NSimpraga-7653 asked:

Azure Virtual WAN - routing internet traffic for P2S connections

Greetings,

This question relates to the following already existing one: https://docs.microsoft.com/en-us/answers/questions/589858/azure-wan-and-p2s-vpn-forced-tunneling.html

I am facing the same issue: after connecting successfully to the P2S VPN of the virtual hub in the VWAN, my client routing still uses my local adapter and my default ISP's public IP.
The proposed solution of adding the 0.0.0.0/1 and 128.0.0.0/1 routes to the route table of the virtual hub does not work (extensively tested), since for unknown reasons the two routes do not get propagated to the client this way.

201956-image.png
201966-image.png

After 'Securing Internet Traffic' through the UI in the Security Configuration of the Firewall, the 0.0.0.0/0 route gets added to the route table and that route does get propagated to the client but it does not force the traffic to use the VPN connection, instead it stays on the local adapter & client ISP public IP.

201967-image.png
201934-image.png
202002-image.png

The only workaround that is working is manually editing the azurevpnconfig.xml file and adding the two 0.0.0.0/1 and 128.0.0.0/1 routes there manually. After that the routes show up in the Azure VPN Client and the VWAN Firewall public IP starts to be used. Also one peculiarity here is that tracert and ping (ICMP?) through cmd stop working after this type of configuration.

Is there any proper way to force these two routes to be propagated & advertised to the clients, without a workaround like mentioned above?
This workaround is not acceptable since it moves a central part of configuration away from the central portal and into a simple configuration file which will be distributed and can easily be manually edited.

I suppose this is somewhat of a bug which needs to be addressed by Microsoft.


ricardosolisvillegas-4678 answered:

Hello @NSimpraga-7653

Thank you for your post.

I would like to assist you on this one.... I wonder if you can gather a route print output while the PC is connected to the VPN client, please.

Regards,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Also, I have noticed that you are showing the Azure portal setup, which is good for us to get a clue of what you are planning to accomplish, but forced tunneling can be configured by using Azure PowerShell. It can't be configured using the Azure portal.

Looking forward to your feedback!

Cheers,

NSimpraga-7653 commented:

Hi, thanks for answering!
Here's the output of route print while connected to the VPN:

202229-routeprint.txt

Regarding setup via PowerShell, the only guide I've found is this one: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling
Problem is, this is for VPN Gateway, which is different from Virtual WAN, which has the same functionalities plus much more, and the setup can't be mimicked.

Let me know how to proceed, thanks!


Hi,

Thank you for your answer.

Please see my comments below:

- Did you issue the following syntax: `Update-AzP2sVpnGateway -ResourceGroupName "sampleRG" -Name "p2sgwsamplename" -EnableInternetSecurityFlag`?

- Also, from the following blade panel on the portal, "Virtual WAN/Connectivity/Virtual network connections/Add connection"... Did you set up any setting from Routing configuration (like Propagate to and so on)?

Which client version is used?

With which of the following tunnel types was the test made: IKEv2 VPN or OpenVPN?

Have you reviewed the "Effective Routes Table"?

Regards,

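The comments above turn on what the client's route table actually says once the tunnel is up, and on why two /1 routes behave differently from a second 0.0.0.0/0. As an added example, not from this thread and not Microsoft's code, here is a small Python parser for the IPv4 section of Windows `route print` output that picks the egress interface for a destination the way Windows does (longest prefix first, then lowest metric) and reports whether all Internet-bound traffic would leave via the VPN adapter. Both route tables are constructed samples, not the asker's attached routeprint.txt; the adapter addresses 172.16.0.2 (VPN) and 192.168.1.10 (physical, ISP gateway 192.168.1.1) are assumptions.

```python
import ipaddress
import re

# Constructed samples modelled on the IPv4 section of Windows `route print`
# output; they are not the asker's attached routeprint.txt. Assumed addresses:
# 172.16.0.2 is the Azure VPN Client adapter, 192.168.1.10 the physical adapter
# whose ISP gateway is 192.168.1.1.

# Case 1: the two half-default routes (0.0.0.0/1 and 128.0.0.0/1) point at the tunnel.
ROUTE_PRINT_SPLIT_DEFAULT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10     25
          0.0.0.0        128.0.0.0          On-link       172.16.0.2     26
        128.0.0.0        128.0.0.0          On-link       172.16.0.2     26
         10.0.0.0        255.0.0.0          On-link       172.16.0.2     26
      192.168.1.0    255.255.255.0          On-link     192.168.1.10    281
===========================================================================
"""

# Case 2: only a second 0.0.0.0/0 was pushed over the tunnel, with a worse metric.
ROUTE_PRINT_DEFAULT_ONLY = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10     25
          0.0.0.0          0.0.0.0          On-link       172.16.0.2     26
         10.0.0.0        255.0.0.0          On-link       172.16.0.2     26
      192.168.1.0    255.255.255.0          On-link     192.168.1.10    281
===========================================================================
"""

# destination  netmask  gateway  interface  metric
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(route_print_text):
    """Return a list of (network, gateway, interface, metric) tuples."""
    routes = []
    for line in route_print_text.splitlines():
        match = ROUTE_LINE.match(line)
        if not match:
            continue  # headers, separators and non-route lines
        dest, mask, gateway, iface, metric = match.groups()
        # strict=False lets "0.0.0.0/128.0.0.0" become 0.0.0.0/1 without complaint
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((network, gateway, iface, int(metric)))
    return routes


def select_route(routes, destination):
    """Pick the route Windows would use: longest prefix first, then lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))


def egress_interface(route_print_text, destination):
    """Interface address that traffic to `destination` leaves on, or None."""
    route = select_route(parse_routes(route_print_text), destination)
    return route[2] if route else None


def forced_tunnel_enforced(route_print_text, vpn_interface):
    """True if a probe in each half of the IPv4 space (0.0.0.0/1 and 128.0.0.0/1)
    egresses via the VPN adapter. A quick check for the usual split-default layout,
    not a proof: finer carve-outs between the probes would not be noticed."""
    probes = ("1.1.1.1", "203.0.113.50")  # one address in each half
    return all(egress_interface(route_print_text, p) == vpn_interface for p in probes)


if __name__ == "__main__":
    for label, table in (("split default", ROUTE_PRINT_SPLIT_DEFAULT),
                         ("default only", ROUTE_PRINT_DEFAULT_ONLY)):
        print(label, "-> 8.8.8.8 leaves via", egress_interface(table, "8.8.8.8"),
              "| forced tunnel:", forced_tunnel_enforced(table, "172.16.0.2"))
```

In the first sample the two /1 routes are more specific than the ISP's 0.0.0.0/0, so they win on prefix length regardless of metric; in the second, the tunnel's 0.0.0.0/0 ties on prefix length and loses on metric, which is the kind of outcome the asker describes after "Securing Internet Traffic" added only a 0.0.0.0/0. Running this over a real `route print` capture is a cheap way to confirm whether a forced-tunnel policy is actually in effect on a client before trusting it.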
ricardosolisvillegas-4678 answered:

Hello @NSimpraga-7653

I hope you are doing excellent.

Do you have any other concern at this time?

Looking forward to hearing back from you.

BR,

ricardosolisvillegas-4678 answered:

Hello @NSimpraga-7653

Thank you for your patience on this.

I want to give my own observation on this setup.

For instance, I would like to provide this great and basic statement below:

203959-image.png
This is a great detail to keep in mind when forcing traffic to be inspected by Azure Firewall.

204042-image.png


Private traffic prefixes can also be a public IP address within your Azure environment.

204003-image.png




Once that is read, let's try to understand how to get this going the way you intended or planned.
For instance, I have the following observations:

- Route propagation on a P2S tunnel can be applied to VNET-VNET peering using the BGP protocol (also remember that if there is more than one VNET peering, you might be using allow transit and so on).
- Route propagation on a P2S tunnel can be applied to local gateway networks.
- Route propagation on a P2S tunnel can be applied to virtual network address prefixes.
- Routes learned from other BGP peering sessions connected to the Azure VPN gateway, except for the default route or routes that overlap with any virtual network prefix.
- Routes learned from other BGP peering sessions connected via ExpressRoute.
- Routes learned when propagation is enabled from custom route tables.

Having said that, I know that you are using a Virtual WAN setup, but the same expected behavior is happening as explained on the next page:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing

Finally, I would say that the remaining options might be the one you implemented (manually on the VPN client configuration file), using an NVA, or BGP route propagation from on-premises.

I hope this time the information provided was useful, as well as good guidance to understand the behavior observed.

Best Regards,


NSimpraga-7653 answered:

Basically, what you are saying is the following: there is no proper solution to the problem, I need to use the workaround which is insecure and easily circumventable by any end-user who can open an .xml file and change it to his own liking, and by doing so break any company policy for routing and inspecting VPN traffic?

Very poor from Microsoft. One of the most basic functionalities of forcing the routing of internet traffic through a VPN is missing... from such an expensive and comprehensive solution (Azure VWAN) which should offer all these things out of the box.


Thank you for the response.

As I mentioned previously @NSimpraga-7653, you can use any of the options given above, but the one that can fit into your scenario is: try injecting a default route (0.0.0.0/0) that is originated by an NVA (Network Virtual Appliance) in Azure.

BR,


ricardosolisvillegas-4678 commented:

Just my last observation on this: get a support ticket with Azure and submit this to the proper engineering team.

Have a good one!

NSimpraga-7653 answered:

I am a bit disappointed, but this falls out of the scope of support provided here, and, as you said, a support ticket might be the next step.
Thank you for your time and assistance!


Hi @NSimpraga-7653

Hoping you are doing well.

I fully understand your comment, and I agree with you that this falls out of the scope of support provided here.

You're welcome!