Ubiquiti Edgerouter Azure Site-to-Site VPN configuration (Route Based)

Here is a working configuration for the newer route-based Azure S2S VPN, tested on an EdgeRouter Lite running firmware 1.8.5 against Azure Resource Manager (ARM).

set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 10800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure key-exchange ikev2
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes all
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer <AzurePublicIP>
set vpn ipsec site-to-site peer <AzurePublicIP> local-address any
set vpn ipsec site-to-site peer <AzurePublicIP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <AzurePublicIP> authentication pre-shared-secret <YourPSK>
set vpn ipsec site-to-site peer <AzurePublicIP> connection-type initiate
set vpn ipsec site-to-site peer <AzurePublicIP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> ike-group ike-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 local prefix <YourLocalPrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 remote prefix <YourRemotePrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-public-networks disable
set vpn ipsec auto-firewall-nat-exclude enable

Ubiquiti Edgerouter Azure Site-to-Site VPN configuration (Policy Based)

I’ve been using Jesper Jensen’s example configuration with some minor changes for firmware 1.8.0.
It’s been tested with Azure ARM (it doesn’t seem to be working with classic).
This setup is for the “old” policy-based S2S.

set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec esp-group esp-azure lifetime 3600
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 28800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes ike
set vpn ipsec nat-traversal enable
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec site-to-site peer <AzurePublicIP>
set vpn ipsec site-to-site peer <AzurePublicIP> local-address any
set vpn ipsec site-to-site peer <AzurePublicIP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <AzurePublicIP> authentication pre-shared-secret <YourPSK>
set vpn ipsec site-to-site peer <AzurePublicIP> connection-type initiate
set vpn ipsec site-to-site peer <AzurePublicIP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> ike-group ike-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 local prefix <YourLocalPrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 remote prefix <YourRemotePrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-public-networks disable

The command set vpn ipsec auto-firewall-nat-exclude enable seems to help with traffic not being passed from on-prem to Azure; it’s the equivalent of ticking the
“Automatically open firewall and exclude from NAT” option in the GUI.
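The two configurations above differ only in a handful of settings (IKE/ESP lifetimes, the IKEv2 key exchange for the route-based gateway, and the logging mode), and most failed tunnels come from the placeholders rather than the crypto lines: a private address typed as the peer, an empty or unquotable PSK, or local/remote prefixes that overlap or have host bits set. The script below is an added example, not part of the original post or of any Ubiquiti or Microsoft tooling; it fills the <AzurePublicIP>, <YourPSK>, <YourLocalPrefix> and <YourRemotePrefix> placeholders for either variant and refuses to emit any set line until those inputs pass. The mode names "route" and "policy", the list of non-public address blocks, and the assumed Azure PSK limit of 1 to 128 printable ASCII characters are this example's own assumptions.

```python
"""Render and sanity-check the EdgeOS Azure site-to-site config shown above.

Added example, not code from the original post. It fills the placeholders in
both configurations (route-based = IKEv2, policy-based = IKEv1 default) and
checks the inputs for the usual mistakes before producing any `set` line.
"""
import ipaddress

# Constructed list for this example: address blocks an Azure VPN gateway's
# public IP can never fall into (RFC 1918, CGNAT, loopback, link-local, "this" net).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed Azure PSK limits: 1 to 128 printable ASCII characters. Whitespace is
# rejected as well so the PSK can be passed unquoted on the EdgeOS CLI.
PSK_MAX_LEN = 128


def validate_params(azure_ip, psk, local_prefix, remote_prefix):
    """Return a list of human-readable problems; an empty list means the inputs are usable."""
    errors = []
    try:
        peer = ipaddress.IPv4Address(azure_ip)
        if any(peer in net for net in NON_PUBLIC):
            errors.append(f"peer {azure_ip} is not a public IPv4 address")
    except ValueError:
        errors.append(f"peer {azure_ip!r} is not a valid IPv4 address")

    if not 1 <= len(psk) <= PSK_MAX_LEN:
        errors.append(f"PSK length must be between 1 and {PSK_MAX_LEN} characters")
    elif not all(33 <= ord(c) <= 126 for c in psk):
        errors.append("PSK must be printable ASCII without whitespace")

    nets = {}
    for label, prefix in (("local", local_prefix), ("remote", remote_prefix)):
        try:
            # strict=True rejects prefixes with host bits set, e.g. 192.168.1.5/24
            nets[label] = ipaddress.IPv4Network(prefix, strict=True)
        except ValueError:
            errors.append(f"{label} prefix {prefix!r} is not a valid CIDR network")
    if len(nets) == 2 and nets["local"].overlaps(nets["remote"]):
        errors.append(f"local prefix {local_prefix} overlaps remote prefix {remote_prefix}")
    return errors


def render_config(mode, azure_ip, psk, local_prefix, remote_prefix):
    """Return the EdgeOS `set` commands for mode "route" (IKEv2) or "policy" (IKEv1)."""
    if mode not in ("route", "policy"):
        raise ValueError("mode must be 'route' or 'policy'")
    problems = validate_params(azure_ip, psk, local_prefix, remote_prefix)
    if problems:
        raise ValueError("; ".join(problems))

    esp = "set vpn ipsec esp-group esp-azure"
    ike = "set vpn ipsec ike-group ike-azure"
    peer = f"set vpn ipsec site-to-site peer {azure_ip}"
    lines = [
        f"{esp} pfs disable",
        f"{esp} mode tunnel",
        f"{esp} proposal 1",
        f"{esp} proposal 1 encryption aes256",
        f"{esp} proposal 1 hash sha1",
        f"{esp} compression disable",
    ]
    if mode == "policy":
        lines.append(f"{esp} lifetime 3600")
    lines += [
        ike,
        f"{ike} lifetime {'10800' if mode == 'route' else '28800'}",
        f"{ike} proposal 1",
        f"{ike} proposal 1 dh-group 2",
        f"{ike} proposal 1 encryption aes256",
        f"{ike} proposal 1 hash sha1",
    ]
    if mode == "route":
        # Azure's route-based gateway negotiates IKEv2; policy-based stays on the IKEv1 default.
        lines.append(f"{ike} key-exchange ikev2")
    lines += [
        "set vpn ipsec ipsec-interfaces interface eth0",
        f"set vpn ipsec logging log-modes {'all' if mode == 'route' else 'ike'}",
        "set vpn ipsec nat-traversal enable",
        # Same effect as the GUI's "Automatically open firewall and exclude from NAT" option.
        "set vpn ipsec auto-firewall-nat-exclude enable",
        peer,
        f"{peer} local-address any",
        f"{peer} authentication mode pre-shared-secret",
        f"{peer} authentication pre-shared-secret {psk}",
        f"{peer} connection-type initiate",
        f"{peer} default-esp-group esp-azure",
        f"{peer} ike-group ike-azure",
        f"{peer} tunnel 1",
        f"{peer} tunnel 1 esp-group esp-azure",
        f"{peer} tunnel 1 local prefix {local_prefix}",
        f"{peer} tunnel 1 remote prefix {remote_prefix}",
        f"{peer} tunnel 1 allow-nat-networks disable",
        f"{peer} tunnel 1 allow-public-networks disable",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values for this example (documentation range, not real infrastructure).
    print(render_config("route", "203.0.113.10", "ExamplePSK-replace-me",
                        "192.168.10.0/24", "10.20.0.0/16"))
```

Paste the output into configure mode on the router and commit; the order of the set lines is not significant, so the route-based variant lists auto-firewall-nat-exclude alongside the other global vpn ipsec options rather than last as in the post. The validation deliberately stops before rendering, since a tunnel that commits cleanly but never passes traffic is much harder to debug than a rejected input.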