Ubiquiti Edgerouter Azure Site-to-Site VPN configuration (Route Based)

Here is a working configuration for the newer route-based Azure site-to-site VPN, tested on an EdgeRouter Lite with firmware 1.8.5 and ARM.

set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 10800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure key-exchange ikev2
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes all
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer <AzurePublicIP>
set vpn ipsec site-to-site peer <AzurePublicIP> local-address any
set vpn ipsec site-to-site peer <AzurePublicIP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <AzurePublicIP> authentication pre-shared-secret <YourPSK>
set vpn ipsec site-to-site peer <AzurePublicIP> connection-type initiate
set vpn ipsec site-to-site peer <AzurePublicIP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> ike-group ike-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 local prefix <YourLocalPrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 remote prefix <YourRemotePrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-public-networks disable
set vpn ipsec auto-firewall-nat-exclude enable
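As an added example (not part of the original post or of EdgeOS itself), here is a small Python lint for configurations of this shape. It parses the `set vpn ipsec ...` lines into a tree, reports problems that would stop the tunnel from working (an ike-group or esp-group a peer references but never defines, a tunnel missing a local or remote prefix, a missing `key-exchange ikev2`, and a missing `auto-firewall-nat-exclude enable`, the line the first comment below points at), and then flags proposal values that are weaker than current guidance. The sample is the post's configuration abridged to the lines the checks read, with the placeholders kept verbatim; the list of weak settings and the choice of what counts as an error are this example's own assumptions.

```python
"""Lint an EdgeOS ``set vpn ipsec ...`` config for an Azure route-based (IKEv2)
site-to-site tunnel.  Added example, not part of the original post: it checks
that every ike-group/esp-group a peer references is defined, that each tunnel
has both prefixes, that IKEv2 and auto-firewall-nat-exclude are set, and flags
proposal settings weaker than current guidance.  The WEAK table is this
example's own choice, not something the post or Ubiquiti prescribes."""
from collections import defaultdict

# Constructed sample: the post's configuration, abridged to the lines the
# checks below look at; placeholders are kept verbatim.
SAMPLE_CONFIG = """\
set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure key-exchange ikev2
set vpn ipsec site-to-site peer <AzurePublicIP> ike-group ike-azure
set vpn ipsec site-to-site peer <AzurePublicIP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 local prefix <YourLocalPrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 remote prefix <YourRemotePrefix>
set vpn ipsec auto-firewall-nat-exclude enable
"""

WEAK = {  # (setting, value) -> why it is weaker than current guidance (example's own list)
    ("pfs", "disable"): "without PFS a leaked IKE key exposes past ESP traffic",
    ("dh-group", "2"): "DH group 2 is 1024-bit MODP; group 14 or an ECP group is stronger",
    ("hash", "sha1"): "SHA-1 integrity; SHA-256 is preferred where the peer supports it",
}

def _tree():
    return defaultdict(_tree)

def parse_set_lines(text):
    """Turn ``set a b c`` lines into nested dicts: root['a']['b']['c'] == {}."""
    root = _tree()
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:1] != ["set"]:
            continue
        node = root
        for tok in tokens[1:]:
            node = node[tok]
    return root

def get_path(node, *path):
    """Look a path up without creating nodes; {} when any part is missing."""
    for key in path:
        if key not in node:
            return {}
        node = node[key]
    return node

def leaf(node):
    """Value of a single-valued node, e.g. {'disable': {}} -> 'disable'."""
    if len(node) == 1:
        (key, child), = node.items()
        if not child:
            return key
    return None

def walk_leaves(node, path=()):
    """Yield (path, value) for every setting that carries a single value."""
    for key, child in node.items():
        val = leaf(child)
        if val is not None:
            yield path + (key,), val
        else:
            yield from walk_leaves(child, path + (key,))

def lint(text):
    """Return findings: ERROR (tunnel will not come up) or WEAK (crypto choice)."""
    findings = []
    ipsec = get_path(parse_set_lines(text), "vpn", "ipsec")
    for peer, pcfg in get_path(ipsec, "site-to-site", "peer").items():
        ike = leaf(get_path(pcfg, "ike-group"))
        if ike not in get_path(ipsec, "ike-group"):
            findings.append(f"ERROR peer {peer}: ike-group {ike!r} is not defined")
        elif leaf(get_path(ipsec, "ike-group", ike, "key-exchange")) != "ikev2":
            findings.append(f"ERROR ike-group {ike}: Azure route-based gateways need key-exchange ikev2")
        for tname, tcfg in get_path(pcfg, "tunnel").items():
            # a tunnel may name its own esp-group or fall back to the peer default
            esp = leaf(get_path(tcfg, "esp-group")) or leaf(get_path(pcfg, "default-esp-group"))
            if esp not in get_path(ipsec, "esp-group"):
                findings.append(f"ERROR peer {peer} tunnel {tname}: esp-group {esp!r} is not defined")
            for side in ("local", "remote"):
                if leaf(get_path(tcfg, side, "prefix")) is None:
                    findings.append(f"ERROR peer {peer} tunnel {tname}: {side} prefix missing")
    if leaf(get_path(ipsec, "auto-firewall-nat-exclude")) != "enable":
        findings.append("ERROR auto-firewall-nat-exclude is not enabled; WAN firewall/NAT rules may drop or NAT tunnel traffic")
    for kind in ("esp-group", "ike-group"):  # flag weak values in any proposal
        for gname, gcfg in get_path(ipsec, kind).items():
            for path, val in walk_leaves(gcfg):
                why = WEAK.get((path[-1], val))
                if why:
                    findings.append(f"WEAK {kind} {gname} {' '.join(path)} {val}: {why}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```

Run against the post's configuration it reports no errors and four WEAK lines (PFS off and SHA-1 in the ESP group, DH group 2 and SHA-1 in the IKE group). Whether those can be tightened depends on what the Azure gateway accepts; the point of the lint is to make the negotiated parameters visible before the tunnel is relied on.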

2 thoughts on “Ubiquiti Edgerouter Azure Site-to-Site VPN configuration (Route Based)”

  1. You’re certain the last line, set vpn ipsec auto-firewall-nat-exclude enable, is in the config?
    Local firewall on the machine you try to ping is disabled, I assume?
    We’ve been using it with both 1.8.5 and 1.9.

  2. Hi! Thank you for your post.
    I’m trying to make it work on 1.9.0 (did not try on 1.8.0 yet) and everything is working, except the connection from Azure back to local – no pings… Any ideas?
