11-13-2015 07:37 AM - edited 03-12-2019 07:20 AM
I have a CSR set up in my Virtual Private Cloud and we would like to establish a VPN tunnel between the Cisco CSR 1000V router and Azure. Is it possible? Any documentation confirming that this is supported would be a great help.
Thanks
11-19-2015 08:35 AM
Yes, pretty easy. My recommendation is to do it as a single-arm setup.
Simplified config looks like this (I believe for multi-SA dynamic IKEv2 beyond this you will have to do a front-door VRF too):
crypto ikev2 proposal AzureVPN_IKEV2
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy AzureVPN_IKEV2_Policy
 proposal AzureVPN_IKEV2
!
crypto ikev2 keyring AzureVPN_IKEV2Keyring
 peer <AZURE_IP_ADDRESS>
  address <AZURE_IP_ADDRESS>
  pre-shared-key <AZURE_PRE-SHARED-KEY>
!
crypto ikev2 profile AzureVPN_IKEV2Profile
 match address local interface GigabitEthernet1
 match identity remote address <AZURE_IP_ADDRESS> 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local AzureVPN_IKEV2Keyring
!
crypto ipsec transform-set AzureVPN_IPSecTransform esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile AzureVPN_IPSecProfile
 set transform-set AzureVPN_IPSecTransform
 set ikev2-profile AzureVPN_IKEV2Profile
!
! Route-based VTI towards Azure; the MSS clamp avoids fragmentation inside the tunnel
interface Tunnel1
 ip address 169.254.0.1 255.255.255.0
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination <AZURE_IP_ADDRESS>
 tunnel protection ipsec profile AzureVPN_IPSecProfile
!
! DHCP will supply the default route for AWS
interface GigabitEthernet1
 ip address dhcp
 ip access-group GW_INT_ALLOWED_IN in
 negotiation auto
!
! Send the Azure VNet prefix into the tunnel
ip route <AZURE_VNET> <AZURE_VNET_MASK> Tunnel1
!
! Inbound filter on the outside interface: only IKE/IPsec, ICMP and DHCP are admitted
ip access-list extended GW_INT_ALLOWED_IN
 remark Prevent fragmented packets
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 remark Allow inbound traffic for VPN tunneling
 permit esp any any
 permit udp any any eq isakmp
 permit udp any eq isakmp any
 permit udp any eq non500-isakmp any
 permit udp any any eq non500-isakmp
 remark Allow inbound ICMP for testing interface up
 permit icmp any any
 remark Allow DHCP to the primary interface for AWS - important or it won't restart
 permit udp any eq bootps any eq bootpc
 permit udp any eq bootpc any eq bootps
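An added example, not from this thread and not Cisco or Azure tooling: a small Python audit that parses a running-config in the layout above into sections and checks the three things that most often matter for this setup. It flags deprecated algorithms anywhere in an IKEv2 proposal (3DES, SHA-1 and DH group 2 are all offered in the config posted above, and IKEv2 can negotiate any option that is offered), verifies that each tunnel's protection profile, transform-set and IKEv2 profile actually exist, and confirms that the inbound ACL on the tunnel-source interface admits ESP, IKE (udp/500) and NAT-T (udp/4500). The embedded sample is a trimmed copy of the posted config with the placeholders replaced by RFC 5737 documentation addresses; the weak-algorithm lists are this script's assumption, not Azure's published requirements.

```python
# Added example: the parser and checks below are this script's own, not Cisco's or Azure's
# tooling. WEAK treats 3DES/DES, MD5/SHA-1 and DH groups 1/2/5 as deprecated per current
# general guidance; that is an assumption here, not Azure's published requirement list.
WEAK = {"encryption": {"des", "3des"}, "integrity": {"md5", "sha1"}, "group": {"1", "2", "5"}}
REQUIRED_INGRESS = {  # what the inbound ACL on the tunnel-source interface must admit
    "ESP (ip proto 50)": lambda w: w[1] == "esp",
    "IKE (udp/500)": lambda w: w[1] == "udp" and "isakmp" in w,
    "NAT-T (udp/4500)": lambda w: w[1] == "udp" and "non500-isakmp" in w,
}
SET_TARGETS = {"transform-set": "crypto ipsec transform-set", "ikev2-profile": "crypto ikev2 profile"}
# Constructed sample: a trimmed copy of the thread's config with the placeholders replaced
# by RFC 5737 documentation addresses.
SAMPLE_CONFIG = """\
crypto ikev2 proposal AzureVPN_IKEV2
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
crypto ikev2 profile AzureVPN_IKEV2Profile
 match identity remote address 203.0.113.10 255.255.255.255
crypto ipsec transform-set AzureVPN_IPSecTransform esp-aes 256 esp-sha-hmac
crypto ipsec profile AzureVPN_IPSecProfile
 set transform-set AzureVPN_IPSecTransform
 set ikev2-profile AzureVPN_IKEV2Profile
interface Tunnel1
 tunnel source GigabitEthernet1
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile AzureVPN_IPSecProfile
interface GigabitEthernet1
 ip access-group GW_INT_ALLOWED_IN in
ip access-list extended GW_INT_ALLOWED_IN
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
"""

def parse_sections(text):
    """Map each column-0 command to its indented sub-commands (deeper nesting is flattened)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and '!' separators/comments
        if not raw.startswith(" "):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def find_section(s, prefix):  # exact header, or header with more words (transform-sets carry algorithms)
    return next((h for h in s if h == prefix or h.startswith(prefix + " ")), None)

def _check_proposal(header, body, out):
    for line in body:
        kw, *args = line.split()
        weak = set(args) & WEAK.get(kw, set())  # anything offered can be negotiated
        if weak:
            out.append(f"{header}: weak {kw} offered: {' '.join(sorted(weak))}")

def _check_references(s, tun, body, out):
    """Follow tunnel -> ipsec profile -> transform-set / ikev2 profile; each must exist."""
    prof = next((l.split()[-1] for l in body if l.startswith("tunnel protection ipsec profile ")), None)
    ipsec = prof and find_section(s, f"crypto ipsec profile {prof}")
    if not ipsec:
        out.append(f"{tun}: tunnel protection ipsec profile {prof or '<none>'} is absent or undefined")
        return
    for line in s[ipsec]:
        kw, *args = line.split()
        kind = SET_TARGETS.get(args[0]) if kw == "set" else None
        if kind:
            out += [f"{ipsec}: {args[0]} {n} is not defined" for n in args[1:]
                    if find_section(s, f"{kind} {n}") is None]

def _check_ingress_acl(s, tun, body, out):
    """The ACL applied inbound on the tunnel source must admit IKE, NAT-T and ESP."""
    src = next((l.split()[-1] for l in body if l.startswith("tunnel source ")), None)
    src_body = s.get(find_section(s, f"interface {src}"), [])
    acl = next((l.split()[2] for l in src_body if l.startswith("ip access-group ") and l.endswith(" in")), None)
    if acl is None:
        return  # no ingress filter, so nothing here can block negotiation
    acl_hdr = find_section(s, f"ip access-list extended {acl}")
    if acl_hdr is None:
        out.append(f"{src}: ingress ACL {acl} is applied but not defined")
        return
    permits = [e.split() for e in s[acl_hdr] if e.startswith("permit ")]
    out += [f"{acl}: ingress ACL on {src} does not permit {what}"
            for what, matches in REQUIRED_INGRESS.items() if not any(matches(w) for w in permits)]

def audit(text):
    """Return findings for a running-config; an empty list means every check passed."""
    s, out = parse_sections(text), []
    for header, body in s.items():
        if header.startswith("crypto ikev2 proposal "):
            _check_proposal(header, body, out)
        elif header.startswith("interface Tunnel"):
            _check_references(s, header, body, out)
            _check_ingress_acl(s, header, body, out)
    return out
```

Run `audit(SAMPLE_CONFIG)` and the only findings are the three weak options in the IKEv2 proposal; trimming the proposal to `encryption aes-cbc-256`, `integrity sha256` and `group 14` (a constructed hardened variant, not something the thread proposes) brings the audit to zero findings, because the transform-set, profiles and ACL entries are all present and consistent. Removing the `permit esp any any` entry or the `tunnel protection` line produces a finding naming the ACL or the tunnel interface, which is the kind of misconfiguration that otherwise shows up only as a tunnel that never comes up.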
03-07-2016 03:00 AM
Hi,
I established the tunnel but it fails every 5 or 10 minutes. Any ideas?
Regards
03-10-2016 03:11 AM
You need to have some traffic to keep the tunnel up.
Not sure that it's possible to tune any timers from the Azure side.
03-11-2016 01:29 AM
Hi,
Thanks, will try to do that.
01-24-2017 12:01 PM
For anyone trying to access the link, this is always the latest and greatest:
https://github.com/Azure/Azure-vpn-config-samples/tree/master/Cisco/Current
CSR1000v to VNET vpn