Azure VPN Gateway and Mikrotik IPSEC/IKE Configuration

Microsoft Azure has a list of supported and tested VPN devices that work with Azure VPN Gateway at; https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices. Unfortunately Mikrotik is not on this list which means you are on your own to figure out how to setup the VPN connection between these devices. Running a Mikrotik I would assume that anyone running one would be quite an expert in networking as Mikrotik routers are very powerful and not what I would call super user friendly, but if you are finding yourself stuck configuring a VPN connection between Mikrotik and Azure VPN Gateway read on and hopefully the information below will help get you sorted.

Requirements:
(1) Mikrotik router
(1) Azure subscription

First I will start on the Azure side, you will create and configure a “Virtual network gateway”. Go to the Azure portal; https://portal.azure.com and create a resource.

You will need a virtual network and a gateway subnet named “GatewaySubnet” in the virtual network to use. Select settings similar to the below, changing names for your own.

After the settings are done create the gateway. This can take some time to complete, 5-45 minutes.

While the creation is ongoing you can create the “Local network gateway” as well. In the Azure portal search for “Local network gateway”.

Enter a name for the local gateway and enter your Mikrotik’s public IP address and select the subscription, Resource group and Location.

After the settings are done, click create.

When the creation is complete browse to the new gateway and select “Connections” and add a new connection.

That’s all for the Azure side.

On the Mikrotik router it’s time to setup the IPSEC tunnel. I will show in Winbox but the command line can also be used.

Your router should already have a default IPSEC profile called “default”. If not, add one with the below information. The algorithms must match as the Azure IPSEC gateway only supports specific algorithms. If “NAT Traversal” is checked, uncheck it.

Next configure the peers, this is the public IP information for both sides on the tunnel. Select the “Peers” tab and click the “+” button to add a peer.

Enter a name and the Azure/destination address and your local router public IP in the “Local Address”, select IKE2 Exchange Mode.

Add a new IPSec Identity/key using the same key you entered in the Azure connection setup.

The IPSEC Proposal on the Mikrotik equals the Phase 2 or IPSec Policy. The authentication and encryption algorithms need to match what Azure supports. Select “none” for “PFS Group”.

Enter a name, select “Tunnel” and enter the local subnet information for both sides of the network. My home is 10.0.0.0/16 network and the Azure gateway subnet can be found in the Virtual Network subnets page. It is 10.1.1.0/24.

If all of the settings match you should see the connection. In the “Active Peers” tab. If there is no connection and you make changes to either side you can “Kill Connections” to “Reboot” the connection. Usually the IKE Phase 1/IKE Policy will pass but the Proposal/Phase 2 will not, update settings and “kill Connections” to try the connection again.

Make sure that there were NAT rules added when adding the IPSEC Policy. There should be 1 srcnat chain for outbound and 1 dstnat chain for inbound traffic.

Good luck, this is not an easy setup but it is possible, just recheck settings and try to match them on both sides of the tunnel. There are no many options on the Azure side just make sure it is set to IKE2 and no BGP and your key and IP addresses are correct. Then concentrate on the Mikrotik settings this is where there are many chances for mistakes.