A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.
The communication between your on-premises VPN device and an Azure VPN gateway is sent through an encrypted tunnel over the internet.
There are also two other ways to connect a cloud environment to an on-premises one: P2S (Point-to-Site) and ExpressRoute.
P2S establishes a connection between Azure and an individual computer using the SSTP protocol with certificates. This is a practical solution when only a few people need to connect to your environment in Azure.
ExpressRoute is the top-notch option: a private connection that does not go over the internet. It offers more reliability, faster bandwidth, lower latencies and higher security.
Let's start with the configuration in Azure.
Create a VNET in Azure
Go to the portal, search for Virtual Networks in the services and click Add.
Select a name for your virtual network.
Address space: 10.1.0.0/16 – the complete range of IP addresses that defines your virtual network.
Subnet: FrontEnd 10.1.0.0/24 – a logical partition of your virtual network.
Address range for the subnet: 10.1.0.0/24 – the range of IP addresses that defines your subnet.
Keep the other options as is.
Create the VPN Gateway
Go to the portal, select Virtual Network Gateways in the services and click Add.
Set a name.
Gateway type / VPN type: keep the default options.
SKU: select Basic.
Virtual network: select the VNet previously created.
Public IP address: create a new one and assign a name.
The VPN gateway must be in the same region as the VNet, and only one VPN gateway is possible per VNet.
Create the local network gateway
In the portal, search for the Local network gateways service, click Add, create a new one and set a name.
IP address: this is the public IP of the on-premises VPN device. This IP cannot be behind a NAT.
Address space: the IP ranges defined on-premises that need to be reachable through the tunnel.
Keep the other options as is.
Complete the VPN gateway configuration
Return to the Virtual Network Gateways service.
Select the VPN gateway, click Connections, click Add and set a name.
Connection type: Site-to-Site (IPsec).
Local network gateway: select the one previously created.
Shared key: define a pre-shared key.
Keep the other options as is.
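The same Azure-side steps as an added example in PowerShell with the Az module (this is not the original post's code). The addresses are the ones used in the post; the resource group, region, resource names, the on-premises public IP and the shared key are placeholders. One thing the portal does for you that the script has to do explicitly is create the GatewaySubnet that a virtual network gateway requires; the prefix chosen for it here is an assumption inside the post's 10.1.0.0/16 range.

```powershell
# Added example, not from the original post: Azure side of a Site-to-Site VPN with the Az module.
Connect-AzAccount

$rg       = 'rg-s2s-demo'      # assumption: resource group name
$location = 'westeurope'       # assumption: the VNet and the VPN gateway must share a region
$onPremIp = '203.0.113.10'     # placeholder: public IP of the on-premises RRAS server (not behind a NAT)
$psk      = 'REPLACE-WITH-A-LONG-RANDOM-SHARED-KEY'   # placeholder: same key is set on the RRAS interface

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# VNet 10.1.0.0/16 with the FrontEnd subnet 10.1.0.0/24 from the post, plus the GatewaySubnet
# that the portal creates implicitly when you add a gateway (assumed prefix 10.1.255.0/27).
$frontEnd = New-AzVirtualNetworkSubnetConfig -Name 'FrontEnd'      -AddressPrefix '10.1.0.0/24'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27'
$vnet = New-AzVirtualNetwork -Name 'vnet-s2s' -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.1.0.0/16' -Subnet $frontEnd, $gwSubnet

# Basic SKU, route-based VPN gateway with a new public IP (the Basic SKU uses a dynamic address).
# Gateway creation takes a long time (tens of minutes); the cmdlet blocks until it is done.
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location -AllocationMethod Dynamic
$gwSubnetRef = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' -SubnetId $gwSubnetRef.Id -PublicIpAddressId $pip.Id
$vpnGw  = New-AzVirtualNetworkGateway -Name 'vpngw-s2s' -ResourceGroupName $rg -Location $location `
              -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku Basic

# Local network gateway: the on-premises public IP and the on-premises ranges that must be
# reachable through the tunnel (192.168.2.0/24 is the lab network from the post).
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $location `
           -GatewayIpAddress $onPremIp -AddressPrefix '192.168.2.0/24'

# Site-to-Site IPsec connection between the two gateways, authenticated with the pre-shared key.
New-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk | Out-Null

# The value to enter as the host name / IP of the demand-dial interface on the RRAS server.
(Get-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg).IpAddress
```

The shared key is the only secret in this exchange; treat it like a password (long, random, not reused between connections), and keep the script out of version control once it contains the real value.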
Configure the RRAS 2016 server (on-premises)
I'm using a VMware Workstation VM for testing purposes, with one NIC.
This NIC is NAT'ed to my host computer so I don't have to configure anything network-wise; my network is in the range 192.168.2.0/24 with automatic DHCP.
Install the necessary tools on the server.
In Server Manager, click Add Roles and Features.
Once installed, start the wizard and select VPN Only.
Click Network Interfaces, then New Demand-dial Interface.
Set a name for the interface.
Select Connect using virtual private networking (VPN).
Select IKEv2.
Set the host name or IP address: this is the public IP of the VPN gateway in Azure.
Keep the Route IP packets on this interface option.
Static route: 10.1.0.0 – this represents the IP range previously created in Azure.
Once completed, select the demand-dial interface and click Properties.
Set the pre-shared key that you previously set on the Azure VPN gateway connection.
All you have to do now is connect 🙂
You can return to Azure and see that you have connectivity.
Test from Azure to on-premise and from on-premise to Azure
I use a simple telnet on port 3389 on both machines to test whether the network is correctly interconnected. Beforehand, make sure 3389 is open on both machines.
From the VM in Azure that is in the same VNet as the VPN gateway:
telnet 192.168.2.52 3389
From a local machine on-premises to the Azure VM:
telnet 10.1.0.4 3389
To see the route table: route print -4
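The RRAS steps above and the connectivity test, as an added example using the RemoteAccess module on Windows Server 2016 (this is not the original post's code; run it in an elevated PowerShell on the RRAS server). The Azure gateway IP and the shared key are placeholders; the interface name is an assumption; 10.1.0.0/16, 10.1.0.4 and port 3389 are the values from the post.

```powershell
# Added example, not from the original post: RRAS side of the IKEv2 Site-to-Site tunnel.
$azureGwIp = '198.51.100.20'   # placeholder: public IP of the Azure VPN gateway
$psk       = 'REPLACE-WITH-THE-SHARED-KEY-SET-ON-THE-AZURE-CONNECTION'   # placeholder
$ifName    = 'Azure-S2S'       # assumption: name of the demand-dial interface

# Equivalent of "Add Roles and Features" followed by the "VPN only" deployment choice.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType VpnS2S

# Demand-dial interface: IKEv2 with a pre-shared key on both sides, persistent, and a static
# route for the Azure VNet (10.1.0.0/16 from the post; ":100" is the route metric).
Add-VpnS2SInterface -Name $ifName -Destination $azureGwIp -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly -ResponderAuthenticationMethod PSKOnly -SharedSecret $psk `
    -IPv4Subnet '10.1.0.0/16:100' -NumberOfTries 3 -Persistent

# Strongest IPsec proposal the server offers, so the negotiated cipher suite is not the weakest one.
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption

Connect-VpnS2SInterface -Name $ifName
(Get-VpnS2SInterface -Name $ifName).ConnectionState   # "Connected" once IKEv2 has succeeded

# Same check as the telnet test in the post, without needing the telnet client installed:
# the Azure VM on TCP 3389 from on-premises.
Test-NetConnection -ComputerName '10.1.0.4' -Port 3389 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

# The static route only appears once the interface is up; this is the PowerShell view of "route print -4".
Get-NetRoute -AddressFamily IPv4 | Where-Object DestinationPrefix -like '10.1.*'
```

If TcpTestSucceeded is False while ConnectionState is Connected, the tunnel is fine and the problem is on the VM side (the Azure NSG or the Windows firewall on port 3389), which is why the post says to open 3389 on both machines first.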
Troubleshooting the VPN gateway connection
If it doesn't work, there are a few ways to validate whether the configuration is working properly. The first is to determine whether the VPN gateway in Azure is "really" reachable.
I encountered a few issues getting mine to work, and here is what I used.
NMAP: https://nmap.org/
The tunnel uses UDP ports 500 and 4500. You cannot use a simple telnet to validate whether the port is reachable, because UDP is unreliable: the sender gets no confirmation that the packets were delivered.
In NMAP, run: nmap -T4 -A -v <IP OF THE VPN GATEWAY>
Test it from outside and from the RRAS server, in case you messed up a static route that you previously set on the RRAS server.
If the VPN is unreachable, as I encountered, you can reset it from Azure and retry nmap.
There is also a health probe to validate whether the VPN gateway is healthy. Replace the IP address with your public IP.
https://X.X.X.X:8081/healthprobe
Primary Instance: GatewayTenantWorker_IN_0 GatewayTenantVersion: X.X.X.X OSVersion: Windows Server 2012 R2 Datacenter
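The checks from this troubleshooting section, as an added example in PowerShell with the Az module (not the original post's code): the connection state as Azure sees it, the health probe, and the gateway reset. The resource names are assumptions and must match whatever you created.

```powershell
# Added example, not from the original post: Azure-side troubleshooting of the S2S connection.
$rg = 'rg-s2s-demo'; $gwName = 'vpngw-s2s'; $pipName = 'pip-vpngw'; $connName = 'cn-onprem'   # assumed names

# 1. Connection state as reported by Azure. "Connected" means IKEv2 and IPsec negotiated;
#    "Connecting" or "NotConnected" means the RRAS side never completed the handshake.
#    The byte counters show whether traffic actually flows once the state is Connected.
Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred

# 2. The health probe on TCP 8081 of the gateway's public IP, from any internet-connected machine.
#    A 200 with the "Primary Instance ..." text means the gateway instance itself is up,
#    independently of whether your tunnel is.
$gwIp = (Get-AzPublicIpAddress -Name $pipName -ResourceGroupName $rg).IpAddress
$probe = Invoke-WebRequest -Uri "https://$gwIp:8081/healthprobe" -UseBasicParsing
$probe | Select-Object StatusCode, Content

# 3. Reset the gateway (what "reset it from Azure" does in the portal), then re-run the checks above.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
Reset-AzVirtualNetworkGateway -VirtualNetworkGateway $gw
```

If the probe's TLS certificate is not trusted by the client, Windows PowerShell 5.1 fails the request; PowerShell 7 accepts -SkipCertificateCheck on Invoke-WebRequest for this kind of one-off check. A reset drops the tunnel for every connection on that gateway, so do it outside business hours if other sites share it.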