We have the following setup in our environment:
Azure VPN Gateway
S2S-VPN between gateway and our on-premise datacentre.
P2S-VPN between gateway and clients.
This P2S VPN is configured with AAD-authentication and the VPN profile is assigned to a client via Intune and XML-configuration.
I have attached a stripped-down version of our .xml (azurevpn.xml) containing only non-sensitive information. It's in the zipped file.
This setup works fine overall; we add some routes to direct the traffic to the right place.
We also have a management VPN deployed that some of our employees use to get access to our network equipment and other administrative devices. This is a Cisco AnyConnect VPN.
When connected to both this VPN profile and the Azure VPN, it lets them traverse both the management net and the "customer" net and lets them query DNS in both nets.
The AnyConnect VPN, just like the Azure VPN, has routes assigned to it; when connected, one of the routes gets assigned a metric of 35.
When the P2S VPN is then connected, it assigns the metric 311 to the same route. 311 seems to be the "default" metric for the routes specified in our .xml.
This causes the issues in our case, and we need to assign a metric lower than 35 to the P2S route.
Is there any way to assign a metric to a route that we push with the .xml?
According to the Microsoft Docs here (Create an Intune profile for Azure VPN clients - Azure VPN Gateway | Microsoft Docs), which links to https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp, you are able to do this.
However, if we try to add, for example, "<metric>25</metric>" to the xml, this gets ignored on the client.
I have attached a section of the AzureVpnCxn.log which is stripped of sensitive information where this can be seen.
Please advise.
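As an added example (not code from the original post, from Microsoft, or from the Azure VPN client), here is a small Python linter for the `<Route>` section of a VPNv2 CSP ProfileXML, the layer at which the linked VPNv2 CSP documentation defines a per-route metric. The CSP documents `<Route>` with the child elements `<Address>`, `<PrefixSize>`, `<Metric>` and `<ExclusionRoute>`; XML element names are case-sensitive, so a lowercase `<metric>` is an unknown element rather than a metric. The sample profile, the 10.x prefixes and the function names `lint_routes` and `set_route_metric` are constructed for this example. It validates only the VPNv2 ProfileXML layer; the Azure VPN client's own XML (azurevpn.xml) is a separate format that it does not cover.

```python
# Added example (not code from the original post, Microsoft, or the Azure VPN
# client): lint and patch the <Route> entries of a VPNv2 CSP ProfileXML before
# it is pushed with Intune.
import xml.etree.ElementTree as ET

# Child elements of <Route> as named in the VPNv2 CSP ProfileXML documentation.
# XML element names are case-sensitive, so <metric> is not <Metric>.
ROUTE_CHILDREN = ("Address", "PrefixSize", "Metric", "ExclusionRoute")

# Constructed sample profile (not the poster's azurevpn.xml): one route with a
# correctly spelled <Metric>, one with the lowercase spelling, one with none.
SAMPLE_PROFILE = """<VPNProfile>
  <ProfileName>AzureVPN-Example</ProfileName>
  <Route>
    <Address>10.10.0.0</Address>
    <PrefixSize>16</PrefixSize>
    <Metric>25</Metric>
  </Route>
  <Route>
    <Address>10.20.0.0</Address>
    <PrefixSize>16</PrefixSize>
    <metric>25</metric>
  </Route>
  <Route>
    <Address>10.30.0.0</Address>
    <PrefixSize>16</PrefixSize>
  </Route>
</VPNProfile>"""


def lint_routes(profile_xml: str) -> list[tuple[str, str]]:
    """Return (destination, problem) pairs for every <Route> whose metric
    will not come out as the administrator intended."""
    root = ET.fromstring(profile_xml)
    findings = []
    for route in root.iter("Route"):
        dest = f"{route.findtext('Address')}/{route.findtext('PrefixSize')}"
        for child in route:
            if child.tag not in ROUTE_CHILDREN:
                msg = f"unrecognised element <{child.tag}>"
                # A case-only mismatch is the usual cause; name the expected spelling.
                for expected in ROUTE_CHILDREN:
                    if child.tag.lower() == expected.lower():
                        msg += f", schema expects <{expected}>"
                findings.append((dest, msg))
        metric = route.findtext("Metric")
        if metric is None:
            findings.append((dest, "no <Metric> element, client default applies"))
        elif not metric.strip().isdigit():
            findings.append((dest, f"<Metric> must be an unsigned integer, got {metric!r}"))
    return findings


def set_route_metric(profile_xml: str, address: str, prefix_size: int, metric: int) -> str:
    """Return the profile with <Metric> for the given route added or replaced.
    Any wrongly cased metric element on that route is removed first, and the
    new <Metric> is placed right after <PrefixSize>."""
    root = ET.fromstring(profile_xml)
    for route in root.iter("Route"):
        if (route.findtext("Address") != address
                or route.findtext("PrefixSize") != str(prefix_size)):
            continue
        for child in list(route):
            if child.tag.lower() == "metric":
                route.remove(child)
        position = [c.tag for c in route].index("PrefixSize") + 1
        new = ET.Element("Metric")
        new.text = str(metric)
        new.tail = route[position - 1].tail  # keep the surrounding indentation
        route.insert(position, new)
        return ET.tostring(root, encoding="unicode")
    raise ValueError(f"no <Route> for {address}/{prefix_size} in profile")


if __name__ == "__main__":
    for dest, problem in lint_routes(SAMPLE_PROFILE):
        print(f"{dest}: {problem}")
    fixed = set_route_metric(SAMPLE_PROFILE, "10.20.0.0", 16, 25)
    fixed = set_route_metric(fixed, "10.30.0.0", 16, 25)
    print("after fix:", lint_routes(fixed))
```

Once a corrected profile is deployed, confirm the outcome on the client rather than trusting the XML: `Get-NetRoute -DestinationPrefix 10.20.0.0/16` lists RouteMetric and InterfaceMetric per interface, and Windows ranks competing routes by the sum of the two, so compare that sum against the AnyConnect route, not the route metric alone.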