azure site-to-site-vpn does not let traffic through

0
votes

I am trying to setup a site-to-site-vpn with an azure-virtual-network and an azure-virtual-machine to a local-network and a local-computer.

The VPN-Gateway has managed to establish a connection to the VPN-Device, but does not let traffic travel between the networks. It is probably it is caused by a configuration error somewhere.

Is there any tools I can use that can pin-point the problem?

I have tried downloading the AzureVNetGatewayDiagnostics but I dont see any problems with it. Anything else I can try?

2
azurevpnazure-vpn

2 Answers

1
votes

Did you follow the instructions here https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-create-site-to-site-rm-powershell/ when you set up the S2S VPN?

When you open the connection in the Azure portal, is there any traffic registered? There should read how much data has been sent and received through the connection. The status should also read "Connected". The connection in question is the one created in step 8.

Also, in the "local network gateway" in the Azure portal, are the correct subnets defined for your on-premise networks? I.e. in the configuration section, in the portal, for the gateway should read something like 192.168.0.0/24. This is created in step 3.

Note: if you change these settings after creating the gateway in Azure, you must recreate the connection object. See the "To modify IP address prefixes for a local network gateway" section for more information.

In the same way, check that the remote subnets are also defined in your local device. There should read something like 10.0.0.0/16 if that's the subnet you used for the remote subnet you are trying to connect to.

If all that's fine, then also check that your local firewall is configured to route traffic to through the right interface.

Finally try to run e.g. tracert <remote vm ip> and see what it returns. If all is fine it should look like

C:\>tracert 10.0.1.15

Tracing route to 10.0.1.15 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     *        *        *     Request timed out.
  3    47 ms    48 ms    51 ms  10.0.1.15

Trace complete.

If you run the same from a remote VM against a local IP it should return a similar result.

0
votes

Finally managed to get the VPN working. Ill post what the problems was here.

tracert 192.168.36.16
Tracing route to 192.168.36.16 over a maximum of 30 hops
1    <1 ms    <1 ms     1 ms  10.2.0.36
2     *        *        * Request timed out.
3    44 ms    44 ms    45 ms  192.168.36.16
Trace complete.

I encountered the following problems:

Turns out that you could indeed see what was wrong from the AzureVNetGatewayDiagnostics vpnlog file. I just could not understand it.

vpnlog says Attribute mismatch: QM-TRANSFORM-TYPE, expected: ESP-AUTH-AND-CIPHER, received: AH, indicates that the PHASE 2 encryption algorithm used should be ESP-AUTH-AND-CIPHER. Set the Encryption to ESP and AUTO.

vpnlog indicates ERROR ERROR_IPSEC_IKE_INVALID_PAYLOAD, indicates faulty configuration of some sort?

Also the virtual network was not a private class A,B,C,D network. instead it started with 111.x.x.x which is a public network.

I was following the settings on this page but did not catch every setting correctly since the vpn devices had unexpected UI fields. https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/