
    Posts

    • RE: VPN communication through ERX to different subnet

      @JaredBusch said in VPN communication through ERX to different subnet:

      @fuznutz04 nothing in that azure Vpn step hints at two networks beyond the Vpn

      I know, that's still a work in progress. 😕 I just managed to get the original tunnel working again which is what the above configs are for.

      posted in IT Discussion
      AdamF
    • RE: VPN communication through ERX to different subnet

      @Dashrender

      There are no specific "rules" that I set in Azure for traffic flow. I can tell you how I set it up though. I'll outline it below but plan on doing a write up guide here on the site for others.

      Basic steps:

      1. Created a local Vnet for your on premise network. This is where you supply your public IP of your on premise device (in my case, the ERX) as well as the local network prefix. (in my case, 10.0.0.0/24)
      2. Created a Vnet in Azure with address space of 172.16.0.0/16
      3. Created a Subnet within that Vnet for my servers with an address space of 172.16.2.0/24
      4. Created a "Gateway Subnet" within the Vnet. This is required for the next step, and the name must not be changed.
      5. Create a Virtual Network Gateway. Type is VPN, and choose Route Based. Choose to create a new public IP. This step takes nearly an hour.
      6. Once completed, you go into that Virtual Network Gateway and create an IPSEC connection to your local Vnet from step 1.
      7. Then on your ERX, you configure it using the config below:
      set vpn ipsec auto-firewall-nat-exclude enable
      set vpn ipsec disable-uniqreqids
      set vpn ipsec esp-group esp-azure compression disable
      set vpn ipsec esp-group esp-azure lifetime 3600
      set vpn ipsec esp-group esp-azure mode tunnel
      set vpn ipsec esp-group esp-azure pfs disable
      set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
      set vpn ipsec esp-group esp-azure proposal 1 hash sha1
      set vpn ipsec ike-group ike-azure ikev2-reauth no
      set vpn ipsec ike-group ike-azure key-exchange ikev2
      set vpn ipsec ike-group ike-azure lifetime 28800
      set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
      set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
      set vpn ipsec ike-group ike-azure proposal 1 hash sha1
      set vpn ipsec ipsec-interfaces interface eth0
      set vpn ipsec nat-networks allowed-network 0.0.0.0/0
      set vpn ipsec nat-traversal enable
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication mode pre-shared-secret
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication pre-shared-secret blahblah
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx connection-type initiate
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx default-esp-group esp-azure
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ike-group ike-azure
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ikev2-reauth inherit
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx local-address xxx.xxx.xxx.xxx
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 allow-nat-networks disable
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 allow-public-networks disable
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 esp-group esp-azure
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 local prefix 10.0.0.0/24
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 protocol all
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 remote prefix 172.16.2.0/24
      
      8. Once the tunnel is up, traffic started flowing without any other config steps other than the firewall rules on the ERX side to allow for IPSEC traffic.
      posted in IT Discussion
      AdamF
    • RE: VPN communication through ERX to different subnet

      Progress... So deleting the entire tunnel from the ERX completely, as well as removing the gateway/public IP from Azure, and then re-creating a new one, with a new IP, solved the issue. As soon as the tunnel was created, traffic started flowing. Feels like something was either "stuck" on the ERX with the old config, or it was something on the Azure side.

      In any case, now I'll attempt to create another tunnel to solve the original problem in the OP.

      posted in IT Discussion
      AdamF
    • RE: Your Time Is Valuable

      @scottalanmiller said in Your Time Is Valuable:

      @guyinpv said in Home business ideas for transition out of 9-5?:

      I feel like every in home job I do is a rip off. It's 20% work and 80% waiting for their Walmart special to catch up.

      All IT people have to fix this thinking. That's not ripping someone off, that's someone making you waste your valuable time and you need to be compensated for it. No electrician, contractor, plumber, doctor, lawyer or other professional having to sit and wait because of customer decisions or limitations would ever have a thought like they were ripping off the customer for something that wasn't their own fault (and rarely even for things that are.) You ARE working and you DO deserve to be paid. You are mentally ripping yourself off. That their computer is slow, their Internet is slow or they live in the middle of nowhere is only their decision and the consequences of that decision belong to them, not to you.

      I used to think this way as well earlier in my career. When I started a family, it became very clear that my time was just too valuable to charge less because I felt "guilty." That type of thinking went right out the window.

      posted in IT Business
      AdamF
    • RE: VPN communication through ERX to different subnet

      @Dashrender I didn't set up any specific routes in Azure previously. I just started playing with Azure not long ago, so I'm not even sure where to show any existing routes. As far as the ERX routes, if I do a "show IP route table all", one of the routes pertains to my Azure network:

      show ip route table all
      172.16.2.0/28 via PUBLIC.IP dev eth0  table 220  proto static  src 10.0.0.1
      default via PUBLIC.IP dev eth0  proto zebra
      
      posted in IT Discussion
      AdamF
    • RE: VPN communication through ERX to different subnet

      @JaredBusch Unfortunately, that didn't work. But now I have another command for the toolbox, so thanks!

      Additionally, after a reboot, the tunnel comes back up, but still not pinging. So basically, I broke the existing tunnel and although the tunnel comes up, no communication.

      The below is the exact configuration that I backed up right before I started making changes today.

      set vpn ipsec auto-firewall-nat-exclude enable
      set vpn ipsec disable-uniqreqids
      set vpn ipsec esp-group esp-azure compression disable
      set vpn ipsec esp-group esp-azure lifetime 3600
      set vpn ipsec esp-group esp-azure mode tunnel
      set vpn ipsec esp-group esp-azure pfs disable
      set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
      set vpn ipsec esp-group esp-azure proposal 1 hash sha1
      set vpn ipsec ike-group ike-azure ikev2-reauth no
      set vpn ipsec ike-group ike-azure key-exchange ikev2
      set vpn ipsec ike-group ike-azure lifetime 28800
      set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
      set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
      set vpn ipsec ike-group ike-azure proposal 1 hash sha1
      set vpn ipsec ipsec-interfaces interface eth0
      set vpn ipsec nat-networks allowed-network 0.0.0.0/0
      set vpn ipsec nat-traversal enable
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication mode pre-shared-secret
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication pre-shared-secret blahblah
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx connection-type initiate
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx default-esp-group esp-azure
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ike-group ike-azure
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ikev2-reauth inherit
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx local-address xxx.xxx.xxx.xxx
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 allow-nat-networks disable
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 allow-public-networks disable
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 esp-group esp-azure
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 local prefix 10.0.0.0/24
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 protocol all
      set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 remote prefix 172.16.2.0/24
      

      My local net is 10.0.0.0/24
      My server in Azure is on the 172.16.2.0/24 network.

      posted in IT Discussion
      AdamF
    • RE: VPN communication through ERX to different subnet

      So in attempting to do that, I seem to have broken the first tunnel. I reverted back to just my old config by deleting the additional tunnel commands and restarting vpn services. The tunnel appears to be up, but no traffic is flowing. I have this lingering feeling that a reboot of the ERX would fix it, but can't restart it at the moment.

      posted in IT Discussion
      AdamF
    • RE: VPN communication through ERX to different subnet

      So I should add another config line like this in the ERX?
      set vpn ipsec site-to-site peer AZURE IP tunnel 100 local prefix 10.0.1.0/24 ?

      Current one is: set vpn ipsec site-to-site peer AZURE IP tunnel 100 local prefix 10.0.0.0/24

      posted in IT Discussion
      AdamF
    • VPN communication through ERX to different subnet

      I've just set up a site to site VPN from my ERX to an Azure LAN. Communication is working properly. However, I need to be able to also remotely connect to the Azure LAN from a remote VPN client through the ERX LAN. In other words, when a user connects to the ERX LAN from home, I need them to be able to access local ERX LAN resources (working) as well as browse to the machines in the Azure LAN (not working).

      Details:

      • Site to site VPN connection between an ERX LAN (10.0.0.0/24) and Azure LAN (172.16.2.0/28).
      • IPSEC server on the ERX handing out client IPs of 10.0.1.1 to 10.0.1.10

      As a client, when remotely connecting to the ERX VPN server, I can successfully ping everything on the local ERX LAN (10.0.0.0/24).
      However, when pinging to the Azure LAN (172.16.2.0/28) from the remote client, no traffic is passing.

      What is the best way to set up the ERX to allow this traffic to pass from the remote client, through the ERX, to the Azure LAN via the IPSEC tunnel?

      posted in IT Discussion edgeos vpn
      AdamF
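
Added example, not part of the original post or the poster's configuration: a policy-based IPsec tunnel only carries traffic whose source and destination fall inside one of its local/remote prefix pairs, so this Python check parses the `tunnel ... prefix` lines and tests the LAN and remote-client addresses from the thread against them. The peer address 203.0.113.10 and the host addresses 10.0.0.50 and 172.16.2.4 are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample: the tunnel prefixes are the ones posted in this thread;
# 203.0.113.10 is a documentation address standing in for the redacted peer.
SAMPLE_CONFIG = """\
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 100 esp-group esp-azure
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 100 local prefix 10.0.0.0/24
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 100 protocol all
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 100 remote prefix 172.16.2.0/24
"""

PREFIX_RE = re.compile(
    r"^set vpn ipsec site-to-site peer (\S+) tunnel (\d+) (local|remote) prefix (\S+)$"
)


def parse_selectors(config_text):
    """Return {(peer, tunnel_id): {"local": network, "remote": network}}."""
    tunnels = {}
    for line in config_text.splitlines():
        match = PREFIX_RE.match(line.strip())
        if not match:
            continue  # not a traffic-selector line
        peer, tunnel_id, side, prefix = match.groups()
        network = ipaddress.ip_network(prefix, strict=False)
        tunnels.setdefault((peer, int(tunnel_id)), {})[side] = network
    return tunnels


def matching_tunnels(tunnels, src, dst):
    """List tunnels whose local prefix contains src and remote prefix contains dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [
        key
        for key, sel in sorted(tunnels.items())
        if "local" in sel and "remote" in sel
        and src_ip in sel["local"] and dst_ip in sel["remote"]
    ]


if __name__ == "__main__":
    selectors = parse_selectors(SAMPLE_CONFIG)
    # A LAN host, then the first and last remote-client addresses from the thread.
    for src in ("10.0.0.50", "10.0.1.1", "10.0.1.10"):
        hits = matching_tunnels(selectors, src, "172.16.2.4")
        print(f"{src} -> 172.16.2.4: {hits or 'no selector match, not sent into the tunnel'}")
```

The same check can be run against a saved `show configuration commands` export to confirm which client ranges a tunnel's prefixes actually cover before changing it.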
    • RE: FreePBX, Qualify time, and "Unreachable" extensions

      The only option I saw under attack checks in the video is to disable UDP flood attacks.

      posted in IT Discussion
      AdamF
    • RE: FreePBX, Qualify time, and "Unreachable" extensions

      @scottalanmiller So without being on site tonight, I checked some videos online to see if I could get an idea of the interface of the router. I found one that goes along with what you're recommending. See below. From this screen grab, it looks like you can disable session limits altogether, or increase the timeout of UDP to whatever you want.

      [Image: 0_1472170888420_ProSafe Session Limit.png]

      posted in IT Discussion
      AdamF
    • RE: FreePBX, Qualify time, and "Unreachable" extensions

      I'll see what I can find. Any comment on the RTP keep alive setting?

      posted in IT Discussion
      AdamF
    • RE: FreePBX, Qualify time, and "Unreachable" extensions

      I read somewhere that turning on RTP KeepAlive in the SIP settings helps this exact issue, but I haven't tried it yet. Any experience with that particular setting?

      Unfortunately, it's most likely an issue on their end with congestion. They have an old Netgear router. SRX-5308 with Firmware 4.3.3-8.

      posted in IT Discussion
      AdamF
    • FreePBX, Qualify time, and "Unreachable" extensions

      I have a client with a cloud hosted PBX (FreePBX). There are about 75 extensions at the client. This morning, phones are not ringing properly and going straight to VM when dialing an extension from an IVR. Looking at the peer list and console, it is because the extensions are unregistering. One phone was fixed by rebooting it.

      What has changed since yesterday? Well, the client is busy today and lots of traffic is going on on the network. Could it be that their router/firewall simply can't handle all the concurrent SIP registrations? What can be done to help the problem? Changing the qualify time on extensions to something less? Right now the qualify time is at 60.

      posted in IT Discussion
      AdamF
    • RE: Sessions

      @Minion-Queen Awesome. Will miss meeting everyone in person for sure, but looking forward to the content regardless.

      posted in MangoCon
      AdamF
    • RE: Sessions

      @Minion-Queen said in Sessions:

      Yes we will be recording sessions. They will not be the awesomest recordings this year, due to it being our first one, and I can't afford to hire people. So IPhone are where it's at this year.

      Really looking forward to those recordings! Looks like I won't be able to make it after all this year. 😞

      posted in MangoCon
      AdamF
    • RE: EdgeRouter to Azure site to site VPN

      @scottalanmiller

      It's ok. That's not my favorite by far, but it's what was in the fridge, so it worked.

      posted in IT Discussion
      AdamF
    • RE: EdgeRouter to Azure site to site VPN

      @fuznutz04 said in EdgeRouter to Azure site to site VPN:

      @StrongBad Attempting to do this as we speak. So far, the status is "I need a beer" but I'm far from giving up.

      Well, I just fixed part of the problem...

      0_1471628658081_image.jpeg

      posted in IT Discussion
      AdamF
    • RE: EdgeRouter to Azure site to site VPN

      @StrongBad Attempting to do this as we speak. So far, the status is "I need a beer" but I'm far from giving up.

      posted in IT Discussion
      AdamF
    • RE: Edge Router L2TP VPN Server Setup

      No problem!

      posted in IT Discussion
      AdamF