SOLVED

On-prem connect with S2S VPN to Azure / users on P2S to Azure cannot connect to S2S on-prem resourc

Copper Contributor

Hi!
I am trying to configure things so that P2S users can access resources over at the S2S end.
S2S is working and on-prem can access the VM at Azure. Also, P2S can access the VM at Azure and, from that VM, of course access S2S. However, a P2S user cannot directly access a resource at the end of the S2S.
The on-prem network is advertised in the Azure VPN Client, but still it seems it's not routing to the on-prem site. For example, the on-prem firewall does not see any incoming ICMP from the P2S client; it does, however, see ICMP from the VM located at Azure.


LocalNetworkGateway

Not using BGP. Static routes should work, right?

Below are two test nets, 192.168.1.0/24 and 192.168.47.0/24, over at the on-prem site. (S2S works fine.)

VirtualNetworkGateway P2S


Also added custom routes 192.168.1.0/24 and 172.16.100.0/24. It seems it does not matter; without them added, the client sees the routes. See below.

In the Azure VPN Client Windows app, when connected, I can see the routes:

Client Route Print



Any suggestions on how I can get P2S users to access resources at the S2S end?


Thanks

6 Replies

@J-La026

Can you share a bit more on the connection, even a diagram, to elaborate?

@Kidd_Ip

Hi!

Thanks for trying to help out. Hope my MS Paint skills are OK :) Otherwise, let me know if you need something more. Also see my previous screenshots.

As for the below, the Azure P2S users (see orange box) are able to access the VM at Azure no problem; however, they cannot directly access the Windows laptop 192.168.1.110 at the on-prem site.

The FortiClient P2S users (see yellow box) are able to directly access the VM at Azure over the S2S tunnel.


I should add that accessing the Windows laptop (on-prem) from the Azure Windows VM is no problem.

Thanks

JLa

According to this:
https://learn.microsoft.com/sv-se/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#vnetbran...
it seems BGP is needed? Please let me know if that's the case and static routes can't be used.

@J-La026
That does seem to be the case, as BGP being enabled is referenced in multiple Microsoft documents related to the scenario, and in this document specifically referencing a 'users need access to resource in Azure and/or on-prem resources' use case: https://learn.microsoft.com/en-us/azure/vpn-gateway/work-remotely-support

Also keep in mind that whenever you make changes to configurations, a new point-to-site VPN profile needs to be downloaded from the Azure portal to get the updated configurations.

best response confirmed by J-La026 (Copper Contributor)
Solution
I got it working in the end; the issue was with the on-prem firewall S2S configuration in regards to the P2S subnet Phase 2 encryption/authentication and PFS. So BGP was not needed.
Ah, got it! Good to know BGP is not required, and glad you got it working!
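An added check, not from the thread or from Microsoft, that encodes what the accepted fix amounts to: for every on-prem subnet and every Azure-side prefix, including the P2S client pool, the on-prem firewall needs a Phase 2 (IPsec SA) selector that covers the pair, and that selector's encryption, authentication and PFS must match the Azure gateway's policy, otherwise the tunnel never carries the P2S traffic and the firewall never logs it. Only the two on-prem subnets come from the post; the VNet range, P2S pool and crypto values are assumed placeholders.

```python
from ipaddress import ip_network

# Constructed sample data for this example. Only the on-prem subnets
# 192.168.1.0/24 and 192.168.47.0/24 come from the thread; the VNet range,
# P2S pool and proposal names below are assumed placeholders.
ONPREM_SUBNETS = ["192.168.1.0/24", "192.168.47.0/24"]
AZURE_PREFIXES = ["10.0.0.0/16", "172.16.100.0/24"]   # VNet space, P2S client pool
AZURE_PHASE2 = ("aes256", "sha256", "pfs14")           # assumed gateway IPsec policy

# On-prem firewall Phase 2 entries: (local subnet, remote subnet, (enc, auth, pfs)).
# One on-prem subnet has no entry for the P2S pool at all; the other has one,
# but with a proposal that does not match what the Azure side offers.
FIREWALL_PHASE2 = [
    ("192.168.1.0/24",  "10.0.0.0/16",     ("aes256", "sha256", "pfs14")),
    ("192.168.47.0/24", "10.0.0.0/16",     ("aes256", "sha256", "pfs14")),
    ("192.168.1.0/24",  "172.16.100.0/24", ("aes128", "sha1",   "pfs2")),
]


def check_phase2(onprem, azure_prefixes, selectors, azure_policy):
    """Return (onprem, azure, problem) for every subnet pair that would fail.

    problem is "no selector" when no Phase 2 entry covers the pair, or
    "proposal mismatch" when an entry covers it but its crypto differs
    from the Azure gateway's policy.
    """
    findings = []
    for o in onprem:
        for a in azure_prefixes:
            src, dst = ip_network(o), ip_network(a)
            proposals = [p for local, remote, p in selectors
                         if src.subnet_of(ip_network(local))
                         and dst.subnet_of(ip_network(remote))]
            if not proposals:
                findings.append((o, a, "no selector"))
            elif azure_policy not in proposals:
                findings.append((o, a, "proposal mismatch"))
    return findings


if __name__ == "__main__":
    for o, a, why in check_phase2(ONPREM_SUBNETS, AZURE_PREFIXES,
                                  FIREWALL_PHASE2, AZURE_PHASE2):
        print(f"{a} -> {o}: {why}")
```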