aneroid
just joined
Topic Author
Posts: 9
Joined: Fri Dec 30, 2016 1:07 pm

Site2Site VPN with Azure crap

Fri Dec 30, 2016 1:30 pm

Hello everyone,

Working with MT for a couple of years, every time solved an issue by myself, after hours/days, but solved ... but right now, it's like a nightmare.
One of our customers started with Azure and needs to create site-to-site vpn to that MS crap.

Device: RB750GL - v6.38rc51

I've tried several different solutions, found here on forum in IKEv2 topic, on other webpages, google.it etc.
I always failed with this in log:
Image

I've created a new topic because I don't want to blame IKEv2 :) I just want to ask some good people to share their working configuration with Azure.
It could also help someone in the same situation as me; it is hard to find a working cfg with the current rc of MT and "current version" of Azure.

Feel free to ask for any other required cfg, if needed.
Thank you for your help.
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Site2Site VPN with Azure crap

Fri Dec 30, 2016 2:13 pm

Install rc52 and post a full ipsec log.
 
irico
newbie
Posts: 47
Joined: Thu Nov 10, 2016 5:35 pm

Re: Site2Site VPN with Azure crap

Fri Dec 30, 2016 3:05 pm

Try this config with latest RC:
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1h name=Azure \
    pfs-group=none
/ip ipsec peer
add address={AZURE_IP/32} dpd-interval=disable-dpd enc-algorithm=\
    aes-256,3des exchange-mode=ike2 local-address={LOCAL_IP} \
    secret={SECRET}
/ip ipsec policy
add dst-address={AZURE_SUBNET} proposal=Azure sa-dst-address={AZURE_IP} \
    sa-src-address={LOCAL_IP} src-address={LOCAL_SUBNET} tunnel=yes
On Azure, you need RouteBased VPN to use ike2
 
aneroid
just joined
Topic Author
Posts: 9
Joined: Fri Dec 30, 2016 1:07 pm

Re: Site2Site VPN with Azure crap

Fri Dec 30, 2016 5:00 pm

Updated to rc52.
I found something strange ... on the local site, I have the 192.168.254.0/27 range.
Everywhere in Azure and also in the MT IPsec configuration, I set up 192.168.254.0/27

In the logs, I've found this kind of error:
my vs peer's selectors:
192.168.254.0/27 vs 192.168.254.0/24
and it fails.
So I changed MT IPsec policy configuration to 192.168.254.0/24 and it looks ok now. Status in Azure is Connected.

How to manage routing now? Static ranges routing via AzureIP in MT? And what about azure site routing??
Thank you
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Site2Site VPN with Azure crap

Fri Dec 30, 2016 5:09 pm

Recheck if /27 is actually set on Azure. If it is, provide the ipsec logs as requested previously.
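
Added example, not part of any post in this thread: a small Python check that pulls the "my vs peer's selectors" pairs out of an IPsec log and classifies each mismatch, so a /27 versus /24 disagreement like the one above is spotted before the local policy is widened to fit. Only the `192.168.254.0/27 vs 192.168.254.0/24` pair comes from the thread; the other log lines, the function names and the verdict labels are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample. Only the first pair is quoted in the thread; real
# RouterOS log lines also carry timestamps and topics, which the pattern skips.
SAMPLE_LOG = """\
my vs peer's selectors:
192.168.254.0/27 vs 192.168.254.0/24
my vs peer's selectors:
10.1.0.0/16 vs 10.1.0.0/16
"""

# "<local selector> vs <peer selector>", both as IPv4 CIDR
PAIR = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+)\s+vs\s+(\d+\.\d+\.\d+\.\d+/\d+)")


def classify(mine, peer):
    """Describe how the peer's selector relates to the local one."""
    a = ipaddress.ip_network(mine, strict=False)
    b = ipaddress.ip_network(peer, strict=False)
    if a == b:
        return "match"
    if a.subnet_of(b):
        # Peer proposes a larger range than the local policy. Widening the
        # local policy to fit makes the tunnel cover addresses outside the
        # intended subnet, so check the remote side's configuration first.
        return "peer-wider"
    if b.subnet_of(a):
        return "peer-narrower"
    return "disjoint"


def selector_report(log_text):
    """Return (mine, peer, verdict) for every selector pair in the log."""
    return [(m.group(1), m.group(2), classify(m.group(1), m.group(2)))
            for m in PAIR.finditer(log_text)]


if __name__ == "__main__":
    for mine, peer, verdict in selector_report(SAMPLE_LOG):
        print(f"{mine:>20} vs {peer:<20} {verdict}")
```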
