
Microsoft has a technology called "point to site" VPN. (reference1, reference2)

I have the following internal class "A" networks defined on premise:

  • 10.2.0.0/16
  • 10.4.0.0/16
  • 10.40.0.0/16
  • 10.20.0.0/16

I have the following Azure networks defined:

  • 10.201.0.0/16
  • 10.202.0.0/16
  • 10.203.0.0/16

I want to create a subnet for the exclusive use of Point to Site VPN

  • 10.200.0.0/16

When I do so in the portal, the VPN client will add a default route for 10.0.0.0/8. Microsoft's justification for this is in RFC1918, and they refuse to allow me to customize this route. In my opinion they clearly misunderstand that this RFC doesn't apply in this case.

When I change the netmask to 168.192.1.0 a Class B route is applied. This works, but it's annoying that I need to deviate from my numbering pattern because of Microsoft Support's misinterpretation of the RFC.


Their reply:

As specified by RFC 1918, the address space must be a private address range, specified in CIDR notation: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.

Note that the following routes will be added to the client, respectively, for directing traffic from the local machine to the virtual network: 10.0.0.0/255.0.0.0, 172.16.0.0/255.255.0.0, or 192.168.0.0/255.255.255.0. This means that, for example, you may not be able to contact other 10.0.0.0/8 addresses on your local subnet if you have specified 10.0.0.0/8 for your VPN client address space.

Any address space you choose that starts with 10.x.x.x will result in this problem (not just 10.0.0.0/8). The VPN client package will treat this VPN address space as a Class A (255.0.0.0 subnet mask) regardless of how you choose to define it in Azure (for example, 10.1.0.0/24).

So we always ask our customers to use a 192.168.0.0/X range when creating their P2S environment, and to make sure it doesn’t overlap with any subnet they may have on-premises (where their P2S clients are connecting from).

Question

  1. Am I wrong?
  2. Should Microsoft support a custom CIDR mask for the 10.x range?
  3. How can I persuade them otherwise?
makerofthings7
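A pre-deployment check of the behaviour the question and the support reply describe, written as an added example (it is not code from the question, from Azure, or from Microsoft): given a proposed Point-to-Site address space, it derives the route the client would install according to the reply's own mapping (any 10.x space becomes 10.0.0.0/8; the 172.16 and 192.168 masks are reproduced exactly as quoted) and lists which on-premises ranges from the question that route would shadow. The network lists are the ones in the question; the mapping table, the `assess` function and its result keys are assumptions of this example.

```python
import ipaddress

# On-premises and Azure ranges exactly as listed in the question.
ON_PREM = [ipaddress.ip_network(n) for n in
           ("10.2.0.0/16", "10.4.0.0/16", "10.40.0.0/16", "10.20.0.0/16")]
AZURE = [ipaddress.ip_network(n) for n in
         ("10.201.0.0/16", "10.202.0.0/16", "10.203.0.0/16")]

# Route the P2S client installs for each RFC 1918 block, reproduced from the
# support reply quoted in the question (10/8, 172.16/16, 192.168/24). These
# are the reply's figures (an assumption of this example), not a measurement
# of the client itself.
_CLIENT_ROUTES = {
    ipaddress.ip_network("10.0.0.0/8"): ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"): ipaddress.ip_network("172.16.0.0/16"),
    ipaddress.ip_network("192.168.0.0/16"): ipaddress.ip_network("192.168.0.0/24"),
}


def client_route(address_space):
    """Return the route the client would add for this address space."""
    space = ipaddress.ip_network(address_space)
    for block, route in _CLIENT_ROUTES.items():
        if space.subnet_of(block):
            return route
    # The reply says only RFC 1918 space is accepted by the portal.
    raise ValueError(f"{space} is not an RFC 1918 range")


def assess(address_space, on_prem=ON_PREM, azure=AZURE):
    """Summarise what the client-side route does to reachability.

    shadowed_on_prem: on-premises ranges the route would capture, i.e. hosts
    the client may no longer reach locally (the problem the reply warns about).
    route_covers_space: whether the installed route even contains the chosen
    address space; False means the reply's stated mask is too narrow for it.
    """
    space = ipaddress.ip_network(address_space)
    route = client_route(space)
    return {
        "address_space": str(space),
        "client_route": str(route),
        "route_covers_space": space.subnet_of(route),
        "shadowed_on_prem": [str(n) for n in on_prem if n.overlaps(route)],
        "azure_via_tunnel": [str(n) for n in azure if n.overlaps(route)],
    }


if __name__ == "__main__":
    for candidate in ("10.200.0.0/16", "192.168.1.0/24"):
        result = assess(candidate)
        print(f"{result['address_space']:>16} -> route {result['client_route']:<16}"
              f" shadows on-prem: {result['shadowed_on_prem'] or 'nothing'}")
```

For the 10.200.0.0/16 space from the question, the derived route is 10.0.0.0/8 and every one of the four on-premises /16s is shadowed, which is the breakage the reply describes. Running the 192.168 case against the reply's literal /24 mask shows that such a route would not even cover a 192.168.1.0/24 space, so the masks quoted for the non-10 blocks should be verified against the actual client rather than taken from the reply.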
  • Wow. Their use of Class A, B, C, etc is so outdated it's not even funny. Do they even CIDR? – Mark Henderson Dec 02 '16 at 16:05
  • `When I change the netmask to 168.192.1.0`... I guess you meant: "Change the network to 192.168.1.0/24"? – Tero Kilkanen Dec 02 '16 at 18:16
  • Your implication of "lol Microsoft do u even CIDR?" is somewhat undermined by your own use of the long-obsolete concept of classful addressing. – womble Oct 15 '19 at 02:00
  • @womble love the reality checks. This Q was written while working in a tenure bubble in a smaller company. Wish I had perspective earlier! – makerofthings7 Oct 15 '19 at 03:08

1 Answer

  1. No.
  2. Yes.
  3. If the product is flawed, debating with tech support won't help. For the time being, you will have to work within the limitations of their product, or find a different one. You're probably not going to get them to change it in a reasonable amount of time.
longneck