
I'm trying to establish a site-to-site connection between an Azure Virtual Network Gateway and a local site using Mikrotik (RouterOS 6.43.10).

I followed various configuration manuals:

According to the ipsec log, all of them fail with the error "payload missing: ID_R".

Any ideas?

rudolfdobias

2 Answers

I just had this same issue setting up an Azure Site-to-Site VPN for a customer through a third-party vendor. Not getting any real support from them, I ended up creating an Azure test environment and finding the resolution... which was right in front of the third-party engineer the whole time: "Use policy based traffic selector" needs to be enabled.

The issue is that the Mikrotik router doesn't currently support VTI and requires the exchange of policy-based traffic selectors (TS_R, TS_I) in order to choose which IPsec policy to use.

The Azure Virtual Network Gateway Connection by default has the setting "Use policy based traffic selector" disabled. All you need to do is enable this setting and Azure will send the proper IKEv2 payloads and your connection will come right up.

MSharp

According to RFC 4306, the optional payload IDr enables the initiator to specify which of the responder's identities it wants to talk to. This is useful when the machine on which the responder is running is hosting multiple identities at the same IP address.

Your device expects IDr and Azure Gateway is not sending it. Can you check if you can disable the feature which expects IDr payload?

msrini-MSIT
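To make the log line concrete, here is an added example (not from either answer, and not RouterOS or Azure code) that walks the payload chain of an IKEv2 IKE_AUTH reply and lists the payloads a responder must carry (RFC 7296 section 1.2: IDr, AUTH, SAr2, TSi, TSr) but the message lacks. That is the check behind "payload missing: ID_R" in the question, and it also covers the TS_I/TS_R selectors the first answer says the Mikrotik needs. The two messages are constructed inline to mimic the symptom; they are not captures from Azure. The example treats the chain as already decrypted (on the wire these payloads sit inside an SK payload) and uses dummy AUTH and SA bodies; the address values are placeholders.

```python
import struct

# IKEv2 payload type numbers (RFC 7296 section 3.2).
PAYLOAD_TYPES = {
    33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
    39: "AUTH", 40: "Nonce", 41: "N", 42: "D", 43: "V", 44: "TSi",
    45: "TSr", 46: "SK", 47: "CP", 48: "EAP",
}
NAME_TO_TYPE = {name: num for num, name in PAYLOAD_TYPES.items()}
NO_NEXT_PAYLOAD = 0
EXCHANGE_IKE_AUTH = 35
FLAG_RESPONSE = 0x20
IKE_HEADER_LEN = 28     # SPIi(8) SPIr(8) next(1) version(1) exch(1) flags(1) msgid(4) length(4)
GENERIC_HEADER_LEN = 4  # next(1) critical/reserved(1) length(2)

# Responder IKE_AUTH reply: HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr} (RFC 7296 s1.2).
REQUIRED_IN_AUTH_RESPONSE = ("IDr", "AUTH", "SA", "TSi", "TSr")
# Spelling used by the RouterOS log line quoted in the question.
ROUTEROS_NAMES = {"IDr": "ID_R", "TSi": "TS_I", "TSr": "TS_R"}


def build_message(exchange_type, payloads, flags=FLAG_RESPONSE, msg_id=1):
    """Serialise [(payload_name, body_bytes), ...] behind an IKEv2 header.
    The SK wrapper is omitted on purpose: this models the decrypted chain."""
    body = b""
    for i, (name, data) in enumerate(payloads):
        nxt = NAME_TO_TYPE[payloads[i + 1][0]] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        body += struct.pack("!BBH", nxt, 0, GENERIC_HEADER_LEN + len(data)) + data
    first = NAME_TO_TYPE[payloads[0][0]] if payloads else NO_NEXT_PAYLOAD
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x20,
                      exchange_type, flags, msg_id, IKE_HEADER_LEN + len(body))
    return hdr + body


def parse_payload_chain(msg):
    """Return (exchange_type, flags, [payload names in order]).
    Raises ValueError when the chain does not fit the message, as a parser must."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    _, _, next_type, version, exchange, flags, _, length = struct.unpack(
        "!8s8sBBBBII", msg[:IKE_HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {version >> 4})")
    if length != len(msg):
        raise ValueError(f"header length {length} != message size {len(msg)}")
    names, off = [], IKE_HEADER_LEN
    while next_type != NO_NEXT_PAYLOAD:
        if off + GENERIC_HEADER_LEN > len(msg):
            raise ValueError(f"truncated payload header at offset {off}")
        nxt, _, plen = struct.unpack("!BBH", msg[off:off + GENERIC_HEADER_LEN])
        if plen < GENERIC_HEADER_LEN or off + plen > len(msg):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        names.append(PAYLOAD_TYPES.get(next_type, f"type{next_type}"))
        off, next_type = off + plen, nxt
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")
    return exchange, flags, names


def missing_auth_response_payloads(msg):
    """Payloads a responder IKE_AUTH reply must carry that this message lacks."""
    exchange, flags, names = parse_payload_chain(msg)
    if exchange != EXCHANGE_IKE_AUTH or not flags & FLAG_RESPONSE:
        raise ValueError("not an IKE_AUTH response")
    return [p for p in REQUIRED_IN_AUTH_RESPONSE if p not in names]


def log_line(missing):
    """First missing payload, spelled the way the question's ipsec log spells it."""
    if not missing:
        return "all required IKE_AUTH payloads present"
    return "payload missing: " + ROUTEROS_NAMES.get(missing[0], missing[0])


def ts_ipv4(start, end):
    """Traffic Selector payload body holding one TS_IPV4_ADDR_RANGE selector
    (type 7, any protocol, all ports): count(1) reserved(3) then the selector."""
    sel = struct.pack("!BBHHH4s4s", 7, 0, 16, 0, 65535, bytes(start), bytes(end))
    return b"\x01\x00\x00\x00" + sel


# Constructed samples (placeholder addresses, dummy AUTH/SA bodies; not Azure captures).
IDR_BODY = b"\x01\x00\x00\x00" + bytes([203, 0, 113, 10])  # ID_IPV4_ADDR
AUTH_BODY = b"\x02\x00\x00\x00" + b"\xaa" * 32              # PSK method, fake auth data
SA_BODY = b"\x00" * 8

# Reply without IDr and without traffic selectors: the symptom in the question.
NO_SELECTORS = build_message(EXCHANGE_IKE_AUTH, [("AUTH", AUTH_BODY), ("SA", SA_BODY)])
# Complete reply, giving a policy-based peer what it needs to pick an IPsec policy.
WITH_SELECTORS = build_message(EXCHANGE_IKE_AUTH, [
    ("IDr", IDR_BODY), ("AUTH", AUTH_BODY), ("SA", SA_BODY),
    ("TSi", ts_ipv4([10, 0, 0, 0], [10, 0, 255, 255])),
    ("TSr", ts_ipv4([192, 168, 88, 0], [192, 168, 88, 255])),
])

if __name__ == "__main__":
    for label, m in (("without selectors", NO_SELECTORS), ("with selectors", WITH_SELECTORS)):
        print(label, parse_payload_chain(m)[2], "->", log_line(missing_auth_response_payloads(m)))
```

The check is only as good as the view you have of the chain: on a live tunnel the IKE_AUTH payloads are encrypted inside SK, so without the session keys the router's own ipsec log (which reports on the decrypted chain) is the only place this diagnosis shows up. The walker also rejects a chain whose lengths overrun the message, which is the kind of malformed input a responder has to tolerate without crashing.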