FlatulentMonk asked:

Do you have to set up BGP to get transitive routing to work between User VPN (P2S) and on-prem VPN Site connections in a Virtual WAN?

I have an Azure Virtual WAN with a User VPN configured and 3 Site-to-Site connections. The P2S connects and can access VMs in Azure, but when I try to connect to on-prem resources from the P2S connection, it fails. The S2S connection works between on-prem and Azure VNets. The problem is transitive routing between User VPN connections and on-prem. Other posts suggest you have to configure BGP on the S2S VPNs, but those are referring to Virtual Network Gateway VPNs and not Virtual WAN. Do you have to configure BGP on each VPN site connection to get this to work in vWAN as well? My second question is: if I bring in ExpressRoute, will I have any issues with transitive routing?

azure-virtual-wan

1 Answer

GitaraniSharmaMSFT-4262 answered:

Hello @FlatulentMonk ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

To set up connectivity from the remote user to on-premises via Virtual WAN, you have two options:

1) Set up Site-to-site connectivity with any existing VPN device. When you connect the IPsec VPN device to Azure Virtual WAN hub, interconnectivity between the Point-to-site User VPN (Remote user) and Site-to-site VPN is automatic.

2) Connect your ExpressRoute circuit to the Virtual WAN hub. Connecting an ExpressRoute circuit requires deploying an ExpressRoute gateway in Virtual WAN. As soon as you have deployed one, interconnectivity between the Point-to-site User VPN and ExpressRoute user is automatic.

Please refer to: https://docs.microsoft.com/en-us/azure/virtual-wan/work-remotely-support

The most likely cause of it not working in your case could be the below:

On the P2S user side, do you see the on-premises routes getting added to the VPN client?
Once connected to the Azure Point-to-site VPN, the VPN client should get the routes from the Azure VPN gateway, which are stored in this path: C:\Users\UserName\AppData\Roaming\Microsoft\Network\Connections\cm\<VirtualNetworkId>\routes.txt

If the on-premises routes are missing, you can manually add those routes in the routes.txt file in Notepad. After adding the routes, check if you are able to access on-premises sites from the P2S VPN client.

Other things to check:
Is it the same vHub or across vHubs?
Do you have any firewall in the middle?

Virtual WAN allows transit connectivity between VPN and ExpressRoute. This implies that VPN-connected sites or remote users can communicate with ExpressRoute-connected sites. There is also an implicit assumption that the Branch-to-branch flag is enabled and BGP is supported in VPN and ExpressRoute connections.

Bringing ExpressRoute into the setup will not affect transitive routing, but as mentioned above, you need BGP on your VPN to be able to connect to ExpressRoute-connected sites from your VPN-connected sites.
Please refer to: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about#transit-er

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

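The answer above suggests checking whether the on-premises prefixes appear in the VPN client's routes.txt and adding them by hand if they are missing. The following PowerShell script is an added example, not code from the thread or from Microsoft: it audits that file for a list of expected on-premises prefixes and, with -Fix, appends the missing ones. It assumes the route-line format shown in the comments and uses constructed sample prefixes; the <VirtualNetworkId> in the default path is a placeholder you must replace.

```powershell
# Added example (not from the original thread). Audit the Azure VPN client's
# routes.txt for the on-premises prefixes that should be reachable through the
# vWAN hub, and optionally append any that are missing.
# Assumption (not stated on the page): route lines use the form
#   ADD <network> MASK <netmask> default METRIC default IF default
# The prefixes in $OnPremPrefixes are constructed sample values.
param(
    [string]$RoutesFile = "$env:APPDATA\Microsoft\Network\Connections\Cm\<VirtualNetworkId>\routes.txt",
    [string[]]$OnPremPrefixes = @('10.100.0.0/16', '192.168.50.0/24'),
    [switch]$Fix
)

function ConvertTo-NetMask {
    param([int]$PrefixLength)
    # Build a dotted-decimal mask from a CIDR length, e.g. 24 -> 255.255.255.0
    $bits = ('1' * $PrefixLength).PadRight(32, '0')
    $octets = 0..3 | ForEach-Object { [Convert]::ToInt32($bits.Substring($_ * 8, 8), 2) }
    return ($octets -join '.')
}

function Get-ExistingRoutes {
    param([string]$Path)
    # Return a hashtable keyed by "network/netmask" for every ADD line found
    $found = @{}
    if (Test-Path $Path) {
        foreach ($line in Get-Content $Path) {
            if ($line -match '^\s*ADD\s+(\S+)\s+MASK\s+(\S+)') {
                $found["$($Matches[1])/$($Matches[2])"] = $true
            }
        }
    }
    return $found
}

$existing = Get-ExistingRoutes -Path $RoutesFile
$missing = @()
foreach ($prefix in $OnPremPrefixes) {
    $network, $length = $prefix -split '/'
    $key = "$network/$(ConvertTo-NetMask ([int]$length))"
    if (-not $existing.ContainsKey($key)) { $missing += $prefix }
}

if ($missing.Count -eq 0) {
    Write-Host "All on-premises prefixes are present in $RoutesFile"
    return
}
Write-Warning "Missing on-premises routes: $($missing -join ', ')"
if ($Fix) {
    foreach ($prefix in $missing) {
        $network, $length = $prefix -split '/'
        $mask = ConvertTo-NetMask ([int]$length)
        Add-Content -Path $RoutesFile -Value "ADD $network MASK $mask default METRIC default IF default"
    }
    Write-Host "Appended $($missing.Count) route(s); reconnect the VPN to apply them."
}
```

Run it without -Fix first to see which prefixes are absent; the same script can be distributed through your endpoint-management tooling if, as in the original poster's case, the client profile cannot be switched to OpenVPN.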

Thanks @GitaraniSharmaMSFT-4262, I think the clients aren't getting the routes from the Azure VPN. Any idea what could cause that? We don't want to have to push this routes.txt file out to all client VPN devices.


Hello @FlatulentMonk ,

I did some internal research on this issue and found that the P2S VPN client package not getting the learned routes from the same hub's VPN gateway is caused by the use of the IKEv2 protocol. If you are using IKEv2 instead of OpenVPN, then it requires the manual entry of routes as I mentioned above. OpenVPN will be able to propagate these routes without manual entry.

Could you please confirm if you are using the IKEv2 protocol for your P2S VPN? If yes, then you will have to change it to OpenVPN.
Refer to: https://docs.microsoft.com/en-us/azure/virtual-wan/howto-openvpn-clients?

Regards,
Gita


Hello @FlatulentMonk ,

Could you please provide an update on this post?

Kindly let us know if the above helps or you need further assistance on this issue.

Regards,
Gita Sharma

DanJohnson-2139 replied to GitaraniSharmaMSFT-4262:

Hello @GitaraniSharmaMSFT-4262 ,

Yes, we are using IKEv2 and we cannot change to OpenVPN, so we are pushing out the updated routes to the clients. Thank you for your research and assistance.
