P2S Gurus

Hi all,

Just labbing some bits and I'm hitting a wall (probably a firewall) for one issue.

I have an S2S connection using IKEv2 from my on-prem DrayTek to Azure.
This has connectivity both ways (i.e. I can ping from an Azure VM to an on-prem machine and vice versa, RDP, etc.).

Now, I wanted to create an Azure P2S client VPN to connect into Azure. I've done this, and when the connection is dialled I can access all the stuff in Azure, but I can't access back down to the on-prem stuff.

I'm probably missing a route somewhere, but not sure where, presumably because the P2S subnet doesn't know about the local site subnet.

Local Site - 10.0.20.0/24 <---- Site to Site VPN ----> Azure Site - 10.0.40.0/24
                                                             |
                                                             |
                                              Azure Point-to-Site VPN - 10.0.50.0/24

Any help gratefully received.
 
Does this describe your setup?

https://docs.microsoft.com/en-us/az...ateway-about-point-to-site-routing#vnetbranch

You might be better off deploying something like an OpenVPN appliance in your vnet, and having it NAT your VPN clients rather than routing.

Hmm, yes. So it's not technically possible unless (if you scroll down) you enable BGP. That kind of makes sense.

As you say, the alternative is to add a virtual appliance such as a CSR, but I'm trying to keep this nice and cheap. I'll look at the OpenVPN option if I can't get the BGP working.
 
You could probably terminate VPNs on whatever device is handling the on-prem end of your tunnel, but this then obviously means that if your internet goes down you can't get into Azure resources either. However, it won't cost anything to do.

What's the aim with this? What services are you trying to expose?
 
From lab to real life, there are some on-prem file shares and SCCM DPs that would need to be accessed remotely by people, as most of the infrastructure will move to the cloud. Going forward, even when in the office, users will VPN to Azure for internet access, using the office WiFi as just a bearer (i.e. it would have no internet access except the route through to Azure, with a forced-tunnel VPN on the clients).

This is why I don't really want to terminate the client VPN on the on-prem router.
 
I'd rethink using Azure as your gateway out to the internet; your usage charges will get quite severe.

It's only for those users who require access to VPN in for now, but yes, in future I will probably stand up a CSR of some description.

I've found this
https://www.altitude365.com/2016/04/26/azure-p2s-vpn-how-to-route-between-vnets/

which is the closest I've found to doing what I want. I just don't know where or what to put in for the static routes on the DrayTek.
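The question of what the DrayTek needs, as an added example that is not part of the thread and not a configuration from either device: a small Python model of the two tunnel endpoints using the prefixes posted above. The route tables and IPsec traffic selectors are assumptions about a typical route-based Azure VPN gateway (any/any selectors, on-prem prefix from the local network gateway) and a LAN-to-LAN IPsec profile on a SOHO router (narrow selectors naming only the remote subnet). It also assumes the P2S client itself has been given a route to 10.0.20.0/24; only the two gateways are modelled. Tracing a request from a P2S client to an on-prem host and the reply back shows where the packet dies as the tunnel stands, why a static route on its own does not help, and what it takes to get both directions through.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the two VPN endpoints in the thread. Prefixes are the
# ones posted; route tables and selectors are assumptions, not device dumps.
ONPREM_LAN = "10.0.20.0/24"
AZURE_VNET = "10.0.40.0/24"
P2S_POOL = "10.0.50.0/24"


@dataclass
class Gateway:
    name: str
    # longest-prefix routing table: prefix -> egress ("lan", "vnet", "p2s", "s2s", "internet")
    routes: dict
    # IPsec traffic selectors on the S2S tunnel as (local_prefix, remote_prefix) pairs.
    # A packet is encrypted/accepted only if src is in local and dst is in remote.
    selectors: list = field(default_factory=list)

    def egress(self, dst):
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def selector_permits(self, local_ip, remote_ip):
        return any(
            local_ip in ipaddress.ip_network(l) and remote_ip in ipaddress.ip_network(r)
            for l, r in self.selectors
        )


def forward(sender, receiver, src, dst):
    """One packet, sender -> receiver over the S2S tunnel.

    The sender must route dst into the tunnel, the sender's selectors must
    cover (src, dst), and the receiver's selectors must cover the mirrored
    (dst, src) or the decrypted packet fails its inbound policy check.
    """
    iface = sender.egress(dst)
    if iface != "s2s":
        return False, f"{sender.name}: {dst} routed to '{iface}', not the S2S tunnel"
    if not sender.selector_permits(src, dst):
        return False, f"{sender.name}: {src} -> {dst} not covered by its traffic selectors"
    if not receiver.selector_permits(dst, src):
        return False, f"{receiver.name}: inbound {src} -> {dst} fails selector check, dropped"
    return True, "ok"


def check_path(client_ip, server_ip, azure, onprem):
    """Request from an Azure-side address to an on-prem host, then the reply back."""
    src = ipaddress.ip_address(client_ip)
    dst = ipaddress.ip_address(server_ip)
    ok, why = forward(azure, onprem, src, dst)
    if not ok:
        return False, "request: " + why
    ok, why = forward(onprem, azure, dst, src)
    if not ok:
        return False, "reply: " + why
    return True, "both directions"


# Route-based Azure VPN gateway: any/any selectors, on-prem prefix from the
# local network gateway, P2S pool from the point-to-site configuration.
AZURE_GW = Gateway(
    "AzureGW",
    routes={AZURE_VNET: "vnet", P2S_POOL: "p2s", ONPREM_LAN: "s2s"},
    selectors=[("0.0.0.0/0", "0.0.0.0/0")],
)

# On-prem router as first set up: only the VNet is a remote network on the tunnel.
DRAYTEK_AS_IS = Gateway(
    "DrayTek",
    routes={ONPREM_LAN: "lan", AZURE_VNET: "s2s", "0.0.0.0/0": "internet"},
    selectors=[(ONPREM_LAN, AZURE_VNET)],
)

# A static route for the P2S pool alone: the selector still names only the
# VNet, so inbound packets from 10.0.50.x are dropped before routing matters.
DRAYTEK_ROUTE_ONLY = Gateway(
    "DrayTek",
    routes={ONPREM_LAN: "lan", AZURE_VNET: "s2s", P2S_POOL: "s2s", "0.0.0.0/0": "internet"},
    selectors=[(ONPREM_LAN, AZURE_VNET)],
)

# P2S pool added as a second remote network on the tunnel: route and selector.
DRAYTEK_FIXED = Gateway(
    "DrayTek",
    routes={ONPREM_LAN: "lan", AZURE_VNET: "s2s", P2S_POOL: "s2s", "0.0.0.0/0": "internet"},
    selectors=[(ONPREM_LAN, AZURE_VNET), (ONPREM_LAN, P2S_POOL)],
)

if __name__ == "__main__":
    for label, dt in [("as-is", DRAYTEK_AS_IS), ("route only", DRAYTEK_ROUTE_ONLY), ("fixed", DRAYTEK_FIXED)]:
        print(f"VM  -> on-prem ({label}):", check_path("10.0.40.5", "10.0.20.10", AZURE_GW, dt))
        print(f"P2S -> on-prem ({label}):", check_path("10.0.50.5", "10.0.20.10", AZURE_GW, dt))
```

The VM-to-on-prem path passes in every variant, which matches the working S2S in the first post; the P2S path only passes once the on-prem router both routes 10.0.50.0/24 into the tunnel and includes it in the tunnel's selectors. In practice (an assumption about the device, check its own documentation) that means adding the P2S pool as an additional remote network on the DrayTek's LAN-to-LAN profile rather than a standalone static route, so the IPsec policy is widened along with the route.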
 