We are trying to setup a IpSec Site-to-Site VPN between our office and Windows Azure.
The VPN does not establish with the following error

14:00:32 ipsec,debug respond new phase 2 negotiation: 103.29.yy.xx[500]<=>23.101.yyy.xxx[500]
14:00:32 ipsec,error authtype mismatched: my:hmac-sha1 peer:hmac-sha256
14:00:32 ipsec,debug not matched

As far as I understand we can not change any related settings on the Azure side. Therefore
I have tried to find a matching setting in the MT phase 2 but the menu does not offer
a SHA256 phase 2 authentication.

Is that a bug or simply not a capability supported by mikrotik or can it be added?

Does any one has that VPN working, if so could you share the config please.

mikrotik isn't technically supported by azure i just grab the prebuilt cisco configs from the generator, apply your ios=ros translation skills. Here's a sanatised snip from a working azure setup i've got running for a traditional site-to-site tunnel:
z.z.z.z = azure network gateway ip
x.x.x.x = public IP of the site mikrotik
y.y.y.y = azure internal subnet
w.w.w.w = internal lan subnet

Hope that helps you.

Hi rjickity

Thank you for your replay.
I have tried your config with the same result:

dec/18 10:28:33 ipsec,error authtype mismatched: my:hmac-sha1 peer:hmac-sha256 dec/18 10:28:33 ipsec,debug not matched

As per my first post I don't see an option to select a aes256 auth for phase2 in the menue.

When consulting the wiki I found the following command line options for the phase2 proposal:
auth-algorithms (md5|sha1|null|sha256|sha512; Default: sha1)

So my proposal looks like this:
name="azure256" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h pfs-group=modp1024

After adding this proposal I have the tunnel now connecting and standing up.
All errors are gone from the ipsec log but still not able to ping the other side.....

When connecting between mikrotiks with the same settings there are no problems (given they are on the same firmware) and hosts are able to ping....

So my problem was that the menue in my Winbox did not show all available options.
Therefore I could "only" select SHA1 even dough the commandline offers more options.

For your information I am using v6.23

Thanks
Andy

hi aeg, sorry for the late reply.

if you haven't figured out already - azure does not like ping. do not use it as diagnostic as it is always dropped.

check your sa's and make sure your byte counts are increasing and test out another protocol like ssh or rdp to your vm instance.

aeg,

So my problem was that the menue in my Winbox did not show all available options.
Therefore I could "only" select SHA1 even dough the commandline offers more options.

Please make sure you are using newest Winbox (possible). 2.2.18 or even better Winbox 3 from MikroTik.com
There should be all algorithms available at Proposal configuration.

Hi there, I have RouterBoard 951-2n (OS 6.33.5) and it works fine with same settings in sha1 mode, but I see in error log:
authtype mismatched: my:hmac-sha1 peer:hmac-sha256

Should it work with sha256 also?

I tried to set sha256 in peer and proposal settings, but it just stopped to work - no packets, no error messages, until I set it back to sha1.
Any thoughts?...

Make sure you are using at least v6.34 where sha256 incompatibility with other vendors is fixed.

Mrz, many thanks!
Just updated to 6.34.1 and now it works in sha256 mode.

One last thing: I still have those errors in log every 2 minutes:

phase1 negotiation failed due to time up <azure gateway ip>[500]<=><mikrotik gateway ip>[500]

But why?... tunnel works!
Here is my Mikrotik configs:

Hi all,
yesterday it just stopped to log this error (I didn't change anything).
Looks like it was something wrong on other (Azure) side and was fixed after a while (probably timeout 24 hours or something like this) .

So now it works great.