Problem Establishing VPN Cisco ASA against Azure

Hello,

We are having problems establishing an L2L VPN to Azure. The tunnel comes up successfully at phase 1 and phase 2. These are the details:

Azure Network: 192.168.69.0/24

Azure Gateway: 192.168.70.0/24

Local Networks:

192.168.100.0/24

192.168.68.0/24

And this is my config on the ASA:

crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac

crypto map VPNsZAL 45 match address azure-vpn-acl
crypto map VPNsZAL 45 set peer 13.94.234.139
crypto map VPNsZAL 45 set ikev1 transform-set azure-ipsec-proposal-set
crypto map VPNsZAL 45 set security-association lifetime seconds 3600
crypto map VPNsZAL 45 set security-association lifetime kilobytes 102400000

crypto map VPNsZAL interface outside

tunnel-group 13.94.234.139 type ipsec-l2l
tunnel-group 13.94.234.139 ipsec-attributes
 ikev1 pre-shared-key *****

access-list azure-vpn-acl extended permit ip object-group zal-networks object-group azure-networks

object-group network azure-networks
 network-object 192.168.69.0 255.255.255.0
 network-object 192.168.70.0 255.255.255.0
object-group network zal-networks
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.68.0 255.255.255.0

nat (inside,outside) source static zal-networks zal-networks destination static azure-networks azure-networks

S* 0.0.0.0 0.0.0.0 [1/0] via 212.31.45.1, outside
S 10.120.0.0 255.255.252.0 [1/0] via 192.168.100.1, inside
C 10.255.255.0 255.255.255.0 is directly connected, LANFAIL
L 10.255.255.1 255.255.255.255 is directly connected, LANFAIL
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.100.1, inside
S 192.168.69.0 255.255.255.0 [1/0] via 13.94.234.139, outside
S 192.168.70.0 255.255.255.0 [1/0] via 13.94.234.139, outside

I had to create the routes to the Azure networks because we have a 192.168.0.0/16 route through inside, and that overlaps the Azure tunnel ranges.

I see that the ACL matches traffic:

access-list azure-vpn-acl line 1 extended permit ip object-group zal-networks object-group azure-networks (hitcnt=710) 0xb6e5e4b5
  access-list azure-vpn-acl line 1 extended permit ip 192.168.100.0 255.255.255.0 192.168.69.0 255.255.255.0 (hitcnt=710) 0xbe330afa
  access-list azure-vpn-acl line 1 extended permit ip 192.168.68.0 255.255.255.0 192.168.69.0 255.255.255.0 (hitcnt=702) 0xd22c02dd
  access-list azure-vpn-acl line 1 extended permit ip 192.168.100.0 255.255.255.0 192.168.70.0 255.255.255.0 (hitcnt=72) 0xc9e149b2
  access-list azure-vpn-acl line 1 extended permit ip 192.168.68.0 255.255.255.0 192.168.70.0 255.255.255.0 (hitcnt=664) 0x4003880a

And from the ICMP debug trace when I did tests, I saw the Azure virtual networks reaching me:

ICMP echo request from outside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4
ICMP echo request from outside:192.168.69.0 to inside:192.168.100.0 ID=1 seq=20778 len=4
ICMP echo request from inside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4
ICMP echo request from inside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4
ICMP echo request from outside:192.168.70.0 to inside:192.168.68.0 ID=1 seq=20779 len=4
ICMP echo request from outside:192.168.70.0 to inside:192.168.100.0 ID=1 seq=20780 len=4
ICMP echo request from inside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4
ICMP echo request from inside:192.168.70.0 to inside:192.168.68.0 ID=1 seq=20779 len=4

The weird thing is that the first packets from Azure come from outside, after that they go through inside, and then I always see the Azure virtual networks coming from inside...

I had a contact who allowed me to connect to one of their machines on Azure and do tests. We saw ICMP was open, so I tried to ping some devices on my local networks and it did not work.

1   IKE Peer: 13.94.234.139
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50

      access-list azure-vpn-acl extended permit ip 192.168.68.0 255.255.255.0 192.168.69.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.31.45.50/0, remote crypto endpt.: 13.94.234.139/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: F6F7BC52
      current inbound spi : 6440C427
              
    inbound esp sas:
      spi: 0x6440C427 (1681966119)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97199999/3523)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000005
    outbound esp sas:
      spi: 0xF6F7BC52 (4143430738)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97200000/3523)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50

      access-list azure-vpn-acl extended permit ip 192.168.68.0 255.255.255.0 192.168.70.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.31.45.50/0, remote crypto endpt.: 13.94.234.139/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 548A0046
      current inbound spi : C3000B47

    inbound esp sas:
      spi: 0xC3000B47 (3271560007)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97199999/3523)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000005
    outbound esp sas:
      spi: 0x548A0046 (1418330182)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97200000/3523)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50

      access-list azure-vpn-acl extended permit ip 192.168.100.0 255.255.255.0 192.168.69.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.31.45.50/0, remote crypto endpt.: 13.94.234.139/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: B7325432
      current inbound spi : B08B5565

    inbound esp sas:
      spi: 0xB08B5565 (2961921381)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97199999/3522)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000005
    outbound esp sas:
      spi: 0xB7325432 (3073528882)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97200000/3522)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50

      access-list azure-vpn-acl extended permit ip 192.168.100.0 255.255.255.0 192.168.70.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139
              

      #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
      #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 41, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.31.45.50/0, remote crypto endpt.: 13.94.234.139/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 52392FA2
      current inbound spi : 3EDB82DD

    inbound esp sas:
      spi: 0x3EDB82DD (1054573277)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97199998/641)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x0007FFFF 0xFFFFFFFD
    outbound esp sas:
      spi: 0x52392FA2 (1379479458)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97199997/640)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

I think maybe I have something wrong on my side, or on the Azure side something is being blocked somehow.

Thanks for the help.

Regards

1 Reply

May someone help to identify if there is something wrong on the ASA side?

Thanks,

Aitor
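The most telling data in the original post is the per-SA counters from `show crypto ipsec sa`: three of the four SAs show `#pkts encaps: 0` against `#pkts decaps: 1`, i.e. the ASA decrypts what Azure sends but never encrypts a reply into that SA, while only the 192.168.100.0/24 <-> 192.168.70.0/24 SA carries traffic both ways. The script below is an added example, not code from the poster or from Cisco: it parses `show crypto ipsec sa` output and flags SAs that carry packets in only one direction, which is the first thing to check when phases 1 and 2 are up but pings fail. The sample text is constructed, trimmed to the lines the parser needs, with counters copied from the four SAs above; run it against the full output of your own ASA.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample (not output captured from the poster's ASA): only the lines
# the parser needs, with the counters taken from the four SAs in the post.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50
      local ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
    Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50
      local ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
    Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
    Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139
      #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
      #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
"""

SA_SPLIT_RE = re.compile(r"^\s*Crypto map tag:", re.MULTILINE)
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"
)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
PEER_RE = re.compile(r"current_peer: ([\d.]+)")

# Human-readable meaning of each verdict, printed next to the counters.
VERDICTS: Dict[str, str] = {
    "ok": "traffic flows in both directions",
    "inbound-only": "peer's packets are decrypted but nothing is encrypted back through "
                    "this SA (return traffic is not reaching the crypto map)",
    "outbound-only": "we encrypt but the peer never sends (check the far-end policy/route)",
    "idle": "no traffic in either direction yet",
}


@dataclass
class IpsecSa:
    local: str    # local proxy ID in CIDR form
    remote: str   # remote proxy ID in CIDR form
    peer: str
    encaps: int   # packets this ASA encrypted into the SA
    decaps: int   # packets this ASA decrypted from the SA

    @property
    def verdict(self) -> str:
        if self.encaps and self.decaps:
            return "ok"
        if self.decaps:
            return "inbound-only"
        if self.encaps:
            return "outbound-only"
        return "idle"


def _cidr(addr: str, mask: str) -> str:
    # ip_network accepts dotted netmasks: "192.168.68.0/255.255.255.0" -> "192.168.68.0/24"
    return str(ipaddress.ip_network(f"{addr}/{mask}"))


def parse_crypto_ipsec_sa(text: str) -> List[IpsecSa]:
    """One IpsecSa per 'Crypto map tag:' section of `show crypto ipsec sa` output."""
    sas: List[IpsecSa] = []
    for chunk in SA_SPLIT_RE.split(text)[1:]:  # element 0 is text before the first SA
        idents = {m.group(1): _cidr(m.group(2), m.group(3)) for m in IDENT_RE.finditer(chunk)}
        counters = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(chunk)}
        peer = PEER_RE.search(chunk)
        if ("local" not in idents or "remote" not in idents
                or "encaps" not in counters or "decaps" not in counters or peer is None):
            continue  # truncated section: skip it rather than guess
        sas.append(IpsecSa(idents["local"], idents["remote"], peer.group(1),
                           counters["encaps"], counters["decaps"]))
    return sas


def find_asymmetric(sas: List[IpsecSa]) -> List[IpsecSa]:
    """SAs where only one direction carries packets."""
    return [sa for sa in sas if sa.verdict in ("inbound-only", "outbound-only")]


if __name__ == "__main__":
    for sa in parse_crypto_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        print(f"{sa.local:>17} <-> {sa.remote:<17} peer={sa.peer} "
              f"encaps={sa.encaps:<3} decaps={sa.decaps:<3} {sa.verdict}: {VERDICTS[sa.verdict]}")
```

On the counters from the post this reports `inbound-only` for the three SAs whose local side is 192.168.68.0/24 or whose remote side is 192.168.69.0/24, and `ok` only for 192.168.100.0/24 <-> 192.168.70.0/24. An inbound-only SA means the decrypted packet was delivered but the reply never matched the crypto ACL on the way out, so the place to look is the return path on the ASA (routing toward the outside interface and the NAT exemption for that exact subnet pair), not the IKE negotiation.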
