I did have a good hunt around for a similar post but couldn't find the same scenario. I am trying to connect to a 3rd party URL from an on-prem machine, through Azure. So:

on-prem -> (point-to-site) -> Azure VPN Gateway -> (site-to-site) -> 3rd party URL

  • Point to site address space: 172.16.0.0/24
  • Azure vnet address space: 10.3.0.0/16
  • 3rd party address space: 10.100.0.0/16

I have put a VM in the Azure network as a middleman for testing, and I can connect from on-prem to the VM, and from the VM to the 3rd party site; however, for some reason I can't get all the way through. The weirdest part is that the 3rd party IP resolves correctly from the hostname; I just can't connect to the URL (it's HTTPS/443 if that matters). If I run a tracert from on-prem I can see that 'tracert VM' first hop goes straight to the VPN gateway, however 'tracert 3rdparty' goes to my router->isp->fail, so it seems my routing is messed up somehow.

I would have thought this would be pretty standard routing for the VPN gateway, but hopefully there's a way to make this work as it's vital to the project I'm working on. I'm happy to try custom routes, or whatever it takes. Appreciate any suggestions.

Jason
  • I'm pretty sure the routing is not automatic with the VPN gateways, so you may need to actually build a router in Azure and have that forward the packets. – Todd Wilcox Nov 22 '17 at 21:51

1 Answer

Thanks for the replies. After playing around a bit and some help from Microsoft support, apparently what I had to do was enable BGP on both gateways (Azure and 3rd party), and add a custom route on my on-prem machine.

To add the custom route, after downloading the VPN client from the Azure portal from the VPN Gateway blade and unzipping and installing, edit the routes.txt file %AppData%\Microsoft\Network\Connections\Cm\yourGuid\routes.txt. Add a route to the 3rd party network address space (in my case 10.100.0.0/16) that goes through the Azure router (10.3.200.5).

In our case we also wanted Azure web apps to be able to do the same thing through integrating with the VNet, in which case we also had to uncheck the 'IKEv2 VPN' checkbox in the Azure gateway point-to-site blade.

Jason
  • I would make a comment, but I have not enough reputation yet. Sorry... I came across a [similar problem](https://serverfault.com/questions/993728/azure-site-to-point-vpn-accessing-ressources-connected-through-site-to-site-vpn). I don't know to which IP address I have to route my traffic. So, where can I (or did you) find the address of the Azure router? – M4SX5 Nov 29 '19 at 08:34
  • [M4SX5](https://serverfault.com/users/436041/m4sx5) It's been a long time since I posted this, and the new gateways are slightly different, but when you create a VPN gateway you assign it to a public IP resource (new or existing). From memory your routes.txt file would have `route add` so in this case `route add 10.100.0.0 MASK 255.255.0.0 10.3.200.5` – Jason Dec 03 '19 at 02:08
  • @Jason do you have the information required for the BGP element of the fix? I have a Draytek router on-premise and can't get from client P2S VPN to the on-premise infrastructure, I can only hit the Azure machines. – Lucero79 Dec 04 '19 at 10:35
  • Can you ping from the Azure machine to on-prem router or machines? Double check your NSGs to ensure traffic (especially ICMP for testing ping) is allowed. – Jason Dec 05 '19 at 04:04
  • Sorry for the slow reply. Yes. If I am in Azure, I can ping the on-prem machines, even RDP to them, and from on-prem to Azure. The issue is when the clients connect via VPN to Azure. They can see/ping/rdp Azure, but not on-prem. Annoying! – Lucero79 May 26 '20 at 15:40
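The following is an added example, not code from the thread or from Microsoft: a small Python simulation of the P2S client's longest-prefix-match route lookup that reproduces the tracert symptom from the question (VNet traffic goes to the VPN gateway, 3rd-party traffic leaks to the default route) and then applies the custom route from the answer and Jason's `route add` comment. The on-prem default gateway address, the two target host IPs and the base route table are constructed assumptions; the three address spaces and 10.3.200.5 come from the thread.

```python
import ipaddress

VPN_GATEWAY = "10.3.200.5"   # Azure router address given in the answer
ISP_ROUTER = "192.168.1.1"   # constructed: the on-prem default gateway

# Constructed route table for the on-prem P2S client. The VPN client only
# installs routes for the P2S pool and the VNet, so anything else (including
# the 3rd-party space) falls through to the default route via the ISP router.
BASE_ROUTES = [
    ("0.0.0.0/0", ISP_ROUTER),       # default route -> home/office router
    ("172.16.0.0/24", VPN_GATEWAY),  # point-to-site address space
    ("10.3.0.0/16", VPN_GATEWAY),    # Azure VNet address space
]


def parse_route_add(line):
    """Parse a Windows `route add <dest> MASK <mask> <gateway>` line (the form
    shown in Jason's comment) into a (prefix, next_hop) tuple."""
    parts = line.split()
    if (len(parts) < 6 or parts[0].lower() != "route"
            or parts[1].lower() != "add" or parts[3].upper() != "MASK"):
        raise ValueError(f"unrecognised route line: {line!r}")
    # ipaddress accepts a dotted netmask after the slash and normalises it.
    net = ipaddress.ip_network(f"{parts[2]}/{parts[4]}", strict=False)
    return (str(net), parts[5])


def next_hop(routes, dest_ip):
    """Longest-prefix match: the most specific route containing dest_ip wins."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def first_hops(routes, targets):
    """Map each target to its first hop, like the first line of a tracert."""
    return {t: next_hop(routes, t) for t in targets}


if __name__ == "__main__":
    targets = ["10.3.1.10", "10.100.20.30"]  # constructed: Azure VM, 3rd-party host
    custom = parse_route_add("route add 10.100.0.0 MASK 255.255.0.0 10.3.200.5")
    print("before custom route:", first_hops(BASE_ROUTES, targets))
    print("after custom route: ", first_hops(BASE_ROUTES + [custom], targets))
```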