Let's Configure Azure Site-to-Site VPN with RRAS in Azure Resource Manager!


UPDATE 12/20/2016: The correct port forwarding rules need to be in place in order for the VPN to work.  Here is a link to a blog with more information about which ports need to be configured on the router.

There are several blog posts about configuring an Azure site-to-site VPN with Microsoft RRAS in the old Azure portal.  I did find that Cheryl McGuire wrote an article about creating a site-to-site VPN in Azure Resource Manager with PowerShell here. However, this post is more specific about configuring RRAS together with the Azure site-to-site VPN.

In the old Azure portal once you configured a site-to-site VPN it would generate a script that would configure RRAS on a Windows Server.  I have not been able to find where or even if that script is created in the new Azure portal.  So we are going to manually configure RRAS.

NOTE: In this post I will be disabling IPv6 because it is not used.

Before you begin you will need a Windows Server 2012 R2 that has 2 NICs.

Configuring the RRAS Server's NICs...

Label one NIC to be External and one to be Internal.

Go into the properties of the External adapter.

  • Uncheck everything except for TCP/IPv4.
  • Go into the properties of TCP/IPv4 and configure:
    • IP Address
    • Gateway
    • DNS Servers
    • Advanced Settings -> WINS -> Disable NetBIOS over TCP


Click OK to close out the External adapter properties.

Go into properties of the Internal adapter.

  • Uncheck TCP/IPv6.
  • Go into the properties of TCP/IPv4 and configure:
    • IP Address
    • DNS Servers

NOTE: Do not configure a gateway for the Internal adapter.  This will ensure all traffic is routed through the External adapter.

In other articles about setting up a site-to-site VPN with Azure it is recommended that you assign the External IP address in the DMZ on the router.  I did not do that because this is just a home lab and it still works fine.  However, without the External adapter in the DMZ, Azure is unable to initiate the connection.
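The same two-NIC layout done from an elevated PowerShell session on the RRAS server, as an added example that is not part of the original post. The adapter names, addresses, gateway and DNS servers are assumed sample values; replace them with your own.

```powershell
# Added example: External/Internal NIC configuration for the RRAS server.
# All IP addresses below are assumed sample values (192.168.1.0/24 = router-side LAN,
# 10.10.0.0/24 = internal on-prem network).

# Name the adapters so the RRAS console and the rest of this script read clearly.
Rename-NetAdapter -Name 'Ethernet'   -NewName 'External'
Rename-NetAdapter -Name 'Ethernet 2' -NewName 'Internal'

# --- External adapter: keep only TCP/IPv4 bound ---------------------------------
# Disable every binding except ms_tcpip (IPv4): IPv6, client for MS networks,
# file/printer sharing, etc. This is "Uncheck everything except for TCP/IPv4".
Get-NetAdapterBinding -Name 'External' |
    Where-Object { $_.ComponentID -ne 'ms_tcpip' -and $_.Enabled } |
    ForEach-Object { Disable-NetAdapterBinding -Name 'External' -ComponentID $_.ComponentID }

# Static IP, default gateway and DNS on the External adapter.
New-NetIPAddress -InterfaceAlias 'External' -IPAddress '192.168.1.10' `
    -PrefixLength 24 -DefaultGateway '192.168.1.1'
Set-DnsClientServerAddress -InterfaceAlias 'External' -ServerAddresses '192.168.1.1'

# Advanced -> WINS -> Disable NetBIOS over TCP/IP. There is no NetTCPIP cmdlet for
# this, so use WMI: SetTcpipNetbios(2) means "disable".
$extIdx = (Get-NetAdapter -Name 'External').InterfaceIndex
Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.InterfaceIndex -eq $extIdx } |
    ForEach-Object { [void]$_.SetTcpipNetbios(2) }

# --- Internal adapter: IPv4 only and NO default gateway -------------------------
Disable-NetAdapterBinding -Name 'Internal' -ComponentID 'ms_tcpip6'
# No -DefaultGateway here on purpose: all off-subnet traffic must leave via External.
New-NetIPAddress -InterfaceAlias 'Internal' -IPAddress '10.10.0.1' -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias 'Internal' -ServerAddresses '10.10.0.5'

# Check: there should be exactly one 0.0.0.0/0 route and it should sit on External.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Select-Object InterfaceAlias, NextHop
```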

Installing the RRAS Roles and Features...

Now that the networking has been configured, make sure that the server has the latest updates.

Open Server Manager. Select Manage -> Add Roles and Features.

On the Add Roles and Features Wizard

  • Before You Begin: Click Next
  • Installation Type: Role-based -> Click Next
  • Server Selection: Select a server from the server pool -> RRAS-Server -> Click Next
  • Server Roles: Check Remote Access -> Click Next
  • Features: Click Next
  • Remote Access: Click Next
    • Role Services:
      • Direct Access and VPN (RAS)
        • Click Add Features on the pop-up window
      • Routing
      • Click Next
  • Web Server Role (IIS): Click Next
    • Role Services
      • Accept Defaults: Click Next
  • Confirmation: Click Install

While that installs, let's head over to Azure.

Setting up / configuring the VPN in Azure...

NOTE: For this walk-through all resources will be specified in East US.  As my own personal best practice I place all my resources in the same location.

Go to Virtual Networks and click Add.

On the Create virtual network blade fill in the following:

  • Name - RRAS-S2S-Vnet
  • Address space - 10.2.0.0/16
    • There will need to be 2 subnets created so the address space here will have to be big enough for your 2 subnets.  I am going to have 2 /24 subnets under this to help clarify the differences in the 2 subnets.
  • Subnet name - default
    • This is the subnet you will use for your Azure VMs.
  • Subnet address range - 10.2.0.0/24
    • This is the address range that will be used for the Azure VMs.
  • Subscription - pick your subscription
  • Resource group - S2S-Test
    • This is creating a resource group that we will use for the rest of the resources.
  • Location - Pick the location you want your Virtual Network to reside.

Click Create.

Next you need to create a subnet for the virtual network gateway.  Click on Virtual Networks.

On the Virtual Networks blade click the RRAS-S2S-Vnet network.  Then click on All settings -> Subnets -> Add.

On the Add subnet blade fill in the following:

  • Name - GatewaySubnet
    • This has to be the name of the subnet for the Virtual Network Gateway.
  • Address Range - 10.2.1.0/24
    • This is the IP range for the RRAS server to use.

Click OK

After the Virtual Network is deployed click on Virtual network gateways.

Click on Add

On the Create virtual network gateway blade type in the name of the virtual network gateway, RRAS-S2S-VnetGW. Then click Choose virtual network and select the RRAS-S2S-Vnet virtual network.

 

Back on the Create virtual network gateway blade click Choose a public IP address. Then on the Choose public IP address blade click Create new.

On the Create public IP address blade type in the name for the public IP address resource and click OK.

Back on the Create virtual network gateway blade select the following:

  • Gateway type: VPN
  • VPN type: Route-based
  • Subscription: your Azure subscription

Click on Select existing under Resource group, then on the Resource group blade select S2S-Test and click OK.

Back on the Create virtual network gateway blade select East US as the Location and then click OK.

Back on the Create virtual network gateway blade review the options and then click Create.


After the Virtual Network Gateway is created select Virtual network gateways and then select RRAS-S2S-VnetGW.  The settings blade will appear. Make note of the Public IP address, this will be needed later.


 

Next go to Local network gateways and click Add.


On the Create local network gateway blade enter in the following information:

  • Name: RRAS-S2S-LclNetGW
  • IP address: Enter the public IP address of the network that the RRAS server is on
  • Address space: This is where the on prem network space can be set or left blank.
  • Subscription: Select your Azure subscription
  • Resource group: S2S-Test
  • Location: East US


Click Create.

After the Local network gateway is created, go to Local network gateways -> RRAS-S2S-LclNetGW-> Settings -> Connections.

Click Add.


On the Add connection blade fill in the following:

  • Name: RRAS-S2S-LclNetGW-Connection
  • Connection type: Site-to-site (IPsec)
  • Virtual network gateway: RRAS-S2S-VnetGW
  • Local network gateway: RRAS-S2S-LclNetGW
  • Shared key (PSK): Enter in any alphanumeric key as the key
  • Resource group: S2S-Test
  • Location: East US


Click OK.

The site-to-site VPN configuration in Azure is now complete.
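The Azure side of the walk-through built with the Az PowerShell module instead of the portal blades, as an added example that is not from the original post. Resource names, the VNet ranges and the location are the post's own; the on-prem public IP and address space are assumed sample values, and a random PSK is generated instead of typing "any alphanumeric key".

```powershell
# Added example: Azure-side S2S resources via the Az module (Connect-AzAccount first).
$rg  = 'S2S-Test'
$loc = 'East US'
New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# Virtual network with the VM subnet and the mandatory "GatewaySubnet".
$vmSubnet = New-AzVirtualNetworkSubnetConfig -Name 'default'       -AddressPrefix '10.2.0.0/24'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.2.1.0/24'
$vnet = New-AzVirtualNetwork -Name 'RRAS-S2S-Vnet' -ResourceGroupName $rg -Location $loc `
    -AddressPrefix '10.2.0.0/16' -Subnet $vmSubnet, $gwSubnet

# Public IP for the gateway, plus the IP configuration that ties it to GatewaySubnet.
$pip = New-AzPublicIpAddress -Name 'RRAS-S2S-VnetGW-pip' -ResourceGroupName $rg `
    -Location $loc -AllocationMethod Dynamic
$gwSubnetRef = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' `
    -SubnetId $gwSubnetRef.Id -PublicIpAddressId $pip.Id

# Route-based VPN gateway (Gateway type: VPN, VPN type: Route-based). Provisioning
# takes a long time; this call blocks until it finishes.
$vgw = New-AzVirtualNetworkGateway -Name 'RRAS-S2S-VnetGW' -ResourceGroupName $rg `
    -Location $loc -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Local network gateway = Azure's view of the on-prem side. GatewayIpAddress is the
# public IP in front of the RRAS server; AddressPrefix is the on-prem network space
# (both are sample values here). Filling in AddressPrefix instead of leaving it blank
# is what gives Azure a route back to on-prem systems.
$lgw = New-AzLocalNetworkGateway -Name 'RRAS-S2S-LclNetGW' -ResourceGroupName $rg `
    -Location $loc -GatewayIpAddress '203.0.113.10' -AddressPrefix '192.168.1.0/24'

# 256-bit random PSK rendered as 64 hex characters; record it, RRAS needs the same value.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

New-AzVirtualNetworkGatewayConnection -Name 'RRAS-S2S-LclNetGW-Connection' `
    -ResourceGroupName $rg -Location $loc -VirtualNetworkGateway1 $vgw `
    -LocalNetworkGateway2 $lgw -ConnectionType IPsec -SharedKey $psk | Out-Null

# The gateway's public IP is the "Destination Address" the RRAS demand-dial interface dials.
(Get-AzPublicIpAddress -Name $pip.Name -ResourceGroupName $rg).IpAddress
```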

Now we go back to the RRAS server...

After the install of the Remote Access role is complete, open up Routing and Remote Access.

Right-click the RRAS-Server and click Configure and Enable Routing and Remote Access.


The Routing and Remote Access Server Setup Wizard will appear.

  1. Welcome to the Routing and Remote Access Server Setup Wizard: Click Next
  2. Configuration: Select Secure connection between two private networks, click Next
  3. Demand-Dial Connections: Select Yes, click Next
  4. IP Address Assignment: Select Automatically, click Next
  5. Completing the Routing and Remote Access Server Setup Wizard: Click Finish

The Demand-Dial Interface Wizard will appear.

  1. Welcome to the Demand-Dial Interface Wizard: Click Next
  2. Interface Name: Type in Azure S2S, click Next
  3. Connection Type: Select Connect using virtual private network (VPN), click Next
  4. VPN Type: Select IKEv2, click Next
  5. Destination Address: Enter in the Public IP address of the Azure Virtual Network Gateway, click Next
  6. Protocols and Security: Check Route IP packets on this interface, click Next
  7. Static Routes for Remote Networks: Click Add
    • Static Route: Select Remote Network Support using IPv4:
      • Destination: 10.2.0.0
      • Network Mask: 255.255.255.0
      • Metric: 24
      • Click OK
    • Click Next
  8. Dial-Out Credentials: Type Azure for the User name, click Next
  9. Completing the Demand-Dial Interface Wizard: Click Finish

In the Routing and Remote Access window select RRAS-Server -> Network Interfaces.  Right-click on Azure S2S and select Properties.

Select the Security tab and under Authentication select Use preshared key for authentication. Type in the preshared key that was entered on the RRAS-S2S-LclNetGW-Connection.  Click OK.

Right-click on the Azure S2S network interface and click Connect.

After it connects open up a command prompt and ping 10.2.0.0.  You should get a response.

Now any Azure VM that you put on RRAS-S2S-Vnet will be able to communicate directly with your on-premise systems.

In order for any on-premise systems to communicate with the Azure VMs you will need to either set up a route for the Azure subnet to route through the RRAS server or set the gateway on your systems to be the RRAS server.
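The RRAS side of the walk-through (roles, the Azure S2S demand-dial interface, the static route, the connect and the on-prem route) done with the RemoteAccess module instead of the wizards, as an added example that is not from the original post. The gateway public IP, the PSK and the next-hop address for other on-prem machines are placeholders or assumed sample values; the interface name and subnet are the post's own.

```powershell
# Added example: configure RRAS for the Azure S2S link. Run elevated on the RRAS server.
$azureGwIp = '<public IP of RRAS-S2S-VnetGW>'              # placeholder, from the Azure portal
$psk       = '<PSK entered on RRAS-S2S-LclNetGW-Connection>' # placeholder, same value as in Azure

# Remote Access role with the "DirectAccess and VPN (RAS)" and "Routing" role services.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# Equivalent of "Secure connection between two private networks" in the setup wizard.
Install-RemoteAccess -VpnType VpnS2S

# Demand-dial interface "Azure S2S": IKEv2, pre-shared key authentication, and the
# static route to the Azure VM subnet written as subnet:metric (10.2.0.0/24, metric 24).
Add-VpnS2SInterface -Name 'Azure S2S' -Protocol IKEv2 -Destination $azureGwIp `
    -AuthenticationMethod PSKOnly -SharedSecret $psk `
    -IPv4Subnet '10.2.0.0/24:24' -Persistent

Connect-VpnS2SInterface -Name 'Azure S2S'
Get-VpnS2SInterface -Name 'Azure S2S' | Select-Object Name, ConnectionState

# Troubleshooting check from the comments: the route must be bound to the demand-dial
# interface, i.e. this should list 10.2.0.0/24 under the "Azure S2S" interface.
Get-VpnS2SInterface -Name 'Azure S2S' | Select-Object -ExpandProperty IPv4Subnet

# Same test as the post: after connecting, 10.2.0.0 should answer.
Test-Connection -ComputerName '10.2.0.0' -Count 2

# On any OTHER on-prem machine that should reach Azure VMs, either point its default
# gateway at the RRAS Internal adapter or add a persistent route through it
# (10.10.0.1 below is an assumed sample address for the RRAS Internal adapter):
#   route -p add 10.2.0.0 mask 255.255.255.0 10.10.0.1
```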

Comments (35)

  1. Kadabra says:

    Hi there
    The VPN is UP but
    "After it connects open up a command prompt and ping 192.167.0.0. You should get a response."
    No response to the ping and can't connect to any VM
    Any troubleshooting advice ?
    Thanks
    K

    1. JLetsch says:

      Verify that under IPv4 -> Static Routes, that your static route is set to use the Azure S2S interface and that the destination IP/subnet information is set correctly.

    2. Alan Sigudo says:

      I had this problem and I fixed it by setting a static IP for the demand-dial interface.
      RRAS > Network Interfaces > MyDemandDialInterfaceName : Properties > Networking > Ipv4 : Properties > "your IP configuration data"

    3. BJohnson says:

      Yep - that was it!! I can ping all addresses in the 192.167.X.X network. I also had to set the static IP for the Dial Up Adapter on the Network Interfaces as Alan described. When you go into the "properties" of the adapter it will be set to use an assigned IP Address. I changed it to 192.167.0.1 and it connected and was able to ping other addresses. I hope this helps someone else.

  2. Walter Chomak says:

    Spectacular blog! Thank you!

  3. Walter Chomak says:

    I can ping 192.167.0.0 using Alan's suggestion. However I cannot ping Azure VMs, nor can Azure VMs ping anything on premise. I am certain I missed something but can't seem to figure out what. Both Azure VMs can ping each other. Should I be able to ping Azure VMs from the RRAS server?

    1. cyclonetjc says:

      I am having the same issue, site to site is working but I cannot ping from onprem to azure and vice versa. Any idea anyone?

      1. JLetsch says:

        The VM has a Network Security Group associated with it just like the virtual network. So you have to go into the VMs NSG and add a rule in to allow ICMP.

        1. Dave says:

          Can you explain how? I can still see my connection is up, but I can't RDP to the server in Azure SRM with its new IP 🙁

          1. JLetsch says:

            Go to the NSG for that server and make a rule to allow RDP traffic. If the server does not have an NSG associated with it then it is the Windows Firewall. Verify that the Windows Firewall is configured correctly. If you are connected try connecting to remote desktop from the RRAS server by way of the internal Azure ip of the Azure VM.

        2. cyclonetjc says:

          Hi, There is currently no NSG applied to the VM on Azure. But that does not explain why from Azure I cannot ping on prem (RRAS) server. Any clue?

          1. JLetsch says:

            Check the firewall of the RRAS server. Unless you setup DNS for the Azure and On Prem systems just ping by IP. If you want to ping to other systems on prem then the on prem systems need to have the RRAS server as their default gateway.

  4. cyclonetjc says:

    Hi,
    Thanks for your assistance but I am still not able to ping or RDP from onprem to azure and vice versa. I checked and my site to site is connected. I had also checked the onprem firewall as well as the azure server firewall, I had tried with and without NSG with RDP enabled but nothing seem to work. Do you have any clue what else I might be missing or I had misconfigured?
    Regards.

    1. JLetsch says:

      Can you ping 192.167.0.0?

      1. cyclonetjc says:

        Yes I can, It seems that now I can ping from Azure to onprem but not the other way around.

        1. JLetsch says:

          If you can ping one direction then packets are flowing. It sounds like it is either a routing issue or firewall issue. Try setting your RRAS server as the GW server on another onprem server.

          1. Monte says:

            I have attempted all the checks listed in the responses and am still unable to get any pings to work to any resources either on premise or Azure based. Also, any reason as to why to even get ping to work to 192.167.0.0 a Static IP needs to be assigned to the Network Interface Azure S2S?

            Any help would be appreciated - thanks!

          2. JLetsch says:

            Pinging 192.167.0.0 is just to show connectivity has been established between on prem and Azure. The Azure S2S interface in RRAS is where you put the public IP address in your Azure Virtual Network Gateway, this is just telling RRAS the properties of the Azure Virtual Network Gateway's public IP and how to connect to it.

            Are you doing this from your home or from an office? If in the office, check to ensure network devices are allowing traffic.

          3. Monte says:

            All of this is being provisioned in a home lab by placing the RRAS VM in the DMZ.

            So, to get it to work (at least one way) from on premise to Azure via RDP to a VM, I did the following: I added my local on premise address space to the Local Network Gateway / RRAS-S2S-LclNetGW, where you have noted to leave it blank. I also reset the Azure S2S Demand-dial Network Interface back to DHCP instead of a static IP. After doing this, it connects and I am again now able to ping a VM running in Azure as well as connect via RDP from the RRAS server. I can do the same from any on premise box by adding a static route statement on that machine.

            My issue now is it doesn't work bi-directionally, as I cannot ping nor RDP to any on premise box from the Azure based VM? Thoughts?

          4. JLetsch says:

            Remember that if you want to ping from Azure to on prem that your on prem system’s gateway must be set to the RRAS server’s internal network adapter’s ip address. The address space on the local gateway can be set to the on prem network space. It might help with some so I’ll make note of it in the blog.

            The dial on demand should have always been set to DHCP. Setting that up is the last thing that is done and it doesn’t say anything about setting a static IP. Some others have set it but mine is set to DHCP and everything is working without any issue.

    2. JLetsch says:

      Please look at this blog for port forwarding information that is needed in order to make this work.

      https://blogs.technet.microsoft.com/rrasblog/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through/

  5. Justin Schneider says:

    When you say to create a local network gateway and use the Public IP of the network the RRAS server is on, your example shows a Private IP address and the GatewaySubnet (192.168.1.0/24) is not part of the virtual network's address space (192.167.0.0/16).

    What kind of black magic is this?

    1. JLetsch says:

      The local network gateway is where you tell Azure about your on prem network. The IP address I use in the example (10.10.10.10) is a representation of your on prem public IP address. The 192.168.1.0/24 is the on prem network address space that your on prem servers are on. The 192.167.0.0/16 is a network space in Azure that your Azure VMs will be a part of.

  6. Dima says:

    Hi JLetsch, can I use Windows Server 2012R2 RRAS at HA scenario?

    1. JLetsch says:

      Do you mean run RRAS on a 2012 R2 cluster? If you are, check out this link https://technet.microsoft.com/en-us/library/jj134175%28v=ws.11%29.aspx

  7. JLetsch says:

    Please look at this blog for port forwarding information that is needed in order to make this work.

    https://blogs.technet.microsoft.com/rrasblog/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through/

  8. Jeremy says:

    The last sentence saved me :). I had to reset my router, and forgot that I had added a route in there previously. Took me until this article to remember, thanks for writing that point down!

    1. JLetsch says:

      You're welcome. Glad it helped.

  9. Omid R says:

    Hello everyone,

    I've set up everything and it shows it is connected on both ends on RRAS and Azure but I cannot ping anything from Azure to on prem and from local to Azure!! Do you have any idea? My LAN is behind a Juniper SRX firewall, do I need to set up a rule for the core firewall?

    1. JLetsch says:

      I would start with reviewing the Juniper SRX firewall logs and rules to see if it is blocking traffic. The link at the top of the page has the firewall port information needed for the connection.

  10. eric says:

    Hi all,

    The VM on Azure is able to ping the on-prem RRAS.
    However the RRAS is unable to ping the Azure VM.

    I have removed NSG, firewall, iptables.
    A static route has also been assigned on the RRAS and I also assigned an Azure IP on the VPN interface.
    What is next ?

    1. JLetsch says:

      It sounds like the issue is with Azure. It could either be that the Azure VM is not responding to ping because of the firewall (but you said you removed that), or the gateway in Azure doesn't know the route back to your RRAS server. Try doing a trace route on both sides and see where the packets drop. Also you could gather Wireshark data on both sides too and see if the Azure VM is responding but the packets are being lost at your gateway.

      1. eric says:

        Thank you for your information.

        Will the Azure gateway drop the ping (the response back) packet, even though the Azure VM can ping on-premise?
        How can we control the routing issue on the azure vpn gateway?

        Thanks so much

  11. chris says:

    192.167.0.0 is a public network id right? You need to buy that range right?

    1. JLetsch says:

      You are correct that it is part of a public IP space. I used it for an example purpose here so that there would be a visible distinction between Azure and Onprem. You can set it to be that IP space without any issues other than if you are trying to access a public resource within that same IP range. Thanks for pointing that out, I will update it to reflect another designated private IP space.
