I have a feeling there's something about this I don't understand.
I have a working point-to-site VPN connection between my computer (using Windows' native rasphone component), and our Azure Virtual Network Gateway. The gateway uses a self-signed root certificate that I created, and my computer has a client certificate signed by the root which it uses to authenticate.
In the VPN configuration on my computer, I use the following destination address:
azuregateway-[GUID].vpn.azure.com
The problem is, occasionally there is cause to recreate the Azure VPN Gateway, which changes the above network address. This then requires me to change the destination address on all the VPN client machines. Instead, I thought it would be a clever idea to create a DNS entry that I could just point to the current gateway address. This way I could give the VPN client an unchanging address I control, and just update the DNS record if the gateway changes.
So, I created the subdomain azurevpngateway.[OurCompany].com, pointed it toward the gateway address, confirmed that it resolved to the correct IP, and then swapped out the destination address in the VPN configuration.
Since I'm posting here, needless to say, it didn't work. Connecting with SSTP gives this error:
The certificate's CN name does not match the passed value.
I discovered later that swapping out the azuregateway-[GUID].vpn.azure.com address for the IP address which it resolves to also gives that same error.
I'm not sure where the insistence on using that specific FQDN is coming from. It's not used anywhere in the creation of the self-signed root cert, or the subsequent child certs. No other certificates are manually installed on the client machines besides those. I tried creating a new root cert and including CN=azurevpngateway.[OurCompany].com in the subject, but the error persists.
Why does authentication only succeed when I use azuregateway-[GUID].vpn.azure.com? And how can I get it to work using the azurevpngateway.[OurCompany].com address?
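SSTP runs over TLS, and the client validates the server certificate the gateway presents against the destination string configured in the connection, not against the CNAME target or the IP that string resolves to; the self-signed root created for the gateway only authenticates clients and takes no part in that server-side name check. The following is an added example, not code from the post or from Azure: it implements RFC 6125-style DNS-ID matching plus a tiny CNAME-following resolver to show why the original azuregateway name passes while an alias or an IP literal produces a name-mismatch error. The wildcard SAN `*.vpn.azure.com`, the example.com zone, the all-zero GUID and the 203.0.113.10 address are constructed placeholders, not values from the page.

```python
import ipaddress

# Constructed assumption: the gateway presents a server certificate whose SAN
# covers the *.vpn.azure.com name space. The real SAN contents are not on the page.
GATEWAY_CERT_SANS = [("DNS", "*.vpn.azure.com")]

# Constructed DNS zone: the alias the post describes plus the gateway's own A
# record. The GUID and the IP are placeholders.
GATEWAY_FQDN = "azuregateway-00000000-0000-0000-0000-000000000000.vpn.azure.com"
DNS_RECORDS = {
    GATEWAY_FQDN: ("A", "203.0.113.10"),
    "azurevpngateway.example.com": ("CNAME", GATEWAY_FQDN),
}


def dns_name_matches(pattern: str, name: str) -> bool:
    """RFC 6125-style DNS-ID comparison: case-insensitive, the wildcard may
    only be the entire left-most label, and it matches exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n) or "" in n:
        return False
    if p[0] == "*":
        return p[1:] == n[1:]
    return p == n


def server_name_matches(sans, requested: str) -> bool:
    """Does the presented certificate cover the name or IP literal the client
    was configured to reach? IP literals only match IP-address SAN entries."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    for kind, value in sans:
        if kind == "IP" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
        if kind == "DNS" and ip is None and dns_name_matches(value, requested):
            return True
    return False


def resolve(records, name: str) -> str:
    """Follow CNAMEs down to an A record, as a resolver would."""
    seen = set()
    while True:
        key = name.lower().rstrip(".")
        if key in seen:
            raise ValueError(f"CNAME loop at {key}")
        seen.add(key)
        rtype, value = records[key]
        if rtype == "A":
            return value
        name = value


def check_connection(records, sans, destination: str) -> dict:
    """Simulate what the TLS client under SSTP does with the configured
    destination: resolve it to an IP for the TCP connection, but verify the
    server certificate against the destination string itself, never against
    the CNAME target or the resolved address."""
    try:
        ipaddress.ip_address(destination)
        resolved_ip = destination
    except ValueError:
        resolved_ip = resolve(records, destination)
    return {
        "destination": destination,
        "resolved_ip": resolved_ip,
        "name_checked": destination,
        "ok": server_name_matches(sans, destination),
    }


if __name__ == "__main__":
    for dest in (GATEWAY_FQDN, "azurevpngateway.example.com", "203.0.113.10"):
        r = check_connection(DNS_RECORDS, GATEWAY_CERT_SANS, dest)
        print(f"{dest} -> {r['resolved_ip']}  cert name match: {r['ok']}")
```

All three destinations reach the same IP, so the TCP connection succeeds in every case; only the certificate name comparison differs, and it is performed on the string the client was told to connect to. That is the check the "CN name does not match" error reports, which is why changing the customer root certificate's subject has no effect on it.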