Azure Site-to-Site VPN only works as Responder, not as a receiver

Till Voelkner 0 Reputation points
2026-01-25T12:55:38.44+00:00

Hello everyone,

I created an Azure VPN gateway and was able to establish a VPN tunnel between my Azure gateway and my MikroTik router. The tunnel only worked when the connection mode in Azure was set to Default. In this case the MikroTik router always created the connection as the initiator.

When I try to set Azure as Initiator, it doesn't work.

[Screenshots attached to the original post, not reproduced here: Azure config, Azure VPN PSK, MikroTik, MikroTik 1, MikroTik 2, NSG inbound, NSG outbound]

Also, the next hop of the VM NIC correctly shows the gateway's public IP.

The VPN connection only works when MikroTik is the initiator, but I cannot get it to work when Azure should be the initiator, which is very important for my use case.

I hope someone can help.

Greetings,

Till

Tag: Azure VPN Gateway (an Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks)

2 answers

  1. Q&A Assist
    2026-01-25T12:55:46.6266667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    It sounds like you are experiencing issues with the connection mode settings for your Azure VPN Gateway. When you set the Azure connection mode to Initiator only, it may not accept connection requests from your Mikrotik router, which is likely configured to initiate the connection.

    To resolve this, you can try the following:

    1. Ensure that the connection mode in Azure is set to Default or Responder only. This allows the Mikrotik router to initiate the connection without issues.
    2. If you need Azure to act as the initiator, ensure that the Mikrotik router is configured to accept incoming connection requests.
    3. Verify that both devices have matching configurations for the Diffie-Hellman (DH) group and other IPsec/IKE parameters. Mismatched configurations can lead to connectivity issues.

    If these steps do not resolve the issue, consider reaching out to your VPN device vendor for further assistance.


  2. Praveen Bandaru 9,785 Reputation points Microsoft External Staff Moderator
    2026-01-29T14:08:16.9966667+00:00

    Hello **Till Voelkner**, thank you for your questions and for highlighting the concern about VPN tunnel initiation behavior. This is an important point, and we appreciate the chance to clarify how Azure VPN Gateway works in this context.

    After our analysis and testing, we found that Azure VPN Gateway is mainly designed to act as a responder for site-to-site IPsec VPN connections. Although the Azure portal shows an “Initiator” option, this does not mean Azure will consistently or proactively start IKE negotiations like a traditional on-premises firewall or router.

    In real-world use, Azure VPN Gateway does not reliably send the initial IKE_SA_INIT messages to start a tunnel on its own. Tunnel setup is generally driven by network traffic and is responder-based. Therefore, if the on-premises device (such as the MikroTik router) is set to wait for Azure to initiate the tunnel, the VPN may not establish reliably.

    Regarding the “Azure as Initiator” setting: it is mainly for compatibility and legacy reasons across various VPN vendors. It allows Azure to initiate a tunnel when traffic triggers it, but it should not be seen as Azure actively bringing up the tunnel. The portal wording may imply more capability than is actually available.

    For best results, we recommend the following configuration:

    • Azure VPN Gateway connection mode set to Default
    • MikroTik router configured as the initiator
    • Enable proper DPD/keepalive settings on the MikroTik for tunnel stability

    This setup keeps the VPN tunnel established at the network layer, regardless of Azure VM activity. VM scaling events won’t require extra scripts or traffic generation, and all VMs will have connectivity as soon as they start.

    We agree that using VM-based ping scripts to initiate a VPN tunnel is not a professional or cloud-native solution, and it is unnecessary with the recommended configuration.

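The recommended configuration from the answer above (Azure connection mode Default, MikroTik as initiator, DPD enabled), written out as a RouterOS IPsec configuration. This is an added example, not the poster's or Microsoft's configuration; the gateway public IP, PSK, LAN and VNet prefixes are placeholders, and the algorithm choices are assumptions that must match the IPsec/IKE policy configured on the Azure connection.

```routeros
# Added example (not from the original thread). Placeholders to replace:
#   <AZURE_GW_PIP>  public IP of the Azure VPN gateway
#   <PSK>           pre-shared key set on the Azure connection
#   192.168.88.0/24 local LAN, 10.0.0.0/16 Azure VNet address space
# Algorithms below are assumptions; align them with the Azure connection's IPsec/IKE policy.

# Phase 1 (IKE) profile with DPD: probe every 30 s, declare the peer dead after 5 misses
/ip ipsec profile add name=azure hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=30s dpd-maximum-failures=5

# Phase 2 (ESP) proposal
/ip ipsec proposal add name=azure auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h

# Peer: passive=no makes this router the IKEv2 initiator.
# passive=yes would wait for Azure to start IKE_SA_INIT, which the answer above says is not reliable.
/ip ipsec peer add name=azure address=<AZURE_GW_PIP>/32 exchange-mode=ike2 profile=azure passive=no

# PSK identity for that peer
/ip ipsec identity add peer=azure auth-method=pre-shared-key secret="<PSK>"

# Tunnel-mode policy LAN <-> VNet; the initiator brings the tunnel up for this selector
/ip ipsec policy add peer=azure tunnel=yes src-address=192.168.88.0/24 dst-address=10.0.0.0/16 proposal=azure

# Verification: Phase 1 should show as established and ESP SAs should be installed
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

On the Azure side, leave the connection mode at Default so the gateway accepts the MikroTik-initiated negotiation; with DPD enabled, the MikroTik re-initiates on its own after a failure instead of depending on VM traffic.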
