I recently got myself a Ubiquiti EdgeRouter Lite at home, and of course the first thing to do is establish an Azure VPN 🙂
Since the EdgeRouter does not support route-based VPNs, the configuration below is for a policy-based Azure VPN, also known as static routing. You can refer to my guide here to see how to configure the Azure end of the VPN; just replace “RouteBased” with “PolicyBased” when running New-AzureVirtualNetworkGateway.
The configuration below is what I used on my EdgeRouter with EdgeOS 1.7.0. I’ve seen other Azure configurations around the web, but they seem to be for older versions and the commands have changed a bit. Replace the values surrounded by “<>” with your own information, without the “<>”.
set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 28800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes all
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer <Azure GW IP>
set vpn ipsec site-to-site peer <Azure GW IP> local-address <Local GW IP or 'any'>
set vpn ipsec site-to-site peer <Azure GW IP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <Azure GW IP> authentication pre-shared-secret <shared secret>
set vpn ipsec site-to-site peer <Azure GW IP> connection-type initiate
set vpn ipsec site-to-site peer <Azure GW IP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <Azure GW IP> ike-group ike-azure
set vpn ipsec site-to-site peer <Azure GW IP> tunnel 1
set vpn ipsec site-to-site peer <Azure GW IP> tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer <Azure GW IP> tunnel 1 local prefix <Local subnet>
set vpn ipsec site-to-site peer <Azure GW IP> tunnel 1 remote prefix <Azure subnet>
set vpn ipsec site-to-site peer <Azure GW IP> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <Azure GW IP> tunnel 1 allow-public-networks disable
To check the tunnel state, use the ‘show vpn ike sa’ and ‘show vpn ipsec sa’ commands.
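Before committing a configuration like the one above it helps to sanity-check it offline. The script below is an added example, not from the original post or from Ubiquiti: it parses EdgeOS ‘set vpn ipsec …’ lines into a tree and audits them against the Azure policy-based values used above (the peer IP 203.0.113.10 and the 10.0.0.0/24 and 10.1.0.0/16 prefixes are constructed sample values standing in for the “<>” placeholders).

```python
# Constructed sample: the post's configuration with the <> placeholders filled in
# (203.0.113.10 = Azure GW IP, 10.0.0.0/24 = local subnet, 10.1.0.0/16 = Azure subnet).
SAMPLE = """
set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure lifetime 28800
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec site-to-site peer 203.0.113.10 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 local prefix 10.0.0.0/24
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 remote prefix 10.1.0.0/16
"""

# Values the post sets for an Azure policy-based (static routing) gateway.
EXPECTED = {
    "esp-group esp-azure pfs": "disable",            # PFS off for policy-based
    "esp-group esp-azure proposal 1 encryption": "aes256",
    "esp-group esp-azure proposal 1 hash": "sha1",
    "ike-group ike-azure lifetime": "28800",
    "ike-group ike-azure proposal 1 dh-group": "2",  # 1024-bit MODP; legacy strength
    "ike-group ike-azure proposal 1 encryption": "aes256",
    "ike-group ike-azure proposal 1 hash": "sha1",
}

def parse_set_lines(text):
    """Nested dict from 'set ...' lines: every token becomes a node."""
    tree = {}
    for tokens in (line.split() for line in text.splitlines()):
        node = tree
        for tok in tokens[1:] if tokens[:1] == ["set"] else ():
            node = node.setdefault(tok, {})
    return tree

def leaf(tree, path):
    """Configured value under 'vpn ipsec <path>' (its single child), or None."""
    node = tree
    for tok in ("vpn ipsec " + path).split():
        node = node.get(tok, {})
    return next(iter(node)) if len(node) == 1 else None

def audit(text, peer):
    """List mismatches against EXPECTED plus missing per-peer tunnel prefixes."""
    tree = parse_set_lines(text)
    findings = [f"{p}: expected {v}, found {leaf(tree, p)}"
                for p, v in EXPECTED.items() if leaf(tree, p) != v]
    base = f"site-to-site peer {peer} "
    for item in ("tunnel 1 local prefix", "tunnel 1 remote prefix"):
        if leaf(tree, base + item) is None:  # policy-based needs both prefixes
            findings.append(f"{base}{item}: missing")
    return findings
```

Run `audit(SAMPLE, "203.0.113.10")`; an empty list means the configuration matches the values above, while a changed Diffie-Hellman group or a missing prefix shows up as a finding.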
Great guide, works like a charm to get a VPN tunnel up. Can successfully connect from local network to resources within Azure. But the reverse does not work. An Azure VM cannot ping a local computer. Any ideas as to why?
Hi Björn. My guess is that the firewall is blocking traffic. I fixed this by allowing traffic to flow from the Azure subnet to my local network. Let me know if it makes sense 🙂
Correct again, modifying the firewall rules did the trick. Traffic can now flow in both directions. Many thanks for your advice!
I sent an email to Ubiquiti earlier this week to ask if dynamic routing was supported as that is how my Azure VPN is currently set up. They replied stating that dynamic site-to-site is supported by all their EdgeRouters. Did you have to set yours up static or is that just what you chose based on your Azure VPN setup? Thanks
From my knowledge, the EdgeRouter series does not support route-based VPNs (Azure Dynamic Routing). I am new to those routers though, so I might be wrong. Will have to test it soon.
I just came across this thread: https://community.ubnt.com/t5/EdgeMAX/ERL-site-to-site-Azure-Dynamic-virtual-network/m-p/1402075
Seems Dynamic routing is working. Will try to test next week.
Thanks – I appreciate it.
Hi again. I’ve noticed that the tunnel goes down if not used for some time. Won’t come back up unless a “restart VPN” command is issued. Any ideas as to why? Added DPD to the VPN config but that did not resolve the issue. Perhaps a ping monitor is needed.
Did you configure the Azure VPN Gateway as static or dynamic? It should be static with the above configuration. That’s the primary reason I see with this issue (regardless of VPN device on-premises).
Hi Jesper. The Gateway Type is set to Static Routing in Azure. Any other ideas? Open for all suggestions.
Not from the top of my head, sorry. Is it hours or days we’re talking, before tunnel goes down?
Found the problem. Need to have this line in the configuration:
set vpn ipsec site-to-site peer connection-type respond
Otherwise the tunnel won’t come back up after being idle.
Full background here:
https://community.ubnt.com/t5/EdgeMAX-Beta/IPSec-connection-type-initiate-not-working/m-p/1399870#U1399870
Seems that I cannot have angle brackets in the comments 🙂
Correct config line should be:
set vpn ipsec site-to-site peer Azure-GW-IP connection-type respond
I am the original poster of the ubnt post Jesper found. I got my tunnel to stay up by using the following commands: 1. dead-peer-detection action restart, 2. dead-peer-detection interval 30, 3. dead-peer-detection timeout 120. These were all applied to my ike-group. I’m still trying to figure out how to pass traffic across the tunnel. I’ve tried several things, but nothing seems to work.