06-02-2017 02:10 AM - edited 03-12-2019 02:27 AM
Hello,
We are having problems establishing an L2L VPN to Azure. We successfully bring the tunnel up at phase 1 and phase 2. This is the data:
Azure Network: 192.168.69.0/24
Azure Gateway: 192.168.70.0/24
Local Networks:
192.168.100.0/24
192.168.68.0/24
And this is my config on the ASA:
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto map VPNsZAL 45 match address azure-vpn-acl
crypto map VPNsZAL 45 set peer 13.94.234.139
crypto map VPNsZAL 45 set ikev1 transform-set azure-ipsec-proposal-set
crypto map VPNsZAL 45 set security-association lifetime seconds 3600
crypto map VPNsZAL 45 set security-association lifetime kilobytes 102400000
crypto map VPNsZAL interface outside
tunnel-group 13.94.234.139 type ipsec-l2l
tunnel-group 13.94.234.139 ipsec-attributes
ikev1 pre-shared-key *****
access-list azure-vpn-acl extended permit ip object-group zal-networks object-group azure-networks
object-group network azure-networks
network-object 192.168.69.0 255.255.255.0
network-object 192.168.70.0 255.255.255.0
object-group network zal-networks
network-object 192.168.100.0 255.255.255.0
network-object 192.168.68.0 255.255.255.0
nat (inside,outside) source static zal-networks zal-networks destination static azure-networks azure-networks
S* 0.0.0.0 0.0.0.0 [1/0] via 212.31.45.1, outside
S 10.120.0.0 255.255.252.0 [1/0] via 192.168.100.1, inside
C 10.255.255.0 255.255.255.0 is directly connected, LANFAIL
L 10.255.255.1 255.255.255.255 is directly connected, LANFAIL
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.100.1, inside
S 192.168.69.0 255.255.255.0 [1/0] via 13.94.234.139, outside
S 192.168.70.0 255.255.255.0 [1/0] via 13.94.234.139, outside
I have to create the routes to the Azure networks because we have a 192.168.0.0/16 route through inside, and that overlaps the Azure tunnel ranges.
I see that the ACL matches traffic:
access-list azure-vpn-acl line 1 extended permit ip object-group zal-networks object-group azure-networks (hitcnt=710) 0xb6e5e4b5
access-list azure-vpn-acl line 1 extended permit ip 192.168.100.0 255.255.255.0 192.168.69.0 255.255.255.0 (hitcnt=710) 0xbe330afa
access-list azure-vpn-acl line 1 extended permit ip 192.168.68.0 255.255.255.0 192.168.69.0 255.255.255.0 (hitcnt=702) 0xd22c02dd
access-list azure-vpn-acl line 1 extended permit ip 192.168.100.0 255.255.255.0 192.168.70.0 255.255.255.0 (hitcnt=72) 0xc9e149b2
access-list azure-vpn-acl line 1 extended permit ip 192.168.68.0 255.255.255.0 192.168.70.0 255.255.255.0 (hitcnt=664) 0x4003880a
And from the ICMP trace debug when I did tests, I saw the Azure virtual networks reaching me:
ICMP echo request from outside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4
ICMP echo request from outside:192.168.69.0 to inside:192.168.100.0 ID=1 seq=20778 len=4
ICMP echo request from inside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4
ICMP echo request from inside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4
ICMP echo request from outside:192.168.70.0 to inside:192.168.68.0 ID=1 seq=20779 len=4
ICMP echo request from outside:192.168.70.0 to inside:192.168.100.0 ID=1 seq=20780 len=4
ICMP echo request from inside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4
ICMP echo request from inside:192.168.70.0 to inside:192.168.68.0 ID=1 seq=20779 len=4
The weird thing is that the first packets from Azure come from outside, after that they go through inside, and then I always see the Azure virtual networks coming from inside...
I had a contact who allowed me to connect to one of their machines on Azure and do tests. We saw ICMP was open, so I tried to ping some devices on my local networks, and it did not work.
1 IKE Peer: 13.94.234.139
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50
access-list azure-vpn-acl extended permit ip 192.168.68.0 255.255.255.0 192.168.69.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
current_peer: 13.94.234.139
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 212.31.45.50/0, remote crypto endpt.: 13.94.234.139/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F6F7BC52
current inbound spi : 6440C427
inbound esp sas:
spi: 0x6440C427 (1681966119)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
sa timing: remaining key lifetime (kB/sec): (97199999/3523)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000005
outbound esp sas:
spi: 0xF6F7BC52 (4143430738)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
sa timing: remaining key lifetime (kB/sec): (97200000/3523)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50
access-list azure-vpn-acl extended permit ip 192.168.68.0 255.255.255.0 192.168.70.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)
current_peer: 13.94.234.139
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 212.31.45.50/0, remote crypto endpt.: 13.94.234.139/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 548A0046
current inbound spi : C3000B47
inbound esp sas:
spi: 0xC3000B47 (3271560007)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
sa timing: remaining key lifetime (kB/sec): (97199999/3523)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000005
outbound esp sas:
spi: 0x548A0046 (1418330182)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
sa timing: remaining key lifetime (kB/sec): (97200000/3523)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50
access-list azure-vpn-acl extended permit ip 192.168.100.0 255.255.255.0 192.168.69.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
current_peer: 13.94.234.139
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 212.31.45.50/0, remote crypto endpt.: 13.94.234.139/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B7325432
current inbound spi : B08B5565
inbound esp sas:
spi: 0xB08B5565 (2961921381)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
sa timing: remaining key lifetime (kB/sec): (97199999/3522)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000005
outbound esp sas:
spi: 0xB7325432 (3073528882)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
sa timing: remaining key lifetime (kB/sec): (97200000/3522)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50
access-list azure-vpn-acl extended permit ip 192.168.100.0 255.255.255.0 192.168.70.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)
current_peer: 13.94.234.139
#pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
#pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 41, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 212.31.45.50/0, remote crypto endpt.: 13.94.234.139/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 52392FA2
current inbound spi : 3EDB82DD
inbound esp sas:
spi: 0x3EDB82DD (1054573277)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
sa timing: remaining key lifetime (kB/sec): (97199998/641)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x0007FFFF 0xFFFFFFFD
outbound esp sas:
spi: 0x52392FA2 (1379479458)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
sa timing: remaining key lifetime (kB/sec): (97199997/640)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
I think maybe I have something wrong on my side, or on the Azure side it is being blocked somehow.
Thanks for the help.
Regards
06-02-2017 02:11 AM
Could someone help identify if there is something wrong on the ASA side?
Thanks,
Aitor