1
votes

I am not able to connect to the VPN using a PowerShell cmdlet. I use 'rasdial' from a build agent to connect to the VPN so that we can trigger automated tests. The whole process is automated.

Earlier the same rasdial command - Rasdial "VPNName" - was working perfectly fine with the classic model (ASM) of VPN. But after I migrated to ARM, I am facing this issue. However, connecting through the UI, i.e. clicking on buttons to connect to the VPN, is working fine, but our need is to connect through a script.

I am getting this message:

This function is not supported on this system.

NB: I am following this post- https://dzone.com/articles/deconstructing-azure-point

The same workaround worked in ASM but is not working in ARM. What can be another workaround or fix for this?

I am using the script below to create and download the VPN package. I am not sure if I am missing something in my script which is causing this issue-

$VNetName  = "MYVPN"
$SubName = "Subnet-1"
$GWSubName = "GatewaySubnet"
$VNetPrefix1 = "15.3.0.0/16"
$SubPrefix = "15.3.1.0/24"
$GWSubPrefix = "15.3.200.0/26"
$VPNClientAddressPool = "158.17.201.0/24"
$RG = "VMsRG"
$Location = "West Europe"
$DNS = "15.3.0.0"
$GWName = "GateWay"
$GWIPName = "GateWayIP"
$GWIPconfName = "GateWayIPConfig"
$P2SRootCertName = "XXXXX.cer"
$DeployUserName = "[email protected]"
$DeployUserPassword = "XXXXX" 

$Azurepwd = ConvertTo-SecureString $DeployUserPassword -AsPlainText -Force
$AzureCredential = new-object -typename System.Management.Automation.PSCredential -argumentlist $DeployUserName, $Azurepwd 
Add-AzureRmAccount -credential $AzureCredential -SubscriptionName Development

New-AzureRmResourceGroup -Name $RG -Location $Location
$fesub = New-AzureRmVirtualNetworkSubnetConfig -Name $SubName -AddressPrefix $SubPrefix
$gwsub = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix
New-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG -Location $Location -AddressPrefix $VNetPrefix1 -Subnet $fesub, $gwsub -DnsServer $DNS

$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

$pip = New-AzureRmPublicIpAddress -Name $GWIPName -ResourceGroupName $RG -Location $Location -AllocationMethod dynamic

$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddress $pip

$MyP2SRootCertPubKeyBase64 = "XXXXX"
$p2srootcert = New-AzureRmVpnClientRootCertificate -Name "P2SVNETRootCertName" -PublicCertData $MyP2SRootCertPubKeyBase64
New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -EnableBgp $false -GatewaySku Standard -VpnClientAddressPool $VPNClientAddressPool -VpnClientRootCertificates $p2srootcert
Get-AzureRmVpnClientPackage -ResourceGroupName $RG -VirtualNetworkGatewayName $GWName -ProcessorArchitecture Amd64

As I am able to connect using the GUI, I hope the script is doing its job.


2 Answers

2
votes

After 4 months I got a reply from MS (as I raised a ticket for the same). They told me Rasdial is not supported by the Azure VPN Client Package to date. Also, even the deconstructing-the-azure-point-to-site-vpn approach lacks the addition of a route, which should be taken care of by adding the route explicitly.

So as a workaround I did the steps provided in the blog - http://www.diaryofaninja.com/blog/2013/11/27/deconstructing-the-azure-point-to-site-vpn-for-command-line-usage

However, the last part, adding the route, is a bit complex. So for adding the route I have created my own PS script-

$Subnet                  = @("10.0.1.0", "10.0.2.0","10.0.3.0")   # destination networks to reach through the tunnel
$VPNClientAddressPool    = "x.x.x"                                # first three octets of the client address pool
$Mask                    = "255.255.0.0"                          # netmask applied to each entry in $Subnet
$azureIpAddress          = ""                                     # filled in after rasdial connects
$VPNCmd                  = "MYVPNName"                            # VPN entry name as used by rasdial

Here x.x.x are the 3 octets that can be found in "GateWay - Point-to-site configuration" of the VPN-


    # Remove stale routes from an earlier session before reconnecting
    $routeExists = route print | findstr $VPNClientAddressPool
    if($routeExists)
    {
        # route.exe takes one destination per call; passing the array directly would expand it into separate arguments
        foreach ($net in $Subnet) { route delete $net }
    }

    rasdial $VPNCmd > $null
    # Find the IPv4 address the VPN client received from the address pool (first matching ipconfig line)
    $azureIpLine = ipconfig | findstr $VPNClientAddressPool | Select-Object -First 1
    if($azureIpLine -ne $null)
    {
        # The ipconfig line ends with the address, e.g. "IPv4 Address. . . . . : x.x.x.5"
        $azureIpAddress = ($azureIpLine -split ':')[-1].Trim()
        foreach ($net in $Subnet)
        {
            route add $net MASK $Mask $azureIpAddress
        }
    }

This solved the purpose for me. Basically you just need to take care of the route add part.
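The same connect-then-add-routes workflow as an added example, not part of the original answer: it uses the NetTCPIP cmdlets instead of parsing ipconfig and route.exe text, and verifies that each route really landed on the tunnel interface before the build continues. Assumptions: Windows 8 / Server 2012 or later, an elevated session, and the VPN name, pool prefix and subnets are constructed placeholders.

```powershell
# Added example, not from the original answer. Placeholders below are constructed.
$VPNCmd               = "MYVPNName"                     # rasdial phonebook entry
$VPNClientAddressPool = "158.17.201"                    # first three octets of the P2S client pool
$Subnets              = @("10.0.1.0/24", "10.0.2.0/24") # VNet subnets to reach through the tunnel

function Get-VpnClientAddress {
    param([string]$PoolPrefix)
    # The tunnel adapter is the one whose IPv4 address falls inside the client address pool
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { ((($_.IPAddress -split '\.')[0..2]) -join '.') -eq $PoolPrefix } |
        Select-Object -First 1
}

function Set-VpnRoutes {
    param([string[]]$Prefixes, $TunnelAddress)
    foreach ($prefix in $Prefixes) {
        # Replace any stale route from an earlier session (the pool address may have changed)
        Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
            Remove-NetRoute -Confirm:$false
        # Mirrors the answer's "route add <net> MASK <mask> <client IP>": next hop is the tunnel's own address
        New-NetRoute -DestinationPrefix $prefix `
                     -InterfaceIndex $TunnelAddress.InterfaceIndex `
                     -NextHop $TunnelAddress.IPAddress | Out-Null
    }
}

function Test-VpnRoutes {
    param([string[]]$Prefixes, [uint32]$InterfaceIndex)
    # Returns $true only if every prefix has a route bound to the tunnel interface
    foreach ($prefix in $Prefixes) {
        $r = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
             Where-Object { $_.InterfaceIndex -eq $InterfaceIndex }
        if (-not $r) { return $false }
    }
    return $true
}

rasdial $VPNCmd | Out-Null
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

$tunnel = Get-VpnClientAddress -PoolPrefix $VPNClientAddressPool
if (-not $tunnel) { throw "No adapter received an address from pool $VPNClientAddressPool.*" }

Set-VpnRoutes -Prefixes $Subnets -TunnelAddress $tunnel
if (-not (Test-VpnRoutes -Prefixes $Subnets -InterfaceIndex $tunnel.InterfaceIndex)) {
    throw "Routes were not installed on the tunnel interface; check that the session is elevated"
}
```

Failing fast here matters on a build agent: without the routes the tests would run against the wrong network path and fail in ways that look like application errors.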

0
votes

Your PowerShell script seems fine (I didn't try the login and resource group pieces, but everything else works from $fesub on) except for the third line from the bottom. The -Name tag, which you currently have as "P2SVNETRootCertName", needs to be the same as your $P2SRootCertName. For more information, refer to the Azure documentation: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-howto-point-to-site-rm-ps/

As for Rasdial, another StackOverflow post has answered this: Azure Virtual Network Point-to-Site (ex. Azure Connect) autoconnect

-Bridget [MSFT]