EFW Support

Support => VPN Support => Topic started by: Mo_Hong on Thursday 20 August 2015, 07:50:20 am

Title: GW-2-GW with Azure connection problem
Post by: Mo_Hong on Thursday 20 August 2015, 07:50:20 am

We have the following scenario, in which we have connected two EFW Community via GW-2-GW VPN and one of those EFW is connected to Azure:

  VMs -                   LAN -                   LAN -
  MS Azure <------------> EFW S1  <------------>  EFW S2
  Public IP - 2X.x.x.x    Public IP - 1x.x.x.x    Public IP - 1x.x.x.x

S1 and S2 have 2 different public IPs from different ISPs
S1 is connected to Azure via an IPSec VPN (MS recommended config)
S1 and S2 are connected via one IPSec tunnel and one OpenVPN Tunnel
S1 is the OpenVPN Server and S2 the OpenVPN Client (GW-2-GW)
As you can see, we have S1 connected directly to Azure via the IPSec VPN and when we ping/traceroute from any PC in the LAN to the VMs in Azure we can reach them without any problem. This happens also when you ping/traceroute from Azure VMs to any PC on S1.

From S2 things are not working that well. If we do a ping/traceroute from the EFW on S2, we can reach the VMs without any trouble. But when we try the same ping/traceroute from any PC behind the EFW on S2, we cannot reach the VMs with the ping (timeout) and the traceroute gets "lost" when it arrives at the EFW on S1: it does the hop from the PC to the EFW S2, then from the EFW S2 to the EFW S1, and from there it simply times out. What we need is for all the PCs on S2 to reach the servers/VMs on Azure as the PCs on S1 can do.

We have tried many possible changes to the routing tables on the EFW S1 and on the EFW S2 without any positive results, and we have also opened all rules on the VPNFW on the two EFWs. We have even set the Azure public IP as GW, and this has not worked. Also, take into consideration that we have established two VPN tunnels between S1 and S2, one via IPSec and one via OpenVPN.

Also, the EFW on S1 is 3.0.5 and the EFW on S2 is 3.0.

Thanks in advance for any help you can give us to solve this issue.

Title: Re: GW-2-GW with Azure connection problem
Post by: svritc_81 on Sunday 10 April 2016, 01:38:26 am
Dear Hong,

I am guessing you have to write a static route on S2 for Azure (destination) so that traffic reaches it via S1 (source), since, as you informed, Azure VMs can reach S2 LAN PCs.

Also check in your VPN firewall settings that the subnets you have mentioned are allowed.

Good luck

Title: Re: GW-2-GW with Azure connection problem
Post by: jsolanki on Thursday 10 January 2019, 01:07:34 am
Hi Guys,
I know this is an old post, but I am trying to get an Azure S2S setup with Endian, and I was hoping you would be able to share how you went about this. I am new to Endian, so I am struggling with the IPSec setup.