I'm currently exploring my options for running a client VPN server within Azure. I've examined the Point-to-Site VPN functionality, and it seems to be more of a method for administrators to dial in, rather than a fully-fledged client VPN solution.
One of the remaining options is to run a client VPN server within an Azure VM. Many of the client VPN options make use of IPsec in one way or another, which uses IP protocols other than TCP/UDP for operation (ESP/AH). As far as I can tell, Azure does not allow traffic other than TCP/UDP to your virtual machines. Endpoint-based ACLs only permit you to select TCP or UDP. I've just been investigating Network Security Groups (NSGs) in the hope they may offer a solution, but they also only offer 'TCP', 'UDP' or '*' as a protocol option within ACLs. This leads me to believe that it's not possible to run an IPsec server within Azure. Is this correct, or are there options available that I've not come across? Obviously there are options that only require TCP/UDP (Microsoft SSTP comes to mind), but specifically on the question of IPsec?
As a side-question, what other solutions have people settled on when it comes to providing a client VPN to resources hosted within Azure?