Forum Discussion
Creating a VPN, do I need to add a route to reach my local peer IP?
VPN creation in Azure already has internet access, so if the VPN tunnel is created correctly you should see an established state. Traffic to/from your VNet or local subnet may require you to allow it in your firewall and the Network Security Group you have applied to the subnet or VM.
What type of VPN are you trying to create, or what guide are you following?
Mike Meyer, Jan 19, 2018, Copper Contributor
Hi Kent,
Thanks for your quick reply.
I have a Fortigate firewall, so was using this guide here:
- http://cookbook.fortinet.com/ipsec-vpn-microsoft-azure-54/
I have a few newbie questions that might help clarify. I'm not new to creating S2S firewalls, I've done that a lot in the past with traditional firewall appliances, the Azure aspect is new to me though.
1) How can I tell if the Azure peer IP is successfully reaching the local peer? And if it's failing, how do I tell what it's failing on (e.g. Phase 1 or Phase 2, and exactly what aspect of either)? I don't see much; all I see when I ran diagnostics on the Azure side is this:
Connectivity State : Connecting
Remote Tunnel Endpoint : <Local Peer IP>
Ingress Bytes (since last connected) : 0 B
Egress Bytes (since last connected) : 0 B
Ingress Packets (since last connected) : 0 Packets
Egress Packets (since last connected) : 0 Packets
Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets
Egress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets
Bandwidth : 0 b/s
Peak Bandwidth : 0 b/s
Connected Since : 1/1/0001 12:00:00 AM
2) I've done a lot of work with Juniper/NetScreen firewalls, they always had a very good log. The firewall I am using now (Fortigate) does not, so there is nothing there either, which is why it seemed the two weren't talking or reaching each other.
3) I already had a VNET and subnets set up (currently empty) so didn't use a predefined JSON template to create the VPN as I've seen on Github. But I did use the above cookbook to create everything, including a GatewaySubnet manually.
4) Do I need a VM inside my GatewaySubnet to initiate traffic? Right now I just have empty vnet and subnets, but I was trying to ping the other subnet (a random address) to bring up the tunnel. The tunnel should be able to come up regardless of PCs on either end. (correct? Or no?)
5) How do I route traffic from my GatewaySubnet to my other Subnets (Management, XenApp, etc.)?
6) You mentioned an NSG. I have read repeatedly that you do not want to associate an NSG with a Gateway Subnet. (?)
Thank you for answering all my questions!
Thanks,
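The diagnostics block quoted in the post above is enough to tell which stage of tunnel bring-up is stuck, if you read the counters together. The script below is an added example, not code from the thread, Microsoft or Fortinet: it parses that "Key : Value" output and maps it to a stage (IKE never completing, IKE up but Phase 2 selectors disagreeing, tunnel up but idle). The field names are taken from the post; the second sample, the interpretation rules and the hint text are my own assumptions.

```python
"""Interpret the Azure site-to-site VPN connection diagnostics block.

Added example. The field names follow the output quoted in the post; the
classification rules and hints are the editor's assumptions, not Microsoft's
or Fortinet's documentation.
"""
import re

# Constructed sample 1: the output quoted in the post (a tunnel that never came up).
NEVER_CONNECTED = """\
Connectivity State : Connecting
Remote Tunnel Endpoint : <Local Peer IP>
Ingress Bytes (since last connected) : 0 B
Egress Bytes (since last connected) : 0 B
Ingress Packets (since last connected) : 0 Packets
Egress Packets (since last connected) : 0 Packets
Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets
Egress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets
Bandwidth : 0 b/s
Peak Bandwidth : 0 b/s
Connected Since : 1/1/0001 12:00:00 AM
"""

# Constructed sample 2: IKE negotiated, but the Phase 2 (traffic selector) definitions disagree.
SELECTOR_MISMATCH = """\
Connectivity State : Connected
Remote Tunnel Endpoint : <Local Peer IP>
Ingress Bytes (since last connected) : 1.2 KB
Egress Bytes (since last connected) : 0 B
Ingress Packets (since last connected) : 12 Packets
Egress Packets (since last connected) : 0 Packets
Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 12 Packets
Egress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets
Bandwidth : 0 b/s
Peak Bandwidth : 96 b/s
Connected Since : 1/19/2018 10:15:00 AM
"""

LINE_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")
NUMBER_RE = re.compile(r"^\s*([0-9]+(?:\.[0-9]+)?)")


def parse_diagnostics(text):
    """Turn 'Key : Value' lines into a dict; the '(since last connected)' suffix is dropped."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = m.group("key").replace("(since last connected)", "").strip()
        fields[key] = m.group("value").strip()
    return fields


def _number(value):
    """Leading numeric part of a counter such as '12 Packets' or '1.2 KB' (0 if absent)."""
    m = NUMBER_RE.match(value)
    return float(m.group(1)) if m else 0.0


def assess(fields):
    """Return (stage, hints): which stage of tunnel bring-up the counters point at."""
    state = fields.get("Connectivity State", "").lower()
    in_drop = _number(fields.get("Ingress Packets Dropped due to Traffic Selector Mismatch", "0"))
    out_drop = _number(fields.get("Egress Packets Dropped due to Traffic Selector Mismatch", "0"))
    in_bytes = _number(fields.get("Ingress Bytes", "0"))
    out_bytes = _number(fields.get("Egress Bytes", "0"))
    # Azure reports the .NET zero date when the SA has never been established.
    never_connected = fields.get("Connected Since", "").startswith("1/1/0001")

    if state != "connected":
        hints = ["IKE (Phase 1) has not completed; no IPsec SA exists yet."]
        if never_connected:
            hints.append("The SA has never come up: compare peer IPs, pre-shared key and "
                         "IKE version/proposals on both sides.")
        hints.append("Confirm UDP 500/4500 and ESP are allowed on the on-premises edge and any NAT device.")
        return "phase1", hints
    if in_drop or out_drop:
        return "phase2-selectors", [
            "IKE is up but packets are dropped for traffic selector mismatch.",
            "Make the on-premises Phase 2 selectors match the VNet address space "
            "and the local network gateway prefixes exactly.",
        ]
    if in_bytes == 0 and out_bytes == 0:
        return "idle", ["Tunnel is up but idle: generate traffic from a host in a workload subnet; "
                        "the GatewaySubnet itself holds only the gateway instances."]
    return "healthy", ["Tunnel is up and passing traffic."]


if __name__ == "__main__":
    for name, sample in (("never connected", NEVER_CONNECTED), ("selector mismatch", SELECTOR_MISMATCH)):
        stage, hints = assess(parse_diagnostics(sample))
        print(f"{name}: {stage}")
        for h in hints:
            print("  -", h)
```

Paste the portal's diagnostics text into `parse_diagnostics` to run it against a live connection. The useful signal is the combination of fields: "Connecting" with the zero date means IKE never finished (so look at peer IPs, the PSK and proposals first), while "Connected" with non-zero selector-mismatch drops means IKE is fine and the Phase 2 address ranges are what differ.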