# IKEv2 phase 1 (IKE SA) settings. modp1024 is a 1024-bit DH group (group 2);
# the Azure gateway also supports modp2048 (group 14), which is the stronger choice.
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
name="Azure"
# Peer: the Azure VPN gateway public IP, IKEv2, bound to this router's public IP.
/ip ipsec peer
add address=<azure-public-ip> exchange-mode=ike2 local-address=<local-public-ip> \
name="Azure" profile="Azure"
# Phase 2 (child SA) proposal; its lifetime is kept below the profile's 8h.
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=7h30m name=\
"Azure"
/ip firewall filter
# Input chain: decrypted traffic from the Azure subnet may reach the router;
# everything else not from the LAN is dropped. Note that there is no explicit
# accept for IKE (udp/500,4500) or ESP, so the tunnel has to be initiated from
# this router, with the gateway's replies matching established/related.
add action=accept chain=input comment="Router fw input accept all active" \
connection-state=established,related,untracked
add action=accept chain=input comment="Azure access to router" \
dst-address=<mikrotik-ip> in-interface-list=WAN ipsec-policy=in,ipsec \
src-address=<azure-subnet>
add action=drop chain=input comment="Router fw input drop invalid" \
connection-state=invalid
add action=drop chain=input comment="Router fw input drop all not from LAN" \
in-interface-list=!LAN
# Forward chain: accept traffic that was decrypted by, or will be encrypted by,
# an IPsec policy before the fasttrack rule, so tunnel traffic is never fasttracked.
add action=accept chain=forward comment="Router fw IPsec in accept" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Router fw IPsec out accept" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
"Router fw forward fasttrack" connection-state=established,related
add action=accept chain=forward comment="Router fw forward accept all active" \
connection-state=established,related,untracked
add action=drop chain=forward comment="Router fw forward drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"Router fw forward drop all from WAN not dstnated" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
# Clamp TCP MSS on SYNs towards Azure; 1350 is the value Azure recommends for
# site-to-site tunnels so that packets fit inside the ESP overhead.
/ip firewall mangle
add action=change-mss chain=forward comment="Azure" dst-address=\
<azure-subnet> new-mss=1350 passthrough=yes protocol=tcp tcp-flags=syn
# NAT: never masquerade local-to-Azure traffic, or it will not match the IPsec
# policy selector. The accept rule comes first; ipsec-policy=out,none on the
# masquerade rule is a second guard for the same thing.
/ip firewall nat
add action=accept chain=srcnat comment="Azure" dst-address=\
<azure-subnet> src-address=<local-subnet>
add action=masquerade chain=srcnat comment="Router fw masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Pre-shared key; must match the shared key set on the Azure connection.
# Replace the placeholder with a long random value.
/ip ipsec identity
add peer="Azure" secret="SuperStrongPassword123"
# Tunnel-mode policy: local subnet <-> Azure subnet, SA between the two public IPs.
/ip ipsec policy
add dst-address=<azure-subnet> peer="Azure" proposal=\
"Azure" sa-dst-address=<azure-public-ip> sa-src-address=\
<local-public-ip> src-address=<local-subnet> tunnel=yes
I'd probably suggest a different solution, like running CHR in Azure and using L2TP/IPsec rather than using Azure VPN Gateway.
I think Azure disables ICMP from memory - have you checked if other services are working despite ping not working?

I have the same problem. I can ping from the VM on Azure, but I can't ping from my local network to Azure.
You can follow this guide on how to create a Site-to-Site connection in the Azure portal - https://docs.microsoft.com/en-us/azure/ ... ger-portal
And here is my MikroTik configuration, including the full firewall configuration. Just replace your public IP addresses and subnets, and it should work.
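Before pasting an export like the one above into a router, it is worth checking the handful of settings that decide whether the tunnel is both secure and reachable: the DH group, the pre-shared key, whether the masquerade rule is excluded from IPsec traffic, whether IKE/ESP is accepted on the input chain, and whether the MSS clamp is present. The following Python script is an added example, not code from this thread or from MikroTik: it joins the backslash-continued lines of a RouterOS export, groups each `add` under its section path, and reports those checks. The two embedded exports are constructed samples (the `<...>` values and the hardened PSK are placeholders); the severities, the 20-character PSK threshold and the set of groups treated as weak are the script's own assumptions.

```python
"""Lint a RouterOS IPsec/firewall export for the settings a reviewer checks.

Added example, not code from the thread.  The section paths and parameter
names are RouterOS's own (as in the export above); the severities, the PSK
length threshold and the list of weak DH groups are this script's choices.
"""
import shlex

WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}   # below 2048 bits
MIN_PSK_LENGTH = 20                                     # assumption: shorter = placeholder

# Constructed sample: the thread's settings trimmed down, keeping the 1024-bit
# DH group and placeholder PSK, with no MSS clamp.  <...> values are placeholders.
WEAK_EXPORT = r"""
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
    name="Azure"
/ip ipsec identity
add peer="Azure" secret="SuperStrongPassword123"
/ip firewall filter
add action=drop chain=input comment="drop all not from LAN" in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Router fw masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
"""

# Constructed hardened variant: 2048-bit group, random-looking PSK (made up),
# explicit IKE accept from the gateway's public IP, and the MSS clamp present.
HARDENED_EXPORT = r"""
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
    name="Azure"
/ip ipsec identity
add peer="Azure" secret="k7Qv2mZ9xR4tL8wN3pH6sJ1cF5bY0dA2"
/ip firewall filter
add action=accept chain=input comment="IKE from Azure gateway" dst-port=500,4500 \
    protocol=udp src-address=<azure-public-ip>
add action=drop chain=input comment="drop all not from LAN" in-interface-list=!LAN
/ip firewall mangle
add action=change-mss chain=forward dst-address=<azure-subnet> new-mss=1350 \
    passthrough=yes protocol=tcp tcp-flags=syn
"""


def parse_export(text):
    """Join '\\'-continued lines; return [(section, {param: value})] per `add`."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + line   # export breaks lines at a token boundary
        else:
            lines.append(line)
    section, entries = None, []
    for line in lines:
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)            # handles quoted values like comment="..."
        if tokens and tokens[0] == "add":
            entries.append((section, dict(tok.partition("=")[::2] for tok in tokens[1:])))
    return entries


def audit(entries):
    """Return [(severity, message)] for weak or missing settings."""
    findings = []
    for section, p in entries:
        if section == "/ip ipsec profile":
            weak = WEAK_DH_GROUPS & set(p.get("dh-group", "").split(","))
            if weak:
                findings.append(("HIGH", f"profile {p.get('name')}: dh-group={','.join(sorted(weak))} "
                                 "is below 2048 bits; use modp2048 (group 14) or an ECP group"))
        elif section == "/ip ipsec identity":
            secret = p.get("secret", "")
            if len(secret) < MIN_PSK_LENGTH or "password" in secret.lower():
                findings.append(("HIGH", f"identity for peer {p.get('peer')}: pre-shared key looks "
                                 "like a placeholder; use a long random key matching the gateway's"))
        elif section == "/ip firewall nat" and p.get("action") == "masquerade":
            if p.get("ipsec-policy") != "out,none":
                findings.append(("HIGH", "masquerade rule lacks ipsec-policy=out,none, so traffic to "
                                 "the remote subnet is NATed before it can match the IPsec policy"))
    inputs = [p for s, p in entries if s == "/ip firewall filter" and p.get("chain") == "input"]
    ike_accepted = any(
        p.get("action") == "accept"
        and (p.get("protocol") == "ipsec-esp"
             or (p.get("protocol") == "udp"
                 and {"500", "4500"} & set(p.get("dst-port", "").split(","))))
        for p in inputs)
    if inputs and not ike_accepted:
        findings.append(("INFO", "no input rule accepts IKE (udp/500,4500) or ESP, so the tunnel "
                         "can only be brought up from this router's side"))
    if not any(s == "/ip firewall mangle" and p.get("action") == "change-mss" for s, p in entries):
        findings.append(("LOW", "no change-mss rule; TCP through the tunnel may stall on path MTU"))
    return findings


def lint(text):
    return audit(parse_export(text))


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"== {label} ==")
        for severity, message in lint(export) or [("OK", "no findings")]:
            print(f"{severity:5} {message}")
```

Run it against the output of `/export` (or a saved copy) and the weak sample produces two HIGH findings (DH group, PSK), an INFO line about inbound IKE/ESP, and a LOW line for the missing MSS clamp, while the hardened sample is clean. The masquerade check passes in both because `ipsec-policy=out,none` is present; dropping that match is the single most common reason a tunnel shows established SAs but passes no traffic.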
Hello,
Also searching for useful documentation.
I have a slightly different setup: my local public IP is a dynamic address. Is it also possible to connect a site-to-site VPN with Azure?
Thanks