Creating a site-to-site VPN with Windows Azure and Mikrotik ( RouterOS )

As many of you I have a small lab in my home, to test different solutions. I had been playing around with running virtual machines in Windows Azure, and I needed to connect them to my home lab using site-to-site VPN.

A word of caution: Virtual Machines and Network is still in preview. Everything in this article is based on the preview version.

If you have Cisco or Juniper VPN devices, you can download the configuration from the Windows Azure portal. However, this does not mean that you cannot connect other VPN devices, like in my case, the cheap Mikrotik 751 based on RouterOS.

You can follow this guide to create the Virtual Network in Windows Azure:


Here is a simple diagram of my network setup. As you can see I have defined three subnets in Windows Azure – where one of them is dedicated to the gateway (GatewaySubnet).

For this article I have one server running on my backend network named azure-srv-01.

In my lab I am running the Mikrotik 751 router, and I have one defined subnet,

I also run one DNS server on premise at that would be used for name resolution for internal resources.


  1. Configure Peers
  2. Define the policy
  3. Configure your proposal
  4. Configure firewall
  5. Test connectivity


Configuring the Mikrotik 751 router (RouterOS)


The following is the necessary information for configuring IPSec tunnel with Windows Azure:
  • VPN device must have a public facing IPv4 address
  • VPN device must support IKEv1
  • Establish IPsec Security Associations in Tunnel mode
  • VPN device must support NAT-T
  • VPN device must support AES 128-bit encryption function, SHA-1 hashing function, and Diffie-Hellman Perfect Forward Secrecy in "Group 2" mode (named modp1024 in the Mikrotik RouterOS)
  • VPN device must fragment packets before encapsulating with the VPN headers

For this configuration I am using Winbox v5.11 to carry out the configuration on my Mikrotik 751.

After logging into your Mikrotik router, open the IPSec configuration by clicking IP->IPSec.
Here we will define the IPSec configuration needed to connect to the Windows Azure gateway.


Step 1 – Configure Peers:


On the Peers tab, click the plus sign to add a new peer:


Here you need to add the shared secret key generated by Windows Azure.
Log on to the Windows Azure management portal and get your key. To do that, go to your Virtual Network and select Manage Key.


Step 2: Define the policy

Next up is to define the policy. As I understand it, the Mikrotik router uses the policies to route traffic through the tunnel.

On the General tab I define the source and destination IP-subnets like this:


For the Action tab, I define the SA source and destination addresses, and also that it should be an IPSec tunnel:


Step 3: Configure your proposal

If you look at my proposal tab, I have the default proposal defined like this:



Step 4: Configure firewall

In my configuration I am using NAT (masquerade) when accessing the Internet. However, I have to override this rule for my IPSec tunnel. Open up the Firewall configuration from IP->Firewall:


Next, configure the firewall so that traffic destined for the IPSec tunnel is not NATed.

Open the NAT tab, and click the + sign to add the following:


Make sure the Action is set to Accept.


And make sure that this rule is above any conflicting rules you might have defined.
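For readers who prefer the RouterOS terminal to the Winbox dialogs, here is the command-line equivalent of steps 1 to 4. This is an added example, not configuration from the original post: every address and the secret are constructed placeholders, and the parameter names are assumed to match the Winbox 5.x fields (RouterOS 6.x renamed some of them, for example the proposal's encryption algorithm).

```routeros
# Added example (not from the original post): RouterOS 5.x terminal
# equivalent of steps 1 to 4. All addresses and the secret below are
# constructed placeholders; parameter names assume RouterOS 5.x.
#
# Constructed values - replace with your own:
#   203.0.113.10     public IP of the Windows Azure gateway (assumed)
#   198.51.100.20    public IP of the Mikrotik WAN interface (assumed)
#   10.1.0.0/16      Windows Azure virtual network address space (assumed)
#   192.168.88.0/24  on-premises subnet behind the Mikrotik (assumed)

# Step 1 - peer: IKEv1 main mode with the pre-shared key from the Azure
# portal, NAT-T enabled, AES-128 / SHA-1 / DH group 2 (modp1024) as the
# Azure requirements list demands.
/ip ipsec peer add address=203.0.113.10/32 auth-method=pre-shared-key \
    secret="REPLACE-WITH-KEY-FROM-AZURE-PORTAL" exchange-mode=main \
    nat-traversal=yes hash-algorithm=sha1 enc-algorithm=aes-128 \
    dh-group=modp1024 send-initial-contact=yes

# Step 3 - proposal: phase 2 algorithms, with PFS in group 2 (modp1024).
/ip ipsec proposal set default auth-algorithms=sha1 \
    enc-algorithms=aes-128 pfs-group=modp1024

# Step 2 - policy: which subnets are encrypted (General tab) and which
# gateway addresses the SA is built between, in tunnel mode (Action tab).
/ip ipsec policy add src-address=192.168.88.0/24 dst-address=10.1.0.0/16 \
    protocol=all action=encrypt level=require ipsec-protocols=esp \
    tunnel=yes sa-src-address=198.51.100.20 sa-dst-address=203.0.113.10 \
    proposal=default

# Step 4 - firewall: exempt tunnel traffic from masquerading. place-before=0
# puts the rule first in the srcnat chain, above the masquerade rule, so the
# accept is matched before the masquerade (requires at least one existing
# srcnat rule).
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
    dst-address=10.1.0.0/16 action=accept place-before=0 \
    comment="bypass NAT for Windows Azure site-to-site tunnel"
```

Paste the commands into the RouterOS terminal after adjusting the placeholders. Once traffic has been sent across the policy, `/ip ipsec installed-sa print` shows the same security associations that the Installed SAs tab in Winbox displays in step 5.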



Step 5: Test connectivity

The only thing left now is to test the connectivity. I do know my virtual machine in Windows Azure is configured with the IP of


From my workstation, I open PowerShell and try to ping



Then I RDP into my Windows Azure virtual machine, and try to ping my on-premises DNS host ( :


If I check my router for security associations under the Installed SAs tab, I can see the following:



If you want to try Windows Azure – you can get yourself a 90-day free trial at

Comments (7)
  1. VPN device with Dynamic DNS says:


    Have you found any way for this solution to work without a static IP address on the Mikrotik side?


  2. Cristian says:

    Hi, do you know if I can set up a route-based vpn with mikrotik router and azure site-multisite vpn. I have 3 on-premises site that I need to connect to azure vnet.

  3. odang says:

    hi, my mikrotik router is version 2.23 and there is no "MyID User FQDN" field to input, what should I do? is it supported or not?

  4. HansHinnekint says:

    Do you have an update for RouterOS 6.x ?

    On my setup, something must be missing to make it fully operational.

    Tunnel is up and I can ping in both directions, but using RDP through the tunnel gives an internal connection error, same with other protocols.

  5. Vpn says:

    For More About Vpn You USe ALso Cloud Server My Site Is on Cloud You can Visit Here

  6. Invite You says:

    For Guest Post You Can Put This Post in Our Website Visit
