Azure P2S to connect through S2S VPN to onprem

Thomas Holme Larsen 26 Reputation points
2022-10-26T09:41:37.253+00:00

Hi everybody,

Our setup is like this:

We have an Azure Site-to-Site VPN between an Azure subnet and on-prem (Azure subnet: 10.1.0.0/24, on-prem subnet: 172.16.0.0/24).
The tunnel is up and running and everything works fine - Azure VMs can connect to on-prem resources and vice versa.

We also have Azure Point-to-Site VPN (OpenVPN SSL with Azure AD Authentication).
Likewise, the tunnel connects fine to Azure, and users can connect to Azure VMs.

The problem is that when a user connects via Point-to-Site VPN, the user can connect to Azure VMs but not to on-prem resources.
In the Point-to-Site configuration we advertise an additional route to 172.16.0.0/24, but nevertheless the user cannot connect to on-prem resources.

What are we missing here?

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

Accepted answer
GitaraniSharma-MSFT 50,116 Reputation points Microsoft Employee Moderator
2022-10-26T10:18:17.587+00:00

    Hello @Thomas Holme Larsen ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have a working site-to-site VPN connection between Azure and your on-premises and also have a point-to-site VPN which is able to access Azure resources but is unable to access the on-premises resources via the site-to-site connection.

    In order for you to be able to access your on-prem network (which is connected to Azure VPN by a site-to-site connection) from your Point-to-Site VPN client, your Site-to-Site VPN connection should be running BGP.

    If your site-to-site connection between Azure and on-prem uses BGP, then you can just manually add the routes for your on-prem network to the Windows P2S client, and you will be able to access the on-prem network from your point-to-site connection/client. For non-Windows clients, you do not need to add the manual routes, as BGP is enough for the routes to be propagated.

    To manually add the on-prem network route, you can browse to %AppData%\Microsoft\Network\Connections\Cm<yourGuid>\routes.txt (C:\Users\<userID>\AppData\Roaming\Microsoft\Network\Connections\Cm<VPNGuid>\routes.txt) on your client machine and add the route in this text file.

    Please refer to: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#vnetbranchbgp

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
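As an added example (not part of the question or the accepted answer), the PowerShell below performs the routes.txt edit the answer describes for the 172.16.0.0/24 on-prem prefix and then checks whether the client's active routing table carries that prefix after a reconnect. The CMAK route-line syntax it writes (`ADD <net> MASK <mask> default METRIC default IF default`) and picking the most recently modified Cm<GUID> folder are assumptions, so confirm both against your own client before relying on it.

```powershell
# Added example: append the on-prem route to the Windows P2S client's routes.txt
# and verify the route is present once the client has been reconnected.
# Assumptions: CMAK route-file syntax and the 172.16.0.0/24 prefix from the question.
param(
    [string]$OnPremNetwork = '172.16.0.0',
    [string]$OnPremMask    = '255.255.255.0'
)

$connDir = Join-Path $env:APPDATA 'Microsoft\Network\Connections'
# One Cm<GUID> folder per installed P2S client profile; assume the newest is the active one.
$cmDir = Get-ChildItem -Path $connDir -Directory -Filter 'Cm*' |
         Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $cmDir) { throw "No Cm<GUID> folder found under $connDir" }

$routesFile = Join-Path $cmDir.FullName 'routes.txt'
# Assumed CMAK syntax: 'default' lets the client fill in gateway/metric/interface at connect time.
$routeLine  = "ADD $OnPremNetwork MASK $OnPremMask default METRIC default IF default"

$existing = if (Test-Path $routesFile) { Get-Content $routesFile } else { @() }
if ($existing -match "^\s*ADD\s+$([regex]::Escape($OnPremNetwork))\s") {
    Write-Host "routes.txt already contains a route for $OnPremNetwork"
} else {
    # Keep a backup so the profile can be restored if the client rejects the line.
    if (Test-Path $routesFile) { Copy-Item $routesFile "$routesFile.bak" -Force }
    Add-Content -Path $routesFile -Value $routeLine
    Write-Host "Appended to $routesFile : $routeLine"
}

# Verification (run after disconnecting and reconnecting the P2S client):
# convert the dotted mask to a prefix length and look the prefix up in the live table.
$bits = (([IPAddress]$OnPremMask).GetAddressBytes() |
         ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join ''
$prefixLen = ($bits.ToCharArray() | Where-Object { $_ -eq '1' }).Count
$route = Get-NetRoute -DestinationPrefix "$OnPremNetwork/$prefixLen" -ErrorAction SilentlyContinue
if ($route) {
    # The route should point at the VPN adapter, not the LAN default gateway.
    $route | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric | Format-Table -AutoSize
} else {
    Write-Warning "No route to $OnPremNetwork/$prefixLen in the active table; reconnect the client and check again"
}
```

If the verification shows the prefix bound to the LAN adapter or missing entirely, the client is not learning the on-prem route and traffic will leave via the local default gateway rather than the tunnel.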

