This video goes over how to deploy an Azure VNet Gateway on an existing VNet and enable Point-to-Site (P2S) VPN connections. A P2S connection allows clients to connect securely to an Azure Gateway and access resources on the private VNet. The video goes on to demonstrate how to create a root certificate and client certificates to use for authentication. Finally, it shows how to configure the VPN client and how to block a client by revoking its certificate.
The PowerShell commands referenced in the video are located below:
# Create the root certificate (self-signed; it signs the client certificates and its
# public data is uploaded to the VPN gateway as a trusted root)
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=WestP2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Create a client certificate signed by the root ($cert must still hold the root
# certificate object; the extension 1.3.6.1.5.5.7.3.2 is the client-authentication EKU)
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=WestP2SClientCert1" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
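As an added example (not the video's own commands), the follow-up script below reloads the root certificate from the certificate store in a fresh session, exports its public data as a single Base64 line for the portal's root-certificate field, issues one more client certificate signed by it, and records that client's thumbprint for later revocation. It assumes the root was created with Subject "CN=WestP2SRootCert" as above; the client name and output file paths are assumptions.

```powershell
# Added example, not part of the original post. Assumes the root certificate
# "CN=WestP2SRootCert" with its private key exists in Cert:\CurrentUser\My.
$rootSubject = "CN=WestP2SRootCert"

# Reload the root certificate object in a new PowerShell session. Re-running only the
# client-cert command with $cert unset is what yields "Cannot bind parameter 'Signer'".
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $rootSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "Root certificate '$rootSubject' with a private key was not found." }

# Export only the public portion as one Base64 line: no BEGIN/END header, no line
# breaks, no spaces. The portal's root-certificate field expects exactly this form.
$base64 = [Convert]::ToBase64String($cert.RawData)
Set-Content -Path "$env:USERPROFILE\WestP2SRootCert.b64" -Value $base64 -NoNewline

# Issue an additional client certificate signed by the root, one subject per user or
# device, so that a single client can be revoked without affecting the others.
$clientName = "WestP2SClientCert2"   # assumed name for the new client
$client = New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# Keep an inventory of client thumbprints: the thumbprint is the value added to the
# gateway's revoked-certificates list when that client has to be blocked.
"{0}`t{1}" -f $client.Thumbprint, $clientName |
    Add-Content -Path "$env:USERPROFILE\p2s-clients.tsv"
```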
6 thoughts on “Azure Point-to-Site VPN with Certificate Based Authentication”
Is it possible to use a public CA certificate for this?
Yes.
I need to create more P2SChildCerts, but I get this error:
New-SelfSignedCertificate : Cannot bind parameter 'Signer' to the target. Exception setting "Signer": "Value cannot be
null.
Parameter name: Signer"
At line:6 char:9
+     -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
+     ~~~~~
    + CategoryInfo          : WriteError: (:) [New-SelfSignedCertificate], ParameterBindingException
    + FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCommand
Excellent tutorial! Thank you! To make future ones even better, I’d suggest adding a brief “why are we doing this” before each step.
One gotcha that I hit: pasting the public cert into the portal was including a space character, and the portal does not ignore them as it “should”. I suspect my use of NotePad2 was the issue. The result was failure to connect, error 0x8007274c. Re-pasting with no spaces solved it.
Excellent! Thank you very much!
The Basic SKU is no longer available via the portal. You need to use Azure PowerShell to get the Basic SKU. If you want to stick to the portal, pay attention to pricing if you choose the VpnGw1 SKU! And if you do go with that SKU, you will want Tunnel Type set to “SSTP (SSL)” and Authentication Type to “Azure certificate” for the VPN client download to work as shown in the video.
https://learn.microsoft.com/en-us/azure/vpn-gateway/about-gateway-skus
https://learn.microsoft.com/en-us/azure/vpn-gateway/create-gateway-basic-sku-powershell