turnip
Frequent Visitor
Topic Author
Posts: 68
Joined: Wed Sep 11, 2013 7:01 pm

Azure VPN

Wed Nov 27, 2019 8:29 am

Does anyone have an up-to-date guide to connect RouterOS to an Azure VPN? My client's router is running 6.45.3, and I could only find documentation for older versions. I've done it before but it's been long enough that I can't remember how, and there have been a few changes in RouterOS.
 
Fesiitis
just joined
Posts: 21
Joined: Tue Sep 13, 2016 10:24 am
Location: Latvia, Riga

Re: Azure VPN  [SOLVED]

Wed Nov 27, 2019 1:26 pm

You can follow this guide on how to create a Site-to-Site connection in the Azure portal - https://docs.microsoft.com/en-us/azure/ ... ger-portal

And here is my MikroTik configuration, including the full firewall configuration. Just replace the public IP addresses and subnets with your own, and it should work:
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
    name="Azure"
/ip ipsec peer
add address=<azure-public-ip> exchange-mode=ike2 local-address=<local-public-ip> \
    name="Azure" profile="Azure"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=7h30m name=\
    "Azure"
/ip firewall filter
add action=accept chain=input comment="Router fw input accept all active" \
    connection-state=established,related,untracked
add action=accept chain=input comment="Azure access to router" \
    dst-address=<mikrotik-ip> in-interface-list=WAN ipsec-policy=in,ipsec \
    src-address=<azure-subnet>
add action=drop chain=input comment="Router fw input drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="Router fw input drop all not from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="Router fw IPsec in accept" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Router fw IPsec out accept" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
    "Router fw forward fasttrack" connection-state=established,related
add action=accept chain=forward comment="Router fw forward accept all active" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Router fw forward drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Router fw forward drop all from WAN not dstnated" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment="Azure" dst-address=\
    <azure-subnet> new-mss=1350 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=accept chain=srcnat comment="Azure" dst-address=\
    <azure-subnet> src-address=<local-subnet>
add action=masquerade chain=srcnat comment="Router fw masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add peer="Azure" secret="SuperStrongPassword123"
/ip ipsec policy
add dst-address=<azure-subnet> peer="Azure" proposal=\
    "Azure" sa-dst-address=<azure-public-ip> sa-src-address=\
    <local-public-ip> src-address=<local-subnet> tunnel=yes
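
Added example, not part of the post above and not MikroTik tooling: a small Python check that parses a RouterOS export of this shape and flags a 1024-bit DH group, a pre-shared key left at the literal from the post, and a masquerade rule that would catch tunnel traffic before the NAT bypass rule. The function names, finding labels and sample subnets are assumptions made for illustration; whether a stronger DH group can be used depends on the IPsec/IKE policy set on the Azure side.

```python
import re

# Constructed sample (not from the post): made-up subnets, NAT rules in the wrong order.
SAMPLE_EXPORT = r'''
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
    name="Azure"
/ip firewall nat
add action=masquerade chain=srcnat comment="Router fw masquerade" \
    out-interface-list=WAN
add action=accept chain=srcnat comment="Azure" dst-address=\
    10.1.0.0/16 src-address=192.168.88.0/24
/ip ipsec identity
add peer="Azure" secret="SuperStrongPassword123"
'''

def parse_export(text):
    """Return [(menu, {key: value})], joining backslash-continued lines first."""
    text = re.sub(r'\\\n\s*', '', text)
    menu, rules = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith('/'):
            menu = line
        elif line.startswith('add '):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            rules.append((menu, {k: v.strip('"') for k, v in pairs}))
    return rules

def audit(text, tunnel_subnet):
    """Hypothetical checker: return a list of finding labels for one export."""
    rules, findings = parse_export(text), []
    for menu, r in rules:
        # 768/1024-bit MODP groups are below the 2048-bit minimum in current guidance.
        if menu == '/ip ipsec profile' and r.get('dh-group') in ('modp768', 'modp1024'):
            findings.append('weak-dh-group')
        # The pre-shared key is still the literal from the forum post.
        if menu == '/ip ipsec identity' and r.get('secret') == 'SuperStrongPassword123':
            findings.append('example-secret')
    nat = [r for m, r in rules if m == '/ip firewall nat' and r.get('chain') == 'srcnat']
    bypass = next((i for i, r in enumerate(nat) if r.get('action') == 'accept'
                   and r.get('dst-address') == tunnel_subnet), None)
    masq = next((i for i, r in enumerate(nat) if r.get('action') == 'masquerade'
                 and 'ipsec-policy' not in r), None)
    # srcnat is first-match: masquerading first rewrites the source address, so
    # the packet no longer matches the IPsec policy's src-address.
    if masq is not None and (bypass is None or masq < bypass):
        findings.append('masquerade-before-bypass')
    return findings
```

Run against the configuration in the post (with the placeholders filled in), the NAT check passes because the bypass rule comes first and the masquerade rule carries `ipsec-policy=out,none`.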
 
turnip
Frequent Visitor
Topic Author
Posts: 68
Joined: Wed Sep 11, 2013 7:01 pm

Re: Azure VPN

Thu Nov 28, 2019 5:34 am

Thanks very much, that will serve to reduce my stress level today.
 
gagudelo17
just joined
Posts: 6
Joined: Tue Nov 05, 2019 3:48 am

Re: Azure VPN

Wed Dec 04, 2019 10:19 pm

I have the same problem. I can ping from the VM on Azure, but I can't ping from my local network to Azure.
