Mikrotik Basic Setup: Software
Posted in Home by admin on 18/10/17

Creating a Site to Site VPN IPSec IKEv. Azure and MikroTik RouterOS

Resolving complex networking issues. Authors: Daniel Pires and Daniel Mauser.

Introduction

In this article, we are going to show you how to set up an IPSec Site to Site VPN between Azure and an on-premises location by using a MikroTik router. Another blog post was published a few years ago about the same subject: Creating a site to site VPN with Windows Azure and MikroTik RouterOS. However, we have some major updates in this article. First, we are going to set up the Site to Site VPN using Azure Resource Manager Portal http portal. Classic Azure Portal. Second, the VPN Gateway in this blog post is Route Based, which will leverage IKE version 2 (IKEv2); the first article used a Policy Based Gateway leveraging IKE version 1 (IKEv1). If you are not familiar with the terminology of IPSec parameters, in particular IKEv. About VPN devices and IPsec/IKE parameters for Site to Site VPN Gateway connections.

Scenario

Below we have a diagram of the scenario covered in this step by step. Relevant information on the diagram above necessary to configure the Site to Site VPN:

Azure Side: VNET Subnet 1. Public IP of the Azure VPN Gateway 1. XX
On Premises Side: Subnet 1. Public IP of On Prem Gateway 4. YY

Azure: Configuring Route Based IPSec Site to Site VPN

In this section we will go over, step by step, configuring the Site to Site VPN on the Azure side. The steps demonstrated here are the same as in the official documentation: Create a Site to Site connection in the Azure portal. So we are not going to cover the specific steps on how to get to the screens; you can use the official documentation as reference.
Also, if you are already familiar with those steps, feel free to jump right away to the section below: MikroTik On Premises: Configuring IPSec IKEv. Site to Site VPN.

1. Create a virtual network.
2. Specify a DNS server. Optional for this and not necessary for this demonstration to work.
3. Create the gateway subnet.
   a. Select Gateway Subnet.
   b. Add Gateway subnet. In this case I will use the final 2. VPN Gateways and subnet is 1.
4. Create the Virtual Network Gateway. It is important here to highlight that we are going to use VPN Type Route Based. Also, for your lab purposes you can use SKU Basic; for production workloads at least Standard SKU is recommended. For more information about VPN Gateway sizes, consult Gateway SKUs.
   a. Creating the Virtual Network Gateway named VNET1GW.
   b. After you create the Virtual Network Gateway you can see the status as well as the Public IP that is going to be used.
5. Create the local network gateway, which requires you to specify the Public IP of your VPN device 4. YY as well as the On premises Subnets 1.
6. Configure your VPN device. See section MikroTik On Premises: Configuring IPSec IKEv. Site to Site VPN.
7. Create the VPN connection.
8. Verify the VPN connection.

MikroTik On Premises: Configuring IPSec IKEv. Site to Site VPN

MikroTik RouterOS has several models, and there are very affordable device models that you can also use to play and learn how to configure Site to Site VPN with Azure.

DISCLAIMER: Although we demonstrate MikroTik in this article, it is important to mention that Microsoft does not support the device configuration directly. In case you have an issue, please contact the device manufacturer for additional support and configuration instructions.

One important point to highlight is IKEv. Therefore, make sure you have a compatible version to be able to proceed with the configuration demonstrated in this article, for which we used RouterBOARD 750 and software version RouterOS 6.39.

In this tutorial the Winbox management utility has been used to perform the MikroTik configuration, and here are the necessary steps to configure MikroTik correctly:

Add an IPSec Policy by selecting on the menu IP and IPSec. On the Policies tab click the plus sign to add a New Policy. On the General tab add both subnets, Source (On Prem) and Destination (Azure), as shown.

On the same screen, on the Action tab, select Tunnel and specify the On Prem Source Public IP and the Destination Azure Gateway Public IP, which can be obtained after you Create Virtual Network Gateway (see Azure S2S VPN section, Step 4b).

On the Peers tab click Plus and add a new IPSec Peer. In IPSec terminology we are working on IKE Phase 1 (Main Mode) on this configuration tab. Here we need the Azure Gateway Public IP, and to specify the Pre Shared Key, which can be specified in Part I, Step 7, Create the VPN connection.

Note: If your MikroTik does not show IKEv. RouterOS release 6. 3. Before that release only IKEv.

On the same screen, go to the Advanced tab and adjust Lifetime to 8h 2. Azure official documentation: IPsec/IKE parameters, SA (security association) for IKE Phase 1 (Main Mode).
On the Encryption tab, you can use the defaults, which are supported by Azure, or adjust for a stronger Hash and Encryption. See details here: IPsec/IKE parameters. For this article the following have been selected:

Now, let's move on to IKE Phase 2 (Quick Mode), which is represented in MikroTik by Proposals. For this one you can either create a new one (plus sign) or change the default one. In case you create a new one, make sure to change the Step 2 IPSec Policy, Action tab, and select the appropriate Proposal. For this article, we will change the default IPSec Proposal, for which the following have been selected based on official Azure information for IKE Phase 2 in IPsec/IKE parameters:

The last step to make sure the VPN will route correctly between On Prem and Azure is to configure a NAT rule. This is done by going to IP and selecting Firewall, then the NAT tab. Add Chain as srcnat and both subnets, On Prem and Azure Subnet. On the Action tab select accept.

Validating the IPSec Tunnel

Ping between two computers, one on each side. In the right side On Prem computer 1. Azure VM 1. 0. 4. In both sides we see TTL of 1. Gateways getting decremented. Default TTL of Windows machines is 1.

Note: By default ICMP is disabled. Make sure you allow ICMP by running the following PowerShell command:

Set-NetFirewallRule -Name FPS-ICMP4-ERQ-In -Enabled True

On Azure Side

On the Azure Portal you can validate the brand new tunnel created as shown in item 8, Verify the VPN connection, above. That can also be validated with PowerShell by using the command:

Get-AzureRmVirtualNetworkGatewayConnection -Name "From Azure to Mikrotik" -ResourceGroupName S2SVPNDemo

On MikroTik Side

There are multiple ways to validate the IPSec VPN connection to Azure on MikroTik. Here are some ways:

1. IPSec Policies tab. It shows if IKE Phase 2 is working correctly.
2. Remote Peers tab. This shows if IKE Phase 1 (Main Mode) is working correctly.
3. Installed SAs tab shows current Security Associations.

IPSec Troubleshooting

If something does not work for some reason during your configuration, you can troubleshoot to determine what is going on. MikroTik provides a good interface for logging and troubleshooting IPSec in case you want to get more detailed information on what is going on. Events can be viewed in the Log menu, but to ensure IPSec events are exposed you need to make a simple change in the Logging configuration: go to System, Logging, and add IPSec as a Topic.

After you add this new Logging rule you will see the following detailed IPSec events:

Conclusion

In this article we demonstrated how to set up an IPSec Site to Site VPN using IKEv. Route Based between Azure and MikroTik RouterBoard.