
Establish VPN between Azure and CSR 1000V

I have a CSR set up in my Virtual Private Cloud and we would like to establish a VPN tunnel between the Cisco CSR 1000V router and Azure. Is it possible? Any documentation referring to this being supported would be a great help.

Thanks

5 REPLIES

Yes, pretty easy. My recommendation is to do it as a single-arm setup.

  1. Create a VPC in Amazon, say 10.0.0.0/16.
  2. Create a subnet for public-facing traffic, say 10.0.254.0/24.
  3. Create the CSR1000v instance in that subnet with IP 10.0.254.254. Make sure you leave the default 8 GB drive size or you'll hate life when you try to restore an image. Test restores and reloads. I screwed up my configs a few times where it wouldn't reload; it seems to take about 4-5 minutes on an m3.medium.
  4. IMPORTANT: Create an Elastic IP and assign that IP to the instance. You never want to lose this IP if you have to restart the CSR for some reason and get a new public IP.
  5. In your AWS route tables, point your Azure IP range(s) at the 10.0.254.254 interface.
  6. Disable source/destination checking on the interface.
  7. On the CSR, use this template to help create the config: https://github.com/Azure/Azure-vpn-config-samples/blob/master/Cisco/cisco-isr-ios-15.1-dynamic-routing.cfg
  8. On Azure you'll want a dynamic VPN (you can only have one subnet connected otherwise), so as your VNet changes you can just use ACLs to allow or disallow traffic. https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-vnet-vnet-rm-ps/

The simplified config looks like this (I believe for multi-SA dynamic IKEv2 beyond this you will have to do a front-door VRF too):

crypto ikev2 proposal AzureVPN_IKEV2
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy AzureVPN_IKEV2_Policy
 proposal AzureVPN_IKEV2
!
crypto ikev2 keyring AzureVPN_IKEV2Keyring
 peer <AZURE_IP_ADDRESS>
  address <AZURE_IP_ADDRESS>
  pre-shared-key <AZURE_PRE-SHARED-KEY>
!
crypto ikev2 profile AzureVPN_IKEV2Profile
 match address local interface GigabitEthernet1
 match identity remote address <AZURE_IP_ADDRESS> 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local AzureVPN_IKEV2Keyring
!
crypto ipsec transform-set AzureVPN_IPSecTransform esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile AzureVPN_IPSecProfile
 set transform-set AzureVPN_IPSecTransform
 set ikev2-profile AzureVPN_IKEV2Profile
!
interface Tunnel1
 ip address 169.254.0.1 255.255.255.0
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination <AZURE_IP_ADDRESS>
 tunnel protection ipsec profile AzureVPN_IPSecProfile
!
! DHCP will get the default routes for AWS
interface GigabitEthernet1
 ip address dhcp
 ip access-group GW_INT_ALLOWED_IN in
 negotiation auto
!
ip route <AZURE_VNET> <AZURE_VNET_MASK> Tunnel1
!
ip access-list extended GW_INT_ALLOWED_IN
 remark Prevent fragmented packets
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 remark Allow inbound traffic for VPN tunneling
 permit esp any any
 permit udp any any eq isakmp
 permit udp any eq isakmp any
 permit udp any eq non500-isakmp any
 permit udp any any eq non500-isakmp
 remark Allow inbound ICMP for testing interface up
 permit icmp any any
 remark Allow DHCP to the primary interface for AWS - important or it won't restart
 permit udp any eq bootps any eq bootpc
 permit udp any eq bootpc any eq bootps
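As an added example (not the poster's config and not from the Azure sample repo), a short Python check that parses the crypto and ACL sections of a template like the one above and flags legacy IKEv2/IPsec algorithms plus missing IKE/ESP permits on the outside ACL. The list of "weak" tokens and the required ACL entries are this example's own assumptions, not Azure or Cisco requirements.

```python
"""Audit the IKEv2/IPsec parameters of an IOS-style CSR config."""

# Constructed sample: the crypto and ACL parts of the template posted above.
SAMPLE_CONFIG = """\
crypto ikev2 proposal AzureVPN_IKEV2
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ipsec transform-set AzureVPN_IPSecTransform esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended GW_INT_ALLOWED_IN
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
"""

# Assumed review policy: legacy ciphers, hashes and DH groups a reviewer would flag.
WEAK = {"3des", "des", "esp-3des", "esp-md5-hmac", "md5", "sha1",
        "group 1", "group 2", "group 5"}
# ACL fragments the tunnel needs inbound: ESP, UDP/500 (IKE), UDP/4500 (NAT-T).
REQUIRED_ACL = ["permit esp", "eq isakmp", "eq non500-isakmp"]


def audit(config: str) -> dict:
    """Return weak algorithm tokens found and required ACL entries missing."""
    findings = {"weak": [], "missing_acl": []}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(("encryption", "integrity")):
            # IKEv2 proposal: every token after the keyword is an algorithm.
            findings["weak"] += [t for t in line.split()[1:] if t in WEAK]
        elif line.startswith("group") and line in WEAK:
            findings["weak"].append(line)          # e.g. "group 2"
        elif line.startswith("crypto ipsec transform-set"):
            # Tokens after the transform-set name are the ESP algorithms.
            findings["weak"] += [t for t in line.split()[4:] if t in WEAK]
    # Substring check is enough for the flat "permit ..." lines of the ACL.
    findings["missing_acl"] = [n for n in REQUIRED_ACL if n not in config]
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```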

Hi,

I established the tunnel but it fails every 5 or 10 minutes. Any ideas?

Regards

You need to have some traffic to keep the tunnel up.

Not sure that it's possible to tune any timers from the Azure side.

Hi,

Thanks, will try to do that.

For anyone trying to access the link, this is always the latest and greatest:

https://github.com/Azure/Azure-vpn-config-samples/tree/master/Cisco/Current

CSR1000v to VNET vpn