I’ve been using Jesper Jensen’s example configuration with some minor changes for firmware 1.8.0.
It's been tested with Azure ARM (it doesn't seem to work with classic).
This setup is for the “old” policy based S2S.
set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec esp-group esp-azure lifetime 3600
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 28800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes ike
set vpn ipsec nat-traversal enable
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec site-to-site peer <AzurePublicIP>
set vpn ipsec site-to-site peer <AzurePublicIP> local-address any
set vpn ipsec site-to-site peer <AzurePublicIP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <AzurePublicIP> authentication pre-shared-secret <YourPSK>
set vpn ipsec site-to-site peer <AzurePublicIP> connection-type initiate
set vpn ipsec site-to-site peer <AzurePublicIP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> ike-group ike-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 local prefix <YourLocalPrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 remote prefix <YourRemotePrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-public-networks disable
The "set vpn ipsec auto-firewall-nat-exclude enable" line seems to help with traffic not being passed through from on-prem to Azure; it's the equivalent of setting the “Automatically open firewall and exclude from NAT” option in the GUI.
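As an added example (not part of the original post), a small POSIX sh helper that fills in the four placeholders from the peer section above and refuses obviously malformed values before anything reaches the router. The function names and the checks (octet range, prefix length 0-32, a minimum pre-shared-secret length of 16) are my own choices; the esp-group and ike-group lines are unchanged from the post and are not repeated.

```shell
#!/bin/sh
# Added helper: validates the four placeholders from the post and prints the
# peer-specific "set" commands with them filled in. Function names and the
# checks below are assumptions of this example, not EdgeOS features.

valid_ipv4() {
  # Four dotted decimal octets, each in the range 0-255.
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  v4_rest=$1
  while [ -n "$v4_rest" ]; do
    v4_octet=${v4_rest%%.*}
    [ "$v4_octet" -le 255 ] || return 1
    [ "$v4_rest" = "$v4_octet" ] && break
    v4_rest=${v4_rest#*.}
  done
}

valid_cidr() {
  # IPv4 network address followed by a prefix length of 0-32.
  case "$1" in */*) ;; *) return 1 ;; esac
  valid_ipv4 "${1%/*}" || return 1
  cidr_len=${1#*/}
  echo "$cidr_len" | grep -Eq '^[0-9]{1,2}$' && [ "$cidr_len" -le 32 ]
}

gen_azure_peer() {
  # $1 Azure public IP, $2 pre-shared secret, $3 local prefix, $4 remote prefix
  valid_ipv4 "$1" || { echo "invalid peer address: $1" >&2; return 1; }
  [ "${#2}" -ge 16 ] || { echo "pre-shared secret shorter than 16 chars" >&2; return 1; }
  valid_cidr "$3" || { echo "invalid local prefix: $3" >&2; return 1; }
  valid_cidr "$4" || { echo "invalid remote prefix: $4" >&2; return 1; }
  peer="set vpn ipsec site-to-site peer $1"
  cat <<EOF
$peer
$peer local-address any
$peer authentication mode pre-shared-secret
$peer authentication pre-shared-secret $2
$peer connection-type initiate
$peer default-esp-group esp-azure
$peer ike-group ike-azure
$peer tunnel 1
$peer tunnel 1 esp-group esp-azure
$peer tunnel 1 local prefix $3
$peer tunnel 1 remote prefix $4
$peer tunnel 1 allow-nat-networks disable
$peer tunnel 1 allow-public-networks disable
EOF
}
```

Run it as, for example, gen_azure_peer 203.0.113.10 "your-psk" 192.168.1.0/24 10.0.0.0/16 (constructed values) and paste the output into configure mode after the group definitions.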