This is a short tutorial on how to configure a MikroTik router (RouterOS) for a site-to-site IPsec VPN to an Azure virtual network.
The things you need to do:
- Prepare your Azure virtual network, virtual network gateway, local network gateway and connection by following the article you can find here. There is nothing very tricky here; you just need to be careful with one difference:
When you run New-AzureRmVirtualNetworkGateway, be sure that you use the VPN type PolicyBased (-VpnType PolicyBased). RouterOS IPsec is policy based (traffic is selected by address policies, not by a routed tunnel interface), so the Azure side has to be policy based as well. Note that a policy-based Azure gateway negotiates IKEv1 only, supports only the Basic SKU and allows a single site-to-site connection.
- Configure your MikroTik router. For this, you can search the Internet and study my screenshots.
Filter rules needed for the tunnel to work.
The fasttrack rule affects IPsec traffic: connections that are fasttracked bypass IPsec policy matching, so traffic for Azure never enters the tunnel. For tunnel mode to work properly you must accept the tunnelled traffic before the fasttrack rule, hence place-before=0 on every rule below (it inserts the rule at the top of the chain).
/ip firewall filter
add chain=forward action=accept comment="Allow to Azure" src-address=192.168.1.0/24 dst-address=10.10.0.0/16 place-before=0
add chain=forward action=accept comment="Allow from Azure" src-address=10.10.0.0/16 dst-address=192.168.1.0/24 place-before=0
add chain=input action=accept comment="Azure IKE and NAT-T" protocol=udp dst-port=500,4500 src-address=51.X.X.X place-before=0
add chain=input action=accept comment="Azure ESP" log=yes protocol=ipsec-esp src-address=51.X.X.X place-before=0
/ip firewall nat add chain=srcnat action=accept comment="Azure VPN Tunnel (no masquerade)" log=yes src-address=192.168.1.0/24 dst-address=10.10.0.0/16 place-before=0
Addresses used above (replace them with your own):
10.10.0.0/16 Azure virtual network address space
192.168.1.0/24 local network
51.X.X.X public IP of the Azure VPN gateway
I'm not sure if this configuration is the best, but it seems to be working. Keep in mind that log=yes on the ESP and NAT rules writes one log entry per matching packet; switch it off once the tunnel is verified.
The firewall configuration:
Here you need to exclude the tunnel traffic from masquerading and from fasttrack, and let in the traffic from the Azure virtual subnets. The screenshots show a completely open firewall between the local subnets (192.168.0.0/16) and the Azure subnets (10.0.0.0/16), wider prefixes than in the commands above; that is probably what you want while bringing the tunnel up, but restrict the forward rules to the hosts and ports you actually need once it works.
Filter table configuration to let in traffic from Azure and to exclude IPsec traffic from fasttrack.
NAT table configuration to exclude tunnel traffic from masquerading.
IPsec policy General tab.
IPsec policy Action tab.
Enter your pre-shared key in the Secret field; it must be the same string you passed as the shared key of the Azure connection.
IPsec peer configuration.
IPsec proposal configuration.
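As an added example (not from the original page or its screenshots), here is the complete RouterOS configuration for the tunnel in command-line form. It uses the RouterOS 6.45+/7.x syntax, where the phase-1 profile, the peer and its identity (the pre-shared key) are separate objects; older 6.x versions put the same fields directly on /ip ipsec peer. It assumes the address placeholders used above (10.10.0.0/16, 192.168.1.0/24, 51.X.X.X) and the documented defaults of an Azure policy-based gateway (IKEv1 main mode, AES-256/SHA-1/DH group 2 for phase 1, AES-256/SHA-1 without PFS for phase 2). The forward rules match on ipsec-policy rather than on addresses alone, so a plain-text packet arriving on the WAN with a spoofed 10.10.0.0/16 source address is not let through.

```routeros
# Added example, not the original page's configuration. Placeholders:
#   51.X.X.X        public IP of the Azure VPN gateway
#   10.10.0.0/16    Azure virtual network address space
#   192.168.1.0/24  local LAN (must match the LocalNetworkGateway prefix in Azure)

# Phase 1 (IKEv1 main mode). Azure policy-based defaults: AES-256, SHA-1,
# DH group 2 (modp1024), IKE SA lifetime 28800 s.
/ip ipsec profile
add name=azure enc-algorithm=aes-256 hash-algorithm=sha1 dh-group=modp1024 \
    lifetime=8h nat-traversal=yes dpd-interval=30s

/ip ipsec peer
add name=azure address=51.X.X.X/32 exchange-mode=main profile=azure

# The secret must equal the shared key given to the Azure connection.
/ip ipsec identity
add peer=azure auth-method=pre-shared-key secret="REPLACE-WITH-YOUR-SHARED-KEY"

# Phase 2. Azure policy-based defaults: AES-256, SHA-1, no PFS, SA lifetime 3600 s.
/ip ipsec proposal
add name=azure enc-algorithms=aes-256-cbc auth-algorithms=sha1 pfs-group=none lifetime=1h

# Traffic selectors: must match the Azure VNet address space and the local prefix exactly,
# otherwise phase 2 fails with "no matching policy" on either side.
/ip ipsec policy
add peer=azure tunnel=yes src-address=192.168.1.0/24 dst-address=10.10.0.0/16 \
    proposal=azure action=encrypt level=require

# Firewall: everything below is inserted at the top of its chain (place-before=0)
# so it is evaluated before fasttrack and before masquerade.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=51.X.X.X \
    comment="Azure IKE / NAT-T" place-before=0
add chain=input action=accept protocol=ipsec-esp src-address=51.X.X.X \
    comment="Azure ESP" place-before=0
# ipsec-policy=in,ipsec matches only packets that were actually decapsulated from IPsec.
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address=10.10.0.0/16 dst-address=192.168.1.0/24 comment="From Azure" place-before=0
add chain=forward action=accept ipsec-policy=out,ipsec \
    src-address=192.168.1.0/24 dst-address=10.10.0.0/16 comment="To Azure" place-before=0

# Keep tunnel traffic out of source NAT, otherwise it never matches the IPsec policy.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=10.10.0.0/16 \
    comment="Azure VPN: no masquerade" place-before=0

# Verification after both sides are configured:
#   /ip ipsec active-peers print   (state should be established)
#   /ip ipsec installed-sa print   (one ESP SA per direction)
#   /ping 10.10.0.4 src-address=192.168.1.1   (use a real Azure VM address)
```

Run the script once only: place-before=0 inserts each rule above the current first rule, so running it twice adds duplicate rules in reverse order. If phase 1 comes up but phase 2 does not, compare the selectors in /ip ipsec policy with the VNet address space and the local network gateway prefix in Azure; they have to be identical, not merely overlapping.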