Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,543 questions
Setup Azure P2S VPN using Entra ID (Azure Active Directory) and Certificate based authentication
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 70%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Prabhu
0
Reputation points
Dear Azure Community,
I am currently working on setting up a Point-to-Site (P2S) VPN using an IKEv2 tunnel with the following requirements:
- Authentication using Microsoft Entra ID (Azure Active Directory) with MFA
- Certificate-based Authentication (including both root and client certificates)
After some research, I've come across a few challenges and wanted to get the community's perspective on their feasibility:
IKEv2 and Entra ID Authentication: From what I understand, IKEv2 does not support Entra ID authentication, and this method is only supported via OpenVPN. I would like to confirm if this is indeed correct or if there is a workaround to make IKEv2 work with Entra ID and MFA.
Combining Entra ID and Certificate-based Authentication: My intention is to combine both Entra ID and certificate authentication for added security. However, I am unable to find any way to configure both authentication types simultaneously. Is this possible with the Azure VPN client, or are there any other approaches to achieve this combination?
Any guidance, suggestions, or alternative methods for achieving this setup would be greatly appreciated.
Thank you for your assistance!
Best regards,
Senthil Prabhu
{count} votes
-
KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee2024-10-01T06:04:53.2333333+00:00 Hi Senthil,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
To address your queries,
1 . IKEv2 does not support Entra ID authentication, and this method is only supported via OpenVPN. I would like to confirm if this is indeed correct or if there is a workaround to make IKEv2 work with Entra ID and MFA.
- Your observation is correct.
- No, there are no alternatives or workarounds for this
- You have to use OpenVPN if you require Entra Authentication.
2 . However, I am unable to find any way to configure both authentication types simultaneously.
- Can you please specify what exactly is the challenge you are facing?
- Configure certificate authentication by following the steps mentioned here
- Configure Entra authentication by following the steps mentioned here
- The above two are mutually exclusive to each.
If you can provide a specific step where you are facing the issue, we can assist you better
Cheers,
Kapil
-
Prabhu 0 Reputation points
2024-10-01T08:32:21.84+00:00 Hi Kapil,
Thank you for your prompt response and the information provided. I appreciate your help in clarifying the IKEv2 and Entra ID authentication situation.
First Issue:
I am currently using the Azure VPN Client with the following configuration:
- VPN Client: Azure VPN Client
- Tunnel Type: OpenVPN
- Authentication Type: Azure Certificate + Azure Active Directory
I would like to know if it is possible to have both authentication types mutually inclusive, meaning I want to implement added security by combining Azure Active Directory and Azure Certificates. If this is not feasible through the Azure VPN Client, could the OpenVPN client or any other VPN client support this combination?
I've attached my configuration for your reference.
Second Issue:
While my Entra ID authentication works with the Azure VPN Client using
azurevpnconfig_aad.xml, I am having trouble getting the certificate authentication to work withazurevpnconfig_cert.xml. I have the client certificate installed on my laptop and have configured the root certificate information in the P2S settings. (I understand that they are mutually exclusive, so I tried these separately using their respective configuration azurevpnconfig_aad.xml, azurevpnconfig_cert.xml.)If you could assist me with these issues, it would be greatly appreciated.
Attached is the error message
Thank you once again for your support!
Best regards,
Senthil
-
KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee
2024-10-01T11:18:42.72+00:00 You are most welcome Senthil.
Wrt,
1 . I would like to know if it is possible to have both authentication types mutually inclusive, meaning I want to implement added security by combining Azure Active Directory and Azure Certificates.
- No, this is not supported as of now.
- Even with 3rd party applications, the Gateway will not authenticate the requests twice (one for Certificate and one for Entra)
- If you wish, you may vote in Azure Feedback Hub forum requesting this feature. All the feedback shared in these forums are monitored and reviewed by the Microsoft engineering teams responsible for building Azure
2 . You are facing "Server did not respond properly to VPN Control Packets. Session State: Key Material sent" error from the P2S Client.
- The error is usually associated with Entra authentication.
- Can you please confirm if you are using the correct XML File (certificate auth) ?
- Can you please check if the local time is synchronized (correct) in this machine
- Can you try using a different machine to connect to the VPN Gateway (just for testing)
- Please download the VPN Client configuration file once again and use it in this server
Let us know how the above goes.
Cheers,
Kapil
-
KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee
2024-10-04T06:23:14.0233333+00:00 Hi @Prabhu , thanks for sharing the info.
From our private messages, you informed us,
- Can you please confirm if you are using the correct XML File (certificate auth) ?: Yes, I used the correct XML file—azurevpnconfig_cert.xml—for the certificate-based authentication.
- Can you please check if the local time is synchronized (correct) in this machine: I have verified that the local time on my machine is correctly synchronized.
- Can you try using a different machine to connect to the VPN Gateway: I tried connecting to the VPN Gateway using a different machine with the client certificate, but I encountered the same exact issue.
- Please download the VPN Client configuration file once again and use it in this server: If you meant to use it on the new client machine, I have done that as well.
As next steps,
- #1
- Can you please confirm if the "root certificate" is also installed in the P2S Clients servers?
- Additionally, you can try to create a new pair of root and client certificate (if this was done and tested already, please ignore)
- And update the Gateway with new root certificate information
- And redownload the Client configuration file
- #2, if the above does not help
- Please check the Azure VPN Gateway's diagnostic logs , especially P2SDiagnosticLog
- Do you see any errors for the issue time stamp?
Cheers,
Kapil
Sign in to comment
Sign in to answer