Forum Discussion
Solved
On-prem connect with S2S VPN to Azure - Mobile users on P2S to Azure cannot connect to on-prem
Hello Thanks for taking your time to read this if you've got this far 🙂 CURRENT SETUP We have a on-prem network that is connected to Azure using a Site to Site VPN On-prem can communica...
I was able to figure this out in the end:
Once you download the P2S (Client) VPN Config file from the Azure Portal, and install it to set up your P2S VPN.
You're able to see that the routes that Azure VPN can connect to by finding this TXT file in:%appdata%\Microsoft\Network\Connections\Cm\<some id>\routes.txtOur on-prem route was not inside this text file -- We could manually add the on-prem route to this file and our P2S VPN would be able to then contact on-premise - However we needed a way to always include this route, as if a new user installs this (or you deploying to a lot of users) it would make sense to try have it in there before.
- To then include our route automatically we advertised the route (with the local IP of the on-prem) to the Virtual Network gateway. To do this:
- Connect to Azure PowerShell (I use cloud shell as work in different tenants)
- Run the following below:
$gw = Get-AzVirtualNetworkGateway -Name <name of gateway> -ResourceGroupName <name of resource group> Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute xx.xx.xx.xx/xxThis took about 5 mins to run.
Once it has run, we deleted the current VPN on the machine, downloaded the new VPN profile and installed it. When we then checked the txt file, the new route was inside of the .txt file.
This article helped me: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routesHope this helps someone who comes across the same problem 🙂
Adam.
I was able to figure this out in the end:
Once you download the P2S (Client) VPN Config file from the Azure Portal, and install it to set up your P2S VPN.
You're able to see that the routes that Azure VPN can connect to by finding this TXT file in:
%appdata%\Microsoft\Network\Connections\Cm\<some id>\routes.txt
Our on-prem route was not inside this text file -
- We could manually add the on-prem route to this file and our P2S VPN would be able to then contact on-premise - However we needed a way to always include this route, as if a new user installs this (or you deploying to a lot of users) it would make sense to try have it in there before.
- To then include our route automatically we advertised the route (with the local IP of the on-prem) to the Virtual Network gateway. To do this:
- Connect to Azure PowerShell (I use cloud shell as work in different tenants)
- Run the following below:
$gw = Get-AzVirtualNetworkGateway -Name <name of gateway> -ResourceGroupName <name of resource group>
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute xx.xx.xx.xx/xx
This took about 5 mins to run.
Once it has run, we deleted the current VPN on the machine, downloaded the new VPN profile and installed it. When we then checked the txt file, the new route was inside of the .txt file.
This article helped me: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes
Hope this helps someone who comes across the same problem 🙂
Adam.
Hi!
I am having this exact setup and trying to configure so that P2S users can access resources over at S2S end. I have tried the below solution that you provided but it wont work for me. The onprem net is advertised in the Azure VPN client but still it seems its not routing. Onprem firewall does not see any incoming ICMP. Any suggestions what more I could look at? S2S is working and onprem can access VM at Azure. Also P2S can access VM at Azure and from that VM ofcourse access S2S.
Thanks
