Thanks Greg. If that is the case, do you know how Azure can support a Windows RRAS behind a NAT server to be the IPSec client on the customer network? That's what I had set up before trying to use the LTM instead, which I would prefer over a Windows machine anyday. Do you know if there's something different about the VPN connection when the endpoint is Windows RRAS? Does the publicly-routable IP requirement only apply to policy-based and not route-based connections? I'll upgrade to v12 in any case, but if I could use the LTM behind my FW as a Azure VPN client, that would be great.