Creating a site-to-site VPN with Windows Azure and Mikrotik ( RouterOS )


As many of you I have a small lab in my home, to test different solutions. I had been playing around with running virtual machines in Windows Azure, and I needed to connect them to my home lab using site-to-site VPN.

A word of caution: Virtual Machines and Network is still in preview. Everything in this article is based on the preview version.

If you have Cisco or Juniper VPN devices, you could download the configuration from the Windows Azure portal. However, this do not mean that you cannot connect other VPN devices, like in my case, the cheap Mikrotik 751 based on the RouterOS.

You can follow this guide to create the Virtual Network in Windows Azure:

http://www.windowsazure.com/en-us/manage/services/networking/cross-premises-connectivity/

 

image Here is a simple diagram of my network setup. As you can see I have defined three subnets in Windows Azure – where one of them is dedicated to the gateway (GatewaySubnet).

For this article I have one server running on my backend network 10.200.3.0/24 named azure-srv-01

In my lab I am running the Mikrotik 751 router, and I have one defined subnet, 192.168.88.0/24.

I also run one DNS server on premise at 192.168.88.50 that would be used for name resolution for internal resources.

Steps:

  1. Configure Peers
  2. Define the policy
  3. Configure your proposal
  4. Configure firewall
  5. Test connectivity

 

Configuring the Mikrotik 751 router (RouterOS)

 

The following is the necessary information for configuring IPSec tunnel with Windows Azure:
  • VPN device must have a public facing IPv4 address
  • VPN device must support IKEv1
  • Establish IPsec Security Associations in Tunnel mode
  • VPN device must support NAT-T
  • VPN device must support AES 128-bit encryption function, SHA-1 hashing function, and Diffie-Hellman Perfect Forward Secrecy in "Group 2" mode (named modp1024 in the Mikrotik RouterOS)
  • VPN device must fragment packets before encapsulating with the VPN headers

For this configuration I am using the Winbox v5.11 to carry out the configuration on my Mikrotik 751.

After logging into your Mikrotik router, open the IPSec configuration by clicking IP->IPSec.
Here we will define the necessary IPSec configuration to connecto to Windows Azure Gateway.

image

Step 1 – Configure Peers:

image

On the Peers tab, click the plus sign to add a new peer:

image

Here you need to add your Secret key generated by Windows Azure.
Log on to the WIndows Azure management portal, and get your key. To do that, go to your Virtual Network, and select manage key. 

image


Step 2: Define the policy

Next up is to define the policy. As I understand it, the MIkrotik router uses the policies to route traffic through the tunnel.

On the General tab I define the source and destination IP-subnets like this:

image

For the Action tab, I define the SA Source and destination addresses, and also that it should be a IPSec tunnel :

image

Step 3: Configure your proposal

If you look at my proposal tab, I have the default proposal defined like this:

image

 

Step 4: Configure firewall

In my configuration I am using NAT (masqurade) when accessing Internet. However, I have to override this rule for my IPSec tunnel. Open up the Firewall configuration from IP->Firewall:

image

Next, configure the firewall to not NAT traffic destinated for the IPSec tunnel.

Open the NAT tab, and click the + sign to add the following:

image

Make sure the Action is set to Accept

image

And make sure that this rule is above any conflicting rules you might have defined.

image

 

Step 5: Test connectivity

The only thing left now is to test the connectivity. I do know my virtual machine in Windows Azure is configured with the IP of 10.200.3.4:

image

From my workstation, I open Powershell, and I try to ping 10.200.3.4:

image

 

Then I RDP into my Windows Azure virtual machine, and try to ping my onpremise DNS host (192.168.88.50) :

image

If I check my router for security associations under the Installed SAs tab, I can see the following:

image

 

If you want to try Windows Azure – you can get yourself a 90 days free trial at www.windowsazure.com

Comments (7)
  1. VPN device with Dynamic DNS says:

    Hi,

    Have you found any way for this solution to work with without a static IP address on the Mikrotik side?

    Thanks

  2. Cristian says:

    Hi, do you know if I can set up a route-based vpn with mikrotik router and azure site-multisite vpn. I have 3 on-premises site that I need to connect to azure vnet.

  3. odang says:

    hi, my mikrotik router is version 2.23 and there is no "MyID User FQDN" field to input, what should I do? is it supported or not?

  4. HansHinnekint says:

    Do you have an update for RouterOS 6.x ?

    On my setup, something must be missing to make it fully operational.

    Tunnel is up and I can puing in both directions, but using RDP through the tunnel gives an internal connection error, same with other protocols.

  5. Vpn says:

    For More About Vpn You USe ALso Cloud Server My Site Is on Cloud You can Visit Here
    http://tricksntech.com

  6. Invite You says:

    For Guest Post You Can Put This Post in Our Website Visit
    http://tricksntech.com

Comments are closed.

Skip to main content