Can’t create a static gateway VPN on a Microsoft Azure virtual network

Ah the joys of a proof of concept. We’re playing with a vendor’s application that has some tricky networking requirements (multi-site VPN support through a third party aggregator) to see if the architecture would work with a server in Azure.

The great part is we have a trial version of the software, so we can replicate things from the comfort of our own office without disturbing the customer. Which is just as well, really.

Following the instructions, I’d successfully created a virtual network, a Windows Server and a static gateway VPN and managed to get our Draytek router to connect. Hooray!

Next step was to see if a Cisco router we had here would connect, so that we could then swap it into the customer site. Because I wanted to retain our own connectivity too, I needed to delete and re-create the gateway as Dynamic, which is what multi-site VPN connectivity requires. Problem is, dynamic gateways use IKEv2 and neither our Draytek Vigor 2860 nor our Cisco SRP521W wanted to play that game. Back to the drawing board to reconfigure the gateway as static. And by reconfigure I mean delete and re-create.

Unfortunately, once you add multiple local networks to a gateway, the Azure portal gives up and says “it’s all too complicated for me now – use XML to configure stuff”. But when I tried to upload an edited XML file, I got an unhelpful “unexpected error”.

I also found that if you DON'T remove that second local network from the configuration before deleting the gateway, re-adding it will only offer a new dynamic gateway. The box to choose static or dynamic is hidden behind the yes/no create prompt.

The solution is that you HAVE to edit your XML configuration file and remove the local network from the ConnectionsToLocalNetwork section, and import this change, to make sure there’s only one local network attached to the VPN. Then you can delete the gateway and add a new static gateway.
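A worked example of that XML edit, added here rather than taken from the original post. It uses a constructed export in the classic NetworkConfiguration schema (the one `Get-AzureVNetConfig -ExportToFile` produces and `Set-AzureVNetConfig -ConfigurationPath` imports) with two local networks attached to the gateway, removes one `LocalNetworkSiteRef` from `ConnectionsToLocalNetwork`, and checks the precondition the post describes: exactly one local network must be attached before the gateway is deleted and re-created as static. The VNet, local network and address values are invented for the example.

```python
import xml.etree.ElementTree as ET

# Namespace of the classic (Service Management) network configuration schema.
NS = "http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration"
ET.register_namespace("", NS)  # serialise with the default namespace, not an ns0: prefix


def _q(tag: str) -> str:
    """Qualify a tag name with the schema namespace for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


# Constructed sample export (not a real subscription's config). Two local
# networks are attached to the gateway, which is the state that pushes the
# portal into XML-only mode and hides the static/dynamic choice on re-create.
SAMPLE_CONFIG = """<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <LocalNetworkSites>
      <LocalNetworkSite name="Office-Draytek">
        <AddressSpace><AddressPrefix>192.168.1.0/24</AddressPrefix></AddressSpace>
        <VPNGatewayAddress>203.0.113.10</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="Lab-Cisco">
        <AddressSpace><AddressPrefix>192.168.2.0/24</AddressPrefix></AddressSpace>
        <VPNGatewayAddress>203.0.113.20</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="POC-VNet" Location="North Europe">
        <AddressSpace><AddressPrefix>10.10.0.0/16</AddressPrefix></AddressSpace>
        <Subnets>
          <Subnet name="Servers"><AddressPrefix>10.10.1.0/24</AddressPrefix></Subnet>
          <Subnet name="GatewaySubnet"><AddressPrefix>10.10.255.0/29</AddressPrefix></Subnet>
        </Subnets>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="Office-Draytek"><Connection type="IPsec" /></LocalNetworkSiteRef>
            <LocalNetworkSiteRef name="Lab-Cisco"><Connection type="IPsec" /></LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"""


def _connections(root, vnet_name):
    """Find the ConnectionsToLocalNetwork element of the named VNet (None if no gateway)."""
    for site in root.iter(_q("VirtualNetworkSite")):
        if site.get("name") == vnet_name:
            return site.find(f"{_q('Gateway')}/{_q('ConnectionsToLocalNetwork')}")
    raise KeyError(f"no VirtualNetworkSite named {vnet_name!r}")


def attached_local_networks(config_xml, vnet_name):
    """Names of the local network sites currently attached to the VNet's gateway."""
    conns = _connections(ET.fromstring(config_xml), vnet_name)
    if conns is None:
        return []
    return [ref.get("name") for ref in conns.findall(_q("LocalNetworkSiteRef"))]


def detach_local_network(config_xml, vnet_name, local_site_name):
    """Return the config with one LocalNetworkSiteRef removed from ConnectionsToLocalNetwork.

    The LocalNetworkSite definition itself is left in place so the site can be
    re-attached once the new gateway exists.
    """
    root = ET.fromstring(config_xml)
    conns = _connections(root, vnet_name)
    if conns is None:
        raise ValueError(f"{vnet_name!r} has no gateway connections to edit")
    for ref in conns.findall(_q("LocalNetworkSiteRef")):
        if ref.get("name") == local_site_name:
            conns.remove(ref)
            break
    else:
        raise ValueError(f"{local_site_name!r} is not attached to {vnet_name!r}")
    return ET.tostring(root, encoding="unicode")


def ready_for_static_gateway(config_xml, vnet_name):
    """The post's precondition: exactly one local network attached, so delete/re-create offers static."""
    return len(attached_local_networks(config_xml, vnet_name)) == 1


if __name__ == "__main__":
    print("attached before:", attached_local_networks(SAMPLE_CONFIG, "POC-VNet"))
    trimmed = detach_local_network(SAMPLE_CONFIG, "POC-VNet", "Lab-Cisco")
    print("attached after:", attached_local_networks(trimmed, "POC-VNet"))
    print("safe to delete and re-create as static:", ready_for_static_gateway(trimmed, "POC-VNet"))
```

Run `ready_for_static_gateway` against the exported file before importing it: if it is still False, the re-created gateway will come back dynamic. Note that ElementTree only emits namespace declarations that are actually used, so the `xmlns:xsi`/`xmlns:xsd` attributes some exports carry on the root are dropped; the import does not need them.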

Makes sense, but a prompt message or error about that would be useful.

As for the unexpected error uploading the XML? Beats me what the problem with that was. I went to lunch, came back and repeated my steps and it verified and uploaded without a problem. Let’s just put that one down to a glitch in the Matrix.



3 thoughts on “Can’t create a static gateway VPN on a Microsoft Azure virtual network”

  1. Hi Scuffy, is there any way round the issue of needing dynamic gateways for multiple site VPNs? I have a very similar scenario where I want multi site VPNs to on-prem but need to use static gateways. Any way of achieving this? Have been trying to think outside the box. It seems crazy that a £50 netgear can do 8x VPN tunnels but Azure can only do one. (& no I don’t want to change my bootiful Draytek 2860)

    1. I don’t think there is. We also had to change a router at a site because it didn’t support dynamic gateways and they wanted multi-point VPN to Azure.
