ArtemKulikovskyi-9525 asked ·

Network segmentation and IPSec VPN

There is an address space on the Azure side:
10.20.70.0/16
I want to create subnets in it:
10.20.70.0/27
10.20.70.32/27
10.20.70.64/27
10.20.70.96/27
I don't want to specify a bunch of phase-2 selectors in the IPsec tunnel, each referring to its own subnet, and instead want only one that refers to
10.20.70.0/24.
Will it work like that, and will it be stable?
I understand that if the connection to 10.20.70.0/24 drops, none of the subnets will be available, whereas if I configure the connections to the subnets separately, then if one connection fails, the others would keep working.
I am more interested in how the IPsec protocol itself operates. Which way is better to configure: multiple /27 connections in the tunnel, one per subnet, or will a single /24 connection work just as well?

Tags: azure-virtual-network, azure-vpn-gateway

1 Answer

msrini-MSFT answered ·

Hi,

You configure the Traffic Selector as the entire address space of your VNet. That is the recommended TS configuration from Microsoft's end.

When Azure negotiates, we use 0.0.0.0 as TSi and, based on what you have configured, we narrow it down. So it's best you configure the entire address space of the VNet, in this case 10.20.70.0/16.

Regards,
Msrini


Thank you, Msrini.

Initially, I set up the traffic selector as 10.20.70.0/16.
But for a more stable VPN connection, an external contractor recommended that I narrow the subnet for the traffic selector. No more than 10 servers are planned in the entire Azure network. Based on what you said, will I need to delete the current network settings and create a new address space with a smaller range?

Or does reducing the range not affect the stability of the network (VPN), so I should not change anything?

msrini-MSFT replied to ArtemKulikovskyi-9525 ·

Before doing that, I have a few questions for you:

  1. What is your On-Prem device ?

  2. Is your device listed in the validated devices list as per our doc ?

  3. Are you using route based gateway or Policy based Gateway ?

  4. Are you using IKEv1 or IKEv2 for your connection ?

OK, answers below:
1. FortiGate 60E
2. Yes
3. Route-based
4. IKEv2
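The negotiation Msrini describes (Azure proposing 0.0.0.0/0 as its traffic selector and narrowing to whatever the peer configured) applied to the two designs the asker weighs, with the FortiGate 60E, route-based, IKEv2 details from the comments. This is an added example, not code from the original thread, from Microsoft or from Fortinet. Assumptions: an on-prem LAN of 192.168.1.0/24 behind the FortiGate, the FortiGate acting as IKE initiator, and the VNet address space taken as 10.20.0.0/16, which is what 10.20.70.0/16 becomes once the host bits are masked (the `strict=False` call makes that explicit).

```python
"""IKEv2 traffic-selector (TS) narrowing, RFC 7296 section 2.9, applied to the
designs in the thread. Added example, not the page's or Microsoft's code.

Constructed scenario: a route-based FortiGate initiates with its phase-2
selectors; Azure responds with 0.0.0.0/0 and narrows to its VNet address space.
The on-prem LAN 192.168.1.0/24 is an assumption."""
from ipaddress import IPv4Network, ip_network

# The question writes the VNet address space as 10.20.70.0/16; strict=False
# masks the host bits, giving the prefix Azure actually routes: 10.20.0.0/16.
VNET_SPACE = ip_network("10.20.70.0/16", strict=False)
SUBNETS = [ip_network(f"10.20.70.{o}/27") for o in (0, 32, 64, 96)]
ONPREM_LAN = ip_network("192.168.1.0/24")   # assumed on-prem LAN behind the FortiGate
AZURE_PROPOSAL = ip_network("0.0.0.0/0")    # TS Azure offers before narrowing (per the answer)


def narrow(proposed: IPv4Network, policy: IPv4Network):
    """Intersection of two CIDR blocks, or None if they are disjoint.

    Aligned CIDRs either nest or do not overlap, so the responder returns the
    initiator's TS unchanged, narrows it to its own policy, or rejects it
    (TS_UNACCEPTABLE)."""
    if proposed.subnet_of(policy):
        return proposed
    if policy.subnet_of(proposed):
        return policy
    return None


def selectors(*remotes):
    """Build FortiGate phase-2 selectors (local, remote) for the given remote CIDRs."""
    return [(ONPREM_LAN, ip_network(str(r))) for r in remotes]


def single_selector_design(remote="10.20.70.0/24"):
    """The design asked about: one phase-2 selector covering all four /27s."""
    return selectors(remote)


def per_subnet_design():
    """The alternative: one phase-2 selector, hence one Child SA, per /27."""
    return selectors(*SUBNETS)


def negotiate_child_sas(onprem_selectors, azure_policy=VNET_SPACE):
    """Simulate one CREATE_CHILD_SA exchange per phase-2 selector.

    Returns (agreed, rejected): agreed holds the (TSi, TSr) pairs that become
    Child SAs, rejected the selectors Azure cannot narrow into its VNet."""
    azure_ts = narrow(AZURE_PROPOSAL, azure_policy)   # 0.0.0.0/0 narrowed to the VNet
    agreed, rejected = [], []
    for local, remote in onprem_selectors:
        tsr = narrow(remote, azure_ts)
        if tsr is None:
            rejected.append((local, remote))
        else:
            agreed.append((local, tsr))
    return agreed, rejected


def covers(selector, subnets=SUBNETS):
    """True when one selector reaches every VNet subnet, i.e. one Child SA suffices."""
    selector = ip_network(str(selector))
    return all(s.subnet_of(selector) for s in subnets)


def fortigate_phase2(name, phase1, onprem_selectors):
    """Render the selectors as FortiOS 'config vpn ipsec phase2-interface' entries
    (one entry per selector, subnet/netmask form)."""
    lines = ["config vpn ipsec phase2-interface"]
    for i, (local, remote) in enumerate(onprem_selectors, 1):
        lines += [
            f'    edit "{name}-{i}"',
            f'        set phase1name "{phase1}"',
            f"        set src-subnet {local.network_address} {local.netmask}",
            f"        set dst-subnet {remote.network_address} {remote.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, design in (("one /24 selector", single_selector_design()),
                          ("one /27 selector per subnet", per_subnet_design()),
                          ("whole VNet, as recommended", single_selector_design(VNET_SPACE))):
        agreed, rejected = negotiate_child_sas(design)
        print(f"{label}: {len(agreed)} Child SA(s), {len(rejected)} rejected,",
              "TSr =", [str(tsr) for _, tsr in agreed])
    print(fortigate_phase2("azure-p2", "azure", single_selector_design(VNET_SPACE)))
```

Running it shows what the selector choice actually changes: a single selector (the /24 or the whole VNet space) yields one Child SA, one selector per /27 yields four, and a selector that falls outside the address space Azure is configured with is narrowed to nothing and rejected. The `fortigate_phase2` output is the shape of the phase-2 entries on the 60E; `phase1name` must match the existing IKEv2 phase-1 interface.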