Error with Site to Site VPN (Azure and Cisco ASA)

kamal.bernard
Level 1

Hi, I have configured a site-to-site VPN with Azure, and my remote site uses a Cisco ASA firewall.

In Azure the status shows as connected, but at the site end it shows the error below:

"IKEv2 Selected IKEv2 encryption algorithm (AES-CBC-128) is not strong enough to secure proposed IPsec encryption algorithm (AES-CBC-256)."

We are not able to ping from site to Azure and Azure to site due to this.

4 Replies

ASA(config)# crypto ikev2 proposal proposal-1

ASA(config-ikev2-proposal)# encryption aes-cbc-256 <- if this is not found, then by default AES-256 uses CBC.

kamal.bernard
Level 1

Dear MHM Cisco World,

Thank you for the reply. I will check on this and let you know.

@kamal.bernard I would check the IKEv2 Policy, as the error would seem to indicate you've got a more secure algorithm (AES 256) configured for the IPsec proposal than you do for the IKEv2 policy (AES 128?).

Check "show run crypto ikev2" and ensure you are using AES CBC 256.

Hi Rob,

Thank you for the reply.
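
The mismatch discussed in this thread can be checked offline against saved configuration. The following is an added example, not part of any post above and not Cisco's code: it reads ASA-style `crypto ikev2 policy` and `crypto ipsec ikev2 ipsec-proposal` sections and reports every pair where the IKEv2 cipher has a shorter key than the IPsec cipher. The sample configuration, the names in it and the ranking by AES key length are assumptions.

```python
import re

# AES key length per ASA encryption keyword. Assumption: strength is ranked
# by key length alone, as in the AES-CBC-128 vs AES-CBC-256 error message.
KEY_BITS = {"aes": 128, "aes-192": 192, "aes-256": 256,
            "aes-gcm": 128, "aes-gcm-192": 192, "aes-gcm-256": 256}

# Constructed sample of "show run crypto" output (not taken from the thread).
SAMPLE_BAD = """\
crypto ipsec ikev2 ipsec-proposal AZURE-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ikev2 policy 10
 encryption aes
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
"""
SAMPLE_FIXED = SAMPLE_BAD.replace(" encryption aes\n", " encryption aes-256\n")

def parse_crypto(config):
    """Return ({policy: [ciphers]}, {proposal: [ciphers]}) from the config text."""
    ike, ipsec, section = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"crypto ikev2 policy (\S+)", line):
            section = ike.setdefault(m.group(1), [])
        elif m := re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line):
            section = ipsec.setdefault(m.group(1), [])
        elif not line.startswith(" "):
            section = None  # any other top-level command closes the section
        elif section is not None and (
                m := re.match(r" (?:protocol esp )?encryption (.+)", line)):
            section.extend(m.group(1).split())
    return ike, ipsec

def weak_pairs(config):
    """Return (policy, ike_cipher, proposal, esp_cipher) where IKEv2 is weaker."""
    # Every policy is compared with every proposal: a hit is a possible pairing.
    ike, ipsec = parse_crypto(config)
    return [(pol, ic, prop, ec)
            for pol, ics in ike.items() for ic in ics
            for prop, ecs in ipsec.items() for ec in ecs
            if KEY_BITS.get(ic, 0) and KEY_BITS.get(ic, 0) < KEY_BITS.get(ec, 0)]

if __name__ == "__main__":
    print("before:", weak_pairs(SAMPLE_BAD))
    print("after: ", weak_pairs(SAMPLE_FIXED))
```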