So after spending some hours (you have to wait 45 minutes for the gateway to be deployed), I managed to get Draytek 3200 and Azure VPN Site-to-Site to work.
The solution wasn’t easy if you are not too careful, so I’m going to show you what you have to be careful of in order to possibly integrate with other IPSec routers.
First of all before you start go to: About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections.
Go down to the page to the IPsec/IKE parameters part. There you will find the requirements needed. You have to go to your router settings (in this case Draytek 3200) and look at what options you have in order for Azure and Draytek to talk to each other.
First of all go down to IKEv2 in the list and check if you can configure it as Route-Based or Policy-Based VPN. This is an option when you create your gateway. Don’t get it wrong! If you do you have to wait another 45 minutes for the right one to be provisioned!
So I got it setup with IKEv1 (so Policy-Based). Draytek IKE phase 1 proposal mode is: AES128_SHA1_G2. That would correspond to the Microsoft list as follows:
IKE Version: IKEv1
Diffie-Hellman Group: Group 2 (1024 bit) – It’s the G2 at the end
Authentication Method: Pre-Shared Key (you select AES with authentication on Draytek)
Encryption & Hashing Algorithms: 3. AES128, SHA1 (this is a pair that has to be supported from the router as a pair as well).
So here are the settings and the guide for Draytek 3200:
Follow this guide from Microsoft
On the 2nd step make sure you select Policy-based (not Route-based as it is in the screenshot).
So for step 6. Configure your VPN device here is what you need on the Draytek side:
Create a LAN-to-LAN VPN profile and make sure it’s Dial-out and you select the correct WAN port (it has to be the IP you setup on step 5 from the Microsoft guide above).
Server IP is the Public IP of the VPN gateway (Guide-Step 4)
Pre-Shared Key is the key you specified for the Connection (Guide-Step 7)
Select High(ESP) – AES with Authentication
Set the settings as above. AES128_SHA1_G2, AES128_SHA1, 28800, 3600. Note that the lifetimes are settings you get as well from the Microsoft requirements.
Last but not least set up your network subnets correctly as below:
Remote Network IP: 10.0.0.0 is the range of your Azure VNET while Local Network IP is the range of your local network.
Go to Connection Management and Dial it. Then you should connect:
You can try pinging your resources (VMs) you might have in Azure or from Azure back to your local network.
Worked for me 🙂