Creating Site-to-Site (Route-based) VPN with Mikrotik

About this work

Firstly, I must inform you that this work is not my own, and because of that I want to congratulate the Daniel Pires and Daniel Mauser for the great work and all the credits are for them. This work is a translation of the article. Creating a Site-to-Site VPN (IPSec IKEv2) with Azure and MikroTik (RouterOS).


In this article we will show you how to set up an Ipsec Site-to-Site VPN connection between an on-premises environment and Azure using a MikroTik router. Another post was published a few years ago on the same subject. Creating a site-to-site VPN with Windows Azure and MikroTik (RouterOS). However we have some great updates in this article. First, let's set up Site-to-Site VPN using the Azure Resource Manager portal, while the original article uses the classic Azure portal. Second, the VPN Gateway in this post is route-based, which requires the configuration of IKE version 2, compared to the policy-based gateway used in the previous post and which is configured using IKE version 1. If you are not familiar with parameter terminology from IPSec take a look at the following documentation: About VPN devices and IPsec / IKE parameters for Site-to-Site VPN Gateway connections.


Below we have a diagram of the scenario covered in this step-by-step.

Relevant information in the above diagram required to configure Site-to-Site VPN

Relevant information on the diagram above necessary to configure the Site-to-Site VPN.

Azure Side:

  • VNET Subnet:
  • Azure VPN Gateway Public IP: 13.85.83.XX

On-premises side:

  • Subnet:
  • On-Prem Gateway Public IP: 47.187.118.YY

Azure: Configuring Route-Based Site-to-Site IPSec VPN

In this section we will walk you through how to configure Site-to-Site VPN through the Azure portal. The steps shown here are the same as in the official documentation: Create a site-to-site connection in the Azure portal.. So we will not specifically cover the step by step how to get to the screens, you can use the official documentation as a reference. Also, if you are unfamiliar with the steps here, you can skip to the bottom session: MikroTik (On-Premises) Configuring IPSec (IKEv2) Site-to-Site VPN.

1. Create a virtual network

2. Specify a DNS Server (This is an optional step and is not required for this demo);

3. Create a gateway subnet;

The. Select Gateway Subnet

B. Add a Gateway subnet. In this case I will use the end 255 of the network on to create 32 IP addresses allocated to VPN devices. The subnet will be

4. Create the Virtual Network Gateway. It is important to note that we will use route-based VPN. For laboratory and testing purposes you can use the Basic SKU, for production it is recommended to use a Standard SKU. More information on VPN Gateway sizes can be found here: Gateway SKUs

The. Creating the virutal network gateway called VNET1GW

B. After creating the Virtual Network Gateway you can see the status as well as the Public IP that we will use:

5. Creating the LAN Gateway requires that you specify the Public IP of your VPN Device (47.187.117.YY in this demo) as well as the extension of your on-premises network ( in this demo);

6. Configure your VPN device - See section: MikroTik (On-Premises) Configuring IPSec (IKEv2) Site-to-Site VPN.

7. Create the VPN Connection

8. Verify the VPN Connection

MikroTik (On-Premises) Configuring IPSec (IKEv2) Site-to-Site VPN

MikroTik RouterOS has several templates and there are many compatible templates you can use to test and learn how to set up a Site-to-Site VPN with Azure.

DISCLAIMER: While we are demonstrating Mikrotik in this article, it is important to mention that Microsoft does not support device settings directly. If you experience problems, please contact the device manufacturer for additional support and setup instructions.

An important point to note is that IKEv2 was introduced in release 6.38. Also make sure you have a version compatible with the settings shown. In this article we use RouterBOARD 750 and software version: RouterOS 6.39

In this tutorial managing the Winbox was used to configure Mikrotik and here are the necessary steps to configure Mikrotik correctly:

1. Add an IPSec policy in Menu > IP > IPSec - on the tab Policies click on the symbol + to add a new policy. on the tab General add both subnets (Source: On-Premises and Destination: Azure) as shown:

2. In the same window, now in the tab Action - Check the checkbox Tunnel and specify Specify the On-Prem Appliance Public IP in SA Src. Address is at SA Dst Address add the VPN Gateway Public IP that can be found after you create the Virtual Network Gateway (See: Section Azure S2S VPN - Step 4b)

3. In the tab Peers - Click in + and add a new IPSec Peer. In IPSec terminology we are working with IKE phase 1 (Main Mode) in this configuration tab. Here we need the Azure Gateway Public IP, so specify the preshared key that can be specified in Part I - Step 7 (Create the VPN Connection).

note: If your mikrotik does not show IKEv2 make sure you have the latest release version: Router OS 6.38 or higher. Before them only IKEv1 is available.

4. In the same screen go to the tab Advanced and make Lifetime adjustments to 8h = 28,800 seconds, based on official Azure documentation at IPSec / IKE SA (Security Associations) Parameters for IKE Phase 1 (Main Mode)

5. In the tab Encryption You can use the standard supported by Azure or make adjustments for stronger Hash and Critpography (See details here: IPSec / IKE parameters). For this article we have the following selected:

6. Now let's move to IKE Phase 2 (Quick Mode) which is represented in MikroTik by Proposals. For this you can either create a new one (by clicking +) or change the default. If you create a new one make sure you change it in step 2 (IPSec Policy) and Action and select the correct Proposal. For this article we will change the default IPSec Proposal which we have selected as follows, based on the official Azure documentation for IKE phase 2 in IPSec / IKE parameters:

2. The last step is to ensure that the VPN tunnel is routed correctly between on premises and Azure. For this we set up a NAT rule. This is done by going into IP > Firewall > NAT

The. Add Chain as srcnat to both subnets (On-Premises and Azure)

B. In the tab Action select accept

Validating the IPSec Tunnel

Ping between the two computers on each side. On the right side the on-premises computer ( correctly dripping the Azure VM ( and the other side works fine too.

On both sides, we see that the TTL of 126 corresponds to two hops (both Gateway) are decreased. The Standard TTL of Windows Machines is 128.

Important: By default ICMP is disabled. Make sure you have enabled ICMP by running the following powershell command:

On the Azure side

In the Azure portal you can validate the tunnel created as shown in item 8. Verify the VPN connection above. This can also be done by powershell using the command:

On the MikroTik side

There are multiple ways to validate the VPN connection between Azure and Mikrotik. Here are some of them:

1. IPSec - tab Policies . It shows if the IKE IPSec phase 2 phase is working correctly:

2. Tab Remote peers. It shows if IKE phase 1 is working correctly.

3. The Tab Installed SAs shows the current Security Associations:

IPSec Troubleshooting

If something is not working for some reason during your setup, you can troubleshoot to determine what is going on. MikroTik provides a good interface for IPSec logging and troubleshooting in case you need more information on what is happening. Events can be viewed in the Log Menu, but to ensure that you can get exposed IPSec events, you need to make a simple change to Logging settings (System> Logging) and add IPSec as a topic:

After you add the new Logging rule you will see the following detailed IPSec event logs:


In this article we have demonstrated how to set up a Site-to-Site IPSec VPN using IKEv2 (Route Based) between Azure and MikroTik RouterBoard. These instructions can also help you configure an IPSec device that is sharing with Azure VPN Gateway configurations. I hope you enjoyed the information. I hope you enjoyed the information shared here and please help below in the comments if you have other questions. I would like to say a special thank you to Azure Support Escalation Engineer Daniel Pires, who has co-authored this article. Thank you!


Carlos Oliveira

Carlos Oliveira, 25, Graduated in IT Management at Paulista College of Informatics and Administration (FIAP), and today I am the current founder of CloudSquad, a content sharing blog about Cloud Computing. The site covers tips and tricks about Office 365 and Azure and is a hub for practical solutions to complex problems.

Carlos Oliveira has 32 posts and counting. See all posts by Carlos Oliveira

pt_BR en_US