Fix s2s connection

Taylor, Kevin 20

My vpn gateway has one connection to my local network. When I try to connect with the Azure default settings, the connection never happens. When the vpn gateway is setup as responder, I get a connection. I want to correct the configuration of my local network gateway, but I have questions about that. It seems the LNG is sending all of the routes listed in the route table, plus all of the vnets that peer with the vnet the vpn gateway is connected to. Does that seem accurate? Because the LNG doesn't seem to accurately represent the networks I have on my on-prem network.

Hopefully that makes sense.

Taylor, Kevin 20 Reputation points

2024-08-13T15:58:01.3233333+00:00

Thanks again for responding. Hopefully I'm not being a burden. I'm including a section of the proposed traffic selector payload from Azure that I receive (edited of course). The 10.1 addresses represent the vnet deployed in and peered vnets. The 10.11 addresses represent the MPLS network I mentioned. The 192 addresses are for my sites and the 172 addresses are for my remote users. I'm also including a diagram that might help.

---Remote 12.xxx.yyy.zzz:500: Local 52.aaa.bbb.ccc:500: Proposed(send) Traffic Selector payload will be:

StartAddress 10.1.iii.0 EndAddress 10.1.jjj.255 PortStart 0 PortEnd 65535 Protocol 0,

StartAddress 10.1.kkk.0 EndAddress 10.1.lll.255 PortStart 0 PortEnd 65535 Protocol 0,

StartAddress 10.1.mmm.0 EndAddress 10.1.nnn.255 PortStart 0 PortEnd 65535 Protocol 0,

StartAddress 10.0.ooo.0 EndAddress 10.0.ppp.255 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 17:

StartAddress 10.11.aaa.0 EndAddress 10.11.bbb.3 PortStart 0 PortEnd 65535 Protocol 0,

StartAddress 10.11.ccc.8 EndAddress 10.11.ddd.11 PortStart 0 PortEnd 65535 Protocol 0,

StartAddress 10.11.eee.0 EndAddress 10.11.fff.3 PortStart 0 PortEnd 65535 Protocol 0,

StartAddress 10.11.ggg.4 EndAddress 10.11.hhh.7 PortStart 0 PortEnd 65535 Protocol 0,

Thanks again for your assistance and patience.
Taylor, Kevin 20 Reputation points

2024-08-20T13:46:28.0966667+00:00
This response helped clear things up for me. Now I can move forward with making adjustments, testing and making the connection stable.

"Route table" is not the proper term, it is misleading.

We can use "Routes" or "Address prefixes" as this would represent the environment more precisely.

LNG is supposed to represent the Address Prefixes of the OnPrem to which you want to communicate from Azure

i.e, consider the example given in Create a site-to-site VPN connection.

In this example, LNG should have 10.0.0.0/24 and 20.0.0.0/24

Now, in the same example,

Let's say you only want to communicate to 20.0.0.0/24 and not 10.0.0.0/24

Then the LNG should have only 20.0.0.0/24"Route table" is not the proper term, it is misleading. We can use "Routes" or "Address prefixes" as this would represent the environment more precisely. LNG is supposed to represent the Address Prefixes of the OnPrem to which you want to communicate from Azure i.e, consider the example given in Create a site-to-site VPN connection.

In this example, LNG should have 10.0.0.0/24 and 20.0.0.0/24

Now, in the same example,

Let's say you only want to communicate to 20.0.0.0/24 and not 10.0.0.0/24

Then the LNG should have only 20.0.0.0/24
KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee

2024-08-21T16:42:58.6833333+00:00

@Taylor, Kevin ,

I'm glad that you were able to get a understanding about this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I have summarized our discussions and posted as an answer if you'd like to "Accept" the answer.

Cheers,

Kapil

Accepted answer

KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee

2024-08-13T05:42:03.7133333+00:00
@Taylor, Kevin ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that your S2S Connection gets established only when you set the Gateway as Responder only.

LNG is a virtual representation of your OnPremise Network.

This means, this should ideally contain the on prem network address range

To address your query, "LNG is sending all of the routes listed in the route table, plus all of the vnets that peer with the vnet the vpn gateway is connected to"

This is incorrect

VPN Gateway would send the address range of VNET where it is deployed, and the VNETs peered to this VNET to OnPrem

LNG would not send anything, the actual OnPrem device is the one that would send the configuration settings.

NOTE : A VPN gateway accepts any traffic selectors proposed by a remote gateway (on-premises VPN device). This behavior is consistent among all connection modes (Default, InitiatorOnly, and ResponderOnly).

See : FAQ | Can I specify my own policy-based traffic selectors?

If you use your own Custom IPsec/IKE policy with Azure VPN, you must make sure whatever policy you define is supported in the OnPrem device as well.

If you find that in this case, the connection is not getting established,

You can leverage VPN Gateway diagnostic logs

Especially, "IKEDiagnosticLog"

Cheers,

Kapil
Please sign in to rate this answer.
Taylor, Kevin 20 Reputation points

2024-08-13T12:25:03.8533333+00:00

Thank you for the response. What you say makes sense to me, but I'm still a little shaky on how the LNG plays into this scenario. When I see the transform set proposal from the VPN gateway, I also see all of the routes listed in the LNG, that is why I said the LNG is sending. However, many of the routes that are currently configured in the LNG represent a managed BGP/MPLS network that we don't particularly route to. Traffic traverses the MPLS network to get to each of my remote locations, so should these connections be listed in the LNG? My firewall, which the site2site connection terminates with, uses static routes to direct traffic to the MPLS network, so I would possibly be sending overlapping information to my on-prem or am I mistaken?

Thanks again for responding.

KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee

2024-08-13T13:19:37.4466667+00:00

@Taylor, Kevin , you are welcome and glad we could assist.

When you say "When I see the transform set proposal from the VPN gateway, I also see all of the routes listed in the LNG, that is why I said the LNG is sending."

Do you mean the actual OnPrem device is sending?

Because LNG represents the "other side" and this is configurable by the customer at the Portal.

It only represents, it does not send - the OnPrem is the one that actually sends.

many of the routes that are currently configured in the LNG represent a managed BGP/MPLS network that we don't particularly route to.

LNG consists of 2 parts.

The "EndPoint IP Address" and "Address Space(s)"

The former represents the OnPrem's IP to which Tunnel gets established

The latter is for the entire address range to which you want to establish the S2S

Wrt, "Traffic traverses the MPLS network to get to each of my remote locations, so should these connections be listed in the LNG? My firewall, which the site2site connection terminates with, uses static routes to direct traffic to the MPLS network, so I would possibly be sending overlapping information to my on-prem"

I am afraid we cannot answer this from Azure perspective

Ideally, just the OnPrem (site's) address range should be enough

But we do not have any idea on how the MPLS Network is internally establishing the Tunnel (that is, from the endpoint IP to actual OnPrem site)

You have to work with your OnPrem network team to understand how and why this is configured.

Also,

Whatever you configure on LNG is actually sent to Azure, not to OnPrem

LNG itself is a virtual representation of OnPrem

Meaning, the routes you specify in LNG are actually being learnt by Azure (provided the Traffic selector negotiation was successful)

So, "I would possibly be sending overlapping information to my on-prem" is not quite correct

See : Local network gateway

Hope this helps

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee

2024-08-15T07:12:18.2433333+00:00

@Taylor, Kevin no problem , we are happy to assist :)

Unfortunately, I am afraid I am not sure what your question/ask here is.

From the logs, yes, I can see Azure proposes Traffic Selectors,

TSI - based on VNET and peered VNETs

TSR - based on LNG's address ranges

This is the expected behavior as well.

Also, from your logs

I don't see 192 addresses and 172 addresses

Is the question is that why MPLS network range is included and not the 192 range?

Cheers,

Kapil

Taylor, Kevin 20 Reputation points

2024-08-19T12:57:10.3433333+00:00

Thanks for all of the feedback, it has really helped me get a better understanding of my original question. I would like to stay on this topic but rephrase the question.

The LNG is supposed to represent my on-prem device that the vpn gateway is communicating with. Should the route table in the LNG match the route table of the on-prem device the IPSec tunnel terminates at? I'm not confident with the configuration of the network I've inherited and haven't been able to find documentation to support or deny my suspicions.

Thanks again

Kevin

KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee

2024-08-19T17:06:52.4566667+00:00

Hi @Taylor, Kevin ,

"Route table" is not the proper term, it is misleading.

We can use "Routes" or "Address prefixes" as this would represent the environment more precisely.

LNG is supposed to represent the Address Prefixes of the OnPrem to which you want to communicate from Azure

i.e, consider the example given in Create a site-to-site VPN connection.

In this example, LNG should have 10.0.0.0/24 and 20.0.0.0/24

Now, in the same example,

Let's say you only want to communicate to 20.0.0.0/24 and not 10.0.0.0/24

Then the LNG should have only 20.0.0.0/24

Hope this makes things clear.

Cheers,

Kapil

Taylor, Kevin 20 Reputation points

2024-08-20T13:44:13.3266667+00:00

Thank you so much for this discourse. You've helped me clear up some confusion I had surrounding the vpn gateway, the LNG, and building the connection between my Azure tenant and my on-prem network.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Fix s2s connection

0 additional answers

Your answer