I want to use 2 on-prem MikroTik routers to connect to an Azure Virtual Network. To do so I need to choose a route-based VPN (attachment multiple-active-tunnels.png). It uses IKE2, which is good and works with MikroTik. I am also able to configure BGP so I get routes announced from Azure, and I can see them in the routing table (attachment routes.png).
Azure network: 10.1.0.0/16
On-prem network: 10.94.0.0/16
So until I manually add an IPsec policy, the traffic does not pass the VPN, so it is the same whether I use BGP or not: traffic passes only if I manually add an IPsec policy. I would like to know if I am doing something wrong or if MT simply does not support the so-called route-based s2s IPsec VPN. I saw that most next-gen FWs (Barracuda, PaloAlto …) support that, and there are also many tutorials that help with this implementation. I would really like to do it with MikroTik.
If memory serves me correctly, you need to actually build a tunnel interface (ipip, I think) for the route-based tunnel. If policy rules are working, you're likely falling back to a previously configured policy-based VPN with Azure.
It did work for me with Azure, with BGP. Because no VTI is supported in MikroTik, I used the policy 0.0.0.0/0 → 10.0.0.0/16 (Azure network). Once the BGP session is established you will be fine. I used 2 MikroTiks and BGP fails over fine. The Azure BGP peer must be defined as EBGP multihop (no interfaces directly connected).
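The approach the reply above describes, written out as a RouterOS v6 configuration. This is an added example, not configuration from anyone in this thread: a catch-all IPsec policy for the Azure address space (here the original poster's 10.1.0.0/16 rather than the reply's 10.0.0.0/16), an IKEv2 peer, and an eBGP multihop session so the routes learned from Azure steer traffic into the policy. All addresses in angle brackets, the profile/proposal names, the cipher choices and the hold time are assumptions; the Azure gateway address, BGP peer address, ASN and pre-shared key come from the Azure side of the connection. Excluding tunnel traffic from source NAT is a common requirement that the thread does not mention.

```routeros
# Added example (RouterOS v6 syntax); values in <...> are placeholders, not from the thread.

# IKEv2 phase 1: Azure VPN gateway public IP, PSK authentication.
/ip ipsec profile add name=azure-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 lifetime=8h
/ip ipsec peer add name=azure address=<AZURE_GW_PUBLIC_IP> exchange-mode=ike2 profile=azure-profile
/ip ipsec identity add peer=azure auth-method=pre-shared-key secret="<PSK_FROM_AZURE_CONNECTION>"

# Phase 2 proposal (algorithm choices are assumptions; match them to the Azure IPsec/IKE policy).
/ip ipsec proposal add name=azure-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=none lifetime=1h

# The "route-based" substitute the reply describes: one wide policy so that anything
# the routing table sends towards the Azure address space is encrypted, regardless of
# which BGP-learned prefix matched. The OP's Azure network is 10.1.0.0/16.
/ip ipsec policy add peer=azure tunnel=yes src-address=0.0.0.0/0 dst-address=10.1.0.0/16 \
    proposal=azure-proposal action=encrypt level=require

# Keep tunnel traffic out of source NAT (assumed masquerade rule on the WAN side exists).
/ip firewall nat add chain=srcnat ipsec-policy=out,ipsec action=accept place-before=0 \
    comment="bypass NAT for IPsec-policied traffic"

# eBGP to the Azure gateway's BGP peer address, which sits inside the Azure range and is
# reached through the tunnel, hence multihop (no directly connected interface).
/routing bgp instance set default as=<LOCAL_ASN> router-id=<LOCAL_ROUTER_ID>
/routing bgp peer add name=azure-bgp remote-address=<AZURE_BGP_PEER_IP> remote-as=<AZURE_ASN> \
    multihop=yes update-source=<LOCAL_BGP_SOURCE_IP> hold-time=30s

# Advertise the on-prem network (OP's 10.94.0.0/16) to Azure.
/routing bgp network add network=10.94.0.0/16

# The BGP peer address must itself be routable so the packet reaches the IPsec policy;
# a default route suffices, otherwise add a static /32 towards the WAN gateway.
/ip route add dst-address=<AZURE_BGP_PEER_IP>/32 gateway=<WAN_GATEWAY_IP>
```

After the session comes up, `/routing bgp advertisements print` and `/ip route print where bgp` show what is received from Azure, and `/ip ipsec installed-sa print` confirms the single policy is carrying the traffic. For the two-router failover the reply mentions, the second MikroTik repeats the same configuration against the second Azure tunnel endpoint; prefer AS-path prepending or local-preference on one side over identical metrics so the active path is deterministic.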