By default, Azure uses a route-based VPN when the IKEv2 option is selected (either because we prefer IKEv2, or because we want multiple VPN tunnels from the same VPN gateway, which is not possible with IKEv1). In practice this means that during phase 2 the Azure side proposes 0.0.0.0/0 as its local traffic selector, so phase 2, and with it the whole tunnel, fails to establish.
The 0.0.0.0/0 selector is only what we want when the customer site also uses a route-based VPN, where traffic is routed towards the VTI.
FIX
Open the bash console (Cloud Shell) in the Azure portal and select your subscription:
pawel@Azure:~$ az account set --subscription 1c65831a-cad7-4bf6-98b2-483sadf
Let’s view the current VPN connection settings:
pawel@Azure:~$ az network vpn-connection show -g Customer-Azure_Prod -n Customer-Cloud-VPN
This returns output in which we can see that policy-based traffic selectors are disabled (usePolicyBasedTrafficSelectors is false):
{
  "authorizationKey": null,
  "connectionMode": "Default",
  "connectionProtocol": "IKEv2",
  "connectionStatus": "notConnected",
  "connectionType": "IPsec",
  "dpdTimeoutSeconds": 45,
  "egressBytesTransferred": 12321039,
  "egressNatRules": null,
  "enableBgp": false,
  "etag": "W/\"b09c43b4-fa59-44ac-9920-0521e85552a1\"",
  "expressRouteGatewayBypass": false,
  "id": "/subscriptions/1c65831a-cad7-4bf6-98b2-4830b9448caf/resourceGroups/Gentex-Azure_Prod/providers/Microsoft.Network/connections/Gentex-vCloud-VPN",
  "ingressBytesTransferred": 58162468,
  "ingressNatRules": null,
  "ipsecPolicies": [],
  "localNetworkGateway2": {
    "id": "/subscriptions/1c65831a-cad7-4bf6-98b2-4830b9448caf/resourceGroups/Gentex-Azure_Prod/providers/Microsoft.Network/localNetworkGateways/Gentex-vCloud-LNG",
    "resourceGroup": "Customer-Azure_Prod"
  },
  "location": "uksouth",
  "name": "Customer-Cloud-VPN",
  "provisioningState": "Succeeded",
  "resourceGroup": "Customer-Azure_Prod",
  "resourceGuid": "a8f1a695-3aab-4f08-9edc-c385cbfa7abc",
  "routingWeight": 0,
  "sharedKey": "wMnjYHdfdfWbtKvc",
  "tags": null,
  "trafficSelectorPolicies": [],
  "tunnelConnectionStatus": null,
  "type": "Microsoft.Network/connections",
  "useLocalAzureIpAddress": false,
  "usePolicyBasedTrafficSelectors": false,
  "virtualNetworkGateway1": {
    "id": "/subscriptions/1c65831a-cad7-4bf6-98b2-4830b9448caf/resourceGroups/Gentex-Azure_Prod/providers/Microsoft.Network/virtualNetworkGateways/Gentex-VGW",
    "resourceGroup": "Gentex-Azure_Prod"
  }
}
Let’s now enable policy-based traffic selectors, so that the VNet subnet prefixes are proposed instead of 0.0.0.0/0 (the output above confirms BGP stays disabled, so only the selector flag needs to change):
pawel@Azure:~$ az network vpn-connection update -g Customer-Azure_Prod -n Customer-Cloud-VPN --use-policy-based-traffic-selectors true
After a short while, let’s check the VPN status again:
pawel@Azure:~$ az network vpn-connection show -g Customer-Azure_Prod -n Customer-Cloud-VPN
{
  "authorizationKey": null,
  "connectionMode": "Default",
  "connectionProtocol": "IKEv2",
  "connectionStatus": "Connected",
  "connectionType": "IPsec",
  "dpdTimeoutSeconds": 45,
  "egressBytesTransferred": 12321039,
  "egressNatRules": null,
  "enableBgp": false,
  "etag": "W/\"b09c43b4-fa59-44ac-9920-0521e85552a1\"",
  "expressRouteGatewayBypass": false,
  "id": "/subscriptions/1c65831a-cad7-4bf6-98b2-4830b9448caf/resourceGroups/Gentex-Azure_Prod/providers/Microsoft.Network/connections/Gentex-vCloud-VPN",
  "ingressBytesTransferred": 58162468,
  "ingressNatRules": null,
  "ipsecPolicies": [],
  "localNetworkGateway2": {
    "id": "/subscriptions/1c65831a-cad7-4bf6-98b2-4830b9448caf/resourceGroups/Gentex-Azure_Prod/providers/Microsoft.Network/localNetworkGateways/Gentex-vCloud-LNG",
    "resourceGroup": "Customer-Azure_Prod"
  },
  "location": "uksouth",
  "name": "Customer-Cloud-VPN",
  "provisioningState": "Succeeded",
  "resourceGroup": "Customer-Azure_Prod",
  "resourceGuid": "a8f1a695-3aab-4f08-9edc-c385cbfa7abc",
  "routingWeight": 0,
  "sharedKey": "wMnjYHdfdfWbtKvc",
  "tags": null,
  "trafficSelectorPolicies": [],
  "tunnelConnectionStatus": null,
  "type": "Microsoft.Network/connections",
  "useLocalAzureIpAddress": false,
  "usePolicyBasedTrafficSelectors": true,
  "virtualNetworkGateway1": {
    "id": "/subscriptions/1c65831a-cad7-4bf6-98b2-4830b9448caf/resourceGroups/Gentex-Azure_Prod/providers/Microsoft.Network/virtualNetworkGateways/Gentex-VGW",
    "resourceGroup": "Gentex-Azure_Prod"
  }
}
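The check above (show, read usePolicyBasedTrafficSelectors, update, show again) is easy to script so it can be run against every site-to-site connection before anyone opens a ticket about phase 2. The script below is an added example for this post, not the author's code or anything from the Azure CLI project: it parses the JSON that az network vpn-connection show prints, reports whether Azure will propose prefix-pair selectors or 0.0.0.0/0, and emits the same update command when the flag is still false. It also blanks sharedKey, which show prints in clear text, so the summary can be logged or pasted safely. The sample JSON is constructed from the fields shown on the page with placeholder values; the script name check_ts.py is assumed.

```python
"""Check whether an Azure VPN connection negotiates policy-based (prefix)
traffic selectors, from the JSON printed by `az network vpn-connection show`.
Added example for this post, not the original author's code. The sample JSON
is constructed from the fields shown on the page with placeholder values."""
import json
import sys

# Constructed sample, trimmed to the fields the check uses. This mirrors the
# "before" state in the post: IKEv2, route-based selectors, tunnel down.
SAMPLE_BEFORE = """{
  "name": "Customer-Cloud-VPN",
  "resourceGroup": "Customer-Azure_Prod",
  "connectionProtocol": "IKEv2",
  "connectionStatus": "notConnected",
  "enableBgp": false,
  "sharedKey": "PLACEHOLDER-PSK",
  "trafficSelectorPolicies": [],
  "usePolicyBasedTrafficSelectors": false
}"""

# The "after" state: same connection with policy-based selectors enabled.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    '"connectionStatus": "notConnected"', '"connectionStatus": "Connected"'
).replace(
    '"usePolicyBasedTrafficSelectors": false',
    '"usePolicyBasedTrafficSelectors": true',
)

# `show` prints the pre-shared key in clear text; strip it before the result
# is logged or pasted anywhere.
SECRET_FIELDS = ("sharedKey", "authorizationKey")


def load_connection(text):
    """Parse the CLI JSON and replace secret fields with a marker."""
    conn = json.loads(text)
    for key in SECRET_FIELDS:
        if conn.get(key):
            conn[key] = "<redacted>"
    return conn


def fix_command(resource_group, name):
    """The az CLI command the post uses to switch to prefix-based selectors."""
    return (
        f"az network vpn-connection update -g {resource_group} -n {name} "
        "--use-policy-based-traffic-selectors true"
    )


def assess(conn):
    """Summarise the selector mode and say whether the fix is still needed."""
    policy_based = bool(conn.get("usePolicyBasedTrafficSelectors"))
    custom = conn.get("trafficSelectorPolicies") or []
    result = {
        "name": conn.get("name"),
        "ikev2": conn.get("connectionProtocol") == "IKEv2",
        "connected": conn.get("connectionStatus") == "Connected",
        "policy_based": policy_based,
        # With route-based selectors Azure proposes 0.0.0.0/0 on both sides;
        # with policy-based selectors it proposes the VNet/LNG prefix pairs.
        "selector_mode": (
            "prefix pairs (policy-based)"
            if policy_based
            else "0.0.0.0/0 <-> 0.0.0.0/0 (route-based)"
        ),
        "custom_selectors": len(custom),
        "action": None,
    }
    if not policy_based:
        result["action"] = fix_command(conn.get("resourceGroup"), conn.get("name"))
    return result


if __name__ == "__main__":
    # Pipe real output in (assumed file name):
    #   az network vpn-connection show -g RG -n NAME -o json | python3 check_ts.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BEFORE
    print(json.dumps(assess(load_connection(text)), indent=2))
```

Run without input and it evaluates the constructed "before" sample; pipe the real show output in and the action field tells you whether the update step is still outstanding for that connection.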