我们正在尝试在Azure上建立站点到站点VPN。问题在于,我们有一个较大的虚拟网络子网,即10.0.0.0/16,而VPN应该只能在该范围内访问10.0.1.0/24。我们已建立连接,但由于“流量选择器不匹配”而导致连接失败。
我通过PowerShell设置连接,如下所示:
$ResourceGroup = [SomeResourceGroup]
$Location = [SomeLocation]
$OnsitePublicIp = [onsite public ip]
$OnsiteSubnet = [onsite accessable subnet]
$LocalNetworkGatewayName = [SomeNetworkGatewayName]
$ConnectionName = [SomeConnectionName]
$AzureAddressRange = "10.0.1.0/24"
$VirtualNetworkGatewayName = [SomeVirtualNetworkGatewayName]
$IpSecPolicy = New-AzIpsecPolicy XXXXXXXXXXXXX
$LocalNetworkGateway = New-AzLocalNetworkGateway -Name $LocalNetworkGatewayName -ResourceGroupName $ResourceGroup -Location $Location -GatewayIpAddress $OnsitePublicIp -AddressPrefix $OnsiteSubnet
$IpsecTrafficSelectorPolicies = New-AzIpsecTrafficSelectorPolicy -LocalAddressRange $AzureAddressRange -RemoteAddressRange $OnsiteSubnet
$VirtualNetworkGateway = Get-AzVirtualNetworkGateway -Name $VirtualNetworkGatewayName -ResourceGroupName $ResourceGroup
New-AzVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroup -VirtualNetworkGateway1 $VirtualNetworkGateway -LocalNetworkGateway2 $LocalNetworkGateway -Location $Location -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $IpSecPolicy -SharedKey $SharedKey -TrafficSelectorPolicy $IpsecTrafficSelectorPolicies
连接仍然被拒绝,对连接进行故障排除后,我仍然看到整个范围。
Proposed Traffic Selector payload will be- [Tsid 4e4 , ]Number of TSIs 1: StartAddress 10.0.0.0 EndAddress 10.0.255.255 ......
我们在网关设备上有多种设置,它们可以按预期运行,但是由于“流量选择器不匹配”,因此无法使用。
流量选择器策略是否未将发布范围过滤到10.0.1.0到10.0.1.255?
我将很高兴为您解决此问题提供帮助。我完全错误地解决了这个问题吗?有更好的方法吗?