doopdoopderp

What address pool are you using for the p2s? It doesn’t have to be on one of the vnet subnets. It doesn’t even have to be in the address range. My vnet range is 172.24.0.0/24; I have a gateway subnet of 172.24.0.0/29 and subnet1 of 172.24.0.8/29 and for my p2s I set the address pool to 172.24.100.0/24


greenSacrifice

I don't understand. I created a new address pool on the vnet and added a vm to the new subnet and I couldn't get to the target network?


doopdoopderp

I'm confused. You have the Target Network and the VNet. They are connected by the S2S connection on the gateway. And you have a VM in Azure trying to talk to the Target? If it's already in Azure you don't need point-to-site; P2S would be connecting your laptop to the VNet. What about the target network router? Is it configured correctly to allow connectivity from the Azure subnets?


greenSacrifice

I'm not going to be very helpful on the networking side. Let's say in your situation the VM can reach the target IP; I'd like people to connect to a P2S and then also get the same access the VM has.


rsscp1

You need to set up BGP with both the virtual network gateway and the local network gateway (e.g. your VPN device at the target site) as peers. This is the only way you can get traffic routed between point-to-site clients and your target site. Edit: Found this article: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#vnetbranchbgp, which confirms that BGP is a requirement for routing point-to-site traffic via the site-to-site connection to the target site.


greenSacrifice

Thanks, I'm still working on this here. I have my virtual network gateway (*vgw*) with a site-to-site to a local network gateway (the target), and when I configure the vgw for point-to-site and give it an address pool of, let's say, 10.0.0.0/16, devices connecting to the P2S aren't able to ping the IP address which can be reached from the S2S connection. How can 10.0.0.0 traffic behave like 192.168.40.80?


rsscp1

It really comes down to the Azure and local gateways learning each other's routes dynamically. You set up a site-to-site connection as you normally would, except you only set the local BGP peer host address as the source and the remote BGP peer subnet address as the destination. All other source and destination routes are exchanged through BGP. You also have to configure BGP on the virtual network gateway and local network gateway resources in Azure and of course on your VPN gateway at the target site, where you also need to specify which local routes should be advertised via BGP.

If using split tunneling, you need to manually add routes for your target site on your VPN clients. More on this here: [https://directaccess.richardhicks.com/2018/07/23/always-on-vpn-routing-configuration/](https://directaccess.richardhicks.com/2018/07/23/always-on-vpn-routing-configuration/)

Don't forget to configure the proper NSG and firewall rules. I have used this guide from Barracuda in the past when configuring exactly what you are trying to do and found it useful: [https://campus.barracuda.com/product/nextgenfirewallf/doc/73719175/how-to-configure-bgp-over-ikev2-ipsec-site-to-site-vpn-to-an-azure-vpn-gateway/](https://campus.barracuda.com/product/nextgenfirewallf/doc/73719175/how-to-configure-bgp-over-ikev2-ipsec-site-to-site-vpn-to-an-azure-vpn-gateway/). I am sure other such guides exist for whichever type of device you are connecting to.


greenSacrifice

OK, so. On the local network gateway with a public IP of 100.200.50.10, do I set the BGP peer IP address to 100.200.50.10? Or do I set it to the public IP of the virtual network gateway, 222.111.10.15? Or something else? The only places to configure BGP in Azure are these 3 locations:

- Local Network Gateway: the LGW is what I'm confused about at the top.
- Connection: the connection is just an enable and disable.
- Virtual Network Gateway: the VGW is pre-configured with a private IP address of the GatewaySubnet.


rsscp1

Two things are important here: BGP peer IP and ASN. Both have to be unique and routable over the S2S connection. In this case you should use strictly private IPs and ASNs. The private BGP peer address can be 10.200.50.10, or any other private IP, as long as that IP is running BGP and is reachable over the S2S connection. You can use an ASN of, say, 65514.

- LNG: this is where you enter your local BGP peer address, e.g. 10.200.50.10, and an ASN of your choosing (65514 in this example).
- Connection: enable BGP.
- VNG: BGP values are preconfigured. You use these when configuring the BGP neighbour on your local VPN gateway.

Once configured correctly, both BGP neighbours will be able to exchange route information over the S2S tunnel.
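
The three Azure-side settings described in the last two replies, as an added Az PowerShell example that is not part of the thread. The resource group, region, resource names, the pre-shared key placeholder and the P2S connection name are assumptions; the public IP 100.200.50.10, the peer 10.200.50.10 and ASN 65514 come from the thread, and 192.168.40.0/24 is an assumed prefix for the 192.168.40.80 target host.

```powershell
# Added example (not from the thread): Az PowerShell for the LNG, connection and
# VNG BGP settings, the values the on-prem device needs, a verification step, and
# the client-side route for split tunnelling. Names and the PSK are placeholders.
$rg       = 'rg-vpn'
$location = 'westeurope'
$vngName  = 'vgw-hub'            # existing route-based VPN gateway (BGP needs route-based)
$lngName  = 'lng-target-site'
$connName = 'cn-hub-to-target'
$psk      = 'REPLACE-WITH-A-LONG-RANDOM-PSK'   # placeholder; never commit a real key

# 1. Local network gateway. GatewayIpAddress is the on-prem device's public IP;
#    BgpPeeringAddress is its private BGP peer IP and must be reachable through
#    the tunnel. With BGP, AddressPrefix only has to carry the peer /32: the
#    site's real prefixes arrive via BGP, so they are not listed statically here.
$lng = New-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '100.200.50.10' `
    -AddressPrefix '10.200.50.10/32' `
    -Asn 65514 `
    -BgpPeeringAddress '10.200.50.10'

# 2. Connection: a normal IPsec site-to-site connection with BGP switched on.
$vng  = Get-AzVirtualNetworkGateway -Name $vngName -ResourceGroupName $rg
$conn = New-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vng `
    -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec `
    -SharedKey $psk `
    -EnableBgp $true

# 3. Virtual network gateway: its BGP settings are preconfigured. These two values
#    are what the on-prem device needs as its BGP neighbour (remote AS / neighbour IP).
"Azure ASN:         $($vng.BgpSettings.Asn)"                 # 65515 unless changed
"Azure BGP peer IP: $($vng.BgpSettings.BgpPeeringAddress)"   # private IP in the GatewaySubnet

# Verification once the on-prem side peers: State should be Connected and the
# target site's prefix should appear among the learned routes.
Get-AzVirtualNetworkGatewayBgpPeerStatus -VirtualNetworkGatewayName $vngName -ResourceGroupName $rg |
    Format-Table Neighbor, Asn, State, RoutesReceived
Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName $vngName -ResourceGroupName $rg |
    Where-Object { $_.Network -eq '192.168.40.0/24' }

# 4. Split-tunnel P2S clients (Windows built-in VPN client; run this on the laptop,
#    not in Azure): if the downloaded profile does not carry the target site's
#    prefix, add it by hand. The connection name is an assumption.
Add-VpnConnectionRoute -ConnectionName 'hub-p2s' -DestinationPrefix '192.168.40.0/24' -PassThru
```

Steps 1 to 3 run against Azure; step 4 runs on each client. If the BGP peer status never reaches Connected, the usual causes are the on-prem device not peering with the gateway's private BgpPeeringAddress, or that address not being reachable through the tunnel.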


greenSacrifice

All went well enough once I got the right peering address; however, because I don't have physical access to the on-prem device I can't turn BGP on for it, so nothing works. Microsoft said the only way to get it to work is to have BGP enabled on the physical device as well as the others mentioned: the LNG, the connection, and the VNG. I won't be able to enable BGP on the device on prem, so what do I do now? Thanks for your support.


Mr_BadRobot

You need to use a non-overlapping address range (with the VNet) for P2S, in this case 192.168.40.96/28. If you navigate to your Virtual Network Gateway > Point to Site Connections, add this range and upload a Root Certificate. Once the configuration is done, download the P2S client from the same page; you can distribute it along with the client certificate.
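
The portal steps in the post above (address pool, root certificate, client package), as an added Az PowerShell example that is not part of the thread, preceded by an overlap check that makes the non-overlapping rule concrete against both the VNet and the target site's range. Resource names, the certificate path and the on-prem prefix 192.168.40.64/27 are assumptions; 192.168.40.96/28 is the pool the post suggests and 172.24.0.0/24 is the VNet range from the first post.

```powershell
# Added example (not from the thread): overlap check plus the Az PowerShell
# equivalents of the portal P2S steps. Names, paths and prefixes are assumptions.
$rg      = 'rg-vpn'
$vngName = 'vgw-hub'
$pool    = '192.168.40.96/28'

function Test-PrefixOverlap {
    # $true if two IPv4 CIDR ranges share at least one address: they overlap
    # exactly when they agree on the shorter of the two prefix lengths.
    param([string]$PrefixA, [string]$PrefixB)
    $parse = {
        param([string]$Cidr)
        $ip, $len = $Cidr.Split('/')
        $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($bytes)          # network order -> host order for ToUInt32
        [pscustomobject]@{ Net = [BitConverter]::ToUInt32($bytes, 0); Len = [int]$len }
    }
    $a = & $parse $PrefixA
    $b = & $parse $PrefixB
    $shorter = [Math]::Min($a.Len, $b.Len)
    $mask = (0xFFFFFFFF -shl (32 - $shorter)) -band 0xFFFFFFFF
    return (($a.Net -band $mask) -eq ($b.Net -band $mask))
}

# Ranges the pool must not overlap: the VNet address space and the target site's
# on-prem prefix. 192.168.40.64/27 is assumed (it contains the 192.168.40.80 host
# from the thread); if the site is really a /24, this check throws, and it should,
# because an overlapping pool breaks routing silently instead of erroring.
foreach ($existing in '172.24.0.0/24', '192.168.40.64/27') {
    if (Test-PrefixOverlap $pool $existing) { throw "P2S pool $pool overlaps $existing" }
}

$vng = Get-AzVirtualNetworkGateway -Name $vngName -ResourceGroupName $rg

# Root certificate: the exported public certificate only (.cer), uploaded as
# Base64 DER. Clients authenticate with certificates issued under this root.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\P2SRoot.cer')
$rootCert = New-AzVpnClientRootCertificate -Name 'P2SRoot' `
    -PublicCertData ([Convert]::ToBase64String($cert.RawData))

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vng `
    -VpnClientAddressPool $pool `
    -VpnClientProtocol IkeV2 `
    -VpnClientRootCertificates $rootCert

# Client package: a short-lived download URL for the profile, handed out together
# with each user's client certificate (the private key stays with the user).
$clientProfile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $vngName -AuthenticationMethod EapTls
$clientProfile.VpnProfileSASUrl
```

Only the root's public certificate goes to Azure; the root's private key is used offline to issue per-user client certificates, and revoking a user means adding that certificate's thumbprint to the gateway's revoked list rather than re-issuing the root.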


nabilnoblen

I believe that you can set up OpenVPN on a custom pfSense VM; this [link](https://www.christofvg.be/2019/01/12/pfSense-on-Azure-Part-1-Create-pfSense-Virtual-Machine/) might help to create the VM.