About this work
Firstly, I must inform you that this work is not my own, and because of that I want to congratulate Daniel Pires and Daniel Mauser for their great work; all the credit is theirs. This work is a translation of the article "Creating a Site-to-Site VPN (IPSec IKEv2) with Azure and MikroTik (RouterOS)".
In this article we will show you how to set up an IPSec Site-to-Site VPN connection between an on-premises environment and Azure using a MikroTik router. Another post was published a few years ago on the same subject: "Creating a site-to-site VPN with Windows Azure and MikroTik (RouterOS)". However, this article brings some important updates. First, we set up the Site-to-Site VPN using the Azure Resource Manager portal, while the original article used the classic Azure portal. Second, the VPN Gateway in this post is route-based, which requires IKE version 2, whereas the policy-based gateway used in the previous post is configured with IKE version 1. If you are not familiar with IPSec parameter terminology, take a look at the following documentation: About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections.
Below we have a diagram of the scenario covered in this step-by-step.
Relevant information in the above diagram required to configure Site-to-Site VPN
- VNET Subnet: 10.4.0.0/16
- Azure VPN Gateway Public IP: 13.85.83.XX
- Subnet: 192.168.88.0/24
- On-Prem Gateway Public IP: 47.187.118.YY
Azure: Configuring Route-Based Site-to-Site IPSec VPN
In this section we will walk you through how to configure the Site-to-Site VPN through the Azure portal. The steps shown here are the same as in the official documentation: Create a site-to-site connection in the Azure portal. So we will not cover in detail how to get to each screen; you can use the official documentation as a reference. Also, if you are already familiar with these steps, you can skip to the section below: MikroTik (On-Premises) Configuring IPSec (IKEv2) Site-to-Site VPN.
1. Create a virtual network
2. Specify a DNS Server (This is an optional step and is not required for this demo);
3. Create a gateway subnet;
a. Select Gateway subnet
b. Add a gateway subnet. In this case I use the .255 range of the 10.4.0.0/16 network to create a block of 32 IP addresses allocated to the VPN gateway devices. The subnet will be 10.4.255.0/27
4. Create the Virtual Network Gateway. It is important to note that we will use a route-based VPN. For lab and testing purposes you can use the Basic SKU; for production it is recommended to use a Standard SKU. More information on VPN Gateway sizes can be found here: Gateway SKUs
a. Creating the virtual network gateway called VNET1GW
b. After creating the Virtual Network Gateway you can see its status as well as the Public IP that we will use:
5. Creating the Local Network Gateway requires that you specify the Public IP of your VPN device (47.187.117.YY in this demo) as well as the address space of your on-premises network (192.168.88.0/24 in this demo);
6. Configure your VPN device - See section: MikroTik (On-Premises) Configuring IPSec (IKEv2) Site-to-Site VPN.
7. Create the VPN Connection
8. Verify the VPN Connection
MikroTik RouterOS runs on a wide range of device models, and many compatible models can be used to test and learn how to set up a Site-to-Site VPN with Azure.
DISCLAIMER: While we are demonstrating Mikrotik in this article, it is important to mention that Microsoft does not support device settings directly. If you experience problems, please contact the device manufacturer for additional support and setup instructions.
An important point to note is that IKEv2 support was introduced in RouterOS release 6.38, so make sure you have a version compatible with the settings shown. In this article we use a RouterBOARD 750 with software version RouterOS 6.39.
In this tutorial the Winbox management tool was used to configure the MikroTik, and here are the steps necessary to configure it correctly:
1. Add an IPSec policy under Menu > IP > IPSec: on the Policies tab click the + symbol to add a new policy, and on the General tab add both subnets (Source: On-Premises and Destination: Azure) as shown:
Note: If your MikroTik does not show IKEv2, make sure you have a recent release: RouterOS 6.38 or higher. Before that, only IKEv1 is available.
a. Add a NAT rule with Chain srcnat matching both subnets (On-Premises as source and Azure as destination)
b. On the Action tab select accept
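The Winbox screenshots that accompanied the steps above are not reproduced here, so the following is an added example (not from the original article) of the equivalent RouterOS 6.39 CLI configuration. It uses the addresses from the diagram, a placeholder pre-shared key, and the IKEv2 and ESP algorithms that an Azure route-based gateway accepts by default (AES-256, SHA-256, DH group 2, no PFS); the firewall filter rules at the end are an assumption about the default RouterBOARD firewall and should be placed above any drop rule. Newer RouterOS releases split the peer into /ip ipsec profile and /ip ipsec identity, so the peer line below applies to the 6.38 to 6.42 syntax only.

```routeros
# Added example (not from the original article): RouterOS 6.39 CLI equivalent of
# the Winbox steps above. Addresses are the ones from the diagram; the pre-shared
# key is a placeholder and must match the key entered on the Azure connection.

# Phase 1 (IKEv2) peer: the Azure VPN Gateway public IP, offering a proposal that
# the Azure route-based gateway accepts (AES-256, SHA-256, DH group 2 = modp1024).
/ip ipsec peer add address=13.85.83.XX/32 exchange-mode=ike2 \
    auth-method=pre-shared-key secret="REPLACE_WITH_SHARED_KEY" \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp1024 \
    lifetime=8h nat-traversal=no send-initial-contact=yes

# Phase 2 proposal: AES-256-CBC / SHA-256 with no PFS, which is Azure's default for
# route-based gateways, and a 1h SA lifetime.
/ip ipsec proposal set [ find default=yes ] \
    auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none lifetime=1h

# Policy: tunnel mode between the on-premises subnet and the VNET, anchored on the
# two gateway public IPs (this is the Policies > General tab from step 1).
/ip ipsec policy add src-address=192.168.88.0/24 dst-address=10.4.0.0/16 \
    sa-src-address=47.187.118.YY sa-dst-address=13.85.83.XX \
    tunnel=yes action=encrypt level=require proposal=default

# NAT bypass (the srcnat / accept step): traffic bound for Azure must not be
# masqueraded, otherwise it leaves with the router's WAN address and never matches
# the policy. place-before=0 puts the rule ahead of the default masquerade rule.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
    dst-address=10.4.0.0/16 action=accept place-before=0

# Assumption: the default RouterBOARD input chain drops unsolicited WAN traffic, so
# allow IKE (UDP/500), NAT-T (UDP/4500) and ESP only from the Azure gateway address.
# Move these above any existing drop rule after adding them.
/ip firewall filter add chain=input src-address=13.85.83.XX protocol=udp \
    dst-port=500,4500 action=accept comment="IKEv2 from Azure VPN Gateway"
/ip firewall filter add chain=input src-address=13.85.83.XX protocol=ipsec-esp \
    action=accept comment="ESP from Azure VPN Gateway"
```

Restricting the IKE and ESP accept rules to the Azure gateway address, rather than opening UDP/500 and UDP/4500 to the whole Internet, keeps the router's IKE responder unreachable from anyone but the intended peer.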
Validating the IPSec Tunnel
Ping between the two computers, one on each side. On the right side the on-premises computer (192.168.88.17) correctly pings the Azure VM (10.4.0.4), and the opposite direction works fine too.
On both sides we see a TTL of 126, which corresponds to the two hops (both gateways) that decremented it. The default TTL of Windows machines is 128.
Important: By default, inbound ICMP echo requests are blocked by the Windows firewall. Make sure you have enabled them by running the following PowerShell command (FPS-ICMP4-ERQ-In is the built-in "File and Printer Sharing (Echo Request - ICMPv4-In)" rule):
Set-NetFirewallRule -Name FPS-ICMP4-ERQ-In -Enabled True
On the Azure side
In the Azure portal you can validate the tunnel as shown in item 8 (Verify the VPN Connection) above. This can also be done from PowerShell using the command:
Get-AzureRmVirtualNetworkGatewayConnection -Name From-azure-to-Mikrotik -ResourceGroupName S2SVPNDemo
On the MikroTik side
There are multiple ways to validate the VPN connection between Azure and the MikroTik. Here are some of them:
1. IPSec > Policies tab. It shows whether IPSec phase 2 is working correctly:
2. Remote Peers tab. It shows whether IKE phase 1 is working correctly.
3. The Installed SAs tab shows the current Security Associations:
If something is not working during your setup, you can troubleshoot to determine what is going on. MikroTik provides a good interface for IPSec logging and troubleshooting in case you need more information on what is happening. Events can be viewed in the Log menu, but to ensure that IPSec events are actually logged you need to make a simple change to the logging settings (System > Logging) and add IPSec as a topic:
After you add the new Logging rule you will see the following detailed IPSec event logs:
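As an added example (not from the original article), here are the RouterOS CLI equivalents of the three Winbox validation tabs and of the System > Logging change, which is useful when working over SSH instead of Winbox. The flag and column names are those of the 6.x print output.

```routeros
# Added example (not from the original article): CLI equivalents of the Winbox
# validation tabs and of the System > Logging rule described above.

# Phase 1: an entry for the Azure gateway with state "established" means IKEv2
# authenticated successfully (Remote Peers tab).
/ip ipsec remote-peers print

# Phase 2: the policy carries the "A" (active) flag and ph2-state "established"
# once the child SA is negotiated; "no-phase2" means phase 1 is up but the
# proposal or subnets do not match (Policies tab).
/ip ipsec policy print

# Installed SAs: one inbound and one outbound ESP SA per policy; a growing
# current-bytes counter confirms traffic is really being encrypted (Installed SAs tab).
/ip ipsec installed-sa print

# Log IPsec negotiation to memory (the System > Logging change), then filter the
# log to the ipsec topic to see the detailed IKE events.
/system logging add topics=ipsec action=memory
/log print where topics~"ipsec"
```

The memory log is lost on reboot; for a persistent record of who negotiated with the gateway and when, point the logging action at a remote syslog server instead of memory.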
In this article we have demonstrated how to set up a Site-to-Site IPSec VPN using IKEv2 (route-based) between Azure and a MikroTik RouterBoard. These instructions can also help you configure any IPSec device that supports parameters compatible with the Azure VPN Gateway. I hope you enjoyed the information shared here, and please ask below in the comments if you have other questions. I would like to say a special thank you to Azure Support Escalation Engineer Daniel Pires, who co-authored this article. Thank you!