Azure VPN in 6.34

I have followed the Microsoft Mikrotik<>Azure VPN howto and I can get to a point where Azure is showing that there is a connection established, but I cannot transfer data between them.

https://blogs.technet.microsoft.com/rharper/2012/11/14/creating-a-site-to-site-vpn-with-windows-azure-and-mikrotik-routeros/

However, the Peer configuration looks slightly different: I can't set the My ID setting, as I get back "Couldn't change IPsec Peer address id must be used in main mode".

I'm getting an error in the logs saying "Phase 1 negotiation failed due to time up", but Azure says the connection is up.

Also, my Installed SAs are showing Current Bytes outbound from the Mikrotik, but nothing shows inbound.

Has anyone managed to get this going with a newer OS version?

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=azure
/ip ipsec peer
add address=/32 enc-algorithm=aes-256,aes-128 nat-traversal=no secret=secret
/ip ipsec policy
add dst-address=192.168.8.0/24 sa-dst-address= sa-src-address= src-address=192.168.0.0/21 tunnel=yes

Tim

Boom... Got it (for me at least).

In my locked down firewall state I had to enter the following:

add action=accept chain=input comment="Allow - IPsec Allow in" in-interface=WAN-Interface log-prefix="" protocol=ipsec-esp src-address=

I already had port 500 open for other VPN services:

add action=accept chain=input comment="Allow - In - l2tp" dst-port=500,4500,1701,800 in-interface=ether1-WAN log-prefix="" protocol=udp

NOTE: Don't rely on ping as your test method. The Azure server I created has its firewall up and won't respond. mstsc/RDP was my test method (or use the cloudapp.net RDP and test ping the other way).
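To put the fix above in context, here is an added example of a complete RouterOS 6.x site-to-site IPsec configuration; it is not from the original posts or from the Microsoft howto. The symptom in the thread (Azure reports "connected", the installed SA counts outbound bytes but never inbound) is exactly what a missing ESP input rule produces: IKE on UDP 500/4500 is allowed, so phase 1 and phase 2 complete and SAs are installed on both sides, but every encrypted packet Azure sends is dropped by the input chain before the router can decapsulate it. The interface name ether1-WAN, the addresses 203.0.113.10 (router public IP), 198.51.100.20 (Azure gateway public IP), the subnets 192.168.0.0/21 and 192.168.8.0/24, and the pre-shared key are placeholders; the srcnat bypass rule is an assumption for routers that masquerade their LAN, which the thread does not mention.

```routeros
# Added example, not the original poster's config. Placeholders:
#   ether1-WAN      - internet-facing interface
#   203.0.113.10    - this router's public IP
#   198.51.100.20   - Azure VPN gateway public IP
#   192.168.0.0/21  - local LAN, 192.168.8.0/24 - Azure VNet
#   ChangeMe        - pre-shared key (assumed)

# 1. Let IKE (UDP 500, and 4500 for NAT-T) and ESP reach the router itself.
#    Restricting src-address to the Azure gateway keeps the rules from
#    exposing the IKE/ESP stack to the whole internet. These must sit
#    above any "drop everything else" rule in the input chain.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=198.51.100.20 in-interface=ether1-WAN \
    comment="IPsec IKE from Azure"
add chain=input action=accept protocol=ipsec-esp \
    src-address=198.51.100.20 in-interface=ether1-WAN \
    comment="IPsec ESP from Azure"

# 2. Assumed: if the router masquerades the LAN, keep tunnel traffic out of
#    srcnat. A rewritten source address no longer matches the IPsec policy
#    and the packet would leave the WAN unencrypted instead of via the tunnel.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.0.0/21 \
    dst-address=192.168.8.0/24 place-before=0 comment="IPsec bypass NAT"

# 3. Phase 2 proposal, phase 1 peer (main mode, PSK) and the policy that
#    selects LAN<->VNet traffic. proposal=azure on the policy ties the
#    named proposal to this tunnel instead of the default one.
/ip ipsec proposal
add name=azure auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h
/ip ipsec peer
add address=198.51.100.20/32 exchange-mode=main \
    enc-algorithm=aes-256,aes-128 hash-algorithm=sha1 \
    nat-traversal=no secret=ChangeMe
/ip ipsec policy
add src-address=192.168.0.0/21 dst-address=192.168.8.0/24 \
    sa-src-address=203.0.113.10 sa-dst-address=198.51.100.20 \
    tunnel=yes proposal=azure
```

To check that the input rules are doing their job, watch the counters rather than relying on ping from a firewalled VM: `/ip firewall filter print stats` should show the ESP rule's packet count climbing while a host on the Azure side sends traffic, and `/ip ipsec installed-sa print` should then show non-zero bytes on the inbound SA as well as the outbound one.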