Recently I had a lot of fun trying to create a cross-premises virtual network between Microsoft Azure and a Juniper SSG20.

Although the process is quite simple and straight forward, there are a couple of gotchas along the way that can make the process time consuming.

I will not get into the Azure side of things as does a great job of walking one through the virtual network creation process in Azure. However the fun begins after step 7 in the “Start the Gateway” section.

For the most part the “VPN Device Config Script” is okay but it misses out on one important command regarding nat traversal for the Juniper …

set ike gateway “Azure Gateway” nat-traversal keepalive-frequency 0

Here is the configuration that worked for me, I hope it helps you save some troubleshooting time.


set interface tunnel.4 zone untrust

set interface tunnel.4 ip unnumbered interface ethernet0/0

set route <AZURE ADDRESS SPACE>/<CIDR> interface tunnel.4

set ike gateway “Azure Gateway” address <GATEWAY> Main outgoing-interface ethernet0/0 preshare ABCDEFGHIJKLMNOPQRSTUVWZYX123456  proposal “pre-g2-aes128-sha”

set ike gateway “Azure Gateway” dpd-liveness interval 10

set ike gateway “Azure Gateway” nat-traversal

unset ike gateway “Azure Gateway” nat-traversal udp-checksum

set ike gateway “Azure Gateway” nat-traversal keepalive-frequency 0

set vpn “P2″ gateway “Azure Gateway” no-replay tunnel idletime 0 proposal “nopfs-esp-aes128-sha”

set vpn “P2″ monitor optimized rekey

set vpn “P2″ bind interface tunnel.4

set vpn “P2″ proxy-id check

set vpn “P2″ proxy-id local-ip <LOCAL NETWORK>/<CIDR> remote-ip <AZURE ADDRESS SPACE>/<CIDR> “ANY”


set policy id 39 from “Trust” to “Untrust” “<LOCAL NETWORK>/<CIDR>” “<AZURE ADDRESS SPACE>/<CIDR>” “ANY” permit log

set policy id 39


set policy id 38 from “Untrust” to “Trust” “<AZURE ADDRESS SPACE>/<CIDR>” “<LOCAL NETWORK>/<CIDR>” “ANY” permit set policy id 38


Re-blogged from: