Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum

Cross subscription connectivity


Hi,

As an EA (Enterprise Agreement) customer, currently I have deployed many virtual machines using multiple subscriptions (managed by multiple Azure accounts associated with my EA company account).

For some subscriptions I had a virtual network VPN (cross-premises) configured in order to consume some on-premises services/data.

I'm looking for a way to provide connectivity between 2 Azure subscriptions, in order to optimize some on-premises access (meaning that I would like to have some "Shared Services"-like subscriptions).

Is there any way to do that?

Currently the Virtual Network feature is associated directly with a subscription, which prevents it from being used / associated with virtual machines of other subscriptions.

Is there any way to do that using Azure features/configs?

Thanks and Best Regards

Helio Sa Moreira


I need to create a cloud network to deploy AD


1. So the need to do that stems from my first DC to have a static IP address; default VM is a part of a subnet, which seems to have a router, when I drop static IP on the machine, I lose it (Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -IPAddress 192.168.4.7 | Update-AzureVM). How do these boxes see each other in a custom subnet? Are there switches? Can these subnets get routers? If not, how do I access them without inbuilt VPN?

2. I learned my networking via CISCO; if I pick 192.168.1.0/26 network, for example, I get 4 subnets, each having 63 addresses, 62 are usable, as 63 is a broadcast and 62 is usually a default gateway. When I do the same in Azure, I get 59 available addresses; please specify what those are, and what happened to the 3 missing addresses. Also, provide guide info on your highly custom networking, unless you are sticking to the norm.

Azure ExpressRoute module not installed


Hi,

I am running through the “Configure and ExpressRoute Connection through an Exchange Provider” on MSDN, http://msdn.microsoft.com/en-US/library/azure/dn606306.aspx and things do not seem right.

The documentation refers to downloading the Azure PowerShell modules here, http://go.microsoft.com/fwlink/p/?LinkID=320376, and it appears that the installer WindowsAzurePowerShell.3f.3f.3fnew.exe does not contain the Azure ExpressRoute PowerShell modules referred to in step 1 of the procedure.

C:\Program Files (x86)\Microsoft SDKs\Windows Azure\PowerShell\Azure\Expressroute.psd1

The other Azure module referenced is also not installed,

C:\Program Files (x86)\Microsoft SDKs\Windows Azure\PowerShell\Azure\Azure.psd1

Is there something that I am missing?

When I was a member of the preview program, the 0.72 version of the Azure PowerShell modules that Ganesh gave me had the ExpressRoute module (v1.0).

The new version of the Azure PowerShell modules downloaded from MSDN is 0.82 and has no ExpressRoute module.

Any ideas would be appreciated.

Thanks,
Mark

Cannot Get Azure Site to Site VPN Connected using Cisco 881


I am having problems getting a site to site VPN setup using the Microsoft script.

My config is as follows:

version 15.2
!
crypto ikev2 proposal azure-proposal 
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy azure-policy 
 proposal azure-proposal
!
crypto ikev2 keyring azure-keyring
 peer 137.135.246.42
  address 137.135.246.42
  pre-shared-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
crypto ikev2 profile azure-profile
 match address local interface Loopback2
 match identity remote address 137.135.246.42 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local azure-keyring
!
crypto isakmp policy 5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxx address 0.0.0.0        
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac 
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac 
!
!
crypto ipsec profile dmvpnprof
 set transform-set dmvpnset 
!
crypto ipsec profile vti
 set transform-set azure-ipsec-proposal-set 
 set ikev2-profile azure-profile
!
interface Loopback0
 ip address x.y.z.211 255.255.255.255 secondary
 ip address x.y.z.212 255.255.255.255 secondary
 ip address x.y.z.213 255.255.255.255 secondary
 ip address x.y.z.214 255.255.255.255 secondary
 ip address x.y.z.215 255.255.255.255 secondary
 ip address x.y.z.216 255.255.255.255 secondary
 ip address x.y.z.217 255.255.255.255 secondary
 ip address x.y.z.218 255.255.255.255 secondary
 ip address x.y.z.219 255.255.255.255 secondary
 ip address x.y.z.220 255.255.255.255 secondary
 ip address x.y.z.209 255.255.255.255
 ip mtu 1492
 ip tcp adjust-mss 1452
!
interface Loopback1
 ip address 172.30.2.1 255.255.255.0
 ip mtu 1416
 ip nat inside
 ip virtual-reassembly in
!
interface Loopback2
 description Source for Azure Tunnel
 ip address x.y.z.221 255.255.255.255
 ip mtu 1492
 ip tcp adjust-mss 1452
!
interface Loopback3
 description Source for DMVPN Tunnel
 ip address x.y.z.222 255.255.255.255
 ip mtu 1492
 ip tcp adjust-mss 1452
!
interface Tunnel0
 description DMVPN
 bandwidth 1000
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1388
 ip nhrp authentication xxxxxxxxxxxxxx
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 w.x.y.z
 ip nhrp map multicast w.x.y.z
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.1
 ip ospf network broadcast
 ip ospf priority 0
 delay 1000
 tunnel source Loopback3
 tunnel mode gre multipoint
 tunnel key 666
 tunnel protection ipsec profile dmvpnprof
!
interface Tunnel1
 ip address 169.254.0.1 255.255.255.0
 ip tcp adjust-mss 1350
 tunnel source Loopback2
 tunnel mode ipsec ipv4
 tunnel destination 137.135.246.42
 tunnel protection ipsec profile vti
!
interface FastEthernet0
 xxxxxxxxxxxxxxxxxxxxxxxxxxx
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description PPPOE 
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 no ip address
!
interface Vlan10
 xxxxxxxxxxxxxxxxxxxxxxxxx
!
interface Vlan11
 xxxxxxxxxxxxxxxxxxxxxxxxx
!
interface Vlan12
 xxxxxxxxxxxxxxxxxxxxxxxxx
!
interface Dialer0
 ip unnumbered Loopback0
 ip access-group InternetIn in
 ip mtu 1492
 ip nat outside
 ip inspect InternetIn2Out out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.10.0.0 255.255.0.0 Tunnel1
!
ip access-list extended InternetIn
 remark Traffic allowed to enter the router from the Internet
 remark DMVPN
 permit udp any host x.y.z.222 eq isakmp
 permit esp any host x.y.z.222
 permit gre any host x.y.z.222
 remark Azure IPSEC 
 permit udp any host x.y.z.221 eq isakmp
 permit udp any host x.y.z.221 eq non500-isakmp
 permit udp any host x.y.z.221 eq 1701
 permit esp any host x.y.z.221
 permit gre any host x.y.z.221
 deny   ip any any log
!

The output of debug crypto ipsec and debug crypto ikev2 is as follows:

r0#debug crypto ipsec
Crypto IPSEC debugging is on
r0#debug crypto ikev2 
IKEv2 default debugging is on
r0#term mon 
r0#conf t 
Enter configuration commands, one per line.  End with CNTL/Z.
r0-scedu(config)#  int tun 1
r0-scedu(config-if)#    shut
r0-scedu(config-if)#    no shut
r0-scedu(config-if)#  exit
r0-scedu(config)#exit 
May 26 18:35:13.060: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 26 18:35:13.060: IPSEC(crypto_ipsec_kmi_process_message): Invalid KMI msg id: 2
May 26 18:35:13.060: IPSEC(key_engine): failed to process KMI message 2
May 26 18:35:13.084: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.084: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.084: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.084: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
May 26 18:35:13.088: IPSEC(recalculate_mtu): reset sadb_root 88CC197C mtu to 1500
May 26 18:35:13.088: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= x.y.z.221:500, remote= 137.135.246.42:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
May 26 18:35:13.088: IPSEC(recalculate_mtu): reset sadb_root 88CC197C mtu to 1492
May 26 18:35:13.088: IPSEC(adjust_mtu): adjusting ident ip mtu from 1500 to 1492,
  (identity) local= x.y.z.221:0, remote= 137.135.246.42:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 26 18:35:13.088: IPSEC(adjust_mtu): adjusting path mtu from 1500 to 1492,
  (identity) local= x.y.z.221:0, remote= 137.135.246.42:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 26 18:35:13.092: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.092: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.092: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.092: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.092: IKEv2:% Getting preshared key from profile keyring azure-keyring
May 26 18:35:13.092: IKEv2:% Matched peer block '137.135.246.42'
May 26 18:35:13.092: IKEv2:Searching Policy with fvrf 0, local address x.y.z.221
May 26 18:35:13.092: IKEv2:Found Policy 'azure-policy'
May 26 18:35:13.092: IKEv2:SA is already in negotiation, hence not negotiating again
May 26 18:35:26.465: IKEv2:(SA ID = 1):Retransmitting packet 

May 26 18:35:26.465: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : 684E76D76792ACC4 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 
May 26 18:35:31.225: IKEv2:(SA ID = 1):Maximum number of retransmissions reached

May 26 18:35:31.225: IKEv2:(SA ID = 1):
May 26 18:35:31.225: IKEv2:(SA ID = 1):Failed SA init exchange
May 26 18:35:31.225: IKEv2:(SA ID = 1):Initial exchange failed

May 26 18:35:31.225: IKEv2:(SA ID = 1):Initial exchange failed
May 26 18:35:31.225: IKEv2:(SA ID = 1):Abort exchange
May 26 18:35:31.225: IKEv2:(SA ID = 1):Deleting SA
May 26 18:35:43.089: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= x.y.z.221:0, remote= 137.135.246.42:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 26 18:35:43.089: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= x.y.z.221:500, remote= 137.135.246.42:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
May 26 18:35:43.089: IKEv2:% Getting preshared key from profile keyring azure-keyring
May 26 18:35:43.089: IKEv2:% Matched peer block '137.135.246.42'
May 26 18:35:43.089: IKEv2:Searching Policy with fvrf 0, local address x.y.z.221
May 26 18:35:43.089: IKEv2:Found Policy 'azure-policy'
May 26 18:35:43.089: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
May 26 18:35:43.089: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
May 26 18:35:43.089: IKEv2:(SA ID = 1):Request queued for computation of DH key
May 26 18:35:43.089: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
May 26 18:35:43.089: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
May 26 18:35:43.089: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 6
   AES-CBC   AES-CBC   3DES   SHA1   SHA96   DH_GROUP_1024_MODP/Group 2 

May 26 18:35:43.093: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

May 26 18:35:43.093: IKEv2:(SA ID = 1):Insert SA
May 26 18:35:44.909: IKEv2:(SA ID = 1):Retransmitting packet 

May 26 18:35:44.909: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

May 26 18:35:48.697: IKEv2:(SA ID = 1):Retransmitting packet 

May 26 18:35:48.697: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

May 26 18:35:55.969: IKEv2:(SA ID = 1):Retransmitting packet 

May 26 18:35:55.969: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

May 26 18:36:11.702: IKEv2:(SA ID = 1):Retransmitting packet 

May 26 18:36:11.702: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

May 26 18:36:13.090: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= x.y.z.221:0, remote= 137.135.246.42:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 26 18:36:26.262: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= x.y.z.221:500, remote= 137.135.246.42:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
May 26 18:36:26.266: IKEv2:% Getting preshared key from profile keyring azure-keyring
May 26 18:36:26.266: IKEv2:% Matched peer block '137.135.246.42'
May 26 18:36:26.266: IKEv2:Searching Policy with fvrf 0, local address x.y.z.221
May 26 18:36:26.266: IKEv2:Found Policy 'azure-policy'
May 26 18:36:26.266: IKEv2:SA is already in negotiation, hence not negotiating again
r0-scedu#
May 26 18:36:27.914: %SYS-5-CONFIG_I: Configured from console by Ross.Mason on vty0 (10.66.0.33)
May 26 18:36:43.103: IKEv2:(SA ID = 1):Retransmitting packet 

May 26 18:36:43.103: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

May 26 18:36:45.611: IPSEC(key_engine): got a queue event with 1 KMI message(s)


We do have a Dynamic Multi Point VPN running on the device but I have removed the config for this and the Azure Tunnel still won't connect.

Can someone help with the debug and give me some pointers?




Losing DNS settings after reboot


Hi

After rebooting a VM the DNS settings in the network card reset back to automatic.

My VMs are in a virtual network with an AD server.

IP addresses are DHCP enabled, but DNS settings should be static with the DC server IP.

 




Can not connect to SQL server in Azure VM.


I have created a virtual network in Azure using 2 virtual machines. For one server (VM1) I have installed SQL Server 2008 and for the other server (VM2) I only installed Management Studio. I have set up the firewall rule correctly, and after that I was able to connect to SQL Server (which is installed on VM1) using Management Studio. So everything was fine. After that, to save cost, I shut down the VMs (here I shut down the service to deallocate the resources). The next day I started the VMs again and tried to connect to SQL Server, and it failed. But I was able to connect to SQL Server if I used the IP address of the VM1 server. But in this scenario I need to connect to SQL Server using the server name.

Please help me on this.

Thanks,

Erandika.


Cannot browse the website which has the same domain name as the DC domain

I have seen several other posts concerning this and went through all the suggestions. However I am still having an issue. The internal domain has 3 domain controllers. In DNS there is a record for www pointing to the appropriate IP address to the web host. When www.DOMAINNAME.com is put into the browser, the WWW gets stripped to just DOMAINNAME.com and then it goes to their Exchange server with a 403 error. If I do a PING or NSLOOKUP on any computer the correct information is returned. I am not sure what is stripping the www off of the URL and am sure once I correct this I will be home free. Any advice? Thanks in advance.

Anyone experience network connectivity issues after Azure VM size change


We have a DNS server registered via the Azure portal along with a virtual network. VMs are joined to an Active Directory domain hosted in an Azure VM.

Recently we increased the VM size of one of our VMs from A3 to A4. After the reboot the IP, DNS, and gateway values were present and correct. Unfortunately we lost the ability to communicate with other VMs in the same Azure virtual network.

The other VMs were still able to communicate with each other, except for the VM that was resized.

Reverting back from A4 to A3, the network communication was restored. I reattempted the scale-up to A4 and the network communication was lost again. Reverting back from A4 to A3 restored the network communications.

I had scaled the same VM from A2 to A3 a few days prior without any issues.

Anyone out there with a similar experience?


Deployment error: ERROR_USER_NOT_ADMIN


Hi,

I have two Windows Server 2012 Datacenter R2 VMs set up on Windows Azure. Both of the VMs reside within the same cloud services and same Virtual Network. I did not set up Active Directory and the two VMs are working fine as workgroups.

Now I'm trying to deploy my application (.NET 4.5 MVC) through the VS 2012 publish GUI but I'm receiving the following message when I'm trying to validate the connection.

 Connected to '<sitename>.cloudapp.net' using the Web Deployment Agent Service, but could not authorize. Make sure you are an administrator on '<sitename>.cloudapp.net'.  Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_NOT_ADMIN. The remote server returned an error: (401) Unauthorized.

I used the built in administrator account as I don't have domain administrator account since I'm running the VMs as workgroups.

Note: I'm receiving the same error message from both VMs within the virtual network. However I got the deployment working for a VM which is outside of the Virtual Network.

I'm too tired of reading related posts and trying different things. I think I need help to resolve this matter.

Thanks in Advance!

connect to azure vpn internet stops on local machine


I have set up vNet/AG on Azure and installed the VPN client on my local machine.

When I connect to Azure VPN I can access Azure servers (RDP) and work on those.

But I lose internet on my local machine. I can't ping any site.

My internet IPv4 settings are all set to "Obtain Automatically".


Thanks Henry http://www.RedandBlueGraphics.com

Routing through from point to site, to site to site


I have two VNets (VNet1 / VNet2). VNet1 has client certificates installed and point to site configured.

So I have 

Home <--> Vnet1 <--> Vnet2 

I can RDP from home to Vnet1, and from Vnet1 to Vnet2, and from Vnet2 to Vnet1 

However I can't connect from home across Vnet1 to Vnet2 

I can understand why this might be by design. But I'm hoping I've either done something wrong, or $somethingelse 

I know I could create a point to site to Vnet2 - I'm just avoiding that at the moment. 

So, any thoughts? 

What are the settings for Dead Peer Detection on a Dynamic Gateway

We're currently working with a client to set up Site 2 Site VPN connections to a virtual network in Windows Azure using a dynamic gateway and have been asked the question "What is your setting for Dead Peer Detection - our logs are indicating that we are getting Dead Peer Detection failures which normally means it is turned off or the keepalives are out of sync". All we can find in the documentation is that "Dead Peer Detection" is supported, but no further information is given. Is it possible to get some information on how this is handled by the gateway?

downloaded VPN client configuration package fails to start


Hello,

I downloaded the VPN client configuration package locally on my client box. When I double click on it, it asks whether I want to install a vpn client then it launches some cmd window on the background which closes immediately and nothing else happens.

Can someone please explain what is wrong.

Thanks!

site-to-site VPN No Data-in


I created a site-to-site VPN connection between a local ASA (5512, OS 9.1) and Azure. It seems phase 1 and 2 are up but I can't ping from any side and the Azure portal shows 0 for data-in and some bytes for data-out.

I checked the article below for the same issue and checked what it suggests, but it seems fine on my end. I can't figure out what is wrong.

http://social.msdn.microsoft.com/Forums/windowsazure/en-US/a17ffd32-b712-46d5-90e5-6c4f470f36f6/virtual-network-no-data-in?forum=WAVirtualMachinesVirtualNetwork

Can anyone help on this?

<<<<related configuration on ASA>>>>>>
object-group network azure-networks
 network-object 10.1.2.0 255.255.255.0
object-group network onprem-networks
 network-object 172.18.100.0 255.255.255.0

access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
nat (INSIDE,OUTSIDE-MAIN) source static onprem-networks onprem-networks destination static azure-networks azure-networks
access-group azure-vpn-acl in interface OUTSIDE-MAIN

crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer xxx.xxx.xx.xxx
crypto map azure-crypto-map 10 set ikev1 transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface OUTSIDE-MAIN

crypto isakmp identity address
no crypto isakmp nat-traversal    ;tried with crypto isakmp nat-traversal as well but the same result.
crypto ikev1 enable OUTSIDE-MAIN
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

tunnel-group xxx.xxx.xx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xx.xxx ipsec-attributes
 ikev1 pre-shared-key *****

sysopt connection tcpmss 1350

<<<<<<<Azure network configuration>>>>>>>

<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="Azure Local DNs" IPAddress="10.1.2.4" />
      </DnsServers>
    </Dns>
    <LocalNetworkSites>
      <LocalNetworkSite name="Tishman_Local">
        <AddressSpace>
          <AddressPrefix>172.18.100.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>xx.xxx.xx.xxx</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="TishmanVN" AffinityGroup="TishmanAG">
        <AddressSpace>
          <AddressPrefix>10.1.2.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>10.1.2.0/25</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.1.2.128/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="Azure Local DNs" />
        </DnsServersRef>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="Tishman_Local">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>


Azure VPN + Slow file transfer performance to virtual machine


We have an active site-to-site vpn running with a VM deployed in the virtual network. We have a Juniper SRX240 on site providing the connectivity, this unit should be able to provide upwards of 250mbps of IPsec vpn throughput but we only seem to get about 24mbps max usually less during a file transfer from a server onsite to the azure server. The server is a large size VM.

Is there something we can do to achieve better performance?


If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer".




Virtual Network - will it allow Azure fileserver to used on-prem


I'm about ready to set up a virtual network in the Azure preview. An existing Azure VM running as fileserver is to be made available in the on-premise network. This is a windows AD network.

How simple is it to make the Azure fileserver appear to be a member server in the on-prem network once the virtual network is set up?

Do I need a replica AD DC in Azure?

Do I need to use ADFS and WAAD?

The scenario is going to remain simple. The only VM we plan to run in Azure is the single fileserver instance. No planned expansion to additional worker roles, more VMs, or even services tied together in Azure subnets. Just the one server that users should access in on-prem network.

Point-to-Site on Windows 8 Client connection Error 798


Hello,

Install Certificate and Client Package and when I try to connect it shows the following error

"A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798) For customised troubleshooting information for this connection"

I have checked both certs are installed under current user in both personal and trusted root, and have tried every resource we can.

We have successfully installed using same settings & process on Windows 7 without problem, the log file is as follows

******************************************************************
Operating System      : Windows NT 6.2 
Dialler Version        : 7.2.9200.16384
Connection Name       : Dxxxxxxxxx2
All Users/Single User : Single User
Start Date/Time       : 16/05/2013, 15:04:48
******************************************************************
Module Name, Time, Log ID, Log Item Name, Other Info
For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up
******************************************************************
[cmdial32]  15:04:48  22  Clear Log Event
[cmdial32]  15:04:51  04  Pre-Connect Event  ConnectionType = 1
[cmdial32]  15:04:51  06  Pre-Tunnel Event  UserName =  Domain =  DUNSetting = Dxxxxxxxxx2 Tunnel DeviceName =  TunnelAddress = azuregateway-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.cloudapp.net

How to configure Load Balancer to support Outbound initiated traffic?


Hello,

I have a client/server architecture where the server-farm lives behind the LB.

In this architecture, the client initiates communication, the load balancer establishes a route back to a particular VM and as long as the socket is active, the VM can exchange traffic back with the client.

But if the client sleeps for more than 4 minutes, the LB drops the route and now the VM can't talk back even if the VM knows the client's endpoint.

This model is based on UDP, where there are no sessions and keep alives, but it is not effective if the route is broken.

Q1) Can the VM initiate traffic and traverse the LB to a remote client? This is key to the architecture.

Q2) Is there a way to configure the LB not to drop the route, or at least to maintain it for a longer duration?

Hope Steve Espinosa gets a chance to see this post and reply with his advice.

Point-to-site VPN with Windows Phone?


Pardon me for being ignorant, but I am just a young developer playing around with stuff I do not necessarily fully understand. 

I am trying to set up a VPN using Windows Azure to have a way I can securely connect all my devices regardless of where they are. I already have the virtual network set up and the point-to-site configuration on my primary desktop to the virtual network. I know I saw that Windows Phone 8 was not on the list of supported OSes, but I was wondering if it is possible to connect a Windows Phone 8 device to this VPN? My phone is actually the Windows 8.1 preview if that matters.

Thanks.


Virtual Machine Migration


Hello everyone

I'm absolutely new to Windows Azure and loving every second of it. I'm trying to get a small infrastructure set up, and because I'm new to everything, I'm a bit lost.

I have two virtual machines created, one running IIS and my web page. I have the available ports opened through the firewall (both the load balancer/endpoint and the host firewall). But in my research, to get these two virtual machines to talk to each other, they needed to be provisioned on the same network. Now, they're presently on different networks (one has an address of 100.75.86.41 and the other 100.74.220.51), but I want them (and the future machines) to be able to talk to each other (reasons being Internal DNS/Active Directory/Exchange, etc.).

How can I do that?

Thanks!
