Forum Discussion
Creating a VPN, do I need to add a route to reach my local peer IP?
Hi Mike,
Following is a guide you can follow to troubleshoot this issue.
http://cookbook.fortinet.com/ipsec-vpn-microsoft-azure-54/
Thanks
Thanks for the response. I posted a very long and detailed post a few days ago and now it's gone for some reason. Very annoying, since I included a lot of detailed information. I'll see if I can find out why I don't see it now.
- Mike Meyer, Jan 21, 2018, Copper Contributor
My previous detailed post is gone, I'll have to re-invent the wheel. I'll repost my specific questions and details, and troubleshooting results later.
Thanks
- Kent Gaardmand, Jan 22, 2018, Iron Contributor
Azure has example configurations as well here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
I found your questions in a notification I received.
1) How can I tell if the Azure peer IP is successfully reaching the local peer?
-If your VPN is in a Connected state, then you should be able to see exposed routes in your Fortinet firewall. You will not be able to ping the gateway subnet, but you could ping a VM on your subnet.
As it is stuck in the Connecting state and no packets have been received at all, I am guessing that you are using the wrong public IP or have a firewall rule preventing the connection.
2) I've done a lot of work with Juniper/NetScreen firewalls, they always had a very good log. The firewall I am using now (Fortigate) does not, so there is nothing there either, which is why it seemed the two weren't talking or reaching each other.
-Make sure your OS is on the supported list in the link I provided before. I found a troubleshooting video for your firewall; not sure it's relevant, but give it a look: http://cookbook.fortinet.com/ipsec-vpn-troubleshooting-video-52/
3) I already had a VNET and subnets set up (currently empty) so didn't use a predefined JSON template to create the VPN as I've seen on Github. But I did use the above cookbook to create everything, including a GatewaySubnet manually.
-This should not be a problem. If you created the VPN gateway via the portal, make sure it was route-based; your firewall does not support policy-based.
4) Do I need a VM inside my GatewaySubnet to initiate traffic? Right now I just have empty vnet and subnets, but I was trying to ping the other subnet (a random address) to bring up the tunnel. The tunnel should be able to come up regardless of PCs on either end.
-The tunnel should become connected regardless and always be able to route traffic.
5) How do I route traffic from my GatewaySubnet to my other Subnets (Management, XenApp, etc.)?
-Any subnet connected to the VNET containing the VPN gateway will be able to see the routes available to them. You could also use VNET peering with gateway transit enabled on one end and "Allow remote gateway" on the other. This may require creating a route table.
6) You mentioned an NSG. I have read repeatedly that you do not want to associate an NSG with a Gateway Subnet. (?)
-Yes, do not associate an NSG with the Gateway subnet; I don't think Azure will allow you to do this (untested).
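The checks Kent walks through above (matching peer IPs, route-based gateway, no NSG on the GatewaySubnet, matching address spaces, and what a stuck Connecting state with zero bytes received points to) can be turned into a small pre-flight script. This is an added example, not code from Fortinet, Microsoft, or anyone in this thread; the dictionary field names, the IPs and the pre-shared key are constructed assumptions standing in for what you would read off the FortiGate config and the Azure connection object.

```python
"""Pre-flight check for an Azure <-> FortiGate site-to-site IPsec tunnel.
Field names below are assumptions for this example, not vendor APIs."""

def check_s2s(fgt: dict, azure: dict) -> list:
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    # 1. Each side must point at the other's real public IP.
    if fgt["remote_gw"] != azure["gateway_public_ip"]:
        findings.append(f"FortiGate remote-gw {fgt['remote_gw']} != Azure gateway IP "
                        f"{azure['gateway_public_ip']}")
    if azure["local_network_gateway_ip"] != fgt["local_public_ip"]:
        findings.append(f"Azure local network gateway IP {azure['local_network_gateway_ip']} "
                        f"!= FortiGate public IP {fgt['local_public_ip']}")
    # 2. FortiGate only supports a route-based Azure gateway.
    if azure["vpn_type"] != "RouteBased":
        findings.append(f"Azure gateway is {azure['vpn_type']}; FortiGate needs RouteBased")
    # 3. Pre-shared keys must match exactly (compare, never print).
    if fgt["psk"] != azure["shared_key"]:
        findings.append("pre-shared keys differ")
    # 4. No NSG on the GatewaySubnet.
    if azure.get("gateway_subnet_nsg"):
        findings.append(f"NSG {azure['gateway_subnet_nsg']} is associated with GatewaySubnet")
    # 5. Azure must know every on-prem prefix the FortiGate will send.
    missing = sorted(set(fgt["local_subnets"]) - set(azure["local_network_gateway_prefixes"]))
    if missing:
        findings.append(f"on-prem prefixes missing from Azure local network gateway: {missing}")
    # 6. Tunnel state: Connecting with 0 bytes in means IKE never got an answer.
    status = azure["connection_status"]
    if status != "Connected" and azure.get("ingress_bytes", 0) == 0:
        findings.append(f"connection is {status} with 0 bytes received: verify peer IPs and "
                        "that UDP 500/4500 and ESP are permitted inbound on the FortiGate WAN")
    return findings

# Constructed sample data (documentation-range IPs, dummy key).
FGT = {"remote_gw": "203.0.113.10", "local_public_ip": "198.51.100.7",
       "psk": "example-psk", "local_subnets": ["10.1.0.0/16"]}
AZURE_OK = {"gateway_public_ip": "203.0.113.10", "local_network_gateway_ip": "198.51.100.7",
            "vpn_type": "RouteBased", "shared_key": "example-psk", "gateway_subnet_nsg": None,
            "local_network_gateway_prefixes": ["10.1.0.0/16"],
            "connection_status": "Connected", "ingress_bytes": 4096}
# Same setup, but Azure was given the wrong on-prem peer IP and the tunnel never came up.
AZURE_STUCK = dict(AZURE_OK, local_network_gateway_ip="198.51.100.8",
                   connection_status="Connecting", ingress_bytes=0)

if __name__ == "__main__":
    for name, az in (("ok", AZURE_OK), ("stuck", AZURE_STUCK)):
        print(name, check_s2s(FGT, az) or "no findings")
```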
- Mike Meyer, Jan 22, 2018, Copper Contributor
Wow, thanks for finding that - wonder what happened there?
I'll review your answers today - thanks much.