Always On VPN with Azure Gateway

Recently I wrote about VPN server deployment options for Windows 10 Always On VPN in Azure. In that post I indicated that the native Azure VPN gateway can be used to support Always On VPN connections using Internet Key Exchange version 2 (IKEv2) and Secure Socket Tunneling Protocol (SSTP). In this post I’ll outline the requirements and configuration steps for implementing this solution.

Requirements

To support Always On VPN, point-to-site VPN connections must be enabled on the Azure VPN gateway. Not all Azure VPN gateways are alike, and point-to-site connections are not supported in all scenarios. For Always On VPN, the Azure VPN gateway must meet the following requirements.

VPN SKU

The Azure VPN gateway SKU must be VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, or VpnGw3AZ. The Basic SKU is not supported.

VPN Type

The VPN type must be route-based. Policy-based VPN gateways are not supported for point-to-site VPN connections.

Limitations

Using the Azure VPN gateway for Always On VPN may not be ideal in all scenarios. The following limitations should be considered thoroughly before choosing the Azure VPN gateway for Always On VPN.

Device Tunnel

RADIUS/EAP authentication for user tunnel connections is not supported if the Azure VPN gateway is configured to support device tunnel with machine certificate authentication.

Maximum Connections

A maximum of 250, 500, and 1000 concurrent IKEv2 connections are supported when using the VpnGw1/AZ, VpnGw2/AZ, and VpnGw3/AZ SKUs, respectively (x2 for active/active gateway deployments). In addition, a maximum of 128 concurrent SSTP connections are supported for all VPN gateway SKUs (x2 for active/active gateway deployments).


Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#gwsku

RADIUS Requirements

To support Always On VPN connections, the Azure VPN gateway must be configured to authenticate to a RADIUS server. The RADIUS server must be reachable from the VPN gateway subnet. The RADIUS server can be hosted in Azure or on-premises. Before proceeding, ensure that any network routes, firewall rules, and site-to-site VPN tunnel configuration are in place to allow this communication.

RADIUS Configuration

Guidance for configuring Windows Server NPS for Always On VPN can be found here. The only difference when configuring NPS for use with Azure VPN gateway is the RADIUS client configuration.

Open the NPS management console (nps.msc) and follow the steps below to configure Windows Server NPS to support Always On VPN client connections from the Azure VPN gateway.

1. Expand RADIUS Clients and Servers.
2. Right-click RADIUS Clients and choose New.
3. Enter a descriptive name in the Friendly name field.
4. Enter the Azure VPN gateway subnet using CIDR notation in the Address (IP or DNS) field. The gateway subnet can be found by viewing the properties of the Azure VPN gateway in the Azure portal.
5. Enter the shared secret to be used for RADIUS communication in the Shared secret field.
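As an added example (not part of the original post), the same RADIUS client can be registered from PowerShell. Part 1, run where the Az module is installed, reads the GatewaySubnet prefix that step 4 has you look up in the portal; part 2, run on the NPS server, creates the client. The gateway, resource group and client names are assumptions, and passing the prefix in CIDR form to -Address is assumed to be accepted as it is in the console.

```powershell
# Added example, not from the original post. Part 1 runs on a workstation with
# the Az PowerShell module; part 2 runs on the NPS server (NPS module).
# Gateway, resource group and client names below are assumptions.

# ---- Part 1: look up the GatewaySubnet prefix of the VPN gateway ----
$GatewayName   = 'AzureVpnGateway'   # assumption
$ResourceGroup = 'rg-network'        # assumption

$Gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

# The gateway's IP configuration references the GatewaySubnet by resource ID:
# /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/GatewaySubnet
$Parts    = $Gw.IpConfigurations[0].Subnet.Id -split '/'
$VnetName = $Parts[$Parts.IndexOf('virtualNetworks') + 1]
$VnetRg   = $Parts[$Parts.IndexOf('resourceGroups') + 1]

$Vnet   = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $VnetRg
$Subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $Vnet -Name 'GatewaySubnet'

# AddressPrefix is a single string in older Az releases and a list in newer ones;
# wrapping it in @() handles both. RADIUS requests originate from this range.
$GatewayPrefix = @($Subnet.AddressPrefix)[0]
Write-Host "Gateway subnet: $GatewayPrefix"

# ---- Part 2: register that range as a RADIUS client on NPS ----
# Entering the prefix in CIDR form mirrors step 4 of the console procedure; the
# cmdlet is assumed to accept it the same way the console does.
$GatewayPrefix = '10.0.255.0/27'   # paste the value printed by part 1 (constructed sample)

# Keep the shared secret out of the script file and the command history.
$Secure = Read-Host -Prompt 'RADIUS shared secret' -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
try     { $Secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr) }

New-NpsRadiusClient -Name 'Azure VPN Gateway' -Address $GatewayPrefix -SharedSecret $Secret

# Confirm the client exists and is enabled before testing a connection.
Get-NpsRadiusClient -Name 'Azure VPN Gateway' | Format-List Name, Address, Enabled
```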


Azure VPN Gateway Configuration

To begin, provision a Virtual Network Gateway in Azure that meets the requirements outlined above. Guidance for implementing an Azure VPN gateway can be found here. Once complete, follow the steps below to enable support for Always On VPN client connections.

Enable Point-to-Site

Perform the following steps to enable point-to-site VPN connectivity.

1. In the navigation pane of the Azure VPN gateway settings click Point-to-site configuration.
2. Click Configure Now and specify an IPv4 address pool to be assigned to VPN clients. This IP address pool must be unique in the organization and must not overlap with any IP address ranges defined in the Azure virtual network.
3. From the Tunnel type drop-down list select IKEv2 and SSTP (SSL).
4. In the RADIUS authentication field enter the IPv4 address of the RADIUS server. At the time of this writing only a single IPv4 address is supported. If RADIUS redundancy is required, consider creating a load balanced NPS cluster.
5. In the Server secret field enter the RADIUS shared secret.
6. Click Save to save the configuration.


VPN Client Configuration

Perform the following steps to configure a Windows 10 VPN client to connect to the Azure VPN gateway.

Download VPN Configuration

1. Click Point-to-site configuration.
2. Click Download VPN client.
3. Select EAPMSCHAv2 (yes, that’s correct even if EAP-TLS will be used!).
4. Click Download.
5. Open the downloaded zip file and extract the VpnSettings.XML file from the Generic folder.
6. Copy the FQDN in the VpnServer element in VpnSettings.XML. This is the FQDN that will be used in the template VPN connection and later in ProfileXML.


Create a Test VPN Connection

On a Windows 10 device create a test VPN profile using the VPN server address copied previously. Configure EAP settings to match those configured on the NPS server and test connectivity.

Create an Always On VPN Connection

Once the VPN has been validated using the test profile created previously, the VPN server and EAP configuration from the test profile can be used to create the Always On VPN profile for publishing using Intune, SCCM, or PowerShell.

IKEv2 Security Configuration

The default IKEv2 security parameters used by the Azure VPN gateway are better than those used by Windows Server, but the administrator will notice that a weak 1024-bit Diffie-Hellman key is used in the phase 1 (IKE) negotiation.


Use the following PowerShell commands to update the default IKEv2 security parameters to recommended baseline defaults, including 2048-bit keys (DH group 14) and AES-128 for improved performance.

# Sign in and select the subscription that contains the VPN gateway.
Connect-AzAccount
Select-AzSubscription -SubscriptionName "[Azure Subscription Name]"

# Replace the bracketed placeholders with your gateway and resource group names.
$Gateway = "[Gateway Name]"
$ResourceGroup = "[Resource Group Name]"

# Build the policy: AES-128/SHA-256 for both IKE (phase 1) and IPsec (phase 2),
# DH group 14 (2048-bit) for the initial key exchange and PFS group 14 for rekeys.
$IPsecPolicy = New-AzVpnClientIpsecParameter -IpsecEncryption AES128 -IpsecIntegrity SHA256 -SALifeTime 28800 -SADataSize 102400000 -IkeEncryption AES128 -IkeIntegrity SHA256 -DhGroup DHGroup14 -PfsGroup PFS14

# Apply the policy to the gateway's point-to-site configuration.
Set-AzVpnClientIpsecParameter -VirtualNetworkGatewayName $Gateway -ResourceGroupName $ResourceGroup -VpnClientIPsecParameter $IPsecPolicy

Note: Be sure to update the cryptography settings on the test VPN connection and in ProfileXML for Always On VPN connections to match the new VPN gateway settings. Failing to do so will result in an IPsec policy mismatch error.
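As an added example, not code from the original post, the following PowerShell (run on the Windows 10 client) ties together the client-side steps above: it reads the gateway FQDN from the downloaded VpnSettings.XML, creates the test connection, and sets the connection’s IKEv2 parameters to match the gateway policy configured above so the IPsec policy mismatch described in the note does not occur. The file paths and connection name are assumptions.

```powershell
# Added example, not from the original post. Run on the Windows 10 client as an
# administrator. File paths and the connection name are assumptions.
$VpnSettingsPath = 'C:\Temp\AzureVpn\Generic\VpnSettings.xml'   # from the downloaded zip
$EapConfigPath   = 'C:\Temp\AzureVpn\EapConfig.xml'              # optional, see step 2
$ConnectionName  = 'Azure VPN Test'

# 1. Read the gateway FQDN from the <VpnServer> element. local-name() makes the
#    lookup independent of any namespace declared on the root element.
[xml]$Settings = Get-Content -Path $VpnSettingsPath -Raw
$VpnServer = $Settings.SelectSingleNode('//*[local-name()="VpnServer"]').InnerText
if (-not $VpnServer) { throw "No VpnServer element found in $VpnSettingsPath" }
Write-Host "Gateway FQDN: $VpnServer"

# 2. Create the IKEv2 test connection using EAP (authenticated by NPS via RADIUS).
#    If an EAP configuration exported from a working profile exists, for example saved with
#    (Get-VpnConnection -Name 'Working').EapConfigXmlStream.InnerXml | Set-Content $EapConfigPath,
#    it is applied here; otherwise pick the EAP type afterwards in the connection's properties.
$Params = @{
    Name                 = $ConnectionName
    ServerAddress        = $VpnServer
    TunnelType           = 'Ikev2'
    AuthenticationMethod = 'Eap'
    SplitTunneling       = $true
    RememberCredential   = $true
    Force                = $true
}
if (Test-Path $EapConfigPath) {
    [xml]$EapXml = Get-Content -Path $EapConfigPath -Raw
    $Params['EapConfigXmlStream'] = $EapXml
}
Add-VpnConnection @Params

# 3. Align the client's IKEv2 proposal with the gateway policy. Mapping from the
#    New-AzVpnClientIpsecParameter arguments used above to the client-side names:
#      IkeEncryption   AES128    -> EncryptionMethod                 AES128
#      IkeIntegrity    SHA256    -> IntegrityCheckMethod             SHA256
#      DhGroup         DHGroup14 -> DHGroup                          Group14
#      IpsecEncryption AES128    -> CipherTransformConstants         AES128
#      IpsecIntegrity  SHA256    -> AuthenticationTransformConstants SHA256128
#      PfsGroup        PFS14     -> PfsGroup                         PFS2048
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES128 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# 4. Show the custom policy that was applied, then dial. rasdial prompts for
#    credentials if the chosen EAP method needs them.
(Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy | Format-List
rasdial $ConnectionName
(Get-VpnConnection -Name $ConnectionName).ConnectionStatus
```

The same six client-side values belong in the CryptographySuite element of the Always On VPN ProfileXML, which is what the note above refers to.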

Additional Information

Microsoft Azure VPN Gateway Overview

About Microsoft Azure Point-to-Site VPN

Windows 10 Always On VPN IKEv2 Security Configuration


47 Comments

  1. Justin Nel

     /  September 12, 2019

    Hi Richard, thank you for the tutorial, I have been looking for other options to implement AOVPN in Azure besides RRAS. I have a question around setting up AOVPN with Azure VPN Gateway. Will ADCS still be required, as I don’t see anything about it in your tutorial?

  2. Justin Nel

     /  September 17, 2019

    Hi Richard, did you manage to get this to work with certificates? I’m battling to get this to work with EAP (PEAP) or “MS smart card or other certificate” for authentication. I managed to get it to work with MS-CHAP v2 but would like the stronger authentication with certificates. I’m getting the following message when trying to connect: “The remote access connection completed but authentication failed because the certificate”. I have issued certificates to all the servers and clients as per the MS article so not sure where I’m going wrong.

    • Absolutely. The authentication takes place on the NPS server so the gateway doesn’t really care what protocol is used. It just forwards the authentication request to the configured RADIUS server. As long as NPS is configured to use EAP with certificate authentication it should work just fine.

  3. Hi Richard, great blog first of all. I just had a question about the limitation of using device tunneling and user tunneling together. Is it possible to use Azure MFA with user tunneling after device tunneling is set up? And use the NPS extension for forcing Azure user MFA? What I like to achieve is step 1: the AOVPN connection will be established when the user starts the device; step 2: the user will be prompted to use MFA to start the AOVPN user tunnel. Thanks in advance!

    • Sure, that should work. Device tunnel connections don’t use NPS, they’re just authenticated by the VPN server. So, in your case, a device tunnel would be established without MFA, but when a user connects they would be authenticated by NPS which would require Azure MFA. 🙂

  4. Rob M

     /  December 4, 2019

    Great article Richard. Having one problem though. When I’m trying to connect with IKEv2, I get “IKE authentication credentials are unacceptable”. Machine certs are good so not sure why I’m getting this error with IKEv2.
    SSTP works OK but I would prefer IKEv2 when I push out the Intune config.

    • If you are getting an IKE Authentication Credentials Unacceptable error I would suspect something is wrong in your NPS policy or client-side configuration. Make sure you are using the Azure-provided gateway hostname and have a close look at your NPS policy to ensure everything matches.

  5. Marvin

     /  December 17, 2019

    Hey, what a great article with all the tips. Is it all the same when using a Mac? Because I have Azure and I just started to use NordVPN Teams (route-based VPN) – together they are a great match, because I can log in via Azure to NordVPN Teams easily and use them both. But looking into your example, which I think I’m going to use, I started to wonder whether everything is the same on Mac…

  6. Stuart

     /  February 7, 2020

    Hi Richard, a great article as always. It looks like the Azure VPN Gateway Generation 2 supports up to 10000 connections (https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways). Is that a recent update, or is there something I need to know about using Generation 2 with AOVPN?
    Is there any way to provide HA, in case the Azure VPN Gateway fails, such as deploying in 2 regions, and is there a way to load balance these to get more connections?

    • I’m not sure when those new limits were put into effect. It was recently though, I believe. It is important to point out that this applies only to IKEv2. SSTP connections are still (inexplicably!) limited to 128 connections. BTW, you can select the option to implement active/active gateways to provide redundancy. It also doubles the connection count. 🙂

  7. Doug

     /  February 7, 2020

    The downside I’ve found is that Azure VPN Gateways don’t respect IP filters from NPS RADIUS. In any scenario where you want to limit access to certain networks by groups, this makes things a little complicated as there is only one P2S config and IP pool per gateway/VNet.

    • Interesting. That’s not something I’ve ever tested with the Azure VPN gateway. Good to know!

    • Rana Banerjee

       /  April 2, 2020

      Hello Richard, first of all an excellent article which gives insight into Always On VPN. I would really appreciate it if you could spare some time to share your thoughts on the following questions:

      My scenario:
      * All the servers are being migrated to Azure in a VNet.
      * We have decided to go with Always On VPN in Azure.
      * Have configured the point-to-site VPN gateway using the recommended settings and SKU.
      * We also have the enterprise root certificate authority.

      My questions:
      * Do I need an NPS server in the VNet? Or does just selecting certificate authentication on the gateway do the job? (user tunnel)
      * If NPS is needed, then what can be done to make it highly available in Azure?
      * Out of user and device tunnel, which is most preferred?

      Many thanks

      • You can choose either certificate authentication or RADIUS, so you’ll have to pick one. FYI, certificate authentication is required for the device tunnel, and you’ll use RADIUS if you want to use the user tunnel. If you choose RADIUS, then yes, you’ll need an NPS server somewhere, ideally in Azure. As you can only provide one IP address for the NPS, the recommendation to provide redundancy is to place them behind a load balancer (Azure or appliance, either will work).

        The choice to use user tunnel or device tunnel is up to you. Remember that with the Azure VPN gateway they are mutually exclusive options. You’ll have to pick one or the other.

  8. Justin Nel

     /  February 7, 2020

    Hi Richard, a bit of a late reply. Thanks for all your help! I decided to take your advice and use the RAS VPN option on an Azure VM over the Azure VPN Gateway after having so much trouble with it. I’ve been using the RAS VPN for a couple of months now and have had no problems; works like a BOSS.

  9. Stuart

     /  February 11, 2020

    Hi Richard, I can see that you can monitor the health of the VPN Gateway, but is there a way to monitor the connections/users? This would be really useful as during periods of bad weather more people may work from home so the number of connections required may increase. If the limit was approaching I’m assuming we could change the SKU to one that had more connections and then scale down once the sun started shining again.

    • I’m not aware of any way to monitor concurrent connections on the Azure VPN gateway. There might be something exposed through PowerShell or CLI though. Might have a look at those options and see what you can find.

  10. Elliott Chandler

     /  February 17, 2020

    Hi Richard, nice article. Is it still necessary to have a VM installed with NPS? Referring to this article https://docs.microsoft.com/en-gb/azure/vpn-gateway/vpn-gateway-howto-always-on-user-tunnel

    • If you plan to use the Azure VPN gateway to host user connections, yes. Strictly speaking the NPS doesn’t have to be hosted in Azure, it just has to be reachable from the Azure VPN gateway. Ideally the NPS would be located in Azure because it improves authentication performance, but in theory it could be hosted on premises and reachable via express route or site-to-site VPN.

  11. Steve Burkett

     /  February 17, 2020

    Technically you can use the Basic SKU for the Azure VPN Gateway if you’re just using an SSTP-based user tunnel for your Windows 10 Always On connection, no device tunnel. Works ok and much cheaper for some scenarios.

  12. Grant Wilson

     /  March 11, 2020

    Thanks very much for the article – very helpful!
    Has anyone encountered an issue when configuring the Virtual Network Gateway P2S where Azure does not save the config? I amend the options to how I want them, then click Save – I get a notification that it saved OK. But when I click out of the config screen it immediately asks me whether I want to save the changes again. I again say to save the changes and it allows me to leave the screen. But when I go back into the config screen it remembers some settings (tunnel type and IP range) but always reverts to the Azure certificate authentication type. I wish to use RADIUS authentication but it refuses to save these settings!
    The RADIUS server is up with a static IP address; no NSG is currently blocking access.

    • Yes, I came across this recently myself! I think it is a UI display issue though. When we made the changes to use RADIUS authentication it works, even though the UI displays certificate authentication. Hopefully it gets fixed soon!

      • Grant Wilson

         /  March 12, 2020

        Yep – it saved fine after all 🙂
        I’m a little stuck now though!
        Trying to test out Always On VPN using Azure Gateway. User tunnel.
        I’ve gotten to the stage of being able to connect to the VPN and authenticate over RADIUS with an NPS server, but I am unable to access any resources on the VNet remotely.
        I’ve kept things as simple as possible:
        1 NPS server that is also a DC. The NPS network policy has EAP-MSCHAPv2 selected as the authentication method.
        The VPN gateway is attached to the Azure VNet (10.10.0.0/21) with my resources in it and is using IKEv2 and SSTP as the tunnel type. The VPN gateway will use 172.28.10.0/24 for dishing out VPN client addresses.
        I’m not using certificates.
        My VPN connection on the Windows 10 client connects successfully using my AD username and password.
        I created a file share on the file server in VNet 10.10.0.0/21.
        This share is not accessible from my VPN client, and the servers cannot be pinged. I created a quick website on the same server and am unable to access this either.
        I have no NSGs set up in my test lab. No firewalls are enabled on the servers.
        Not sure where else to look for troubleshooting.
        Before I look at the next stage about using makeprofile.ps1deploy – I need to solve this issue first.

      • Not sure what’s up there to be honest. If you are using the Azure VPN gateway, Azure takes care of routing for you so you shouldn’t have to configure that manually. It simply knows that whatever subnet you define for the point-to-site VPN connections needs to be routed, so it does that automatically. Why that’s not happening here I have no idea. :/

      • Grant Wilson

         /  March 13, 2020

        Interestingly enough – if I install and run the VpnClientSetupAmd64 application from the “Download VPN client” in the P2S configuration page, it works perfectly well! I guess this means something is up with the manual VPN creation using the Windows 10 built-in VPN. There’s not much to configure there – so I’m not sure what’s up!

  13. Many Thanks Richard.
    Your instructions have been REALLY helpful. I was able to deploy device tunnels using Azure Gateway. Everything seems to be working well so far. I was wondering if there is any way to get specific connection statistics from the Azure Gateway. I could not find any Azure cmdlet specific to connection details for P2S. If not on Azure, is it possible to get connection stats from a Windows 10 machine? I know the metrics in Azure do give some information, but I would like to get more information, like connection duration per client etc.

    And I would really request that you create an online course covering Always On VPN, on-prem / Azure, in depth.

    • To my knowledge there isn’t anything available to provide user activity information when using the Azure VPN gateway. As for the online course, I’m considering that as we speak. No ETA yet but I’ll probably have something done before the end of the year. 🙂

  14. Hello Richard,

    We have the following scenario
    * Azure VNet in Azure with VPN gateway
    * 2 site-to-site VPNs terminating at each datacentre, based on BGP
    * Device tunnels configured with certificate authentication on Azure Gateway
    * All the devices are Windows 10 (1909); device tunnels deployed and managed via Intune.
    * In future we will be combining this with user tunnels

    We face the following issues:
    * When we increase the number of routes to more than 25 the client VPN disconnects and never connects, due to traffic selectors. Is there any way to circumvent this issue without reducing the total number of routes advertised?
    * Can we use OpenVPN as an Always On VPN device tunnel?

    Lastly, we are based in Brisbane (+10 GMT) if we wanted to hire your consulting services what would be the process?

    Many Thanks
    Rana Banerjee

    • I’ve heard others complain that having more than 25 routes breaks VPN when using the Azure VPN gateway. I don’t believe there is a workaround for this limitation yet. I don’t believe this affects RRAS or third-party NVAs in Azure though.

      I have many customers in Australia. Reach out to me via email and we can talk about a consulting engagement in more detail. 🙂

  15. Many thanks for your reply and sure, I will be reaching out to you in the near future. One last question: can OpenVPN be used for Always On VPN as a user tunnel?

  16. Jakob Strøm

     /  June 10, 2020

    Hi Richard.
    I’m looking at options to deploy AOVPN in Azure. The minimal VM deployment is important for us, as we are implementing SaaS solutions where possible.

    I like the IKEv2 device tunnel + SSTP user tunnel that we are currently testing. It works a charm really. But the 128 max SSTP connections is a deal breaker, and a VPN not connecting on 443 is also a deal breaker. So we really need the following:

    Device tunnel for hybrid environment.
    User tunnel on 443 and both tunnels need “Auto connect”.
    400-500 users.
    Deployed via Intune.

    Is this at all possible with Always On VPN in Azure?

    The only way I can see this working would be with several VMs and a load balancer to get the SSTP limit up?

    • Using the Azure VPN gateway prevents you from using the same gateway for device tunnel and user tunnel. And yes, the default 128 port limit for SSTP is a showstopper for most. You can easily deploy Windows Server RRAS in Azure, although it is not formally supported. If you can accept that limitation it works quite well. Details here: https://directaccess.richardhicks.com/2019/09/09/always-on-vpn-and-rras-in-azure/.

      FYI, if you deploy RRAS in Azure you can set the max number of SSTP ports to whatever you want. You could easily get 500 users on a single RRAS VM in that case. 🙂

      • Jakob Strøm

         /  June 10, 2020

        Hi Richard.

        Thanks for the response. It’s the virtual machine that bugs me a little. But if that’s the only way to go, we could live with a VM.

  17. Justin

     /  June 24, 2020

    Hi Richard, thanks for another great post! Just to add to this, forced tunneling isn’t supported in Azure P2S VPN & I just ran into the same limitation in Azure Virtual WAN P2S VPN. Hopefully this changes soon – https://feedback.azure.com/forums/217313-networking/suggestions/7027397-use-p2s-vpn-connection-as-default-gateway-like-st

  18. Hi Richard,
    Do you know whether the device OR user tunnel only issue is still present? I’ve found that it seems to work with dual IKEv2 tunnels with Azure certificate authentication but goes nowhere with RADIUS, as the device auth never seems to reach the NPS server.

    • The device tunnel can’t use NPS, so not surprised that doesn’t work. As stated, when using the Azure VPN gateway for Always On VPN you can only configure it for device tunnel or user tunnel, not both. This is because only one authentication scheme can be selected, either certificate authentication (device tunnel) or RADIUS (user tunnel).
