Azure VPN Gateway and Mikrotik IPSEC
IPSEC/IKE Configuration
BY CHAD · MAY 21, 2020
Microsoft Azure has a list of supported and tested VPN devices that work
with Azure VPN Gateway at https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices.
Unfortunately Mikrotik is not on this list, which means you are on your
own to figure out how to set up the VPN connection between these devices.
I would assume that anyone running a Mikrotik is quite an expert in
networking, as Mikrotik routers are very powerful and not what I would call
super user friendly, but if you find yourself stuck configuring a VPN
connection between Mikrotik and Azure VPN Gateway, read on and hopefully
the information below will help get you sorted.
Requirements:
(1) Mikrotik router
(1) Azure subscription
First I will start on the Azure side, where you will create and configure
a “Virtual network gateway”. Go to the Azure portal at https://portal.azure.com
and create a resource.
Virtual network gateway create
You will need a virtual network and a gateway subnet named
“GatewaySubnet” in the virtual network to use. Select settings similar to
the below, changing names for your own.
Virtual network gateway details
After the settings are done, create the gateway. This can take some time
to complete (5 to 45 minutes).
Create button
While the creation is ongoing you can create the “Local network gateway”
as well. In the Azure portal search for “Local network gateway”.
Add local gateway
Enter a name for the local gateway, enter your Mikrotik’s public IP
address, and select the subscription, resource group and location.
Create button
When the creation is complete browse to the new gateway and select
“Connections” and add a new connection.
Gateway connection
Add connection
That’s all for the Azure side.
On the Mikrotik router it’s time to set up the IPSEC tunnel. I will show
it in Winbox, but the command line can also be used.
Your router should already have a default IPSEC profile called “default”.
If not, add one with the information below. The algorithms must match, as
the Azure IPSEC gateway only supports specific algorithms. If “NAT
Traversal” is checked, uncheck it.
IPSEC Profile
Next configure the peers; this is the public IP information for both sides
of the tunnel. Select the “Peers” tab and click the “+” button to add a peer.
IPSEC Peers
Enter a name and the Azure/destination address, enter your local router’s
public IP in “Local Address”, and select the IKE2 exchange mode.
IPSEC Peer
Add a new IPSec Identity/key using the same key you entered in the
Azure connection setup.
IPSEC Identity
The IPSEC Proposal on the Mikrotik corresponds to Phase 2, what Azure
calls the IPsec policy. The authentication and encryption algorithms need
to match what Azure supports. Select “none” for “PFS Group”.
IPSEC Proposal
Enter a name, select “Tunnel” and enter the subnet information for both
sides of the tunnel. My home network is 10.0.0.0/16, and the Azure gateway
subnet can be found on the Virtual Network subnets page; it is
10.1.1.0/24.
IPSEC Policy
IPSEC Connection
Make sure that NAT rules were added when the IPSEC Policy was added.
There should be one srcnat chain rule for outbound and one dstnat chain
rule for inbound traffic.
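The Mikrotik steps above, written as the RouterOS CLI equivalent of the Winbox dialogs. This is an added example, not the author's configuration: the public IPs 203.0.113.10 (Azure gateway) and 198.51.100.20 (Mikrotik), the shared key, and the AES-256/SHA-256/DH group 14 algorithm choice are placeholders and assumptions; the author's screenshots hold the real values, and only the two subnets 10.0.0.0/16 and 10.1.1.0/24 come from the post.

```routeros
# Placeholders, not from the post: 203.0.113.10 = Azure VPN Gateway public IP,
# 198.51.100.20 = this router's public IP, CHANGE-ME = the connection's shared key.
# Azure side must match: the Local network gateway lists 10.0.0.0/16 as its
# address space and the connection uses the same shared key.

# Phase 1 (IKE) profile. NAT traversal off, as the post says. The algorithm
# set is an assumption that Azure's default IKEv2 policy accepts.
/ip ipsec profile
add name=azure enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    nat-traversal=no lifetime=8h

# Peer: Azure public IP as the remote, our own public IP as local, IKEv2.
/ip ipsec peer
add name=azure address=203.0.113.10/32 local-address=198.51.100.20 \
    exchange-mode=ike2 profile=azure

# Identity: pre-shared key matching the Azure connection.
/ip ipsec identity
add peer=azure auth-method=pre-shared-key secret="CHANGE-ME"

# Phase 2 proposal (Azure's "IPsec policy"). PFS none, as the post says.
/ip ipsec proposal
add name=azure enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=none

# Policy: tunnel mode between the post's two subnets.
/ip ipsec policy
add peer=azure tunnel=yes src-address=10.0.0.0/16 dst-address=10.1.1.0/24 \
    proposal=azure

# NAT bypass (the rules Winbox adds for you): tunnel traffic must not be
# masqueraded. place-before=0 keeps them ahead of the masquerade rule; omit
# it if the NAT table is empty.
/ip firewall nat
add chain=srcnat action=accept src-address=10.0.0.0/16 dst-address=10.1.1.0/24 \
    place-before=0 comment="Azure IPsec: no srcnat"
add chain=dstnat action=accept src-address=10.1.1.0/24 dst-address=10.0.0.0/16 \
    place-before=0 comment="Azure IPsec: no dstnat"

# Only IKE (UDP/500) and ESP from the Azure gateway need to reach the router;
# with NAT traversal off, UDP/4500 is not needed. Assumes the default firewall
# that drops other WAN input.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500 src-address=203.0.113.10 \
    place-before=0 comment="Azure IPsec: IKE"
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.10 \
    place-before=0 comment="Azure IPsec: ESP"

# Checks: the peer should be "established", the policy ph2-state "established",
# and an installed SA should exist in each direction.
/ip ipsec active-peers print
/ip ipsec policy print detail
/ip ipsec installed-sa print
```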
IPSEC NAT
Good luck; this is not an easy setup, but it is possible, so just recheck
the settings and try to match them on both sides of the tunnel. There are
not many options on the Azure side: just make sure it is set to IKE2 and
no BGP, and that your key and IP addresses are correct. Then concentrate
on the Mikrotik settings, as this is where there are many chances for
mistakes.