KeithStein-4764 asked:

Certificate for Azure Point-To-Site VPN via Custom HostName

I have a feeling there's something about this I don't understand.

I have a working point-to-site VPN connection between my computer (using Windows' native rasphone component), and our Azure Virtual Network Gateway. The gateway uses a self-signed root certificate that I created, and my computer has a client certificate signed by the root which it uses to authenticate.

In the VPN configuration on my computer, I use the following destination address:

The problem is, occasionally there is cause to recreate the Azure VPN Gateway, which changes the above network address. This then requires me to change the destination address on all the VPN client machines. Instead, I thought it would be a clever idea to create a DNS entry that I could just point to the current gateway address. This way I could give the VPN client an unchanging address I control, and just update the DNS record if the gateway changes.

So, I created the subdomain azurevpngateway.[OurCompany].com, pointed it toward the gateway address, confirmed that it resolved to the correct IP, and then swapped out the destination address in the VPN configuration.

Since I'm posting here, needless to say, it didn't work. Connecting with SSTP gives this error:

The certificate's CN name does not match the passed value.

I discovered later that swapping out the azuregateway-[GUID] address for the IP address which it resolves to also gives that same error.

I'm not sure where the insistence on using that specific FQDN is coming from. It's not used anywhere in the creation of the self-signed root cert, or the subsequent child certs. No other certificates are manually installed on the client machines besides those. I tried creating a new root cert and including CN=azurevpngateway.[OurCompany].com in the subject, but the error persists.

Why does authentication only succeed when I use azuregateway-[GUID]? And how can I get it to work using the azurevpngateway.[OurCompany].com address?


1 Answer

suvasara-MSFT answered:

@KeithStein-4764, as of today Azure P2S doesn't support auto-reconnect or DDNS capabilities on connection termination. Here is the configuration for setting the VPN as Always On for a user tunnel.

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

3 comments

I'm not asking about automatic reconnect or DDNS; I'm not looking to automatically reconnect dropped connections, or automatically update DNS records. I'm simply asking about connecting to an Azure VPN gateway using our own DNS address (which would allow me to manually update it).


@KeithStein-4764, my bad! Apologies. If you are looking to set up a custom hostname/domain name for the Azure P2S server, then this is not possible today, as the certificate is tied to the hostname. It will start issuing certificate errors.


Could you elaborate on that just a bit more, if only for my understanding? What certificate is tied to the hostname? Neither the self-signed root certificate nor the child certificates I created for authentication are in any way tied to the hostname. There is no mention of the hostname in the command used to create them, or in the resulting certificate properties. Those are the only certificates I install on a client machine, so I'm not sure what certificate could be causing this problem.

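As an added example, not code from the thread or from Microsoft, here is a small Python reconstruction of the name check that SSTP's TLS layer performs on the gateway's own server certificate (a certificate separate from the root and client certificates the client installs). The certificate dict is a constructed stand-in shaped like an Azure P2S gateway certificate; the GUID placeholder and the vpn.azure.com suffix are assumptions, and `fetch_peer_cert` is an optional network helper for inspecting a live gateway from a client machine.

```python
"""Name check a TLS client applies to the server certificate it receives.

SSTP rides on TLS, so the Windows client checks that the destination name it
dialled matches the gateway's certificate. GATEWAY_CERT is a CONSTRUCTED
stand-in for ssl.getpeercert() output; the GUID and suffix are assumptions.
"""
import ipaddress
import socket
import ssl

GATEWAY_CERT = {
    "subject": ((("commonName", "azuregateway-guid-placeholder.vpn.azure.com"),),),
    "subjectAltName": (("DNS", "azuregateway-guid-placeholder.vpn.azure.com"),),
}

def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single leftmost-label wildcard."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if the dialled name is covered by the cert's SAN (CN only as fallback)."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:  # a raw IP only ever matches an IP Address SAN entry, never a DNS name
        ip = ipaddress.ip_address(hostname)
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    except ValueError:
        pass
    if dns_names:  # once a DNS SAN exists, the CN is ignored entirely
        return any(_dns_match(p, hostname) for p in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, hostname) for cn in cns)

def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch a live gateway's certificate dict (network call; not used offline)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; only the name check is ours
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Running `cert_matches_hostname` against the three names the thread tries (the azuregateway name, the custom DNS name, and the raw IP) passes only the first, which is the mismatch the rasphone error reports, and swapping the client's destination name for a CNAME does not change what name the gateway's certificate carries.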