[Solved] Azure Site to Site IPSec tunnel not working

Hi guys,

First post, and only asking for help!!! Not the best way to enter here I guess!!!

I'm having problems with a RouterBOARD 2011.

I'm trying to create a site-to-site VPN connection to the Azure cloud, but after spending a lot of effort and time, I think I'm stuck :frowning:

RouterBOARD 2011UiAS
RouterOS 6.35

I've done a lot of searching on this forum and, to be honest, there is a lot of info that I think I've already followed. I've created the static VPN gateway on Azure to allow IKEv1, and entered the ranges on the cloud side.

Azure range : 2.1.0.0/16
Home lab : 1.1.0.0/16

/ip ipsec peer> print
Flags: X - disabled, D - dynamic
0 address=13.69.253.X/32 local-address=:: passive=no port=500
auth-method=pre-shared-key secret="Secret"
generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=8h
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5

/ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=1.1.0.0/16 dst-address=2.1.0.0/16 protocol=all


/ip ipsec proposal> print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=8h
pfs-group=none


/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow from Azure
chain=input action=accept protocol=ipsec-esp src-address=13.69.253.X
log=yes log-prefix=""

1 ;;; Allow from Azure
chain=forward action=accept src-address=1.1.0.0/16 dst-address=2.1.0.0/16
log=no log-prefix=""

2 chain=forward action=accept src-address=2.1.0.0/16 dst-address=1.1.0.0/16
log=no log-prefix=""

3 ;;; Azure VPN Tunnel
chain=srcnat action=accept src-address=1.1.0.0/16 dst-address=2.1.0.0/16
log=yes log-prefix=""
proposal=default template=yes

/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=1.1.0.0/16 dst-address=2.1.0.0/16
log=no log-prefix=""

1 chain=srcnat action=accept src-address=2.1.0.0/16 dst-address=1.1.0.0/16
log=no log-prefix=""


The error I have now is: Failed to pre process ph2 packet.
The strange thing is, it says: No policy found 2.1.0.0/16 1.1.0.0/16
The IPsec policy I have is 1.1.0.0/16 2.1.0.0/16, from home to Azure, not the other way around.
Anyway, when I create a second policy for testing, it does exactly the same.

Anything I could be messing with?

Thanks in advance guys!

Followed: http://forum.mikrotik.com/t/ipsec-site-2-site-vpn-ping-fails-in-one-direction/95124/32
And a few other guides with Mikrotik and Azure site to site.
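As an added check (example code written for this thread, not anything from the original post or from MikroTik), the script below parses a `/ip ipsec policy print` like the one above and tests whether the selector pair from a "no policy found A B" log line is covered by an enabled, non-template policy. The policy print and log line inside it are constructed from the thread; note that the only policy shown carries the T flag and template=yes, and in RouterOS 6 template policies are only used to match dynamically generated policies (generate-policy), so on their own they never match traffic.

```python
import ipaddress
import re
# Constructed samples: the policy print pasted in the thread and a log line in its wording.
POLICY_PRINT = """\
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
 0 T * group=default src-address=1.1.0.0/16 dst-address=2.1.0.0/16 protocol=all
       proposal=default template=yes
"""
LOG_LINE = "ipsec,error no policy found 2.1.0.0/16 1.1.0.0/16"

def parse_policies(text):
    """Parse '/ip ipsec policy print' output: per entry a set 'flags' plus key=value pairs."""
    policies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = re.match(r"^\s*(\d+)\s+((?:[A-Z*] )*)(.*)$", line)
        if m:  # new entry: index, flag letters, first key=value pairs
            policies.append({"flags": set(m.group(2).split()), "_kv": m.group(3)})
        elif policies:  # indented continuation of the previous entry
            policies[-1]["_kv"] += " " + line.strip()
    for p in policies:
        for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', p.pop("_kv")):
            p[k] = v.strip('"')
    return policies

def find_covering_policy(policies, a, b, include_templates=False):
    """First enabled policy covering a/b in either ordering (the log shows the pair as the remote
    proposed it). Template policies (flag T / template=yes) only serve generate-policy, so skipped."""
    a, b = ipaddress.ip_network(a), ipaddress.ip_network(b)
    for p in policies:
        is_template = "T" in p["flags"] or p.get("template") == "yes"
        if "X" in p["flags"] or (is_template and not include_templates):
            continue
        ps, pd = ipaddress.ip_network(p["src-address"]), ipaddress.ip_network(p["dst-address"])
        if (a.subnet_of(ps) and b.subnet_of(pd)) or (a.subnet_of(pd) and b.subnet_of(ps)):
            return p
    return None

def diagnose(policy_print, log_line):
    m = re.search(r"no policy found (\S+) (\S+)", log_line, re.IGNORECASE)
    if not m:
        return "log line not recognised"
    pols = parse_policies(policy_print)
    if find_covering_policy(pols, m.group(1), m.group(2)):
        return "covered by an active policy"
    if find_covering_policy(pols, m.group(1), m.group(2), include_templates=True):
        return "only a template policy matches: add a real policy or use generate-policy"
    return "no policy covers these selectors"
```

Run `diagnose(POLICY_PRINT, LOG_LINE)` against your own paste and log text; the verdict for the thread's sample is that only a template policy matches.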

Seems I’ve advanced a bit.

The tunnel seems to be connected now. I get the OK flag on the Azure portal, and I have the SA keys. The phase 1 error appears from time to time, but it seems to be working.

The problem is, I can't access anything on Azure. I'm trying to ping a VM with an internal IP of 2.1.1.6/24, and there is no ping or other services like Remote Desktop :frowning:

From Azure I can ping the internal 1.1.1.1, but all IPs are responding (including the VMs that are offline), so I'm guessing it is just pinging my public IP and not the internal IP of the server.

:frowning:

Argh,

Everything was working OK.

After creating the VM on the correct Virtual network, I could access everything on that end.

All working fine so far.

Cheers and thanks!