TimGuyUK
newbie
Topic Author
Posts: 33
Joined: Fri Jul 29, 2016 11:36 am

Azure VPN in 6.34

Fri Jul 29, 2016 2:41 pm

I have followed the Microsoft Mikrotik<>Azure VPN howto and I can get to a point where Azure is showing that there is a connection established, but I cannot transfer data between them.

https://blogs.technet.microsoft.com/rha ... -routeros/

However, the Peer configuration looks slightly different; I can’t set the My Id setting, as I get back "Couldn’t change IPsec Peer address id must be used in main mode".

I’m getting an error in the logs saying "Phase 1 negotiation failed due to time up", but Azure says the connection is up.

Also, my Installed SAs are showing Current Bytes outbound from the Mikrotik, but nothing shows inbound.

Has anyone managed to get this going with a newer OS version?

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=azure
/ip ipsec peer
add address=<azure gateway>/32 enc-algorithm=aes-256,aes-128 nat-traversal=no secret=secret
/ip ipsec policy
add dst-address=192.168.8.0/24 sa-dst-address=<azure gateway> sa-src-address=<MT Gateway> src-address=192.168.0.0/21 tunnel=yes

Tim
 
TimGuyUK

Re: Azure VPN in 6.34

Fri Jul 29, 2016 5:29 pm

Boom.. Got it (for me at least)

In my locked down firewall state I had to enter the following:

add action=accept chain=input comment="Allow - IPsec Allow in" in-interface=WAN-Interface log-prefix="" protocol=ipsec-esp \
src-address=<Azure VPN IP>

I already had port 500 open for other VPN services:

add action=accept chain=input comment="Allow - In - l2tp" dst-port=500,4500,1701,800 in-interface=ether1-WAN log-prefix="" \
    protocol=udp

**NOTE** Don’t rely on ping as your test method. The Azure server I created has its firewall up and won’t respond. mstsc/rdp was my test method (or use the cloudapp.net rdp and test ping the other way).
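The symptom in the first post (Azure reports the tunnel up, SAs count bytes out but none in) is exactly what a locked-down input chain that passes UDP 500/4500 but drops ESP produces. As an added example, not from the thread or from MikroTik, the Python below parses a RouterOS `/ip firewall filter export` and reports what the input chain does with IKE, NAT-T and ESP packets from the peer. The export text and the gateway address 203.0.113.10 are constructed for the example; it assumes the rules in the export are listed in evaluation order and that a packet matching no rule is implicitly accepted, as RouterOS does.

```python
import ipaddress
import shlex

# Constructed sample export (hypothetical Azure gateway 203.0.113.10) mirroring the
# thread's input-chain rules plus a final drop; RouterOS evaluates top to bottom, first match wins.
AZURE_GW = "203.0.113.10"
EXPORT_AFTER = """
/ip firewall filter
add action=accept chain=input comment="Allow - In - l2tp" dst-port=500,4500,1701,800 in-interface=ether1-WAN log-prefix="" protocol=udp
add action=accept chain=input comment="Allow - IPsec Allow in" in-interface=ether1-WAN log-prefix="" protocol=ipsec-esp src-address=203.0.113.10
add action=drop chain=input comment="drop everything else" in-interface=ether1-WAN
"""
# The state from the first post: the same export without the ESP rule.
EXPORT_BEFORE = "\n".join(l for l in EXPORT_AFTER.splitlines() if "ipsec-esp" not in l)

def parse_rules(export):
    """Turn each 'add key=value ...' line into a dict (shlex handles quoted values)."""
    return [dict(tok.partition("=")[::2] for tok in shlex.split(line.strip()[4:]))
            for line in export.splitlines() if line.strip().startswith("add ")]

def _port_ok(spec, port):
    """dst-port is a comma list that may hold ranges (500,4500 or 1024-2000); ESP has no port."""
    if spec is None:
        return True
    return port is not None and any(
        int(p.partition("-")[0]) <= port <= int(p.partition("-")[2] or p) for p in spec.split(","))

def first_match(rules, proto, src, port=None):
    """Action of the first input-chain rule matching the packet, or None (RouterOS implicit accept)."""
    for r in rules:
        if r.get("chain") != "input" or r.get("protocol", proto) != proto:
            continue
        if "src-address" in r and ipaddress.ip_address(src) not in ipaddress.ip_network(r["src-address"], strict=False):
            continue
        if _port_ok(r.get("dst-port"), port):
            return r.get("action")
    return None

def ipsec_input_check(export, peer):
    """Fate of IKE (UDP/500), NAT-T (UDP/4500) and ESP arriving from the peer."""
    rules = parse_rules(export)
    return {"ike": first_match(rules, "udp", peer, 500),
            "nat-t": first_match(rules, "udp", peer, 4500),
            "esp": first_match(rules, "ipsec-esp", peer)}

if __name__ == "__main__":
    print("before:", ipsec_input_check(EXPORT_BEFORE, AZURE_GW))  # ESP dropped: SA bytes out, none in
    print("after: ", ipsec_input_check(EXPORT_AFTER, AZURE_GW))
```

Feed it the real export of a router that shows the same symptom; an "esp" result of "drop" while "ike" and "nat-t" are "accept" is the configuration this thread fixed.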