turnip
Frequent Visitor
Topic Author
Posts: 86
Joined: Wed Sep 11, 2013 7:01 pm

Azure VPN

Wed Nov 27, 2019 8:29 am

Does anyone have an up-to-date guide to connect RouterOS to an Azure VPN? My client's router is running 6.45.3, and I could only find documentation for older versions. I've done it before, but it's been long enough that I can't remember how, and there have been a few changes in RouterOS.
 
Fesiitis
newbie
Posts: 45
Joined: Tue Sep 13, 2016 10:24 am
Location: Latvia, Riga

Re: Azure VPN  [SOLVED]

Wed Nov 27, 2019 1:26 pm

You can follow this guide on how to create a Site-to-Site connection in the Azure portal - https://docs.microsoft.com/en-us/azure/ ... ger-portal

And here is my MikroTik configuration, including the full firewall configuration. Just replace your public IP addresses and subnets, and it should work -
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
    name="Azure"
/ip ipsec peer
add address=<azure-public-ip> exchange-mode=ike2 local-address=<local-public-ip> \
    name="Azure" profile="Azure"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=7h30m name=\
    "Azure"
/ip firewall filter
add action=accept chain=input comment="Router fw input accept all active" \
    connection-state=established,related,untracked
add action=accept chain=input comment="Azure access to router" \
    dst-address=<mikrotik-ip> in-interface-list=WAN ipsec-policy=in,ipsec \
    src-address=<azure-subnet>
add action=drop chain=input comment="Router fw input drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="Router fw input drop all not from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="Router fw IPsec in accept" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Router fw IPsec out accept" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
    "Router fw forward fasttrack" connection-state=established,related
add action=accept chain=forward comment="Router fw forward accept all active" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Router fw forward drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Router fw forward drop all from WAN not dst-natted" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment="Azure" dst-address=\
    <azure-subnet> new-mss=1350 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=accept chain=srcnat comment="Azure" dst-address=\
    <azure-subnet> src-address=<local-subnet>
add action=masquerade chain=srcnat comment="Router fw masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add peer="Azure" secret="SuperStrongPassword123"
/ip ipsec policy
add dst-address=<azure-subnet> peer="Azure" proposal=\
    "Azure" sa-dst-address=<azure-public-ip> sa-src-address=\
    <local-public-ip> src-address=<local-subnet> tunnel=yes
 
turnip
Frequent Visitor
Topic Author
Posts: 86
Joined: Wed Sep 11, 2013 7:01 pm

Re: Azure VPN

Thu Nov 28, 2019 5:34 am

Thanks very much, that will serve to reduce my stress level today.
 
gagudelo17
just joined
Posts: 7
Joined: Tue Nov 05, 2019 3:48 am

Re: Azure VPN

Wed Dec 04, 2019 10:19 pm

I have the same problem. I can PING from the VM on Azure, but I can't ping from my local network to Azure.
 
matze1708
just joined
Posts: 23
Joined: Sat Jan 28, 2017 5:46 pm

Re: Azure VPN

Sun Jan 19, 2020 10:07 pm

Hello,

Also searching for useful documentation.

I have a slightly different setup: my local public IP is a dynamic address. Is it also possible to connect a site-to-site VPN with Azure?

Thanks
 
turnip
Frequent Visitor
Topic Author
Posts: 86
Joined: Wed Sep 11, 2013 7:01 pm

Re: Azure VPN

Mon Jan 20, 2020 4:05 pm

> I have a slightly different setup: my local public IP is a dynamic address. Is it also possible to connect a site-to-site VPN with Azure?

I'd probably suggest a different solution, like running CHR in Azure and using L2TP/IPsec rather than using Azure VPN Gateway.

> I have the same problem. I can PING from the VM on Azure, but I can't ping from my local network to Azure.

I think Azure disables ICMP from memory - have you checked if other services are working despite ping not working?
 
VYG
just joined
Posts: 10
Joined: Sat Sep 09, 2017 12:38 pm

Re: Azure VPN

Sat Mar 07, 2020 8:47 pm

> [Fesiitis's reply above, including the full RouterOS configuration, quoted here in the original post]

Dear all,

I have exactly the same config, though I can access resources only one way - from Azure to on-prem; for some reason I can't access resources in the opposite direction.
The tunnel is established as I can see it, and all NSGs are open for incoming traffic.
Thus I'm a bit confused...
 
VYG
just joined
Posts: 10
Joined: Sat Sep 09, 2017 12:38 pm

Re: Azure VPN

Sat Mar 07, 2020 9:03 pm

> Hello,
>
> Also searching for useful documentation.
>
> I have a slightly different setup: my local public IP is a dynamic address. Is it also possible to connect a site-to-site VPN with Azure?
>
> Thanks

It won't work nicely; not sure about any nice automation option.
 
kc0ode
just joined
Posts: 2
Joined: Mon Mar 30, 2020 6:59 pm

Re: Azure VPN

Mon Mar 30, 2020 7:21 pm

> > I have the same problem. I can PING from the VM on Azure, but I can't ping from my local network to Azure.
>
> I think Azure disables ICMP from memory - have you checked if other services are working despite ping not working?

Not sure if I'm missing something. I have the same problem: I can ping and SSH from a Linux VM on Azure to the local network, but I cannot go the other way. I have tried ICMP (if Azure disables ICMP, that explains that), and SSH and RDP to the same Linux VM on Azure from multiple machines on my local network, with no luck.
 
atakacs
Member Candidate
Posts: 121
Joined: Mon Mar 07, 2016 5:39 pm

Re: Azure VPN

Tue May 26, 2020 4:13 pm

May I ask how this was solved? (I don't see a resolution, but I might be missing something :) )
 
alejandroc
just joined
Posts: 1
Joined: Mon Sep 21, 2020 7:23 pm

Re: Azure VPN

Mon Oct 19, 2020 9:20 pm

I have the same problem, any solution?
 
bluecrow76
newbie
Posts: 33
Joined: Wed Sep 13, 2006 11:55 pm

Re: Azure VPN

Mon Apr 19, 2021 10:43 pm

I just ran into some problems setting up a customer connection to their Azure environment and thought I would share the resolution. The errors we were receiving were "payload missing: ID_" and "TS_UNACCEPTABLE", depending on which side was the initiator. The trick is enabling the "Use policy based traffic selector" option in the Azure VPN Connection Configuration, which is disabled by default. This tells Azure to populate the TS_R and TS_I policy-based traffic selector payloads. You just need to make sure your policies match up at that point, and you should be off to the races.

Unfortunately because we can't overload the policies and we don't have VTI we still can't support failover between multiple remote IPSEC peers like you can with most other platforms. Hopefully that will show up in ROS v7...
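Fesiitis's export above and bluecrow76's TS_UNACCEPTABLE note suggest one quick consistency check before bringing the tunnel up. The Python below is an added example (not from either post): it parses the `/ip ipsec policy` section in RouterOS export format and compares each policy's src/dst with the prefixes Azure uses to build its traffic selectors when policy-based traffic selectors are enabled. The sample export, the Azure prefixes, and the exact-prefix-match rule are assumptions, with constructed example addresses.

```python
import ipaddress
import re

# Constructed sample in RouterOS export format (backslash line wrapping as in
# the posted config); the post's placeholders are replaced with example ranges.
ROS_EXPORT = r"""
/ip ipsec policy
add dst-address=10.20.0.0/16 peer="Azure" proposal=\
    "Azure" sa-dst-address=203.0.113.10 sa-src-address=\
    198.51.100.5 src-address=192.168.88.0/24 tunnel=yes
add dst-address=10.21.0.0/16 peer="Azure" proposal="Azure" \
    src-address=192.168.89.0/24 tunnel=yes
"""

def join_continuations(text):
    """RouterOS export wraps long commands with a trailing backslash."""
    return re.sub(r"\\\n\s*", "", text)

def parse_policies(export):
    """Return (src, dst) network pairs from the '/ip ipsec policy' section."""
    policies, section = [], None
    for line in join_continuations(export).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip ipsec policy" and line.startswith("add "):
            args = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line))
            policies.append((ipaddress.ip_network(args["src-address"]),
                             ipaddress.ip_network(args["dst-address"])))
    return policies

def check_traffic_selectors(policies, lng_prefixes, vnet_prefixes):
    """With policy-based traffic selectors enabled, Azure builds TS_I/TS_R
    from the local network gateway prefixes (on-prem side) and the VNet
    address space. Assumption: each RouterOS policy must use exactly one
    prefix from each set; anything else is reported as a likely
    TS_UNACCEPTABLE mismatch."""
    lng = {ipaddress.ip_network(p) for p in lng_prefixes}
    vnet = {ipaddress.ip_network(p) for p in vnet_prefixes}
    problems = []
    for src, dst in policies:
        if src not in lng:
            problems.append(f"src {src} is not a local network gateway prefix")
        if dst not in vnet:
            problems.append(f"dst {dst} is not in the VNet address space")
    return problems

if __name__ == "__main__":
    pols = parse_policies(ROS_EXPORT)
    for p in check_traffic_selectors(pols, ["192.168.88.0/24", "192.168.89.0/24"],
                                     ["10.20.0.0/16"]):
        print("MISMATCH:", p)
```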
 
wiresharky
just joined
Posts: 5
Joined: Sat Aug 22, 2015 3:04 pm

Re: Azure VPN

Sat Nov 19, 2022 12:03 pm

Can't seem to get this to work.
Trying this from vWAN, but also tried one of the newer gateway SKUs. Only the old Gen1 VPN seems to work, but that is not supported by vWAN.

Filled in the ranges (local/remote), but no phase 2 for either responder or initiator. Traffic selector is enabled, same as "use policy based traffic selector".

Crypto is set to AES256/DH group 14 and modp2048 on the MikroTik side.

What am I missing?
