if this helps or if you have any additional questions.

    Regards,


    Friday, June 10, 2016 10:36 AM
  • Hello Loydon,

    1) Why am I using RRAS:

    CSP subscriptions can only use ARM. ARM gateways do not support P2S (from the GUI). Therefore I need a different way to deliver P2S. S2S is functioning perfectly in that vnet.

    2) Tunnel can only reach RRAS server:

    A client that successfully connects and establishes an IKEv2 tunnel can ping or RDP to the RRAS server itself using as a target the RRAS internal (private) IP address, but it cannot reach any other servers located in the same vnet as the RRAS server.

    3) What is going on?

    Using netmon on the RRAS server I can see traffic originated by the client leaving the RRAS internal interface, with a destination on the vnet. Only problem is that the destination MAC address is not that of the destination server but a fixed 01-23-45-67-89-ab. This is confirmed by a simple ARP -a. I assume this has to do with the Azure / Hyper-V virtual switch.

    In any case I don't see response traffic and with netmon I can verify that the destination server does not receive the packets output by the RRAS server. Note that the RRAS server is generating a correct destination IP, and a destination MAC that is coherent with its ARP table.

    4) Why not PS?

    I'd rather not do it all over, this is a production environment and redoing the gateway would imply several hours of downtime.

    Thanks for your time!


    Friday, June 10, 2016 12:18 PM
  • Hi Gianpaolo,

    To begin with, note that the Remote Access (Direct Access, Routing) role is not supported in Microsoft Azure virtual machines.
    If you install RRAS in your Azure VM, it might work, however, we wouldn't be able to troubleshoot in case you encounter any issues.

    1. ARM deployments support P2S connections, though only through PowerShell and not GUI as you are already aware.
    2. If you have an S2S that's functioning perfectly using a static routing gateway and need to add a P2S connection to it, you would have to delete the static routing gateway and create a dynamic routing gateway to achieve this. This would be inevitable, as Azure does not support multiple gateways to the same VNET. A static gateway only supports a single S2S connection, whereas a dynamic gateway supports multi-site, P2S and VNET-VNET connections as well.
    3. If you already have a dynamic routing gateway in place, you do not have to take down your gateway or worry about the downtime, you would just have to make changes to add your new connection to the existing gateway.

    You could refer to the following link for details on how to create a P2S connection for ARM deployments using PowerShell:

    If you need further support troubleshooting this issue, you could raise a technical support case using the following link:

    Also, even if you raise a Technical support case for in-depth troubleshooting and assistance with your issue, we would not troubleshoot any scenario/setup that is not supported by Microsoft.


    Saturday, June 11, 2016 6:02 AM
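
Added example, not part of the thread or of Microsoft's documentation: a PowerShell script for the step described in the reply above, enabling P2S on an existing dynamic (RouteBased in ARM terms) gateway and uploading a root certificate without recreating the gateway. It assumes the AzureRM module of that period and an already authenticated session; the resource group, gateway name, certificate path, certificate name and client address pool are placeholders.

```powershell
# Added example: every value below is a placeholder, not taken from the thread.
$rg       = 'example-rg'             # hypothetical resource group
$gwName   = 'example-vnet-gw'        # hypothetical existing gateway
$cerPath  = 'C:\certs\P2SRoot.cer'   # hypothetical exported root certificate (public part only)
$certName = 'P2SRootCert'            # display name for the certificate on the gateway
$pool     = '172.16.201.0/24'        # constructed client pool; must not overlap the VNet or on-premises ranges

$gw = Get-AzureRmVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg

# P2S is only available on a dynamic (RouteBased) gateway. A static (PolicyBased)
# gateway has to be deleted and recreated, which is the downtime case from the reply.
if ($gw.VpnType -ne 'RouteBased') {
    throw "Gateway '$gwName' is $($gw.VpnType); P2S requires a RouteBased gateway."
}

# Configure the VPN client address pool only if the gateway has none yet,
# so that an existing P2S configuration is not overwritten.
$cfg = $gw.VpnClientConfiguration
if (-not $cfg -or -not $cfg.VpnClientAddressPool.AddressPrefixes) {
    Set-AzureRmVirtualNetworkGatewayVpnClientConfig -VirtualNetworkGateway $gw `
        -VpnClientAddressPool $pool | Out-Null
}

# Load the certificate through X509Certificate2 so both DER and Base64 .cer files work,
# and refuse anything that is not a self-signed root or that carries a private key.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate '$($cert.Subject)' is not self-signed; upload the root, not a client certificate."
}
if ($cert.HasPrivateKey) {
    throw "The file contains a private key; export the public certificate only."
}

# The gateway expects the raw certificate bytes as a single Base64 string.
$publicCertData = [System.Convert]::ToBase64String($cert.RawData)

Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $certName `
    -VirtualNetworkGatewayName $gwName -ResourceGroupName $rg `
    -PublicCertData $publicCertData | Out-Null

# Confirm which root certificates the gateway now trusts for client authentication.
Get-AzureRmVpnClientRootCertificate -VirtualNetworkGatewayName $gwName -ResourceGroupName $rg |
    Select-Object Name, ProvisioningState
```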
  • Hi,

    My problem with PS is that I never found a way to add a root certificate to an existing gateway (yes, it is dynamic)!

    I know it's not supported. That's why I'm not opening a ticket. But it looks like it has been set up before, but not with ARM.

    Saturday, June 11, 2016 7:21 AM
  • Hi,

    Another serious limit of the Azure P2S VPN is that it requires elevated privileges to set up AND to run.

    This may be a showstopper in my case...


    Saturday, June 11, 2016 2:35 PM
  • Just in case somebody is interested:

    I ended up creating a new vnet, classic, not ARM, setting up P2S VPN access in there and creating a site-to-site VPN.

    I then used most of the following to have users able to start and stop the VPN with no admin access:


    Not exactly straightforward but once it is set up it works well and you can manage certificates in the GUI.

    The real problem is that you need an Azure subscription not in CSP, to be able to use classic mode...

    Tuesday, June 14, 2016 3:09 PM