P2S and S2S VPN in Azure

Raju

(@raju)

Member Admin

P2S and S2S VPN in Azure

Client VPN (P2S) access to on-prem via S2S both into same Azure VGW - Microsoft Q&A

Azure VPN Gateway: About P2S routing - Azure VPN Gateway | Microsoft Learn

Routing All Traffic Through a VPN Gateway on Linux – Sweetcode.io

Troubleshoot an Azure site-to-site VPN connection that cannot connect - Azure VPN Gateway | Microsoft Learn

Azure VPN Solution | Gateway for S2S and P2S tunnels (sylbek.de)

Does Azure VPN allow to route all traffic now? - Microsoft Q&A

You can direct all traffic to the VPN tunnel by advertising 0.0.0.0/1 and 128.0.0.0/1 as custom routes to the VPN clients.
Reference : https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling
Custom routes are supported and that forces all traffic from the client to Azure. However, I want to emphasize that the VPN client will loose all connectivity to the Internet (even through the local internet breakout as all traffic will be forced to Azure).

Kindly let us know if the above helps or you need further assistance on this issue.

Azure VPN Gateway: About P2S routing - Azure VPN Gateway | Microsoft Learn

 % sudo tcpdump -n -i utun4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on utun4, link-type RAW (Raw IP), capture size 262144 bytes
21:00:55.720732 IP 10.80.0.2 > 172.20.127.254: ICMP echo request, id 49463, seq 21, length 64

21:00:56.723321 IP 10.80.0.2 > 172.20.127.254: ICMP echo request, id 49463, seq 22, length 64
21:00:57.725902 IP 10.80.0.2 > 172.20.127.254: ICMP echo request, id 49463, seq 23, length 64
21:00:58.731149 IP 10.80.0.2 > 172.20.127.254: ICMP echo request, id 49463, seq 24, length 64
21:00:59.733383 IP 10.80.0.2 > 172.20.127.254: ICMP echo request, id 49463, seq 25, length 64
21:01:00.734273 IP 10.80.0.2 > 172.20.127.254: ICMP echo request, id 49463, seq 26, length 64
21:01:01.736066 IP 10.80.0.2 > 172.20.127.254: ICMP echo request, id 49463, seq 27, length 64
21:01:02.738025 IP 10.80.0.2 > 172.20.127.254: ICMP echo request, id 49463, seq 28, length 64
21:01:03.740065 IP 10.80.0.2 > 172.20.127.254: ICMP echo request, id 49463, seq 29, length 64
21:01:04.741600 IP 10.80.0.2 > 172.20.127.254: ICMP echo request, id 49463, seq 30, length 64
21:01:18.285588 IP 10.80.0.2.55228 > 172.20.127.254.53: 25852+ A? gitlab.emetric.net. (36)
21:01:23.290587 IP 10.80.0.2.55228 > 172.20.127.254.53: 25852+ A? gitlab.emetric.net. (36)
21:01:28.292515 IP 10.80.0.2.55228 > 172.20.127.254.53: 25852+ A? gitlab.emetric.net. (36)

sudo tcpdump -n -i utun4
Password:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on utun4, link-type RAW (Raw IP), capture size 262144 bytes
21:07:49.315740 IP 10.80.0.2.54420 > 172.20.127.254.53: 25181+ A? gitlab.emetric.net. (36)
21:07:49.821937 IP 10.80.0.2.58172 > 239.255.255.250.1900: UDP, length 176
21:07:50.827398 IP 10.80.0.2.58172 > 239.255.255.250.1900: UDP, length 176
21:07:51.835443 IP 10.80.0.2.58172 > 239.255.255.250.1900: UDP, length 176
21:07:52.842907 IP 10.80.0.2.58172 > 239.255.255.250.1900: UDP, length 176
21:07:54.320768 IP 10.80.0.2.54420 > 172.20.127.254.53: 25181+ A? gitlab.emetric.net. (36)
21:07:59.324947 IP 10.80.0.2.54420 > 172.20.127.254.53: 25181+ A? gitlab.emetric.net. (36)
21:08:44.728169 IP 10.80.0.2.62070 > 172.16.2.6.80: Flags [SEW], seq 3501051856, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2488655316 ecr 0,sackOK,eol], length 0
21:08:45.729412 IP 10.80.0.2.62070 > 172.16.2.6.80: Flags [S], seq 3501051856, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2488656316 ecr 0,sackOK,eol], length 0
21:08:46.729796 IP 10.80.0.2.62070 > 172.16.2.6.80: Flags [S], seq 3501051856, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2488657317 ecr 0,sackOK,eol], length 0
21:08:47.730258 IP 10.80.0.2.62070 > 172.16.2.6.80: Flags [S], seq 3501051856, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2488658318 ecr 0,sackOK,eol], length 0
21:08:48.732101 IP 10.80.0.2.62070 > 172.16.2.6.80: Flags [S], seq 3501051856, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2488659319 ecr 0,sackOK,eol], length 0
21:08:49.732086 IP 10.80.0.2.62070 > 172.16.2.6.80: Flags [S], seq 3501051856, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2488660319 ecr 0,sackOK,eol], length 0
21:08:51.733151 IP 10.80.0.2.62070 > 172.16.2.6.80: Flags [S], seq 3501051856, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2488662320 ecr 0,sackOK,eol], length 0
21:08:55.733488 IP 10.80.0.2.62070 > 172.16.2.6.80: Flags [S], seq 3501051856, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2488666321 ecr 0,sackOK,eol], length 0
21:09:03.734831 IP 10.80.0.2.62070 > 172.16.2.6.80: Flags [S], seq 3501051856, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2488674322 ecr 0,sackOK,eol], length 0

This topic was modified 2 years ago 8 times by Raju

Quote

Topic starter Posted : 09/12/2022 11:06 pm

Raju

(@raju)

Member Admin

ip route del default via 192.168.1.254

zsh: command not found: ip

brew install iproute2mac
 https://github.com/brona/iproute2mac

Before After VPN Connectivity

~ % ip route list 
default via 192.168.1.254 dev en0
127.0.0.0/8 via 127.0.0.1 dev lo0
127.0.0.1/32 via 127.0.0.1 dev lo0
169.254.0.0/16 dev en0  scope link
192.168.1.0/24 dev en0  scope link
192.168.1.249/32 dev en0  scope link
192.168.1.254/32 dev en0  scope link
224.0.0.0/4 dev en0  scope link
255.255.255.255/32 dev en0  scope link
~ % ip route list
default via link#22 dev utun4
default via 192.168.1.254 dev en0
10.80.0.0/24 dev utun4  scope link
20.253.234.102/32 via 192.168.1.254 dev en0
127.0.0.0/8 via 127.0.0.1 dev lo0
127.0.0.1/32 via 127.0.0.1 dev lo0
169.254.0.0/16 dev en0  scope link
172.16.0.0/16 dev utun4  scope link
172.20.0.0/16 dev utun4  scope link
172.23.4.0/27 dev utun4  scope link
172.29.64.0/18 dev utun4  scope link
172.31.0.0/18 dev utun4  scope link
172.31.64.0/19 dev utun4  scope link
172.31.96.0/19 via 192.168.1.254 dev en0
172.31.96.0/19 dev utun4  scope link
172.31.96.7/32 via 172.31.96.7 dev utun4
192.168.1.0/24 dev en0  scope link
192.168.1.249/32 dev en0  scope link
192.168.1.254/32 dev en0  scope link
192.168.31.0/24 dev utun4  scope link
192.168.60.0/22 dev utun4  scope link
192.168.65.0/24 dev utun4  scope link
224.0.0.0/4 dev utun4  scope link
224.0.0.0/4 dev en0  scope link
255.255.255.255/32 dev utun4  scope link
255.255.255.255/32 dev en0  scope link

This post was modified 2 years ago 2 times by Raju

ReplyQuote

Topic starter Posted : 10/12/2022 3:17 am

Raju

(@raju)

Member Admin

Gateway Server Health

https://23.100.92.196:8081/healthprobe

Troubleshoot an Azure site-to-site VPN connection that cannot connect - Azure VPN Gateway | Microsoft Learn

ReplyQuote

Topic starter Posted : 10/12/2022 4:08 am

Forum

[Sticky] P2S and S2S VPN in Azure