Azure – Route traffic between two Azure site-to-site VPN locations

Tags: azure, azure-networking, ipsec, site-to-site-vpn, ubiquiti-edgerouter

I have a single Azure virtual network gateway running the "Basic" VPN SKU (MainVGW) in "Route-based" mode in the Australia East region. MainVGW has two "Connections" (BR and MH) which are IPsec Site-to-Site VPN connections to two separate sites (SITE 1 and SITE 2). I then have a single VM (TestVM) running in the same region. Each remote site uses a Ubiquiti EdgeRouter which is configured to connect to its IPsec VPN and tunnel traffic across it using a VTI with static routes (BRrouter and MHrouter). Each site also has a PC connected to the router with an IP in the local range (BRtestPC and MHtestPC).

Here is the network layout

The VPN connections work well in the sense that from each site the test PC (BRtestPC or MHtestPC) can communicate with TestVM on Azure. However, I cannot communicate from BRtestPC to MHtestPC through the MainVGW, even though routers at each end have a separate static route to pass traffic through MainVGW to the other site. I also can't ping BRrouter from MHrouter or vice versa, although both can ping TestVM successfully.

The documentation I have read seems to indicate that this should work without any additional configuration. There is some information about what to do if running policy-based routing here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps, but again, this seems to indicate no additional information is required for route-based connections.

I think that the static routes are configured properly on my routers and feel like there must be a setting on the Azure side preventing traffic flow between IPsec Site-to-Site VPN connections that I'm somehow missing. Can anyone shed some light?

Thanks.

Best Answer

Next to using UDR, you can also use BGP on your VPN devices. This requires, however, that you use a VpnGw1 SKU or higher.
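As an added example of the BGP option (not part of the original answer, and not Ubiquiti's or Microsoft's own documentation), this is what the EdgeOS configuration on BRrouter from the question could look like once MainVGW has been redeployed as VpnGw1 with BGP enabled. All addresses and AS numbers are assumptions: Azure's gateway ASN 65515 (its default) with BGP peer address 10.0.255.30 inside the GatewaySubnet, SITE 1's LAN 10.1.0.0/24 behind BRrouter using private ASN 65010, and vti0 as the existing tunnel interface.

```edgeos
configure

# Assumed addresses (constructed for this example):
#   Azure VPN gateway BGP peer : 10.0.255.30  (ASN 65515)
#   SITE 1 LAN behind BRrouter : 10.1.0.0/24  (ASN 65010)
#   Tunnel interface           : vti0

# The Azure BGP peer lives inside the GatewaySubnet, so the router needs an
# explicit route to it over the tunnel before the session can be established.
set protocols static interface-route 10.0.255.30/32 next-hop-interface vti0

# BGP process for this site: peer with the Azure gateway across the VTI.
set protocols bgp 65010 parameters router-id 10.1.0.1
set protocols bgp 65010 neighbor 10.0.255.30 remote-as 65515
set protocols bgp 65010 neighbor 10.0.255.30 update-source vti0
# The peer is not on a directly connected subnet, so eBGP multihop is required.
set protocols bgp 65010 neighbor 10.0.255.30 ebgp-multihop 8
# Advertise only this site's LAN; Azure re-advertises it to the other site.
set protocols bgp 65010 network 10.1.0.0/24

commit
save
exit
```

MHrouter gets the mirror configuration with its own ASN and LAN prefix. On the Azure side each local network gateway must carry that site's ASN and BGP peer address, and BGP must be enabled on both connections, otherwise the gateway never exchanges routes with the EdgeRouters. After `commit`, `show ip bgp summary` should show the Azure neighbor in the Established state and `show ip route` should list the other site's LAN as a BGP-learned route; at that point the manual static route to the other site's LAN should be removed, since a static route would otherwise be preferred over the BGP-learned one and mask whether route exchange is actually working.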
