IKEv1 IPsec Tunnel Issues

Nathan Farrar
Level 1

Having issues getting the CSR 1000v in Azure to form any IPsec tunnels. The remote site is a SonicWall and unfortunately I do not have access to its configuration... let's assume it's configured correctly for IKEv1 route-based tunnels.

I've also stood up a physical FortiGate at a remote site and another CSR 1000v in Azure for testing. No matter what I cannot get past phase 1. It looks like phase 1 comes up but phase 2 just will not. Here is the config on the CSR:

*I'm using IP unnumbered because the remote SonicWall IT folks are telling me that they do not have a tunnel IP address.

crypto keyring ECW-VPN-KEYRING  
  pre-shared-key address 0.0.0.0 0.0.0.0 key SuperSecret0101
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 periodic
crypto isakmp profile VPN-PROFILE
   keyring VPN-KEYRING
   match identity address <remote site public> 255.255.255.255 
!
!
crypto ipsec transform-set VPN-XFORM esp-aes 256 esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set security-association lifetime seconds 28800
 set transform-set VPN-XFORM 
 set isakmp-profile VPN-PROFILE
!
!
!
!
!
!
! 
! 
!
!
interface Loopback0
 ip address 192.168.100.1 255.255.255.0
!
interface Tunnel0
 ip address unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel destination <remote site public>
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
 no mop enabled
 no mop sysid

ctm-tech
Level 1

Cannot comment on the config.

But we are using a CSR in Azure and the issues we have had all relate to the Network security group in place on our CSR.

We've opened 500,4500 Inbound and we have successful connections.
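
Added example, not part of either post above: one way to check whether a set of network security group rules lets a VPN peer reach the CSR on UDP 500 (IKE) and UDP 4500 (NAT traversal), evaluating rules lowest priority number first as Azure does. The rule list, rule names and the peer address 203.0.113.10 are constructed for illustration; the dictionary keys follow Azure's NSG rule property names.

```python
import ipaddress

# Constructed sample rules (not from the thread). Keys mirror Azure NSG rule
# properties; 203.0.113.10 is a documentation address standing in for the peer.
SAMPLE_RULES = [
    {"name": "allow-ike", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRanges": ["500"]},
    {"name": "deny-udp", "priority": 300, "direction": "Inbound", "access": "Deny",
     "protocol": "Udp", "sourceAddressPrefix": "*", "destinationPortRanges": ["0-65535"]},
    {"name": "allow-natt", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRanges": ["4500"]},
]

def port_matches(ranges, port):
    """True if port falls in any entry such as '*', '500' or '500-4500'."""
    for entry in ranges:
        low, _, high = entry.replace("*", "0-65535").partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def source_matches(prefix, peer):
    """Match '*' or a CIDR/IP prefix; service tags are not modelled here."""
    if prefix == "*":
        return True
    try:
        return ipaddress.ip_address(peer) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False

def evaluate(rules, peer, protocol, port):
    """Return (access, rule name) of the first match, lowest priority number first."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["direction"] == "Inbound"
                and rule["protocol"].lower() in ("*", protocol.lower())
                and source_matches(rule["sourceAddressPrefix"], peer)
                and port_matches(rule["destinationPortRanges"], port)):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"  # Azure's built-in default for Internet sources

def ike_ports_status(rules, peer):
    """Check the two UDP ports IKE needs: 500 (IKE) and 4500 (NAT traversal)."""
    return {port: evaluate(rules, peer, "Udp", port) for port in (500, 4500)}

if __name__ == "__main__":
    for port, (access, name) in ike_ports_status(SAMPLE_RULES, "203.0.113.10").items():
        print(f"UDP/{port}: {access} (rule {name})")
```

In the constructed rule set, UDP 500 is allowed but the UDP 4500 allow rule sits behind a broader deny with a lower priority number, so it never takes effect.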