Here is a working configuration for the newer Route Based Azure S2S, tested on Edgerouter Lite with firmware 1.8.5 and ARM.
set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable

set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 10800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure key-exchange ikev2

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes all
set vpn ipsec nat-traversal enable

set vpn ipsec site-to-site peer <AzurePublicIP>
set vpn ipsec site-to-site peer <AzurePublicIP> local-address any
set vpn ipsec site-to-site peer <AzurePublicIP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <AzurePublicIP> authentication pre-shared-secret <YourPSK>
set vpn ipsec site-to-site peer <AzurePublicIP> connection-type initiate
set vpn ipsec site-to-site peer <AzurePublicIP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> ike-group ike-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 local prefix <YourLocalPrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 remote prefix <YourRemotePrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-public-networks disable

set vpn ipsec auto-firewall-nat-exclude enable
You're certain the last line, set vpn ipsec auto-firewall-nat-exclude enable, is in the config?
Local firewall on the machine you try to ping is disabled, I assume?
We’ve been using it with both 1.8.5 and 1.9.
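As an added example (not the commenter's script, nor anything from Ubiquiti or Microsoft), the helper below generates the set commands from the configuration posted above with real values substituted for the placeholders, and then lints the result for the two things the replies ask about (auto-firewall-nat-exclude and NAT-traversal present) plus the weak settings a reviewer would flag in the posted proposal (SHA-1, DH group 2, PFS off). The peer address, PSK and prefixes in the `__main__` block are constructed sample values. The STRONG_PROPOSAL alternative assumes both that the firmware accepts sha256 / dh-group 14 / pfs dh-group14 and that the Azure gateway is configured with a matching custom IPsec/IKE policy; neither is shown on this page.

```python
"""Generate and lint EdgeOS 'set' commands for an Azure S2S IPsec peer.

Added example; not the original poster's script. Sample values are
constructed. STRONG_PROPOSAL assumes firmware support for sha256/DH14 and a
matching custom policy on the Azure gateway (assumptions, not page facts).
"""
import ipaddress
import re

# Proposal used by the posted config.
POSTED_PROPOSAL = {"hash": "sha1", "dh_group": "2", "pfs": "disable"}
# Stronger proposal (assumed: firmware support and a matching Azure custom policy).
STRONG_PROPOSAL = {"hash": "sha256", "dh_group": "14", "pfs": "dh-group14"}


def edgeos_azure_s2s(peer_ip, psk, local_prefix, remote_prefix,
                     wan_if="eth0", proposal=POSTED_PROPOSAL):
    """Return the list of 'set' commands for a tunnel to the Azure gateway."""
    ipaddress.ip_address(peer_ip)  # raises ValueError on a malformed address
    local = ipaddress.ip_network(local_prefix, strict=True)
    remote = ipaddress.ip_network(remote_prefix, strict=True)
    if local.overlaps(remote):
        raise ValueError("local and remote prefixes overlap; traffic will not be routed")
    esp = "vpn ipsec esp-group esp-azure"
    ike = "vpn ipsec ike-group ike-azure"
    peer = f"vpn ipsec site-to-site peer {peer_ip}"
    return [
        f"set {esp} pfs {proposal['pfs']}",
        f"set {esp} mode tunnel",
        f"set {esp} proposal 1 encryption aes256",
        f"set {esp} proposal 1 hash {proposal['hash']}",
        f"set {esp} compression disable",
        f"set {ike} lifetime 10800",
        f"set {ike} proposal 1 dh-group {proposal['dh_group']}",
        f"set {ike} proposal 1 encryption aes256",
        f"set {ike} proposal 1 hash {proposal['hash']}",
        f"set {ike} key-exchange ikev2",
        f"set vpn ipsec ipsec-interfaces interface {wan_if}",
        "set vpn ipsec logging log-modes all",
        "set vpn ipsec nat-traversal enable",
        f"set {peer} local-address any",
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret {psk}",
        f"set {peer} connection-type initiate",
        f"set {peer} default-esp-group esp-azure",
        f"set {peer} ike-group ike-azure",
        f"set {peer} tunnel 1 esp-group esp-azure",
        f"set {peer} tunnel 1 local prefix {local}",
        f"set {peer} tunnel 1 remote prefix {remote}",
        f"set {peer} tunnel 1 allow-nat-networks disable",
        f"set {peer} tunnel 1 allow-public-networks disable",
        "set vpn ipsec auto-firewall-nat-exclude enable",
    ]


# Weak settings in the posted proposal, flagged by regex on each command.
WEAK = [
    (re.compile(r"\bhash sha1\b"), "SHA-1 integrity; prefer sha256"),
    (re.compile(r"\bdh-group 2\b"), "1024-bit DH (group 2); prefer dh-group 14"),
    (re.compile(r"\bpfs disable\b"), "PFS off: a compromised IKE key exposes past ESP traffic"),
]
# Lines the troubleshooting replies ask about; the tunnel comes up without them
# but return traffic is dropped or NATed.
REQUIRED = [
    "set vpn ipsec auto-firewall-nat-exclude enable",
    "set vpn ipsec nat-traversal enable",
]


def lint(commands):
    """Return findings: weak crypto, short PSK, and missing required lines."""
    findings = []
    for cmd in commands:
        for pattern, msg in WEAK:
            if pattern.search(cmd):
                findings.append(f"{msg}: {cmd}")
        m = re.search(r"authentication pre-shared-secret (\S+)$", cmd)
        if m and len(m.group(1)) < 20:
            findings.append("PSK shorter than 20 characters")
    for req in REQUIRED:
        if req not in commands:
            findings.append(f"missing: {req}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; substitute your own before pasting into 'configure'.
    cmds = edgeos_azure_s2s("203.0.113.10", "replace-with-a-long-random-psk",
                            "192.168.1.0/24", "10.0.0.0/16")
    print("\n".join(cmds))
    for finding in lint(cmds):
        print("WARN:", finding)
```

Paste the printed commands into configure mode, then commit and save. Running `lint` on the posted proposal reports four weak-crypto findings (SHA-1 twice, DH group 2, PFS off); the same generator with `proposal=STRONG_PROPOSAL` reports none, but only use it once the Azure side has a matching custom policy, otherwise IKE negotiation fails.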
Hi! Thank you for your post.
I'm trying to make it work on 1.9.0 (did not try on 1.8.0 yet) and everything is working, except the connection from Azure back to local: no pings. Any ideas?