MikroTik site-to-site IPsec VPN connection to Azure Resource Manager based gateway

This is a short tutorial how to configure your MikroTik router to connect to Azure network with site-to-site VPN.

The things you need to do:

  1. Prepare your Azure virtual net, gateway and link configuration by following the article you can find here. There is nothing very tricky here, you just need to be careful with the following difference:
    When you run the New-AzureRmVirtualNetworkGateway, be sure that you use the VPN type: PolicyBased.
  2. Configure your MikroTik router. For this, you can search the Internet and study my screenshots.

I’m not sure if this configuration is the best, but this seems to be working.
The Firewall configuration:
Here you need to be able to exclude traffic from masquerading, fasttrack and let in the traffic from Azure virtual subnets. These screenshots show here a completely open firewall configuration between local subnets (192.168.0.0/16) and Azure subnets (10.0.0.0/16), but probably this is what you want first.

Mangle configuration to mark IPsec traffic.

Mangle table configuration to mark IPsec traffic.

Filter table configuration for let in traffic from Azure and exclude IPsec from fasttrack.

Filter table configuration for let in traffic from Azure and exclude IPsec from fasttrack.

NAT table configuration to exclude traffic from masquerading.

NAT table configuration to exclude traffic from masquerading.

IPsec configuration:

IPsec policy General tab.

IPsec policy General tab.

IPsec policy Action tab.

IPsec policy Action tab.

Enter here your pre shared key to the Secret field.

IPsec peer configuration.

IPsec peer configuration.

IPsec proposal configuration.

IPsec proposal configuration.

Please leave your comment if you have ideas to improve the configuration.

Leave a Reply

Your email address will not be published. Required fields are marked *

*