
By default, Azure uses a route-based VPN when the IKEv2 option is selected (either because we prefer IKEv2, or because we need multiple VPN tunnels from the same VPN gateway, which is not possible with IKEv1). This means that during phase 2 the Azure side sends 0.0.0.0/0 as its local traffic selector, so phase 2 fails and with it the entire tunnel fails to establish.

The 0.0.0.0/0 selector is only appropriate when the customer site also uses a route-based VPN, so that traffic can be routed towards the VTI (virtual tunnel interface).

FIX

Open the Bash console in the Azure portal and select your subscription by its ID:

pawel@Azure:~$ az account set --subscription 1c65831a-cad7-4bf6-98b2-483sadf

Let’s view the current VPN connection settings:

pawel@Azure:~$ az network vpn-connection show -g Customer-Azure_Prod -n Customer-Cloud-VPN

This returns output in which we can see that policy-based traffic selectors are disabled (usePolicyBasedTrafficSelectors is false):

{
  "authorizationKey": null,
  "connectionMode": "Default",
  "connectionProtocol": "IKEv2",
  "connectionStatus": "notConnected",
  "connectionType": "IPsec",
  "dpdTimeoutSeconds": 45,
  "egressBytesTransferred": 12321039,
  "egressNatRules": null,
  "enableBgp": false,
  "etag": "W/\"b09c43b4-fa59-44ac-9920-0521e85552a1\"",
  "expressRouteGatewayBypass": false,
  "id": "/subscriptions/1c65831a-cad7-4bf6-98b2-4830b9448caf/resourceGroups/Gentex-Azure_Prod/providers/Microsoft.Network/connections/Gentex-vCloud-VPN",
  "ingressBytesTransferred": 58162468,
  "ingressNatRules": null,
  "ipsecPolicies": [],
  "localNetworkGateway2": {
    "id": "/subscriptions/1c65831a-cad7-4bf6-98b2-4830b9448caf/resourceGroups/Gentex-Azure_Prod/providers/Microsoft.Network/localNetworkGateways/Gentex-vCloud-LNG",
    "resourceGroup": "Customer-Azure_Prod"
  },
  "location": "uksouth",
  "name": "Customer-Cloud-VPN",
  "provisioningState": "Succeeded",
  "resourceGroup": "Customer-Azure_Prod",
  "resourceGuid": "a8f1a695-3aab-4f08-9edc-c385cbfa7abc",
  "routingWeight": 0,
  "sharedKey": "wMnjYHdfdfWbtKvc",
  "tags": null,
  "trafficSelectorPolicies": [],
  "tunnelConnectionStatus": null,
  "type": "Microsoft.Network/connections",
  "useLocalAzureIpAddress": false,
  "usePolicyBasedTrafficSelectors": false,
  "virtualNetworkGateway1": {
    "id": "/subscriptions/1c65831a-cad7-4bf6-98b2-4830b9448caf/resourceGroups/Gentex-Azure_Prod/providers/Microsoft.Network/virtualNetworkGateways/Gentex-VGW",
    "resourceGroup": "Gentex-Azure_Prod"
  }
}

Let’s now enable policy-based traffic selectors, so that the VNET subnets are sent as selectors instead of 0.0.0.0/0:

az network vpn-connection update -g Customer-Azure_Prod -n Customer-Cloud-VPN --use-policy-based-traffic-selectors true

After a while, let’s check the VPN status again; the connection now shows as Connected and usePolicyBasedTrafficSelectors is true:

pawel@Azure:~$ az network vpn-connection show -g Customer-Azure_Prod -n Customer-Cloud-VPN
{
  "authorizationKey": null,
  "connectionMode": "Default",
  "connectionProtocol": "IKEv2",
  "connectionStatus": "Connected",
  "connectionType": "IPsec",
  "dpdTimeoutSeconds": 45,
  "egressBytesTransferred": 12321039,
  "egressNatRules": null,
  "enableBgp": false,
  "etag": "W/\"b09c43b4-fa59-44ac-9920-0521e85552a1\"",
  "expressRouteGatewayBypass": false,
  "id": "/subscriptions/1c65831a-cad7-4bf6-98b2-4830b9448caf/resourceGroups/Gentex-Azure_Prod/providers/Microsoft.Network/connections/Gentex-vCloud-VPN",
  "ingressBytesTransferred": 58162468,
  "ingressNatRules": null,
  "ipsecPolicies": [],
  "localNetworkGateway2": {
    "id": "/subscriptions/1c65831a-cad7-4bf6-98b2-4830b9448caf/resourceGroups/Gentex-Azure_Prod/providers/Microsoft.Network/localNetworkGateways/Gentex-vCloud-LNG",
    "resourceGroup": "Customer-Azure_Prod"
  },
  "location": "uksouth",
  "name": "Customer-Cloud-VPN",
  "provisioningState": "Succeeded",
  "resourceGroup": "Customer-Azure_Prod",
  "resourceGuid": "a8f1a695-3aab-4f08-9edc-c385cbfa7abc",
  "routingWeight": 0,
  "sharedKey": "wMnjYHdfdfWbtKvc",
  "tags": null,
  "trafficSelectorPolicies": [],
  "tunnelConnectionStatus": null,
  "type": "Microsoft.Network/connections",
  "useLocalAzureIpAddress": false,
  "usePolicyBasedTrafficSelectors": true,
  "virtualNetworkGateway1": {
    "id": "/subscriptions/1c65831a-cad7-4bf6-98b2-4830b9448caf/resourceGroups/Gentex-Azure_Prod/providers/Microsoft.Network/virtualNetworkGateways/Gentex-VGW",
    "resourceGroup": "Gentex-Azure_Prod"
  }
}
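As an added example (not from the original post), a small Python checker that reads the JSON printed by `az network vpn-connection show`, flags the route-based IKEv2 / not-connected combination described above, builds the `update` command used in the fix for that connection, and redacts the pre-shared key that the `show` output returns in clear text. The sample document is constructed: the resource names follow the post, every other value (including the PSK) is a placeholder.

```python
import json

# Constructed sample shaped like `az network vpn-connection show` output; the resource
# names match the post, everything else (including the PSK) is a made-up placeholder.
SAMPLE_SHOW_OUTPUT = """{
  "connectionProtocol": "IKEv2",
  "connectionStatus": "notConnected",
  "ipsecPolicies": [],
  "name": "Customer-Cloud-VPN",
  "resourceGroup": "Customer-Azure_Prod",
  "sharedKey": "placeholder-psk-not-real",
  "usePolicyBasedTrafficSelectors": false
}"""

SELECTOR_MISMATCH = "SELECTOR_MISMATCH"  # IKEv2 route-based gateway and tunnel down
PSK_IN_OUTPUT = "PSK_IN_OUTPUT"          # `show` prints the pre-shared key in clear text

def parse_show_output(raw):
    """Parse the JSON document that `az network vpn-connection show` prints."""
    return json.loads(raw)

def diagnose(conn):
    """Return finding codes for one connection document."""
    findings = []
    if (conn.get("connectionProtocol") == "IKEv2"
            and not conn.get("usePolicyBasedTrafficSelectors", False)
            and conn.get("connectionStatus") != "Connected"):
        # Route-based Azure side proposes 0.0.0.0/0 in phase 2, which a
        # policy-based peer will not accept: the symptom the post describes.
        findings.append(SELECTOR_MISMATCH)
    if conn.get("sharedKey"):
        findings.append(PSK_IN_OUTPUT)
    return findings

def remediation_command(conn):
    """Build the `az network vpn-connection update` call from the post for this connection."""
    return ("az network vpn-connection update -g {rg} -n {name} "
            "--use-policy-based-traffic-selectors true").format(
                rg=conn["resourceGroup"], name=conn["name"])

def redact(conn):
    """Copy of the document that is safe to paste into a ticket: PSK removed."""
    safe = dict(conn)
    if "sharedKey" in safe:
        safe["sharedKey"] = "<redacted>"
    return safe

if __name__ == "__main__":
    conn = parse_show_output(SAMPLE_SHOW_OUTPUT)
    print(diagnose(conn), remediation_command(conn), sep="\n")
```

Run it against the real `show` output by piping the JSON into `parse_show_output`; only the redacted copy should leave your terminal.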
