Hi all,


I've been using a DrayTek Vigor 2860n+ router in a small business environment for about 18 months. It has a site-to-site IPsec VPN set up to a Cisco ASA in a data center so we can access remote servers as if they were on the LAN. We are migrating some services to Azure, so want to achieve a similar level of VPN-ness for our Azure servers.

In Azure, I have two VMs on a virtual network. I created a 'virtual network gateway' (route based a.k.a. dynamic routing) with a public IP address, and a 'connection' back to the office. In the connection, I specify the public IP of the 2860n+ and supply a key. On the 2860n+, I have created a new LAN-to-LAN connection in a similar way to that for my Cisco ASA, but using Azure's IP addressing and key.

It doesn't work. I cannot get it to connect. The DrayTek log utility shows me this, whilst the Azure side shows me nothing.

1412017-01-04 14:07:28Jan 4 14:07:23IAMTechNorthShoreRouterRe-dial L2L[4], ifno: 11, status: 0 from WEB...
1412017-01-04 14:07:28Jan 4 14:07:23IAMTechNorthShoreRouterDialing Node4 (Azure Wiz) : 40.69.93.8
1412017-01-04 14:07:28Jan 4 14:07:23IAMTechNorthShoreRouterInitiating IKE Main Mode to 40.69.93.8
1412017-01-04 14:07:28Jan 4 14:07:23IAMTechNorthShoreRouter[IPSEC/IKE][L2L][4:Azure Wiz][@40.69.93.8] Initiating IKE Main Mode
1412017-01-04 14:07:28Jan 4 14:07:23IAMTechNorthShoreRouterIKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
1412017-01-04 14:07:41Jan 4 14:07:36IAMTechNorthShoreRouter[IPSEC][L2L][4:Azure Wiz][@40.69.93.8] IKE link timeout: state linking

If I understand this correctly, it looks like the 2860n+ is trying to connect out to the Azure VPN, but getting no response, hence the timeout.

Has anyone connected one of these routers to Azure? What special settings do I need? I have read lots of guides and the Microsoft help, along with trying lots of different IPsec settings, but still no joy.

I'd happily extract the config and share it here, but I'm not sure how to do that.

Any suggestions welcome.


Cheers,
Richard.

Typical! I spend several days on-and-off having no success, so I post here. Then I find the answer!

On the Azure side, create your Virtual Network Gateway as 'policy based' (also known as static routing). The new/recommended/default is 'route based' (also known as dynamic routing) but that doesn't work with the 2860n+.

Azure seems to have a couple of annoying patterns: you cannot rename anything, and you often find you can't change certain object properties without deleting and re-creating them. So in the case of my virtual network gateway, I had to delete and re-build - thankfully this didn't require me to delete my virtual network and/or virtual machines!

Thanks for posting the answer, and glad you solved it

The issue is that Static Routing on Azure allows for IKE V1 connections. The other VPN gateway types require IKE V2 as a minimum which still isn't supported on DrayTek (I was told this was coming soon nearly a year ago now!)

Can someone from Draytek advise on the situation for IKE2...

If you ask them, I guess