Site to Site VPN is connected but still can not access resource on the other network

Hi Faisal Kabeer,

I’m following up to see if you’ve had a chance to review the answer provided by Andreas Baumgarten regarding your issue. If you found the response helpful, please click "Upvote and Accept Answer" on his post to let us know.

If you have any further questions or need additional assistance, feel free to ask. We’re here to help!

Thank you!

Best regards,

Ganesh Patapati

@Andreas Baumgarten I had to change the subnet range because as per client. so now the new address space is 172.20.1.0/26 under which there is 02 subnets
172.20.1.0/27 - Default Subnet
172.20.1.32/27 - Gateway Subnet

And I have asked the client to to allow route 172.20.1.0/26 on their end. and I have created route table in azure to their network. then I have established the connection but now that the status of the connection is "Not Connected"

Noted: The client is using a policy based VPN where as on Azure I have a route based firewall but I have enabled - Use policy based traffic selector option as well. I have attached a snip above.

Is there anything I am missing here which could be the reason my the connection is still not connect status.

Hi @Faisal Kabeer ,

the Azure VPN Site To Site connection to the on-premises client network worked before?

Are there any changes in the VPN Site To Site configuration or on the on-premises configuration beside different IP ranges?

Please take a look here: Troubleshooting: An Azure site-to-site VPN connection can't connect and stops working

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

Yes earlier with the old subnet the connected status was "connected"

I do not think so there is any changes with the configuration because I used the same one. any changes on the whole configuration is the "address space" previously it was 172.20.0.0/20 under which i had these -
Azure VM is in the default subnet 172.20.0.0/24

Gateway is in GatewaySubnet 172.20.1.0/27 (This was the only range the client allowed at their end)

The client was not happy to allow this 172.20.0.0/20 which it was a huge scope.

So then I had the change the address space to this 172.20.1.0/26 which has

172.20.1.0/27 - Default Subnet

172.20.1.32/27 - Gateway Subnet

They have allowed 172.20.1.0/26 this space from there end which means both my deafult subnet & Gateway Subnet are allowed to communicated in their end right?

Hi @Faisal Kabeer ,

have you checked through the troubleshooting guide I provided above?

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

@Andreas Baumgarten Yes I did and everything seems to be correctly set

Above are the parameters and both my side and client side are having the same parameters.

Just wondering where I am missing

Hi @Faisal Kabeer ,

anything in the logs of the Azure VPN Gateway or/and on-premises VPN Gateway?
Troubleshoot Azure VPN Gateway using diagnostic logs

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

@Andreas Baumgarten Yes I have found this in the logs query_data.txt in the logs

Hi @Faisal Kabeer ,

it looks like the IKE Tunnel could not be established.

Could you please verify on both ends if the settings are matching.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

@Andreas Baumgarten I was able to sort this out, Thank you very much, I have an other query.

How/Can I create a Point to Site Connection so that user's can connect to the site to site VPN and access client's network?

Hi @Faisal Kabeer ,

maybe you like to share what the issue was with the tunnel connection?
This might be helpful for the community as well.

For Point To Site configuration please take a look here: Configure server settings for P2S VPN Gateway certificate authentication

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

@Andreas Baumgarten hey sure, so the client only allowed the Gateway Subnet from their end which is why we could not communicate to their network, I asked them to allow the whole address space that is when it worked.

Also I created a P2S connection with the link you provided but I will still not able to connect to it. the address space I gave for my P2S was 10.0.0.0/24 and I even added a route for this in our subnet. Does the client also need to allow the route 10.0.0.0/24 in this end?

But I though the P2S works in a way that user's use the P2S connection to establish with the Site to Site and then the traffic goes through that tunnel so does the P2S IP address 10.0.0.0/24 gets exposed to the client no right?

Hi @Faisal Kabeer ,

thanks for sharing the details.

By default the P2S VPN connection should be able to connect to the Azure resources.

If the computer using the P2S VPN connection should be able to connect to the on-premises network you need to add the routing for this (like described for the S2S VPN connection).

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

So does the Client also need to allow the routes for whatever IP the P2S is using?

Hi @Faisal Kabeer ,

I am not 100% sure and I can't test this at the moment. Please give it a try by yourself.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten