
Establish VPN between Azure and CSR 1000V


I have a CSR set up in my Virtual Private Cloud and we would like to establish a VPN tunnel between the Cisco CSR 1000V router and Azure. Is it possible? Any documentation confirming that this is supported would be a great help.


5 Replies


Yes, pretty easy. My recommendation is to do it as a single-arm setup.

  1. Create VPC in Amazon say
  2. Create a Subnet for public facing traffic say
  3. Create CSR1000v instance in that subnet with IP Make sure you leave the default 8 GB drive size or you'll hate life when you try to restore an image. Test restores and reloads. I screwed up my configs a few times where it wouldn't reload - seems to take about 4-5 minutes on an m3.medium.
  4. IMPORTANT: Create an Elastic IP and assign that IP to the instance - you never want to lose this IP if you have to restart the CSR for some reason and get a new public.
  5. On your AWS global routes point your Azure IP range(s) and point at interface
  6. Disable source/destination checking on the interface
  7. On the CSR use this template to help create the config
  8. On Azure you'll want a dynamic VPN (you can only have 1 subnet connected otherwise) so as your VNet changes you can just use ACLs to allow or disallow traffic.

Simplified config looks like this (I believe for multi-SA dynamic IKEv2 beyond this you will have to do front-door VRF too):

crypto ikev2 proposal AzureVPN_IKEV2
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
crypto ikev2 policy AzureVPN_IKEV2_Policy
 proposal AzureVPN_IKEV2
! keyring entries are defined per peer: name, address, then the key
crypto ikev2 keyring AzureVPN_IKEV2Keyring
 peer <AZURE_PEER_NAME>
  address <AZURE_IP_ADDRESS>
  pre-shared-key <AZURE_PRE-SHARED-KEY>
crypto ikev2 profile AzureVPN_IKEV2Profile
 match address local interface GigabitEthernet1
 match identity remote address <AZURE_IP_ADDRESS>
 authentication remote pre-share
 authentication local pre-share
 keyring local AzureVPN_IKEV2Keyring

crypto ipsec transform-set AzureVPN_IPSecTransform esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile AzureVPN_IPSecProfile
 set transform-set AzureVPN_IPSecTransform
 set ikev2-profile AzureVPN_IKEV2Profile

interface Tunnel1
 ip address
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination <AZURE_IP_ADDRESS>
 tunnel protection ipsec profile AzureVPN_IPSecProfile

! dhcp will get the default routes for AS
interface GigabitEthernet1
 ip address dhcp
 ip access-group GW_INT_ALLOWED_IN in
 negotiation auto

ip route <AZURE_VNET> <AZURE_VNET_MASK> Tunnel1
ip access-list extended GW_INT_ALLOWED_IN
 remark Prevent fragmented packets
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 remark Allow inbound traffic for VPN tunneling
 permit esp any any
 permit udp any any eq isakmp
 permit udp any eq isakmp any
 permit udp any eq non500-isakmp any
 permit udp any any eq non500-isakmp
 remark Allow inbound ICMP for testing interface up
 permit icmp any any
 remark allow DHCP to the primary interface for AWS - important or it wont restart
 permit udp any eq bootps any eq bootpc
 permit udp any eq bootpc any eq bootps
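
A review check for a config like the one posted above, added here as an example and not part of the original reply or any Cisco tooling: it flags legacy IKEv2 proposal values and ESP/IKE ACL entries that accept any source instead of the Azure gateway address. The `audit` function and the `LEGACY` list are this example's own assumptions.

```python
import re

# Constructed sample: lines copied from the config in the post above.
SAMPLE = """\
crypto ikev2 proposal AzureVPN_IKEV2
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha1
group 2
crypto ikev2 policy AzureVPN_IKEV2_Policy
proposal AzureVPN_IKEV2
ip access-list extended GW_INT_ALLOWED_IN
deny ip any any fragments
permit esp any any
permit udp any any eq isakmp
permit udp any eq non500-isakmp any
permit icmp any any
"""

# Assumption: the values treated as legacy are this example's own list.
LEGACY = {"encryption": {"des", "3des"}, "integrity": {"md5", "sha1"},
          "group": {"1", "2", "5"}}
# Top-level commands that open a new section (works on flattened configs too).
SECTION = re.compile(r"^(crypto|interface|ip access-list|ip route)\s")
# ESP or IKE (isakmp / non500-isakmp) permitted with source "any".
OPEN_VPN_ACE = re.compile(r"^permit (esp any|udp any .*isakmp)")

def audit(config):
    """Return (section, line, reason) findings for an IOS-style config string."""
    findings, section = [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if SECTION.match(line):
            section = line
            continue
        words = line.split()
        if section.startswith("crypto ikev2 proposal") and words[0] in LEGACY:
            for value in words[1:]:
                if value in LEGACY[words[0]]:
                    findings.append((section, line, f"legacy {words[0]} {value}"))
        elif section.startswith("ip access-list") and OPEN_VPN_ACE.match(line):
            findings.append((section, line, "IKE/ESP permitted from any source"))
    return findings

if __name__ == "__main__":
    for section, line, reason in audit(SAMPLE):
        print(f"{section}: '{line}' -> {reason}")
```

Whether a stronger proposal can be used depends on what the Azure gateway will negotiate; the ACL entries can be narrowed to `<AZURE_IP_ADDRESS>` independently of that.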


I established the tunnel but it fails every 5 or 10 minutes. Any ideas?


You need to have some traffic to keep the tunnel up.

Not sure that it's possible to tune some timers from the Azure side.


Thanks, will try to do that.

For anyone trying to access the link, this is always the latest and greatest:

CSR1000v to VNET vpn
