zywczak
just joined
Topic Author
Posts: 2
Joined: Mon Feb 06, 2023 11:14 pm

Ipsec VPN to Azure Point-to-site

Mon Feb 06, 2023 11:25 pm

I'm trying to establish a P2S connection to Azure, based on IKEv2, using certificates for authentication.
I'm using the following configuration:
# RouterOS IPsec configuration, MikroTik acting as the IKEv2 initiator (VPN client)
/ip ipsec mode-config
add name=azure responder=no
/ip ipsec policy group
add name=azure
# Phase 1 (IKE SA) parameters
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-128 lifetime=7h30m name=azure
/ip ipsec peer
add address=azuregateway-******.vpn.azure.com exchange-mode=ike2 name=azure profile=azure
# Phase 2 (child SA) proposal
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=azure
# Certificate authentication; the placeholders are certificate names from /certificate
/ip ipsec identity
add auth-method=digital-signature certificate="{client_certificate}" mode-config=azure peer=azure policy-template-group=azure remote-certificate="{gateway_certificate}"
# Policy template; mode-config supplies the actual addresses
/ip ipsec policy
add dst-address=0.0.0.0/0 group=azure proposal=azure src-address=0.0.0.0/0 template=yes
Unfortunately I'm getting an AUTHENTICATION_FAILED message from the VPN:
22:19:13 ipsec,info new ike2 SA (I): azure {localIP}[4500]-{gatewayIp}[4500] spi:4b064ff5edd37f3e:358930ac1e611259
22:19:13 ipsec,error got fatal error: AUTHENTICATION_FAILED
22:19:13 ipsec,info killing ike2 SA: azure {localIP}[4500]-{gatewayIp}[4500] spi:4b064ff5edd37f3e:358930ac1e611259
Can you please help me; what is wrong with this setup?
The gateway certificate I got from the Azure config.
The client certificate was generated based on this approach: https://learn.microsoft.com/en-us/azure ... site-linux

MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: Ipsec VPN to Azure Point-to-site

Wed Feb 08, 2023 9:26 am

I've never used certificates with Azure VPN and, based on the details here, it looks like MS only supports using pre-shared keys.

Microsoft also provides a site-to-site VPN tutorial that you might want to read through (if you haven't already).

--
Backups are your friend. Always make a backup!
/system backup save encryption=aes-sha256 name=MyBackup
 
zywczak
just joined
Topic Author
Posts: 2
Joined: Mon Feb 06, 2023 11:14 pm

Re: Ipsec VPN to Azure Point-to-site

Mon Feb 27, 2023 2:37 pm

Yes, but why?
It should be possible; after all, there is even a section in MikroTik's manual about setting up this kind of connection: https://wiki.mikrotik.com/wiki/Manual:I ... figuration
On the other hand, I don't see a reason why Azure VPN should prevent this kind of connection; it should be similar to the configuration on Linux or macOS. I was hoping that a proper setup of myId (the certificate's subject) and remoteId (the gateway FQDN), as described here https://learn.microsoft.com/en-us/azure ... -osx-ikev2, would help, but it didn't.
Maybe I still have something wrong here:
[Attachment: Screenshot 2023-02-27 at 13.36.27.png]

MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: Ipsec VPN to Azure Point-to-site

Wed Mar 01, 2023 11:55 am

"Yes, but why?"
You would need to ask Microsoft about that. Just because MikroTik supports the use of certificates doesn't mean that others will.

woland
Member Candidate
Posts: 258
Joined: Mon Aug 16, 2021 4:49 pm

Re: Ipsec VPN to Azure Point-to-site

Wed Mar 01, 2023 12:26 pm

Hi,
MS supports certificate auth for P2S connections and the docs are great: https://learn.microsoft.com/en-us/azur ... cert-linux
OP means P2S, not S2S.
Anyway, unfortunately I don't see the reason why OP's config would not work. Probably something about the certificates, and there is also a nice trap here:
The Basic SKU Azure VPN GW does not support P2S IKEv2!!!
https://learn.microsoft.com/en-us/azure ... site-about
Of course that's a bit off topic here...
