I'm using the following configuration:
```
/ip ipsec mode-config
add name=azure responder=no
/ip ipsec policy group
add name=azure
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-128 lifetime=7h30m name=azure
/ip ipsec peer
add address=azuregateway-******.vpn.azure.com exchange-mode=ike2 name=azure profile=azure
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=azure
/ip ipsec identity
add auth-method=digital-signature certificate="{client_certificate}" mode-config=azure peer=azure policy-template-group=azure remote-certificate="{gateway_certificate}"
/ip ipsec policy
add dst-address=0.0.0.0/0 group=azure proposal=azure src-address=0.0.0.0/0 template=yes
```
```
22:19:13 ipsec,info new ike2 SA (I): azure {localIP}[4500]-{gatewayIp}[4500] spi:4b064ff5edd37f3e:358930ac1e611259
22:19:13 ipsec,error got fatal error: AUTHENTICATION_FAILED
22:19:13 ipsec,info killing ike2 SA: azure {localIP}[4500]-{gatewayIp}[4500] spi:4b064ff5edd37f3e:358930ac1e611259
```
The gateway certificate I got from the Azure config; the client certificate was generated based on this approach: https://learn.microsoft.com/en-us/azure ... site-linux