If your project requires a multi-site VPN, the important column to review here is Route-based: in short, if you want to terminate multiple VPNs into a single vNet, your VPN device must support Route-based.
This is somewhat confusing, as Route-based also means Dynamic Routing:
· Static Routing = Policy-based
· Dynamic Routing = Route-based
The difference between the two is that a policy-based VPN encapsulates and encrypts traffic and then forwards it out a specific interface according to an Access Control List. A route-based VPN, on the other hand, forms a dedicated tunnel with a neighbouring VPN device and forwards all of the traffic across this tunnel.
The Microsoft documentation for creating a multi-site VPN states that the Azure vNet Gateway must be created as a Dynamic Routing gateway, or in other words a Route-based gateway.
This is to allow multiple VPN connections to be terminated into the vNet. If you are using the Cisco ASA, for example, this will not work: if you check the supported devices list above, the Cisco ASA does not support Route-based. In reality, if your vNet gateway is configured to use Dynamic Routing and you try to connect it to a Cisco ASA, it simply does not work.
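For reference, this is what the gateway shape the Microsoft documentation prescribes looks like when built with the AzureRM PowerShell module of the period: one Route-based (Dynamic Routing) gateway with two site connections terminating on it. This is an added example, not code from the original post; the resource group, region, resource names, address ranges and pre-shared keys are placeholders, and the vNet with its GatewaySubnet is assumed to exist already.

```powershell
# Added example (not from the original post): the gateway shape the Microsoft
# documentation requires for multi-site VPN, built with the AzureRM PowerShell
# module. Resource group, region, names, address ranges and the shared keys are
# placeholders to substitute for your own environment.
$rg       = 'rg-vpn-example'
$location = 'West Europe'

# Public IP and GatewaySubnet for the vNet gateway (the vNet and its
# GatewaySubnet are assumed to exist already).
$gwpip  = New-AzureRmPublicIpAddress -Name 'vnet-gw-pip' -ResourceGroupName $rg `
            -Location $location -AllocationMethod Dynamic
$vnet   = Get-AzureRmVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name 'vnet-gw-ipconf' `
            -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

# The decisive setting: -VpnType RouteBased is the "Dynamic Routing" gateway.
# A PolicyBased gateway accepts a single site-to-site connection only, so the
# second connection below would be rejected on it.
$gw = New-AzureRmVirtualNetworkGateway -Name 'vnet-gw' -ResourceGroupName $rg `
        -Location $location -IpConfigurations $ipconf `
        -GatewayType Vpn -VpnType RouteBased -GatewaySku Standard

# One local network gateway per on-premises site: the device's public IP and
# the address ranges reachable behind it. Each on-premises device must be one
# of the route-based models in the supported list discussed on this page.
$site1 = New-AzureRmLocalNetworkGateway -Name 'site1' -ResourceGroupName $rg `
           -Location $location -GatewayIpAddress '203.0.113.10' -AddressPrefix '10.1.0.0/16'
$site2 = New-AzureRmLocalNetworkGateway -Name 'site2' -ResourceGroupName $rg `
           -Location $location -GatewayIpAddress '198.51.100.20' -AddressPrefix '10.2.0.0/16'

# Two IPsec connections terminating on the same route-based gateway. Use a
# separate, strong pre-shared key per site rather than one key shared by all.
New-AzureRmVirtualNetworkGatewayConnection -Name 'vnet-gw-to-site1' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $site1 `
    -ConnectionType IPsec -SharedKey '<site1-psk>'
New-AzureRmVirtualNetworkGatewayConnection -Name 'vnet-gw-to-site2' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $site2 `
    -ConnectionType IPsec -SharedKey '<site2-psk>'
```

Swapping `-VpnType RouteBased` for `PolicyBased` is the configuration that limits you to a single site, which is why the ASA-only topology described above cannot be made to work this way.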
In short, this means that if you have two sites with Cisco ASAs you cannot create a multi-site VPN to Azure. There is a very small amount of hardware supported by Microsoft for such a topology.
Unless you are running one of the following devices, you basically can't do multi-site VPN to Azure (these are the only supported devices for multi-site VPN):
· Checkpoint Security Gateway
· Cisco ISR, ASR
· Dell SonicWALL
· Fortinet
· Juniper SRX, J-Series, ISG, SSG
· Windows RRAS
The “work around” that doesn’t work
There are a number of forums on the Internet listing this exact problem with ASAs, Palo Altos etc., and some people claim the ingenious workaround is to:
· Create two separate vNets (one for each site you want a VPN from)
· Create a VPN from each of the sites, terminating into its own vNet
· Create a vNet-to-vNet VPN between the two separate vNets
I must admit, before I did some research on this I did think this could be an option, but again, if you review some of the Azure documentation you will notice that for any vNet-to-vNet VPN you must also create your Gateway using Dynamic Routing.
The bottom line
In summary, as of January 2016, if you are running a Brocade, Citrix, Palo Alto, WatchGuard, F5, Barracuda or Cisco ASA firewall, you cannot create a multi-site VPN to an Azure vNet.