Hi,

I have a RB951G-2HnD connected to Azure using IPSEC.

With static routing, it works without problem, but when I use BGP to pass the routes I'm not able to make it work.

I create the BGP peering and the routes are propagated both from Azure to my RB951G-2HnD and from the RB951G-2HnD to Azure. Although the routers are there, I cannot reach the azure remote networks (I only reach the Azure GW).

This is my config:

192.168.100.0/24 -> My local network.
192.168.200.0/24 -> The network where the Azure GW is connected to.
192.168.202.0/24 -> A test network in Azure with a VM.


/ip ipsec policy
add dst-address=192.168.202.254/32 sa-dst-address=a.b.c.d \
sa-src-address=a.b.c.d src-address=192.168.100.0/24 tunnel=yes

/ip ipsec peer
add address=a.b.c.d/32 dh-group=modp1024 enc-algorithm=aes-256,aes-128 \
exchange-mode=ike2 lifetime=8h secret=********

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=\
7h30m pfs-group=none

/routing bgp instance
set default as=65000 redistribute-connected=yes

/routing bgp peer
add multihop=yes name=peer1 remote-address=192.168.202.254 remote-as=65515 \
ttl=default

/ip firewall nat
add action=accept chain=srcnat comment=AzureNAT-BGP dst-address=\
192.168.202.0/24 src-address=192.168.100.0/24
add action=accept chain=srcnat comment=AzureNAT-BGP2 dst-address=\
192.168.200.0/24 src-address=192.168.100.0/24

/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.100.0/24 src-address=\
192.168.202.0/24
add action=notrack chain=prerouting dst-address=192.168.202.0/24 src-address=\
192.168.100.0/24
add action=notrack chain=prerouting dst-address=192.168.100.0/24 src-address=\
192.168.200.0/24
add action=notrack chain=prerouting dst-address=192.168.200.0/24 src-address=\
192.168.100.0/24

I have found some documentation using IPIP and GRE but these protocols are not supported in Azure. Any idea?

Regards.

When you are configuring the Azure side, the system give you an example config script for different routers.

I have downloaded the Cisco ASR-ISR.

Cisco config attached. In theory, I would need an equivalent config for RouterOS.

To have fully functional BGP over IPSec tunnel, you need the support of Route-based IPSec, or as others called it VTI.

With VTI, you have a dedicated interface for IPSec tunnel, and policy is set to allow any to any within this tunnel, and then you manage your traffic on the route level, instead of managing IPSec policies.

Mikrotik does not have this feature, though it requested 10 years ago (check the forum).

You can still connect Mikrotik to Azure route-based Gateway and advertise your routes to Azure via Mikrotik BGP instance, but the routes received from Azure will not work on Mikrotik.

You have to use static IPSec policies on the Mikrotik level. As I tested, Azure gateway does not support transport IPSec mode, only tunnel mode. So creating Transport IPsec policy for IPIP tunnel on Mikrotik will not work...

I don't know how flexible that Azure gateway is (probably not very...) but it should still be possible to layer an IPIP or GRE tunnel on top of a tunnel-mode IPsec policy, and that should work.
(I have done this between MikroTik and plain Linux systems)

I spent a couple of sleepless nights trying to make IPIP work with Azure gateway, and no success. Would appreciate if you find a way to make it work...

As i found, the issue with Azure Gateway is it requires Tunnel mode and does not work in transport IPsec mode.

I know this is an old thread, but maybe I can save someone from sleepless nights with this info:
Azure supports only 3 OSI layer 4 protocols: TCP/IP, UDP and ICMP. Everything else is silently dropped. That means no OSPF, no IPIP, no EoIP, no GRE.
If you want to use something other than the mentioned 3 protocols, you'll need an L2TP connection and terminate it in a VM (like a Mikrotik CHR) in Azure.

Do did somebody make it work , I am also interested in BGP for both ways sharing / announcing routes
RouterOS 7.1.3 (stable)

@hkusulja after 4 hours with Azure Premier support, we were able to get both IPSec tunnels up with Mikrotik and the BGP connection stablished on both tunnels as well Today. I'm receiving the VNet routes advertised by Azure and they appear both in my Routes table.

However, None of the routes I'm advertising from MikroTik are received and learned on the Azure side.

I'm using a CCR2004-1G-12S+2XS with RouterOS v7.1.5.

I wonder if anyone ever got that to work.

Thank you!

@hkusulja after 4 hours with Azure Premier support, we were able to get both IPSec tunnels up with Mikrotik and the BGP connection stablished on both tunnels as well Today. I'm receiving the VNet routes advertised by Azure and they appear both in my Routes table.

However, None of the routes I'm advertising from MikroTik are received and learned on the Azure side.

I'm using a CCR2004-1G-12S+2XS with RouterOS v7.1.5.

I wonder if anyone ever got that to work.

Thank you!

And? What did you end up using? Do you have a routed interface? IPIP? GRE?

it does advertise to azure via BGP, make sure to add your networks in (Mikrotik BGP Networks) unless you have BGP redistribute defined, also make sure to enable EBGP Multihop you are not using VTI subnet