@kdurigan 

Are the two IPsec tunnels using IKEv1? Have you tried IKEv2? And have you tried Local ID Type to select Name?

I have not tried IKEv2 so both tunnels are IKEv1. In the past IKEv2 was not possible with the older TP-Link Router I had so when I upgraded the router I just copied the old configuration. Later I added the second tunnel and that is when I started having issues. I can give IKEv2 a try but not for a couple of days.

After a fair amount of work, here is the problem and solution: - in Azure you can configure a policy-based or route-based gateway.

 

- Basic gateway sku's are cheap - less than $1 per day but have limitations such as throughput, connection limits and diagnostics.

- Standard gateways cost more but are faster and have more features. A Standard type 1 gateway sku is about $5 per day.

- Azure Basic policy-based gateways only support IKEv1. This type of gateway will reconnect every 5 minutes if there is no traffic, and may do so even if there is traffic. I reproduced this error in West US 3 and West Central US regions, so I suspect it is the same everywhere.

- I have successfully set up both Basic and Standard IKEv2 route-based gateways and they do not experience the 5-minute reconnection issue.

- According to the Microsoft documentation I am not supposed to be able to set up a route-based Basic sku IKEv2 gateway but I did... So for now, I can have multiple always-on Site to Site VPN connections to Azure for about $0.86 per day per tunnel. It is stable and reliable with the ER7206 router with firmware 1.2.3.

- I have 5 tunnels - perfect for Azure testing.

 

Hopefully this helps others looking to set up a cheap lab environment.