Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,805 questions
VPN connection with encryption domain different from vnet
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 75%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Mateo Panesso Piedrahita
0
Reputation points
I currently have a VPNGW2 configured in my subscription which must be used to establish a VPN connection with a provider which requires me to use the encryption domain they set for me which is x.x.195.123/32 but my vnet has x.x.0.0/16 in which I have the environment subnet and the VPN subnet so the connection with this provider is not established.
I have tried creating a new network space in the VNET, with its respective subnet and adding a second NIC to the VM but it fails to establish a connection even though routes were configured in the VM.
The current VPN SKU was changed to do it through NAT VPN but for this we need to use wildcards which the provider reuses for security reasons, what other option could you recommend?
{count} votes
-
KapilAnanth-MSFT 44,551 Reputation points Microsoft Employee2024-09-09T10:35:10.9166667+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
Per your verbatim,
- You have a VPN Gateway and VNET of address range x.x.0.0/16
- You want all traffic to be NATed to x.x.195.123/32 to be able to connect to the other side of the VPN.
As next steps,
- You can consider using Egress Dynamic NAT
- And map x.x.0.0/16 to x.x.195.123/32
- This should NAT all traffic from the VNET to x.x.195.123/32
Now, to address your queries,
#1 "I have tried creating a new network space in the VNET, with its respective subnet and adding a second NIC to the VM but it fails to establish a connection even though routes were configured in the VM."
- If you do this, Azure will still continue to advertise the original VNET address range along with the new network space
- So your OnPrem only expecting SP with "x.x.195.123/32", may be rejecting the connection request
- You can check with them on why they are blocking to get a correct answer
#2 "to do it through NAT VPN but for this we need to use wildcards which the provider reuses for security reasons"
- Can you elaborate?
- The vendor should only see the "x.x.195.123/32" in Traffic Selectors Negotiations and shouldn't be aware of the Azure end's network space.
P.S : The term "encryption domain" seems to be related to the third part, as I have not seen this reference wrt Azure VPN Gateways
Cheers,
Kapil
-
Mateo Panesso Piedrahita 0 Reputation points
2024-09-09T14:34:01.58+00:00 - You have a VPN Gateway and VNET of address range x.x.0.0/16
Yes
- You want all traffic to be NATed to x.x.195.123/32 to be able to connect to the other side of the VPN.
Yes
- You can consider using Egress Dynamic NAT
- And map x.x.0.0/16 to x.x.195.123/32
- This should NAT all traffic from the VNET to x.x.195.123/32
No, to use NAT you must set the VPN configuration to wildcards and not traffic selectors as it is a requirement of NAT VPN and in this step the provider tells me that for security reasons they only work with traffic selectors
to do it through NAT VPN but for this we need to use wildcards which the provider reuses for security reasons"
The encryption domain is the network space, the provider forces me to have a network space in azure determined by it and not the one I currently have
-
KapilAnanth-MSFT 44,551 Reputation points Microsoft Employee
2024-09-10T04:56:33.68+00:00 Without NAT, I doubt we can establish a Traffic Selector Policy using just "x.x.195.123/32" space.
You should consider moving away from "Policy based Traffic Selectors" and leveraging NAT to do this.
Please check with the vendor if they can support Route Based Tunnels
Cheers,
Kapil
Sign in to comment
Sign in to answer