Creating a VPN, do I need to add a route to reach my local peer IP?

Copper Contributor

New to this Azure thing - creating my first VPN with my local office.

 

The VPN is not currently working.  I think I've got most of the config done, but I suspect the Azure VPN and the local Firewall are not talking.

 

Do I need to add a route or open a firewall port on the Azure side so it can reach my Firewall public IP?  I tried running a diagnostic and got:

 

Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets
Egress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets

 

Basic VPN, Fortigate firewall at the local site.

 

Thank you,

 

Mike

12 Replies

VPN creation in Azure allready has internet access, so if the vpn tunnel is created correctly you should see an established state. Traffic to/from your vnet or local subnet may require you to allow it in your firewall and the Network security group you have applied to the Subnet or VM.

 

 

What type of VPN are your trying to create or what guide are you following ?

 

 

Hi Kent,

 

Thanks for your quick reply.

 

I have a Fortigate firewall, so was using this guide here:

 

I have a few newbie questions that might help clarify.   I'm not new to creating S2S firewalls, I've done that a lot in the past with traditional firewall appliances, the Azure aspect is new to me though.

 

1)  How can I tell if the Azure peer IP is successfully reaching the local peer?  And if it's failing, how do I tell what it's failing on (eg. Phase 1, or Phase 2, and exactly what aspect of either?).   I don't see much, all I see when I did a diagnostics on the Azure side is this:

 

  • Connectivity State : Connecting
    Remote Tunnel Endpoint : <Local Peer IP>
    Ingress Bytes (since last connected) : 0 B
    Egress Bytes (since last connected) : 0 B
    Ingress Packets (since last connected) : 0 Packets
    Egress Packets (since last connected) : 0 Packets
    Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets
    Egress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets
    Bandwidth : 0 b/s
    Peak Bandwidth : 0 b/s
    Connected Since : 1/1/0001 12:00:00 AM

2) I've done a lot of work with Juniper/NetScreen firewalls, they always had a very good log.  The firewall I am using now (Fortigate) does not, so there is nothing there either, which is why it seemed the two weren't talking or reaching each other.

 

3)  I already had a VNET and subnets set up (currently empty) so didn't use a predefined JSON template to create the VPN as I've seen on Github.   But I did use the above cookbook to create everything, including a GatewaySubnet manually.

 

4)  Do I need a VM inside my GatewaySubnet to initiate traffic?   Right now I just have empty vnet and subnets, but I was trying to ping the other subnet (a random address) to bring up the tunnel.  The tunnel should be able to come up regardless of PCs on either end. (correct?  Or no?)

 

5) How do I route traffic from my GatewaySubnet to my other Subnets (Management, XenApp, etc.)?

 

6) You mentioned an NSG.  I have read repeatedly that you do not want to associate an NSG with a Gateway Subnet. (?)

 

Thank you for answering all my questions!

 

Thanks,

Thanks for the response.  I posted a very long and detailed post a few days ago and now it's gone for some reason.   Very annoying since I included a lot of detailed information).  I'll see if I can find out why I don't see it now.

My previous detailed post is gone, I'll have to re-invent the wheel.  I'll repost my specific questions and details, and troubleshooting results later.

 

Thanks

Azure has example configurations as well here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

 

I found your questions in a notification i received.

1)  How can I tell if the Azure peer IP is successfully reaching the local peer? 

-If your VPN is in a Connected state, then you should be able to see exposed routes in your fortinet firewall, you will not be able to ping the gateway subnet, but you could ping a VM on your subnet.

 

As it is stuck in the connecting state and no packets have been received at all, I am guessing that your are using the Wrong public ip or have a firewall rule preventing the connection 

 

2) I've done a lot of work with Juniper/NetScreen firewalls, they always had a very good log.  The firewall I am using now (Fortigate) does not, so there is nothing there either, which is why it seemed the two weren't talking or reaching each other.

-Make sure you OS is on the supported list in the link i provided before. I found a troubleshooting video for your firewall, not sure its relevant but give it a look http://cookbook.fortinet.com/ipsec-vpn-troubleshooting-video-52/

 

3)  I already had a VNET and subnets set up (currently empty) so didn't use a predefined JSON template to create the VPN as I've seen on Github.   But I did use the above cookbook to create everything, including a GatewaySubnet manually.

-this should not be a problem, if you created the VPN gateway via the portal make sure it was route based, your firewall does not support policy based.

 

4)  Do I need a VM inside my GatewaySubnet to initiate traffic?   Right now I just have empty vnet and subnets, but I was trying to ping the other subnet (a random address) to bring up the tunnel.  The tunnel should be able to come up regardless of PCs on either end.

-The tunnel should become connected regardless and always be able to route traffic

 

5) How do I route traffic from my GatewaySubnet to my other Subnets (Management, XenApp, etc.)?

-Any subnet connected to the VNET containing the VPN gateway will be able to see the routes available to them. You could also use VNET peering with gateway transit enabled on one end and Allow remote gateway on the other. this may require creating a route table.

 

6) You mentioned an NSG.  I have read repeatedly that you do not want to associate an NSG with a Gateway Subnet. (?)

-Yes do not associate a NSG to the Gateway subnet, i dont think Azure will allow you to do this (untested)

Wow, thanks for finding that - wonder what happened there?

 

I'll review your answers today - thanks much.

Hi Mike

Did you ever get it to work.

Thanks for your posts.


I had to swap out the firewall with one I know how to use, and was on the compatibility list.   It came right up.

 

 

Now that I have my VPN up and my policies set up correctly (I think), how does routing happen between my GatewaySubnet and the other Subnets in my VNET?   Do I have to set up routes or do all subnets within a subnet automatically route between each other?


Thanks

have a look at this link that explains a bit regarding the 2 VPN types.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

you wrote policies, does that mean you went with policy based VPN. Although they fully support policy based VPN it is the most limited of the two.

regardless the routes that you defined in your VPN should be known to all subnets within that VNET

I wrote policies on the Juniper, so it tunnels certain subnets - that's typically how I do it on the Juniper's.

The VPN says "Route Based" on the Azure side though.   So I guess it depends who you ask. :)

 

What I'm looking for is there must be some configuration in the VPN (I haven't seen it) - that tells me which subnets it can route to and which it can't.  How do I know what Subnets the GateWay subnet has access to (perhaps I'd want to limit this)?  Or perhaps it's anything in the VNET that the VPN exists in.   That's what I'm suspecting.

 

In which case, I'd obviously need to write a policy on my Juniper side to handle those various subnets.

 

Thanks Kent

 

I wrote a separate policy for another subnet that was in my VNET and it worked like a champ.

 

 

Thanks for all your posts, Kent.