This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 3%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Greetings,
this question relates to the following already existing one: https://video2.skills-academy.com/en-us/answers/questions/589858/azure-wan-and-p2s-vpn-forced-tunneling.html
I am facing the same issue: after connecting successfully to the P2S VPN of the virtual hub in the VWAN, my client routing still uses my local adapter and my default ISP's public IP.
The proposed solution of adding the 0.0.0.0/1 and 128.0.0.0/1 routes to the route table of the virtual hub does not work (extensively tested), since for unknown reasons the two routes do not get propagated to the client this way.
After 'Securing Internet Traffic' through the UI in the Security Configuration of the Firewall, the 0.0.0.0/0 route gets added to the route table and that route does get propagated to the client but it does not force the traffic to use the VPN connection, instead it stays on the local adapter & client ISP public IP.
The only workaround that is working is manually editing the azurevpnconfig.xml file and adding the two 0.0.0.0/1 and 128.0.0.0/1 routes there manually. After that the routes show up in the Azure VPN Client and the VWAN Firewall public IP starts to be used. Also one peculiarity here is that tracert and ping (ICMP?) through cmd stop working after this type of configuration.
Is there any proper way to force these two routes to be propagated & advertised to the clients, without a workaround like mentioned above?
This workaround is not acceptable since it moves a central part of configuration away from the central portal and into a simple configuration file which will be distributed and can easily be manually edited.
I suppose this is somewhat of a bug which needs to be adressed by Microsoft.
Hello @NSimpraga
Thank you for your post.
I would like to assist you on this one.... I wonder if you can gather a route print output while the PC is connected to the VPN client pls.
Regards,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Also, I have noticed that you are showing the Portal azure set up which is good for us to get a clue for what you are planning to accomplish but Forced tunneling can be configured by using Azure PowerShell. It can't be configured using the Azure portal.
Looking forward to your feedback!
Cheers,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hi, thanks for answering!
Here's the output of route print while connected to the VPN:
Regarding setup via PowerShell, the only guide I've found is this one: https://video2.skills-academy.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling
Problem is, this is for VPN Gateway which is different from Virtual WAN which has the same functionalities plus much more, and the setup can't be mimcked.
Let me know how to proceed, thanks!
Hi,
Thank you for your answer.
Please see my comments below:
-Did you issue the next syntax "Update-AzP2sVpnGateway -ResourceGroupName "sampleRG" -Name "p2sgwsamplename" -EnableInternetSecurityFlag"?
-Also, from the following blade panel on the portal "Virtual WAN/Connectivity/Virtual network connections/Add connection"... Did you set up any setting from Routing configuration(like Propagate to and so on)?
Which is the client version used?
Which is the following tunnel types IKEv2 VPN, OpenVPN was made the test?
Have you reviewed the "Effective Routes Table"?
Regards,
Don't know if I missed something, let me know if I did! Thanks for the assistance!
I would say that you are not missing it but I want to check the last details.
-Which is the region on which you have set it up?
-Are you using the preview virtual Wan feature?
-Do you have any Routing Intent and Routing policies configured?
Finally, the version should be software version 2:1900:39.0 or newer.
Regards,
Let me know how to proceed, thanks again!
Hi,
Thanks a lot for your reply.
I am wondering if you made the step for "Azure VPN app registration" and provide the right role assignment to the end-user where this VPN client is being tested.
Regards,
Are you talking about the Enterprise Application for Azure AD authentication for the VPN? I have created that already, Azure AD authentication is working properly, otherwise I would be unable to authenticate and connect to the VPN at all.
I configured the Enterprise App to be required for assignment, and assigned my user to the app for testing. Other than that, I haven't configured anything else on that side.
Don't believe the app has anything to do with the routes not being propagated, since that's a purely networking thing.
Is there any way to force the route propagation to clients via CLI or some other way (since it appears that the UI does nothing)?
Let me double-confirm via PS terminal.
On the meantime, do you have NAT on the setup?
BR,
I have the Firewall set up to secure internet traffic, as I screenshot already. That does SNAT when the traffic goes through the Firewall. Other than that, no NAT policies.
Screenshot of SNAT tab in firewall policy:
Hello @NSimpraga
I hope you are doing excellent.
Do you have any other concern at this time?
Looking forward to hear back from you.
BR,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hello @NSimpraga
Thank you for your patience on this.
I want to give my own observation for this set up.
For instance, I would like to provide this great and basic statement below:
This is a great detail to keep in mind when forcing traffic being inspected from Azure Firewall.
Private traffic prefixes can be also an IP Public address within your Azure environment.
Once it is read, lets try to understand how to get this going as the way you intent or was planned.
For instance, I have the next observations below:
-Route propagation on PS2 tunnel can be applied to VNET-VNET peering using the BGP protocol(Also remember that if it is more than one VNET Peering so, you might be using allow transit and so on).
Having said that, I know that you are using a VIRTUAL WAN set up but the same expected behavior is happening as it is explained on the next page.
https://video2.skills-academy.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
Finally, I would say that the remaining option might be the one you implemented which is Manually on the VPN client configuration file, use an NVA or BGP route propagation from on-premises.
I hope this time the information provided before was useful as well as a good guidance to understand the behavior observed.
Best Regards,
Basically, what you are saying is the following: there is no proper solution to the problem, I need to use the workaround which is insecure and easily circumventable by any end-user who can open an .xml file and change it to his own liking, and by doing so break any company policy for routing and inspecting VPN traffic?
Very poor from Microsoft. One of the most basic functionalities of forcing the routing of internet traffic through a VPN is missing... from such an expensive and comprehensive solution (Azure VWAN) which should offer all these things out of the box.
Thank you for the response.
As I mentioned previously @NSimpraga , you can either use any of the options given above but the one that can fit into your scenario is.... Try injecting a default route (0.0.0.0/0) that is originated by an NVA(Network Virtual Appliance) in Azure.
BR,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Just my last observation on this is to get a support ticket with Azure and submit this to the proper engineering team.
Have a good one!.
I am a bit dissapointed but this falls out of the scope of support provided here, and, as you said, a support ticket might be the next step.
Thank you for your time and assistance!
Hi @NSimpraga
Hoping you are doing good.
I fully understand your comment as well as I agreed with you about this falls out of the scope of support provided here.
Your welcome!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.