Problem connecting Azure VPN to WS 2008 R2 based VPN gateway

  • Question

  • I am trying to set up Azure VPN against a WS2008 R2-based VPN gateway. I have added a Connection Security rule for the IPsec tunnel, and now I can see connected status in the Azure portal and also see correct Security Associations (both for Main mode and Quick mode).

    However, I am not able to communicate between the networks. In the Azure portal I see:

    Data IN: 0 B (strange!!!)
    Data OUT: 200 kB

    Any hint or troubleshooting suggestion is highly appreciated.

    Michael

    Thursday, June 14, 2012 10:32 AM

Answers

  • Hi everyone,

    I finally made it work. I have documented all setup steps, you can find complete documentation here.

    Some caveats to watch out for:

    1. The hotfix for KB2523881 is necessary.
    2. There is no connectivity (ping, telnet, etc.) between the gateway and cloud computers; don't get confused by this. Only computers BEHIND the gateway have connectivity. This is because the IPsec rule is not applied to packets originating on the gateway, as they always have the public IP address as source IP.
    3. The IPsec tunnel rule is not compatible with NAT (network address translation, either Internet Connection Sharing or the RRAS option) on the public interface of the gateway computer, because NAT modifies IP packet headers in a way that prevents the IPsec rule from applying.
    Tuesday, June 26, 2012 7:41 AM

All replies

  • Hi, Michael:

    Could you please share the output of the following commands on your Win2k8 R2 box?  

    netsh advfirewall consec show rule name=all type=dynamic
    netsh advfirewall consec show rule name=all type=static

    netsh advfirewall firewall show rule name=all

    route print

    Also, could you please tell us about the configuration of your virtual network (i.e. what's the Azure network range, what's the on-premise network range, etc.)?

    You can email me personally if you do not feel comfortable with sharing those on the forum:

    yuanyu NoSpamPlease microsoft.com


    Friday, June 15, 2012 12:05 AM
    Moderator
  • Thanks for the answer. I am trying to connect 10.1.0.0/16 in the cloud with 192.168.0.0/24 locally. Here is the output:

    C:\Windows\system32>netsh advfirewall consec show rule name=all type=dynamic

    Rule Name:                            Azure Virtual Network Tunnel
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Profiles:                             Domain,Private,Public
    Type:                                 Dynamic
    Mode:                                 Tunnel
    LocalTunnelEndpoint:                  96.31.71.71
    RemoteTunnelEndpoint:                 168.63.36.182
    Endpoint1:                            192.168.0.0/24
    Endpoint2:                            10.1.0.0/16
    Protocol:                             Any
    Action:                               RequireInRequireOut
    Auth1:                                ComputerPSK
    Auth1PSK:                             OnP2CW8uYHafysPcgXISSwbmt8dtUB5gRXZa7bZhhP
    PqZeNxDl
    MainModeSecMethods:                   DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    QuickModeSecMethods:                  ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES1
    28+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    ExemptIPsecProtectedConnections:      No
    ApplyAuthorization:                   No
    Ok.

    C:\Windows\system32>netsh advfirewall consec show rule name=all type=static

    Rule Name:                            Azure Virtual Network Tunnel
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Profiles:                             Domain,Private,Public
    Type:                                 Static
    Mode:                                 Tunnel
    LocalTunnelEndpoint:                  96.31.71.71
    RemoteTunnelEndpoint:                 168.63.36.182
    Endpoint1:                            192.168.0.0/24
    Endpoint2:                            10.1.0.0/16
    Protocol:                             Any
    Action:                               RequireInRequireOut
    Auth1:                                ComputerPSK
    Auth1PSK:                             OnP2CW8uYHafysPcgXISSwbmt8dtUB5gRXZa7bZhhP
    PqZeNxDl
    MainModeSecMethods:                   DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    QuickModeSecMethods:                  ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES1
    28+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    ExemptIPsecProtectedConnections:      No
    ApplyAuthorization:                   No
    Ok.

    C:\Windows\system32>netsh advfirewall consec show rule name=all

    Rule Name:                            Azure Virtual Network Tunnel
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Profiles:                             Domain,Private,Public
    Type:                                 Static
    Mode:                                 Tunnel
    LocalTunnelEndpoint:                  96.31.71.71
    RemoteTunnelEndpoint:                 168.63.36.182
    Endpoint1:                            192.168.0.0/24
    Endpoint2:                            10.1.0.0/16
    Protocol:                             Any
    Action:                               RequireInRequireOut
    Auth1:                                ComputerPSK
    Auth1PSK:                             OnP2CW8uYHafysPcgXISSwbmt8dtUB5gRXZa7bZhhP
    PqZeNxDl
    MainModeSecMethods:                   DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    QuickModeSecMethods:                  ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES1
    28+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    ExemptIPsecProtectedConnections:      No
    ApplyAuthorization:                   No
    Ok.

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0       96.31.71.1      96.31.71.71    261
           96.31.71.0    255.255.255.0         On-link       96.31.71.71    261
          96.31.71.71  255.255.255.255         On-link       96.31.71.71    261
         96.31.71.255  255.255.255.255         On-link       96.31.71.71    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.0.0    255.255.255.0         On-link       192.168.0.1    286
          192.168.0.1  255.255.255.255         On-link       192.168.0.1    286
          192.168.0.2  255.255.255.255         On-link       192.168.0.1    286
        192.168.0.100  255.255.255.255         On-link       192.168.0.1    286
        192.168.0.255  255.255.255.255         On-link       192.168.0.1    286
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       96.31.71.71    261
            224.0.0.0        240.0.0.0         On-link       192.168.0.1    286
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       96.31.71.71    261
      255.255.255.255  255.255.255.255         On-link       192.168.0.1    286
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0       96.31.71.1  Default
    ===========================================================================

    Friday, June 15, 2012 7:46 AM
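A defender-side check that can be run over this kind of `netsh advfirewall consec show rule` output, as an added example that is not part of any post in this thread. It parses the rule (gluing back the lines the console wraps at 80 columns, as happens to the PSK and QuickModeSecMethods above), confirms the tunnel endpoints are the intended site networks, and flags proposals that offer no confidentiality and a pre-shared key pasted in the clear. The sample text is a shortened, constructed version of the output quoted above with a placeholder key.

```python
"""Check a Windows IPsec tunnel rule (netsh consec output) against the
intended site-to-site configuration.  Example code, not from the thread."""
import re

# Constructed sample: shortened copy of the quoted output, placeholder PSK.
SAMPLE = """\
Rule Name:                            Azure Virtual Network Tunnel
----------------------------------------------------------------------
Enabled:                              Yes
Mode:                                 Tunnel
LocalTunnelEndpoint:                  96.31.71.71
RemoteTunnelEndpoint:                 168.63.36.182
Endpoint1:                            192.168.0.0/24
Endpoint2:                            10.1.0.0/16
Action:                               RequireInRequireOut
Auth1:                                ComputerPSK
Auth1PSK:                             PLACEHOLDER-PSK-FIRST-HALF
SECOND-HALF
QuickModeSecMethods:                  ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES1
28+60min+100000kb,AH:SHA1+60min+100000kb
Ok.
"""

def parse_consec_rules(text):
    """Return one {field: value} dict per rule.  A line with no 'Key:  value'
    shape is a wrapped continuation and is appended to the previous field."""
    rules, current, last_key = [], None, None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {}
            rules.append(current)
        if current is None or not line.strip() or line.startswith("---") or line == "Ok.":
            continue
        m = re.match(r"^([A-Za-z0-9 ]+?):\s+(.*)$", line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key:
            current[last_key] += line.strip()   # wrapped value, no separator
    return rules

def check_tunnel_rule(rule, local_net, remote_net):
    """Return a list of findings; an empty list means the rule looks as intended."""
    findings = []
    if rule.get("Mode") != "Tunnel":
        findings.append("not a tunnel-mode rule")
    if {rule.get("Endpoint1"), rule.get("Endpoint2")} != {local_net, remote_net}:
        findings.append("endpoints do not match the intended site networks")
    if rule.get("Action") != "RequireInRequireOut":
        findings.append("action permits cleartext fallback: %s" % rule.get("Action"))
    for method in rule.get("QuickModeSecMethods", "").split(","):
        if method.startswith("AH:") or "-None" in method:   # integrity only
            findings.append("proposal offered without encryption: " + method)
    if rule.get("Auth1") == "ComputerPSK" and rule.get("Auth1PSK"):
        findings.append("pre-shared key is visible in this output; redact before sharing")
    return findings
```

Running `check_tunnel_rule(parse_consec_rules(SAMPLE)[0], "192.168.0.0/24", "10.1.0.0/16")` on the sample reports the two unencrypted proposals and the exposed key, while the endpoints and action pass.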
  • I am trying to setup Azure VPN against WS2008 R2 based VPN gateway. I have added Connection Security rule for IPsec tunnel, and now I can see connected status in Azure portal and also see correct Security Associations (both for Main mode and Quick mode).

    However I am not able to communicate between networks. In Azure portal I see:

    Data IN: 0 B (strange!!!)
    Data OUT: 200 kB

    Any hint or troubleshooting suggestion is highly appreciated.

    Michael

    Same problem here. Now it's more like OUT: 2.5Mb...

    No one knows what's the problem. And this Yuan Yuan guy is in every thread about this issue. :)

    Monday, June 18, 2012 2:44 PM
  • We found out what the problem was.

    Just follow instructions on this page:

    http://social.msdn.microsoft.com/Forums/en-US/windowsazureconnectivity/thread/eff37274-8b25-471a-bbc0-3303a0c58960/#33605e3a-ad9f-4ea1-b5e2-5bf37d0e2fa6

    Hope this solves your problem.

    Cheers

    Friday, June 22, 2012 6:02 AM
  • Hi, Vuk:

    Thanks a lot for your answer.  It's not that we forgot about Michael, : )  I took this offline with him as it could be a bit too verbose to get into all the nitty-gritties here.  We got the problem resolved as of this morning.  I will ask Michael to post a summary afterwards.

    Friday, June 22, 2012 2:47 PM
    Moderator
  • Thanks a lot, Michael.  This is awesome!
    Tuesday, June 26, 2012 7:53 AM
    Moderator
  • Hi everyone!

    I followed these steps one by one and, although everything looks OK, no connection is established and no traffic flows between the two sites.  The only difference in my set up is that I am not using the 2008 R2 box as a gateway on my network, instead I have a Cisco ASA-5510 doing that.  The VPN server is just that and we're not using NAT, instead the server has a dedicated public IP with firewall rules letting through all of the traffic on the required ports for IKEv2: UDP 500 and 4500 and ESP 50.  No hits on the last one but the first two seem to flow data.

    Any ideas on what I might have missed?  All help is appreciated!

    Thanks! Alex

    Wednesday, November 13, 2013 4:37 AM