Ubiquiti Edgerouter Azure Site-to-Site VPN configuration (Route Based)

Here is a working configuration for the newer route-based Azure site-to-site (S2S) VPN, tested on an EdgeRouter Lite running firmware 1.8.5 and on ARM. Replace the angle-bracket placeholders (<AzurePublicIP>, <YourPSK>, <YourLocalPrefix>, <YourRemotePrefix>) with your own values, and check that eth0 is really your WAN interface before pasting the commands in configure mode and committing.

set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 10800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure key-exchange ikev2
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes all
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer <AzurePublicIP>
set vpn ipsec site-to-site peer <AzurePublicIP> local-address any
set vpn ipsec site-to-site peer <AzurePublicIP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <AzurePublicIP> authentication pre-shared-secret <YourPSK>
set vpn ipsec site-to-site peer <AzurePublicIP> connection-type initiate
set vpn ipsec site-to-site peer <AzurePublicIP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> ike-group ike-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 local prefix <YourLocalPrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 remote prefix <YourRemotePrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-public-networks disable
set vpn ipsec auto-firewall-nat-exclude enable
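The proposals above match what Azure's route-based gateway negotiates by default (IKEv2, AES-256, SHA-1, DH group 2, PFS off), so the tunnel comes up, but a review would flag three of those choices: SHA-1 and DH group 2 are weak by current standards, and with PFS disabled a compromised IKE key exposes every ESP key derived from it. The script below is an added example, not code from the original post or from Ubiquiti. It parses the flat EdgeOS `set` command syntax (the same form `show configuration commands` prints) into a tree and reports weak IKE/ESP parameters. The peer address, PSK and prefixes in the embedded listing are constructed placeholder values; the hardened variant assumes that `hash sha256`, `dh-group 14` and `pfs dh-group14` are accepted on your EdgeOS release and that the Azure connection carries a matching custom IPsec/IKE policy.

```python
"""Audit EdgeOS 'set vpn ipsec ...' commands for weak IKE/ESP parameters.

Added example, not code from the original post or from Ubiquiti. Works on the
flat 'set' syntax EdgeOS prints from 'show configuration commands'.
"""
import shlex
import sys
from typing import Dict, List

# Constructed copy of the post's listing. Peer address, PSK and prefixes are
# placeholder values (RFC 5737 / RFC 1918 ranges), not real endpoints.
SAMPLE_CONFIG = """\
set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 10800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure key-exchange ikev2
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer 203.0.113.10 local-address any
set vpn ipsec site-to-site peer 203.0.113.10 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.10 authentication pre-shared-secret CONSTRUCTED-PSK
set vpn ipsec site-to-site peer 203.0.113.10 ike-group ike-azure
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 remote prefix 10.0.0.0/16
"""

# Same listing with stronger proposals. Assumes 'hash sha256', 'dh-group 14' and
# 'pfs dh-group14' exist on your EdgeOS release and that the Azure connection
# carries a matching custom IPsec/IKE policy.
HARDENED_CONFIG = (SAMPLE_CONFIG.replace("hash sha1", "hash sha256")
                   .replace("dh-group 2", "dh-group 14")
                   .replace("pfs disable", "pfs dh-group14"))

WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_set_commands(text: str) -> Dict:
    """Turn 'set a b c' lines into a nested dict; every token becomes a key,
    so a leaf value shows up as a key with an empty dict beneath it."""
    tree: Dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue  # skip blanks, comments, 'commit', 'save', ...
        node = tree
        for token in shlex.split(line)[1:]:
            node = node.setdefault(token, {})
    return tree


def audit_ipsec(tree: Dict) -> List[str]:
    """Return one finding per weak IKE/ESP setting, in config order."""
    findings: List[str] = []
    ipsec = tree.get("vpn", {}).get("ipsec", {})
    for kind in ("ike-group", "esp-group"):
        for name, group in ipsec.get(kind, {}).items():
            where = f"{kind} {name}"
            for num, prop in group.get("proposal", {}).items():
                for cipher in prop.get("encryption", {}):
                    if cipher in WEAK_CIPHERS:
                        findings.append(f"{where} proposal {num}: encryption {cipher} is obsolete")
                for h in prop.get("hash", {}):
                    if h in WEAK_HASHES:
                        findings.append(f"{where} proposal {num}: hash {h} is weak, use sha256 or stronger")
                for dh in prop.get("dh-group", {}):
                    if dh in WEAK_DH_GROUPS:
                        findings.append(f"{where} proposal {num}: dh-group {dh} is weak, use 14 or higher")
            # Without PFS every ESP key is derived from the IKE SA key material.
            if kind == "esp-group" and "disable" in group.get("pfs", {}):
                findings.append(f"{where}: pfs disabled, a compromised IKE key exposes all tunnel traffic")
    return findings


if __name__ == "__main__":
    # Pass a file (e.g. saved 'show configuration commands' output) or audit the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit_ipsec(parse_set_commands(text)):
        print(finding)
```

Run it against the output of `show configuration commands | match ipsec` saved to a file; on the listing above it reports four findings (SHA-1 in both groups, DH group 2, PFS disabled) and nothing on the hardened variant. Tightening the proposals only helps if the Azure side is changed to match, otherwise IKE negotiation simply fails.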