J-La026
Oct 31, 2023
Solved

On-prem connect with S2S VPN to Azure / users on P2S to Azure cannot connect to S2S on-prem resourc

Hi!
I am trying to configure things so that P2S users can access resources at the S2S end.
S2S is working and on-prem can access the VM at Azure. P2S can also access the VM at Azure and, from that VM, of course access the S2S side. However, a P2S user cannot directly access a resource at the end of the S2S.
The on-prem network is advertised in the Azure VPN client, but it still seems it's not routing to the on-prem site. For example, the on-prem firewall does not see any incoming ICMP from the P2S client. It does, however, see ICMP from the VM located at Azure.

[Screenshot: LocalNetworkGateway]

Not using BGP. Static routes should work, right?

Below are two test nets, 192.168.1.0/24 and 192.168.47.0/24, over at the on-prem site. (S2S works fine.)

[Screenshot: VirtualNetworkGateway P2S]

Also added custom routes 192.168.1.0/24, 172.16.100.0/24. It seems it does not matter; without them added, the client still sees the routes. See below.

In the Azure VPN client Windows app, when connected I can see the routes:

[Screenshot: Client Route Print]

Any suggestions on how I can get P2S users to access resources at the S2S end?

Thanks

  • J-La026
    Nov 02, 2023
    I got it working in the end. The issue was with the on-prem firewall S2S configuration with regard to the P2S subnet's phase-2 encryption/authentication and PFS. So BGP was not needed.
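As an added example (not code from the thread), a small check that encodes the root cause described in the answer above: the on-prem firewall's phase-2 (traffic) selectors have to cover the P2S client pool, not just the VNet, or the firewall never negotiates a child SA for P2S traffic even though Azure routes it correctly. The P2S pool (172.16.100.0/24) and the VNet range are assumed values; the on-prem prefixes are the ones from the post.

```python
# Added example, not from the thread. All values are constructed sample data
# shaped like the resources the post describes; replace them with the output of
# `az network vnet-gateway show` / `az network local-gateway show` and the
# firewall's VPN phase-2 configuration.
import ipaddress
from typing import Iterable, List

AZURE_VNET_PREFIXES = ["10.0.0.0/16"]                           # assumed VNet address space
P2S_ADDRESS_POOL = ["172.16.100.0/24"]                          # assumed P2S client pool
LOCAL_GATEWAY_PREFIXES = ["192.168.1.0/24", "192.168.47.0/24"]  # LocalNetworkGateway, from post
# On-prem firewall phase-2 remote selectors before the fix: only the VNet.
ONPREM_PHASE2_BEFORE = ["10.0.0.0/16"]
# After the fix: the P2S pool is listed too, so the firewall negotiates it.
ONPREM_PHASE2_AFTER = ["10.0.0.0/16", "172.16.100.0/24"]


def covered(prefix: str, selectors: Iterable[str]) -> bool:
    """True if `prefix` lies inside at least one selector/prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(s)) for s in selectors)


def uncovered_p2s(p2s_pool: Iterable[str], phase2_remote: Iterable[str]) -> List[str]:
    """P2S subnets the on-prem firewall will not accept in a phase-2 SA."""
    return [p for p in p2s_pool if not covered(p, phase2_remote)]


def onprem_not_in_local_gateway(onprem: Iterable[str], lng: Iterable[str]) -> List[str]:
    """On-prem prefixes Azure will neither send into the S2S tunnel nor push to P2S clients."""
    return [p for p in onprem if not covered(p, lng)]


def diagnose(p2s_pool, lng_prefixes, onprem_prefixes, phase2_remote) -> List[str]:
    """Human-readable findings; an empty list means both sides agree."""
    findings = []
    for p in onprem_not_in_local_gateway(onprem_prefixes, lng_prefixes):
        findings.append(f"{p} missing from LocalNetworkGateway address space")
    for p in uncovered_p2s(p2s_pool, phase2_remote):
        findings.append(f"{p} (P2S pool) missing from on-prem phase-2 selectors")
    return findings


if __name__ == "__main__":
    # The on-prem laptop from the post is the target we want P2S clients to reach.
    for label, sel in (("before fix", ONPREM_PHASE2_BEFORE), ("after fix", ONPREM_PHASE2_AFTER)):
        print(label, diagnose(P2S_ADDRESS_POOL, LOCAL_GATEWAY_PREFIXES,
                              ["192.168.1.110/32"], sel) or ["ok"])
```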

7 Replies

    • J-La026

      Kidd_Ip 

      Hi! 

      Thanks for trying to help out. Hope my MSpaint skills are OK 🙂 Else let me know if you need something more? Also see my previous screenshots. 

      As for the below, the Azure P2S users (see orange box) are able to access the VM at Azure no problem; however, they cannot directly access the Windows laptop 192.168.1.110 at the on-prem site.

      The FortiClient P2S users (see yellow box) are able to directly access the VM at Azure over the S2S tunnel. 

      I should add that accessing the Windows laptop (on-prem) from the Azure Windows VM is no problem.

      Thanks

      JLa

      • J-La026

        According to this:
        https://learn.microsoft.com/sv-se/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#vnetbranch
        It seems BGP is needed? Please let me know if that's the case and static routes can't be used.
