Does anyone have an up-to-date guide to connect RouterOS to an Azure VPN? My client’s router is running 6.45.3, and I could only find documentation for older versions. I’ve done it before, but it’s been long enough that I can’t remember how, and there have been a few changes in RouterOS.
You can follow this guide on how to create a Site-to-Site connection in the Azure portal - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
And here is my MikroTik configuration, including the full firewall configuration. Just replace your public IP addresses and subnets, and it should work -
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
name="Azure"
/ip ipsec peer
add address=<azure-public-ip> exchange-mode=ike2 local-address=<local-public-ip> \
name="Azure" profile="Azure"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=7h30m name=\
"Azure"
/ip firewall filter
add action=accept chain=input comment="Router fw input accept all active" \
connection-state=established,related,untracked
add action=accept chain=input comment="Azure access to router" \
dst-address=<mikrotik-ip> in-interface-list=WAN ipsec-policy=in,ipsec \
src-address=<azure-subnet>
add action=drop chain=input comment="Router fw input drop invalid" \
connection-state=invalid
add action=drop chain=input comment="Router fw input drop all not from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="Router fw IPsec in accept" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Router fw IPsec out accept" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
"Router fw forward fasttrack" connection-state=established,related
add action=accept chain=forward comment="Router fw forward accept all active" \
connection-state=established,related,untracked
add action=drop chain=forward comment="Router fw forward drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"Router fw forward drop all from WAN not dstnated" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment="Azure" dst-address=\
<azure-subnet> new-mss=1350 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=accept chain=srcnat comment="Azure" dst-address=\
<azure-subnet> src-address=<local-subnet>
add action=masquerade chain=srcnat comment="Router fw masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add peer="Azure" secret="SuperStrongPassword123"
/ip ipsec policy
add dst-address=<azure-subnet> peer="Azure" proposal=\
"Azure" sa-dst-address=<azure-public-ip> sa-src-address=\
<local-public-ip> src-address=<local-subnet> tunnel=yes
Thanks very much, that will serve to reduce my stress level today.
I have the same problem. I can ping from the VM on Azure, but I can’t ping from my local network to Azure.
Hello,
Also searching for useful documentation.
I have a slightly different setup: my local public IP is a dynamic address. Is it also possible to connect a site-to-site VPN with Azure?
Thanks
I’d probably suggest a different solution, like running CHR in Azure and using L2TP/IPsec rather than using Azure VPN Gateway.
I think Azure disables ICMP from memory - have you checked if other services are working despite ping not working?
Dear all,
I have exactly the same config, though I can access resources only one-way - from Azure to On-prem, for some reason I can’t access resources in opposite direction.
The tunnel is established, as I can see it, and all NSGs are open for incoming traffic.
Thus I’m a bit confused…
It won’t work nicely, and I’m not sure about any nice automation option.
I think Azure disables ICMP from memory - have you checked if other services are working despite ping not working?
Not sure if I’m missing something. I have the same problem, I can ping and SSH from a Linux VM on Azure to the local network, but I can not go the other way. I have tried ICMP (if Azure disables ICMP, that explains that), and SSH and RDP to the same Linux VM on Azure from multiple machines on my local network with no luck.
May I ask how this was solved (I don’t see a resolution, but I might be missing something)?
I have the same problem, any solution?
I just ran into some problems setting up a customer connection to their Azure environment and thought I would share the resolution. The errors we were receiving were “payload missing: ID_” and “TS_UNACCEPTABLE”, depending on which side was the initiator. The trick is enabling the “Use policy based traffic selector” option in the Azure VPN Connection Configuration, which is disabled by default. This tells Azure to populate the TS_R and TS_I policy-based traffic selector payloads. You just need to make sure your policies match up at that point, and you should be off to the races.
Unfortunately, because we can’t overload the policies and we don’t have VTI, we still can’t support failover between multiple remote IPsec peers like you can with most other platforms. Hopefully that will show up in ROS v7…
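As an added example (not from this thread or from MikroTik), the following script parses the `/ip ipsec policy` section of a RouterOS export like the one posted above and checks that every policy's src/dst pair corresponds to one of the (local network gateway prefix, VNet address space) pairs the Azure connection advertises, which is the "make sure your policies match up" step. The sample export, Azure prefixes and the assumption that Azure expects an exact selector pair per policy are constructed for this example.

```python
import ipaddress
import re
import shlex

def parse_policies(export_text):
    """Parse the `/ip ipsec policy` section of a RouterOS export into dicts.
    Trailing-backslash line continuations (as in RouterOS exports) are joined first."""
    text = re.sub(r"\\\n\s*", "", export_text)
    policies, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip ipsec policy" and line.startswith("add "):
            # shlex strips the quotes around values such as peer="Azure"
            policies.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return policies

def check_selectors(policies, local_prefixes, vnet_prefixes):
    """Each policy's src/dst must be an (on-prem prefix, VNet prefix) pair known to the
    Azure connection; anything else is a candidate cause of TS_UNACCEPTABLE."""
    local = {ipaddress.ip_network(p, strict=False) for p in local_prefixes}
    vnet = {ipaddress.ip_network(p, strict=False) for p in vnet_prefixes}
    problems = []
    for pol in policies:
        src = ipaddress.ip_network(pol.get("src-address", "0.0.0.0/0"), strict=False)
        dst = ipaddress.ip_network(pol.get("dst-address", "0.0.0.0/0"), strict=False)
        if pol.get("tunnel") != "yes":
            problems.append(f"{src}->{dst}: not tunnel mode")
        if src not in local or dst not in vnet:
            problems.append(f"{src}->{dst}: selector pair not in Azure local/VNet address spaces")
    return not problems, problems

# Constructed sample: same shape as the thread's policy block, with documentation addresses.
SAMPLE_EXPORT = """\
/ip ipsec policy
add dst-address=10.1.0.0/16 peer="Azure" proposal=\\
    "Azure" sa-dst-address=203.0.113.10 sa-src-address=\\
    198.51.100.20 src-address=192.168.10.0/24 tunnel=yes
add dst-address=10.2.0.0/16 peer="Azure" proposal="Azure" \\
    sa-dst-address=203.0.113.10 sa-src-address=198.51.100.20 \\
    src-address=192.168.10.0/24 tunnel=yes
"""

def run_check():
    # Azure side (constructed): one local network gateway prefix and one VNet address space.
    return check_selectors(parse_policies(SAMPLE_EXPORT), ["192.168.10.0/24"], ["10.1.0.0/16"])
```

The second policy targets 10.2.0.0/16, which the constructed Azure side does not advertise, so the check flags it; adding that prefix to the VNet list (or removing the policy) clears it.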
Can’t seem to get this to work.
Trying this from vWAN, but also tried one of the newer gateway SKUs. Only the old Gen1 VPN seems to work, but that is not supported by vWAN.
Filled in the ranges (local/remote), but no phase 2 for either responder or initiator. Traffic selector is enabled, same as “use policy based traffic selector”.
Crypto is set to AES256/DHGroup14, and modp2048 on the MikroTik side.
What am I missing?