Certificate error while setting up a P2S VPN connection to Azure

11:24 am in Azure, Cloud, VPN by Wim Matthyssen

While studying for Microsoft Exam 70-533 (Implementing Microsoft Azure Infrastructure Solutions) I ran into a problem while setting up a point-to-site (P2S) VPN connection to Azure. The problem was with the self-signed certificate.


In this blog post I will show you how to fix this and set up a working P2S VPN connection from your workstation to Azure.

Here are the requirements and some tips:

  • To set up the virtual network and the gateway I used the Azure Management Portal: https://manage.windowsazure.com
  • In this example the virtual network is named azurevnet with an address space of 10.0.0.0/20. It has three subnets: VM1 (10.0.0.0/24), VM2 (10.0.1.0/24) and Gateway (10.0.2.0/29).
  • GR-DC-01 is deployed from the Windows Server 2012 Datacenter OS image and connected to the VM1 subnet of the virtual network.
  • To create the self-signed root and client certificates I used makecert.exe, which is available if you have installed any version of Visual Studio. You can find it in C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin. For easy access I copied it to my C:\Tools folder, which is added to the PATH environment variable so the tool is available from any location. If you don’t have Visual Studio you can always install Visual Studio Express, which you can download here: https://www.visualstudio.com/en-us/products/visual-studio-express-vs.aspx
  • Microsoft recommends creating a separate client certificate for each client that is going to connect via P2S. When you do this and keep track of the certificates, it’s easy to invalidate a single client certificate when you need to revoke someone’s access.

1) To create the Root Certificate open a command prompt as administrator and run:

makecert -sky exchange -r -n "CN=AzureRootCert" -pe -a sha1 -len 2048 -ss My "AzureRootCert.cer"


In my example this command creates the root certificate file directly under the C: root.


2) As the next step, upload this self-signed root certificate to the Certificates section of the virtual network in Azure.


3) To create the Client Certificate open a command prompt as administrator and run:

makecert.exe -n "CN=AzureClientCert" -pe -sky exchange -m 96 -ss My -in "AzureRootCert" -is my -a sha1

This creates the client certificate and installs it on your local computer.


4) Now open Run, type mmc and add the “Certificates” snap-in for “My user account”.


5) Go to “Personal” > “Certificates” and check that both the client and the root certificate are present.

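The certificate part of the procedure (steps 1, 3 and 5) scripted end to end, as an added PowerShell example that is not code from the original post. It runs makecert.exe with the same switches as the two commands above, creates one client certificate per client as the tips recommend, records each client certificate's thumbprint, and checks programmatically that every client certificate chains to the root in the CurrentUser\My store instead of eyeballing it in mmc. It assumes makecert.exe is on the PATH (as with the C:\Tools setup above); the output folder and the client names are constructed values.

```powershell
# Added example, not code from the original post. Scripts steps 1, 3 and 5:
# root certificate, one client certificate per client, thumbprint inventory,
# and a chain check of every client certificate against the root.
# Assumptions: makecert.exe is on the PATH; $WorkDir and $Clients are constructed values.

$RootName = "AzureRootCert"                 # CN of the root, as in the post
$WorkDir  = "C:\Tools\P2S"                  # assumed output folder
$Clients  = @("AzureClientCert-alice", "AzureClientCert-bob")   # constructed; one cert per client

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function Get-UserCert([string]$CommonName) {
    # Newest certificate with this subject in the current user's Personal store
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq "CN=$CommonName" } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
}

# Step 1: self-signed root. The private key stays in CurrentUser\My; the public
# part goes to the .cer file that is uploaded to the virtual network in step 2.
if (-not (Get-UserCert $RootName)) {
    & makecert.exe -sky exchange -r -n "CN=$RootName" -pe -a sha1 -len 2048 -ss My "$WorkDir\$RootName.cer"
    if ($LASTEXITCODE -ne 0) { throw "makecert.exe failed while creating the root certificate" }
}
$root = Get-UserCert $RootName

# Step 3: one client certificate per client, signed by the root that makecert
# looks up by name in the My store (-in / -is), valid for 96 months as in the post.
foreach ($name in $Clients) {
    if (Get-UserCert $name) { continue }    # already issued, keep the existing one
    & makecert.exe -n "CN=$name" -pe -sky exchange -m 96 -ss My -in $RootName -is My -a sha1
    if ($LASTEXITCODE -ne 0) { throw "makecert.exe failed while creating the client certificate $name" }
}

# Step 5: build the chain for a client certificate. The root is self-signed and
# not in Trusted Root, so allow an unknown CA but require that the chain ends at
# exactly our root (compared by thumbprint), not just at any self-signed cert.
function Test-ChainsToRoot(
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$Root) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($Root) | Out-Null
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    if (-not $chain.Build($Cert)) { return $false }
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($top.Thumbprint -eq $Root.Thumbprint)
}

# Inventory: the thumbprint is what you need later to revoke a single client.
$inventory = foreach ($name in $Clients) {
    $c = Get-UserCert $name
    [pscustomobject]@{
        Client        = $name
        Thumbprint    = $c.Thumbprint
        NotAfter      = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey     # the VPN client on that machine needs the private key
        ChainsToRoot  = Test-ChainsToRoot -Cert $c -Root $root
    }
}

$inventory | Format-Table -AutoSize
$inventory | Export-Csv -Path "$WorkDir\p2s-clients.csv" -NoTypeInformation

$bad = $inventory | Where-Object { -not $_.ChainsToRoot -or -not $_.HasPrivateKey }
if ($bad) { throw "Unusable client certificates: $($bad.Client -join ', ')" }
```

Run it from an elevated PowerShell prompt, just like the command prompt used for the two makecert commands above. A client certificate that shows ChainsToRoot as False was not issued by the root you uploaded to Azure and will not authenticate, which is the kind of certificate mismatch this post is about; the CSV gives you the per-client thumbprint to keep for revocation.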

6) If so, we’re ready to install the client VPN package. To do this, go back to Azure and navigate to the dashboard of the virtual network. Under “Quick Glance” on the right side you can see that a 32-bit and a 64-bit Client VPN Package are available.


7) Download the appropriate package for your workstation and install it. It might be blocked because the file comes from a location outside your computer, but it’s safe to run it.

8) Now we’re ready to connect to Azure. Click the network icon in the system tray; you will see that you can select the azurevnet virtual network. Click it, then in the screen that opens click the azurevnet connection and choose “Connect” (this is for Windows 10 users).


9) A new dialog box should pop up where you need to press “Connect” again.


10) If all went well you are now connected to your Azure environment.


11) As you can see, I’m now able to RDP into my VM in the VM1 subnet via its dynamic IP address (DIP).


Hope it helps!

Wim Matthyssen (@wmatthyssen)