I'm working with a supplier to implement Active/Active Site-to-Site IPSec tunnels to two different regions in the same geography. The supplier is using Palo Alto firewalls.
We've managed to establish both tunnels just fine - IKE and IPSec parameters are configured correctly and I can route bidirectionally between Azure and the supplier premises.
Now we're trying to get the route preferences configured so that if the primary tunnel goes down then traffic will automatically be sent over the second tunnel to the second region.
The supplier has requested that we use APIPA addresses for probing whether the tunnels are up are not. No problem, Azure supports APIPA addresses for BGP - but do they respond to ICMP?
What I'm not clear on - despite reading all the MS documentation - is whether the APIPA address configured in the VPN Gateway resource BGP settings is the receiver address or the neighbor address. I'm assuming it's the receiver, and the peer address is configured in the BGP settings of the Local Network Gateway. Correct me if this isn't correct.
The Microsoft documentation says:
Azure VPN Gateway will choose the custom APIPA address if the corresponding local network gateway resource (on-premises network) has an APIPA address as the BGP peer IP.
Does this suggest I can leave the VPN Gateway APIPA empty and Azure will choose one for me? If so, this could be a problem, since the supplier has to specify 2 x /30 address spaces, one for each tunnel and is depending on Azure having a specific address, and the Palo Alto having a specific one. I guess this means I need to configure the address in the VPN first, then configure the peer address in the local gateway?
Aside from that, the supplier only wants to use these addresses for probing by pinging them. I've created BGP configurations in ExpressRoute circuits and can confirm the B-End (Azure) BGP neighbor addresses do respond to ICMP Echo, but I do believe that is only once a successful BGP session has been established.
So my question is, is it possible to specify in an Azure VPN Resource, for example, an APIPA address of 169.254.21.2, a peer address of 169.254.21.1, and without an actual BGP session being established get a ping response from 169.254.21.2. I know it should have TCP 179 open for BGP establishment, but I don't think the Palo Altos can do a port test instead of ping.
I checked with the Azure VPN Product Group team and below is their response on this query:
While Azure VPN gateways allow specific APIPA addresses for each VPN instance, we cannot utilize a prefix-based approach (/30 with fixed allocation). We are looking into allowing more APIPA addresses on the Azure VPN side to workaround this constraint. But we are still in the design phase right now.
At present, the VPN gateway will initiate BGP peering sessions to the on-premises BGP peer IP addresses specified in the local network gateway resources using the private IP addresses on the VPN gateways. This is irrespective of whether the on-premises BGP IP addresses are in the APIPA range or regular private IP addresses.
Reference : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview#do-azure-vpn-gateways-initiate-bgp-peering-sessions-or-connections
We can have multi APIPA (support in-works) created and configured on the gateway without actually have the BGP peers connected but the requirement for Ping is something that we do not support/recommend.
Related
Is there a VPN solution in Azure that can assign a static public IP to the clients connected for me to achieve full tunnelling? may be in P2S VPN?
P2S VPN does not have full tunneling. Is there any other alternate solution?
• No, you can’t assign a static public IP address to the clients for a VPN solution in Azure as the client address pool that needs to be defined while deploying a VPN gateway in Azure is a subnet of the IP address spaces that the virtual network is created out of.
But you can configure forced tunnelling in your Azure virtual network on your VPN gateway subnets as illustrated below. In the below image, forced tunnelling is shown for Site-to-Site VPN scenario but it can also be implemented for Point-to-Site VPN scenarios in the same way. The Frontend subnet is not force tunneled. The workloads in the Frontend subnet can continue to accept and respond to customer requests from the Internet directly. The Mid-tier and Backend subnets are forced tunneled. Any outbound connections from these two subnets to the Internet will be forced or redirected back to an on-premises site via one of the Site-to-site (S2S) VPN tunnels as shown below.
This allows you to restrict and inspect Internet access from your virtual machines or cloud services in Azure, while continuing to enable your multi-tier service architecture required. If there are no Internet-facing workloads in your virtual networks, you also can apply forced tunneling to the entire virtual networks.: -
• Also, please note that you can *configure the above for your P2S clients by securing the Internet traffic via Firewall Manager and advertising the 0.0.0.0/0 route to your VPN clients. This makes your clients send all internet bound traffic to Azure for inspection. Then, firewall SNATs the packet to the PIP of Azure Firewall for egress to Internet. For this purpose, setup the Azure Firewall Policy to allow P2S traffic to Internet and to advertise all the traffic from 0.0.0.0/0 to your VPN clients, you would need to break them into two smaller subnets 0.0.0.0/1 and 128.0.0.0/1 as mentioned in the below documentation: -
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling
Also, you can add the code below in your ‘azurevpnconfig.xml’ file that can be directly downloaded from the templates section if the above said subnets cannot be added in ‘Default Routes’ on the portal.
<clientconfig>
<includeroutes>
<route>
<destination>0.0.0.0</destination><mask>1</mask>
</route>
<route>
<destination>128.0.0.0</destination><mask>1</mask>
</route>
</includeroutes>
</clientconfig>
Here a Data engineer who needs your help to setup a connection to an on-premise environment :)!
I have created a virtual network (10.0.0.0/16) with a default subnet (10.0.0.0/24).
Then I created a (Windows) virtual machine which is connected to the vnet/subnet and has allowed ICMP inbound and outbound rules for the ping test. Ping google.com is no problem.
The next step was to create a Virtual network gateway & Local network gateway to connect to an on-premise environment.
The Local network gateway has an Site-to-site (IPsec) connection to a VPN device from a third party (over which I have no control). Status in the Azure portal = 'Connected'.
The third party is able to ping the Virtual Machine in Azure, the 'data in' property on the VPN connection shows that 2 kb (ping) has been received. So that works!
When i try to send a ping command to the ip-address (within the 'address space' specified from the Local network gateway) the ping command fails (Request timed out.).
After a lot of searching on google/stackoverflow I found out that I need to configure a Route Table in Azure because of the BGP = disabled setting. So hopefully I did a good job configure the Routing Table Routes but still I can't perform a successful ping :(!
Do you guys/girls know which step/configuration I have forgotten or where I made a mistake?
I would like to understand why I cannot perform a successful ping to the on-premise environment. If you need more information, please let me know
Site-to-site (IPsec) connection screenshot/config
Routing Table setup screenshot/config
Routing Table Routes in more detail
If you are NOT using BGP between the Azure VPN gateway and this particular network, you must provide a list of valid address prefixes for the Address space in your local network gateway. The address prefixes you specify are the prefixes located on your on-premises network.
In this case, it looks like you have added the address prefixes. Make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to. Azure will route the address range that you specify to the on-premises VPN device IP address. There are no other operations that we can do. We don't need to set UDR, especially we don't associate a route table to the Gateway Subnet. Also, avoid associating a network security group (NSG) to the Gateway Subnet. You can check the route table by selecting Effective routes for a network interface in Azure VM. Read more details here.
If you would like to verify the connection from Azure VNet to an on-premise network, ensure that you PING a real private IP address from your on-premise network(I mean the IP address is assigned to an on-premise machine), you can check the IP address with ipconfig/all in local CMD. Moreover, you could Enable ICMP through the Windows firewall inside the Azure VM with the PowerShell command New-NetFirewallRule –DisplayName "Allow ICMPv4-In" –Protocol ICMPv4. Or, instead of using PING, you can use the PowerShell command Test-NetConnection to test a connection to a remote host.
If the problem persists, you could try to reset the Azure VPN gateway and reset the tunnel from the on-premises VPN device. To go further, you could follow these steps to identify the cause of the problem.
My VNet won't allow me to connect to the s2s location via p2s connection.
I'm trying to connect the Azure VPN client on my machine and reach a site that is allowed in a network which I have a s2s connection to.
Here's the thing, I can't get traffic to flow from my pc running the VPN client, out to the target site.
Topology
PC > VPN Client > VNet via p2s > Remote network via s2s > FTP server
I'd like to be able to ping the FTP server from my machine.
Currently only devices in the VNet can ping.
I tried setting up BGP but it broke the connection, as I don't really know how things should be set.
I don't have access to the remote site or it's devices.
I have a Azure local network gateway which is configured as the s2s location.
I'm sorry if that doesn't make sense.
Edit: here is the picture of the network
BGP is the standard routing protocol which enables the Azure VPN Gateways and your on-premise VPN devices to exchange "routes" that will inform both gateways on the availability and reachability for those prefixes to go through the gateways or routers involved.
To configure the BGP, your on-premise device should also support BGP. Read
What address does Azure VPN gateway use for BGP Peer IP?
What are the requirements for the BGP Peer IP addresses on my VPN device?
What should I specify as my address prefixes for the Local Network Gateway when I use BGP?
Without BGP, If you add the point-to-site addresses after you create your site-to-site VPN connection, you need to update the routes manually. You need to manually add the routes to the remote network on your machine.
For more information, you could refer to configure and validate virtual network or VPN connections. Except the Ping tool, you prefer to use TCping tool, see the detailed steps.
Generally, you could troubleshoot the issue by searching the common issue and solution in the virtual network gateway---Diagnose and solve problems on Azure portal. It's recommended to new a support ticket to get your issue resolved quickly.
My solution to this as I can't enable BPG is to use a proxy server within the VNet.
I am trying to pull the IP addresses of BGP speakers that establish a peering with an ExpressRoute gateway. For instance, if I create a VirtualNetworkGatewayConnection between my ExpressRoute circuit and an ER gateway, how do I get the IP addresses of the BGP endpoints on the circuit that peer with my gateway?
You could take a look at ExpressRoute REST API and Virtual Network Gateways API
For example, you could get all peerings information in a specified express route circuit here via clicking the Green Try it on that page. Or try to retrieve a list of routes the virtual network gateway has learned, including routes learned from BGP peers here. It might display the IP address of BGP endpoints in the routing table.
I have a strange requirement for IKEv1 VPN to a Cisco ASA and Checkpoint system with Azure.
We setup two Azure policy based VNet gateways, virtual networks and associated virtual machines.
The connection has to be IKEv1 AES-256-SHA1-DHGroup2 site-to-site connection per their test and production environments so we setup one for test and production.
The third party system does not support RFC1918 addressing within VPN
tunnels (encryption domain) and/or Peers. There must be publicly
assigned IP addresses for the VPN tunnel, as well as a publicly routed
IP address for the peer.
They recommend using subnets within the tunnel negotiations, and using
your access-lists to narrow this down to specific hosts (subnet SA’s
vs. host SA’s). In the event you need to “hide” multiple hosts behind
a single IP address, you should PAT using a publicly assigned address
to be included in the VPN tunnel. NAT-T (UDP Encapsulation of IPSEC)
is not supported due to global configuration items which affect
multiple customers.
My question is when is NAT-T performed when connecting to an Azure virtual network gateway in policy-based (IKEv1) mode on site-to-site (S2S) connections? Is it done at all or when is it performed? Is it only performed if there is a load balancer out front?
I think I tried to answer the same questions on the MSDN forum. Just re-iterate the answers:
NAT-T is performed on the outer packets/addresses of IPsec packets.
Azure VPN gateway does NOT perform any NAT/PAT functionality on the inner packets in/out of IPsec tunnels. So if you use public IP addresses inside of your on-premises network and your Azure virtual network they will stay the same to/from the Azure VPN gateways and IPsec tunnels.
You can use public IP address spaces as "private" IP addresses on your Azure VMs / Azure virtual network. These will be treated like "private" addresses by the Azure VPN gateways. We will not NAT those inner packets.
Hope this helps.
Thanks,
Yushun [MSFT]
To clarify: Have you gone through this suggestion :
Site-to-Site – VPN connection over IPsec (IKE v1 and IKE v2). This type of connection requires a VPN device or RRAS. For more information, see Site-to-Site:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
Point-to-Site – VPN connection over SSTP (Secure Socket Tunneling Protocol). This connection does not require a VPN device. For more information, see Point-to-Site:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
VNet-to-VNet – This type of connection is the same as a Site-to-Site configuration. VNet to VNet is a VPN connection over IPsec (IKE v1 and IKE v2). It does not require a VPN device. For more information, see VNet-to-VNet:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
Multi-Site – This is a variation of a Site-to-Site configuration that allows you to connect multiple on-premises sites to a virtual network.
Only the traffic that has a destination IP that is contained in the virtual network Local Network IP address ranges that you specified will go through the virtual network gateway. Traffic has a destination IP located within the virtual network stays within the virtual network. Other traffic is sent through the load balancer to the public networks, or if forced tunneling is used, sent through the Azure VPN gateway