EdgeRouter - Route-Based Site-to-Site VPN to Azure (VTI over IKEv2/IPsec)


Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between a Microsoft Azure VPN gateway and an EdgeRouter using static routing. The following VPN options are available when connecting to Azure:

Microsoft recommends to use Route-Based IKEv2 VPNs over Policy-Based IKEv1 VPNs as it offers additional rich connectivity features. These features include Point-to-Site VPNs, Active Routing Support (BGP), Support for multiple tunnels as well as ECMP with metric routing, Active-Active Azure Gateway configurations for redundancy, Transit Routing with Point-to-Site, DPD detection and Virtual Network Peering.

Applicable to EdgeOS firmware v1.10.0 and up on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and advanced networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.
More info about Azure VPNs and their requirements can be found here.
Devices used in this article:

Table of Contents

  1. Network Diagram
  2. Configuring a Route-Based VPN
  3. Setting up the Azure Gateway
  4. Testing and Verification
  5. Related Articles

Network Diagram

Back to Top

The network topology is shown below and the following interfaces are in use on the EdgeRouter and Azure:


  • eth0 (WAN) -
  • eth1 (LAN) -
  • vti0 - no address

Azure VGW

  • Virtual Gateway -
  • Virtual Network -
  • Default Subnet -

The type of VPN that will be created is a VTI over IKEv2/IPsec tunnel. Static routing will be used to facilitate routing between the sites.

Configuring a Route-Based VPN

Back to Top

For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.


2. Enable the auto-firewall-nat-exclude feature which automatically creates the IPsec firewall/NAT policies in the iptables firewall.

set vpn ipsec auto-firewall-nat-exclude enable

3. Create the IKE / Phase 1 (P1) Security Associations (SAs) and set the key-exchange to IKEv2.

set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

4. Create the ESP / Phase 2 (P2) SAs and disable Perfect Forward Secrecy (PFS).

set vpn ipsec esp-group FOO0 lifetime 27000
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
NOTE: Azure also supports other encryption and hashing methods. For the full list of supported SAs please see the Microsoft article here.

5. Define the Azure VPN Gateway peering address and set the connection-type to respond.

set vpn ipsec site-to-site peer authentication mode pre-shared-secret
set vpn ipsec site-to-site peer authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer connection-type respond
set vpn ipsec site-to-site peer description ipsec
set vpn ipsec site-to-site peer local-address
ATTENTION: It is of vital importance that the connection-type is set to respond.

6. Link the SAs created above to the Azure peer and bind the VPN to a virtual tunnel interface (vti0).

set vpn ipsec site-to-site peer ike-group FOO0
set vpn ipsec site-to-site peer vti bind vti0
set vpn ipsec site-to-site peer vti esp-group FOO0

7. Configure the virtual tunnel interface (vti0) without an IP address assigned to it.

set interfaces vti vti0

8. Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1350.

set firewall options mss-clamp interface-type vti
set firewall options mss-clamp mss 1350

9. Create a static route for the remote subnet.

set protocols static interface-route next-hop-interface vti0

10. Commit the changes and save the configuration.

commit ; save

Setting up the Azure Gateway

Back to Top

The Microsoft Azure side of the Site-to-Site VPN connection is based on this Microsoft article.

GUI: Access the Azure Management Portal.

1. Create a Virtual Network.

Dashboard > New > Networking > Virtual Network

Name: ServerNetwork
Address Space:
Subnet name: default
Subnet Address Space:
Resource Group: ServerNetwork

2. Create a Gateway Subnet.

Dashboard > Virtual Networks > ServerNetwork > Subnets > + Gateway subnet

Name: GatewaySubnet (Required / cannot be changed)
Address Range: (Cannot be the same as the default subnet address space)


3. Create a Virtual Network Gateway.

Dashboard > New > Networking > Virtual Network Gateway

Name: VirtualGateway
Gateway Type: VPN
VPN Type: Route-Based
SKU: Basic (depends on usage)
Virtual Network: ServerNetwork
Public IP Address: Create new > VirtualGateway
NOTE: The provisioning process for a new Virtual Gateway will take time. The Gateway Stock-Keeping Unit (SKU) defines the throughput capabilities of the VPN connection. More info about SKUs can be found in this Microsoft article.

4. Create a Local Network Gateway.

Dashboard > New > Networking > Local Network Gateway

Name: LocalGateway
IP Address:
Address Space:


5. Create a VPN Connection and link the LocalGateway to the VirtualGateway.

Daskboard >Virtual Network Gateways > VirtualGateway > Connections > + Add

Name: IPsecER
Connection Type: Site-to-Site (IPsec)
Virtual Network Gateway: VirtualGateway
Local Network Gateway: LocalGateway
Shared Key: <secret>



Testing and Verification

Back to Top

1. Verify the IPsec Security Associations (SAs) and tunnel status.

show vpn ipsec sa
peer- #2, ESTABLISHED, IKEv2, ecdf3193545e701f:ee1b587910cc8b32
 local  '' @
 remote '' @
 established 787s ago, rekeying in 27228s
   installed 787 ago, rekeying in 25448s, expires in 26213s
   in  c92b831a,   4180 bytes,    85 packets,     3s ago
   out 596eba1a,   3366 bytes,    62 packets,     3s ago
NOTE: If there is no (or only partial) output, the tunnel is not established. Verify that the in and out traffic counters are increasing at the same time and that the remote and local subnets are listed as in the output.

2. Verify the IPsec strongSwan configuration file.

sudo cat /etc/ipsec.conf
# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

conn peer-
#conn peer-

3. Capture the IPsec traffic on the WAN interface.

sudo tcpdump -i eth0 -n udp dst port 500 or port 4500 or esp
IP > isakmp: phase 1 I ident
IP > isakmp: phase 1 R ident
IP > isakmp: phase 1 I ident[E]
IP > isakmp: phase 1 R ident[E]
IP > isakmp: phase 2/others I oakley-quick[E]
IP > isakmp: phase 2/others R oakley-quick[E]
NOTE: This is a live capture of IPsec traffic.

4. Capture and analyze the IPsec VPN log messages.

sudo swanctl --log
[KNL] creating acquire job for policy[icmp/8] ===[icmp/8] with reqid {1}
[IKE] initiating Main Mode IKE_SA peer-[1] to
[ENC] generating ID_PROT request 0 [ SA V V V V ]
[NET] sending packet: from[500] to[500] (160 bytes)
[NET] received packet: from[500] to[500] (108 bytes)
[ENC] parsed ID_PROT response 0 [ SA V ]
[IKE] received NAT-T (RFC 3947) vendor ID
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA peer-[1] established between[]...[]
[ENC] generating QUICK_MODE request 561157166 [ HASH SA No ID ID ]
[ENC] parsed QUICK_MODE response 561157166 [ HASH SA No ID ID N((24576)) ]
[IKE] <peer-|1> CHILD_SA peer-{1} established with SPIs and TS               
NOTE: This is a live capture of IPsec traffic.

5. Verify the routing table.

show ip route
S    *> [1/0] is directly connected, vti0

6. Verify the Azure Virtual Gateway Connection (only relevant output is shown).

Get-AzureRmVirtualNetworkGatewayConnection -Name "IPsecER" -ResourceGroupName "ServerNetwork"

Name                    : IPsecER
ResourceGroupName       : ServerNetwork
Location                : eastus
ProvisioningState       : Succeeded
ConnectionStatus        : Connected
EgressBytesTransferred  : 3854
IngressBytesTransferred : 3104
NOTE: More info on how to use Windows PowerShell to manage Azure can be found in the this Microsoft article.

Related Articles

Back to Top