Hi,
At home, I have a Raspberry Pi with Raspbian as its OS. I have installed Openswan to make a site-to-site VPN between the Raspberry Pi and Azure. The Raspberry Pi has an IP address of 192.168.1.2 behind NAT. Ping works from both sites, but I'm not able to RDP or, for example, manage the servers in Server Manager. AD replication doesn't work either, but I was able to join a VM in Azure over this VPN. I'm using the following configuration:
Network topology:
• 192.168.1.0/24 - Home network
• 192.168.2.0/24 - Azure network
• 192.168.1.1 - Home router's private IP
• 192.168.1.2 - Raspberry Pi
I enabled L2TP Passthrough in the router firewall and I tried to forward the following ports to my Pi:
• UDP 500
• UDP 4500
I also tried to place the Pi in the DMZ.
My ipsec.conf looks like this:
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/24
    protostack=auto
    interfaces="ipsec0=eth0"
conn azure
    authby=secret
    auto=start
    type=tunnel
    left=192.168.1.2
    leftsubnet=192.168.1.0/24
    leftnexthop=192.168.1.1
    right=[Azure IP]
    rightsubnet=192.168.2.0/24
    ike=3des-sha1-modp1024,aes128-sha1-modp1024
    esp=3des-sha1,aes128-sha1
    pfs=no
ipsec.secrets:
192.168.1.2 [Azure IP] : PSK "AzureSecret"
That got the link up and running. To allow routing between the sites:
/etc/sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
iptables rules:
iptables -A FORWARD -s 192.168.2.0/24 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -m policy --dir out --pol ipsec -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
The NAT table allows the Azure VMs to connect to any machine on my home network:
iptables -A PREROUTING -t nat -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination [Azure IP]:4500
iptables -A PREROUTING -t nat -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination [Azure IP]:500
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
With all this I can ping and communicate in both directions: all Azure VMs can see my home network, and all home network machines can see my Azure VMs.
Any idea what's going wrong? Thank you!
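Before chasing protocol-level faults, the ipsec.conf above is the kind of file worth linting for structural mistakes. The script below is an added example for this thread, not part of the original post and not Openswan's own code. It parses an Openswan-style ipsec.conf (a "version" line, "config setup" and "conn NAME" headers at column 0, indented key=value parameters, as in the question) into a dictionary and runs a few checks a defender would run: overlapping left/right subnets, 3DES in the ESP proposal, pfs=no, and a leftsubnet that falls inside virtual_private without a "!" exclusion. The embedded sample is constructed from the question's configuration, with the documentation address 203.0.113.10 standing in for "[Azure IP]"; the check set is my own choice and does not claim to diagnose the RDP failure described.

```python
"""Parse an Openswan-style ipsec.conf and run a few sanity checks.

Added example for this thread (not the original post's code, not
Openswan's).  Assumes the syntax shown in the question: a "version" line
and "config setup"/"conn NAME" headers at column 0, parameters indented.
"""
import ipaddress

# Constructed sample mirroring the question; 203.0.113.10 stands in for "[Azure IP]".
SAMPLE_CONF = """\
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/24
    protostack=auto
    interfaces="ipsec0=eth0"
conn azure
    authby=secret
    auto=start
    type=tunnel
    left=192.168.1.2
    leftsubnet=192.168.1.0/24
    leftnexthop=192.168.1.1
    right=203.0.113.10
    rightsubnet=192.168.2.0/24
    ike=3des-sha1-modp1024,aes128-sha1-modp1024
    esp=3des-sha1,aes128-sha1
    pfs=no
"""

def parse_ipsec_conf(text):
    """Return {"version": str, "setup": {...}, "conns": {name: {...}}}."""
    result = {"version": None, "setup": {}, "conns": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line[0] not in " \t":                  # column 0: a header line
            words = line.split()
            if words[0] == "version":
                result["version"] = words[1]
                current = None
            elif words[:2] == ["config", "setup"]:
                current = result["setup"]
            elif words[0] == "conn":
                current = result["conns"].setdefault(words[1], {})
            else:
                raise ValueError("unexpected header: %r" % raw)
            continue
        if current is None:
            raise ValueError("parameter outside a section: %r" % raw)
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return result

def check_conn(conn):
    """Findings for one conn section; an empty list means nothing noted."""
    findings = []
    left = ipaddress.ip_network(conn["leftsubnet"])
    right = ipaddress.ip_network(conn["rightsubnet"])
    if left.overlaps(right):
        findings.append("leftsubnet and rightsubnet overlap; routing between "
                        "the sites is ambiguous")
    weak = [a for a in conn.get("esp", "").split(",") if a.startswith("3des")]
    if weak:
        findings.append("esp offers 3DES (%s); prefer AES-only" % ",".join(weak))
    if conn.get("pfs", "yes").lower() == "no":
        findings.append("pfs=no: compromise of the IKE keys exposes past ESP traffic")
    return findings

def check_setup(setup, conns):
    """Flag a leftsubnet covered by virtual_private with no '!' exclusion."""
    findings = []
    allowed, excluded = [], []
    for item in setup.get("virtual_private", "").split(","):
        _, _, cidr = item.strip().partition(":")   # drop the %v4/%v6 tag
        if cidr:
            target = excluded if cidr.startswith("!") else allowed
            target.append(ipaddress.ip_network(cidr.lstrip("!")))
    for name, conn in conns.items():
        local = ipaddress.ip_network(conn["leftsubnet"])
        if any(local.subnet_of(n) for n in allowed) and \
                not any(local.subnet_of(x) for x in excluded):
            findings.append("conn %s: leftsubnet %s lies inside virtual_private "
                            "without a ! exclusion" % (name, local))
    return findings

def run_checks(text):
    """Parse the conf and return {section: [findings]}."""
    conf = parse_ipsec_conf(text)
    report = {"setup": check_setup(conf["setup"], conf["conns"])}
    for name, conn in conf["conns"].items():
        report[name] = check_conn(conn)
    return report

if __name__ == "__main__":
    for section, notes in run_checks(SAMPLE_CONF).items():
        print(section, notes or "ok")
```

Run it with python3 and it prints one line per section. The checks are purely structural: they complement, rather than replace, `ipsec verify` and reading the IKE negotiation in the Openswan logs.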