Hi everybody,
Is it possible to set up several site-to-site VPNs from a local Mikrotik network to different Azure Virtual Networks?
I set up the first site-to-site VPN connection from 192.168.4.0/24 (Mikrotik) to 10.1.1.0/24 (Azure) four years ago and it is working properly.
Now I need to add a second site-to-site VPN connection from 192.168.4.0/24 (Mikrotik) to 172.18.1.0/24 (Azure), but I can't get it working. The connection is established, because I can see the remote peer created for both VPNs. I can also ping and access shared folders on my on-prem servers from a Virtual Machine in Azure, but I can't do the same from on-prem to the Azure VM. When I try tracert from on-prem to the Azure VM, the first hop is the on-prem router IP and the second is ON_PREM_OUT_IP, so it goes out to the Internet instead of into the tunnel.
It is very strange, because the first VPN works properly, allowing full communication in both directions, but the second VPN does not. Any idea what the problem is?
I attach the router configuration:
/ip ipsec peer> print
Flags: X - disabled
0 ;;; VPN AZURE
address=AZURE_GATEWAY_VPN_1/32 port=500 auth-method=pre-shared-key secret="**********************" generate-policy=no
exchange-mode=main send-initial-contact=yes nat-traversal=yes my-id-user-fqdn="ON_PREM_OUT_IP" proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
1 ;;; CLIENTE IPSec
address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="?????????????????????" generate-policy=yes exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes my-id-user-fqdn="" hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
dpd-interval=2m dpd-maximum-failures=5
2 X address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="?????????????????????" generate-policy=yes exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes my-id-user-fqdn="" hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
dpd-interval=2m dpd-maximum-failures=5
3 ;;; VPN AZURE SHAREDFILES
address=AZURE_GATEWAY_VPN_2/32 port=500 auth-method=pre-shared-key secret="$$$$$$$$$$$$$$" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=yes my-id-user-fqdn="ON_PREM_OUT_IP" proposal-check=obey hash-algorithm=sha1
enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
=================================================
/ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
0 ;;; Red ON_PREM <---> VPN AZURE
src-address=192.168.4.0/24 src-port=any dst-address=10.0.0.0/8 dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=ON_PREM_OUT_IP sa-dst-address=AZURE_GATEWAY_VPN_1 proposal=default priority=0
1 ;;; VPN ON_PREM <---> VPN AZURE - Allow PPTP CNX
src-address=172.16.50.0/26 src-port=any dst-address=10.0.0.0/8 dst-port=any protocol=all action=encrypt level=unique
ipsec-protocols=esp tunnel=yes sa-src-address=ON_PREM_OUT_IP sa-dst-address=AZURE_GATEWAY_VPN_1 proposal=default priority=0
2 src-address=0.0.0.0/32 src-port=any dst-address=0.0.0.0/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=no sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=proposal1 priority=2
3 ;;; VPN ON_PREM <--> VPN AZURE SHAREDFILES
src-address=192.168.4.0/24 src-port=any dst-address=172.18.0.0/16 dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=ON_PREM_OUT_IP sa-dst-address=AZURE_GATEWAY_VPN_2 proposal=proposalAzure2 priority=0
=================================================
NOTES (on the NAT rules below):
lines 0 and 1: rules for the new VPN and vice versa → Do not show traffic
lines 2 and 3: rules for connecting PPTP addresses to AZURE VPN 1 and vice versa (working) → Show traffic
lines 4 and 5: rules for connecting ON_PREM addresses to AZURE VPN 1 and vice versa (working) → Show traffic
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Red ON_PREM <--> VPN AZURE SHAREDFILES
chain=srcnat action=accept src-address=192.168.4.0/24
dst-address=172.18.1.0/24 src-address-type="" dst-address-type=""
connection-limit=100,32 limit=1,5 dst-limit=1,5,dst-address/1m40s
time=0s-1d,sun,mon,tue,wed,thu,fri,sat
1 chain=srcnat action=accept src-address=172.18.1.0/24
dst-address=192.168.4.0/24 connection-limit=100,32
2 ;;; VPN ON_PREM <---> VPN AZURE
chain=srcnat action=accept src-address=172.16.50.0/26
dst-address=10.1.1.0/24
3 chain=srcnat action=accept src-address=10.1.1.0/24
dst-address=172.16.50.0/26
4 ;;; Red ON_PREM <---> VPN AZURE
chain=srcnat action=accept src-address=192.168.4.0/24
dst-address=10.1.1.0/24
5 chain=srcnat action=accept src-address=10.1.1.0/24
dst-address=192.168.4.0/24
(.... OTHER NAT RULES RELATED TO PORTS THAT HAVE NOTHING TO DO WITH THE VPN ....)
=================================================
NOTES (on the filter rules below):
line 16: filter for Azure Gateway IP AZURE VPN 2 (not working) → Do not show traffic
line 17: filter for Azure Gateway IP AZURE VPN 1 (working) → Show traffic
/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=output action=accept protocol=tcp dst-port="" content="530 Login incorrect"
dst-limit=1/1m,9,dst-address/1m
1 ;;; VPN
chain=input action=accept protocol=ipsec-esp connection-limit=100,32
(.... OTHER FILTERS RELATED TO PORTS THAT HAVE NOTHING TO DO WITH THE VPN ....)
16 ;;; VPN AZURE SHAREDFILES
chain=input action=accept src-address=AZURE_GATEWAY_VPN_2 connection-limit=100,32
17 ;;; VPN AZURE
chain=input action=accept src-address=AZURE_GATEWAY_VPN_1
(.... OTHER FILTERS RELATED TO PORTS THAT HAVE NOTHING TO DO WITH THE VPN ....)
=================================================
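For comparison with the printout above, here is an added example (editor's code, not the poster's configuration) of how a second policy-based IPsec tunnel to Azure is normally laid out on RouterOS, written in the same pre-6.45 syntax the printout uses. AZURE_GATEWAY_VPN_2, ON_PREM_OUT_IP, the pre-shared key and the Phase 2 algorithms in proposalAzure2 are placeholders or assumptions to be matched to the Azure side. One thing worth noticing in the printout itself: the rules for the working tunnel (NAT rules 4/5, filter rule 17) are plain address matches, while the rules for the new tunnel (NAT rules 0/1, filter rule 16) additionally carry connection-limit, limit and dst-limit matchers. In RouterOS each of those narrows when a rule matches (connection-limit matches only once the per-address connection count exceeds the given value; limit and dst-limit pass only the first packets per interval), and a packet that does not match an srcnat accept rule falls through to any masquerade rule, leaves with ON_PREM_OUT_IP as its source and therefore never matches the IPsec policy, which is consistent with the traceroute going out to the Internet. The example below therefore writes the bypass rules without those matchers. Separately, the aes-128/sha1/modp1024 and 3des/md5 settings in the printout are weak by today's standards; check which stronger IKE/ESP set the gateway on the other side accepts before tightening them.

```routeros
# Added example (editor's code, not the poster's configuration).
# Placeholders: AZURE_GATEWAY_VPN_2, ON_PREM_OUT_IP, the secret, and the
# Phase 2 algorithms (assumed; match them to the Azure gateway).

# Phase 1 peer for the second Azure gateway, same parameters as the printout.
/ip ipsec peer add address=AZURE_GATEWAY_VPN_2/32 auth-method=pre-shared-key \
    secret="CHANGE-ME" exchange-mode=main my-id-user-fqdn="ON_PREM_OUT_IP" \
    nat-traversal=yes proposal-check=obey hash-algorithm=sha1 \
    enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d \
    comment="VPN AZURE SHAREDFILES"

# Phase 2 proposal referenced by the policy (name taken from the printout;
# the algorithms are an assumption).
/ip ipsec proposal add name=proposalAzure2 auth-algorithms=sha1 \
    enc-algorithms=aes-128-cbc pfs-group=none

# The policy selector decides which traffic is encrypted. Selecting the VNet
# /24 rather than the /16 keeps the tunnel to exactly the networks in question.
/ip ipsec policy add src-address=192.168.4.0/24 dst-address=172.18.1.0/24 \
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=ON_PREM_OUT_IP sa-dst-address=AZURE_GATEWAY_VPN_2 \
    proposal=proposalAzure2 comment="VPN ON_PREM <--> VPN AZURE SHAREDFILES"

# srcnat runs before the policy lookup, so LAN->VNet traffic must be accepted
# (left un-NATed) ahead of any masquerade rule. No connection-limit, limit or
# dst-limit here: a packet those matchers exclude would fall through to
# masquerade and never match the policy.
/ip firewall nat add chain=srcnat action=accept src-address=192.168.4.0/24 \
    dst-address=172.18.1.0/24 place-before=0 \
    comment="Red ON_PREM <--> VPN AZURE SHAREDFILES (bypass NAT)"

# Admit only IKE (UDP 500/4500) and ESP from the second gateway, which is
# narrower than the accept-everything rule 17 in the printout.
/ip firewall filter add chain=input action=accept src-address=AZURE_GATEWAY_VPN_2 \
    protocol=udp dst-port=500,4500 place-before=0 \
    comment="VPN AZURE SHAREDFILES IKE"
/ip firewall filter add chain=input action=accept src-address=AZURE_GATEWAY_VPN_2 \
    protocol=ipsec-esp place-before=0 comment="VPN AZURE SHAREDFILES ESP"

# Checks: after pinging 172.18.1.x from 192.168.4.x, the policy should show an
# installed SA and moving counters, and the NAT bypass counter should move too.
/ip ipsec installed-sa print
/ip ipsec policy print stats
/ip firewall nat print stats where comment~"SHAREDFILES"
```

A reverse srcnat accept rule (src 172.18.1.0/24, dst 192.168.4.0/24) is only needed if some masquerade rule could otherwise match VNet-to-LAN traffic; with the usual out-interface=WAN masquerade it is not. If the NAT bypass counter stays at zero while the policy counters move, the packets are being matched by an earlier srcnat rule, and `/ip firewall nat print stats` will show which one.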