This how-to is a step-by-step guide to configure an IPSec VPN Connection from an on-premise Cisco vEdge device to Microsoft Azure.
⚠️ NOTE: If you are looking for a guide to set up Azure Cloud OnRamp for IaaS in an automated way via vManage, please see this configuration guide.
Hardware and Software used in this guide
vEdge running software version 18.4.0
Microsoft Azure account with valid subscription
vEdge must be fully registered to vBond / vSmart / vManage.
This guide assumes that nothing has been configured in Azure yet; some of these steps can be skipped if the resources already exist.
Configuring a VPN Gateway in Azure
Create a virtual network (VNET) in Azure. The address space should ideally not overlap with any other subnets you have in use anywhere else in your network. Also create a first subnet within the virtual network. In this example we use 10.1.0.0/16 as the address space for the entire VNET and 10.1.0.0/24 for the first subnet. The names for the VNET and the subnet are arbitrary.
Create a so-called "Gateway Subnet" inside the new VNET. The Gateway Subnet can be as small as a /27 to conserve IP address space.
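The two rules in the steps above (the VNET address space must not overlap anything else in use, and the first subnet and GatewaySubnet are carved out of it) can be checked before anything is created in the portal. The following Python script is an added example and not part of the how-to; the list of in-use prefixes is a constructed input, and the subnet sizes default to the values used in this guide (/24 first subnet, /27 GatewaySubnet).

```python
import ipaddress

# Constructed planning input: prefixes already in use elsewhere in the network
# (an on-prem LAN, a private range, and the /30 used for the IPSec tunnel interface).
IN_USE_PREFIXES = ["10.0.0.0/24", "172.16.0.0/12", "192.168.100.0/30"]


def check_no_overlap(vnet_cidr, in_use_prefixes):
    """Return the VNET network, or raise ValueError naming the first
    in-use prefix that overlaps the proposed VNET address space."""
    vnet = ipaddress.ip_network(vnet_cidr)
    for p in in_use_prefixes:
        other = ipaddress.ip_network(p)
        if vnet.overlaps(other):
            raise ValueError(f"VNET {vnet} overlaps in-use prefix {other}")
    return vnet


def plan_vnet(vnet_cidr, in_use_prefixes, first_subnet_len=24, gateway_subnet_len=27):
    """Validate the address space, then carve the first subnet and the
    GatewaySubnet out of it so that the two do not overlap each other."""
    vnet = check_no_overlap(vnet_cidr, in_use_prefixes)
    # subnets() raises ValueError itself if the requested prefix is not longer than the VNET's.
    first = next(vnet.subnets(new_prefix=first_subnet_len))
    gateway = next((s for s in vnet.subnets(new_prefix=gateway_subnet_len)
                    if not s.overlaps(first)), None)
    if gateway is None:
        raise ValueError(f"{vnet} is too small to hold both subnets")
    return {"vnet": str(vnet), "first_subnet": str(first), "gateway_subnet": str(gateway)}


if __name__ == "__main__":
    # With the guide's 10.1.0.0/16 this yields 10.1.0.0/24 and 10.1.1.0/27.
    print(plan_vnet("10.1.0.0/16", IN_USE_PREFIXES))
```

Run it with the address space you intend to use and every prefix that is routed anywhere in your network, including other VNETs and the tunnel /30; an overlap surfaces as a ValueError before the VNET is created rather than as unreachable routes after the BGP session comes up.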
Create a virtual network gateway. This is the VPN endpoint inside Azure to which your vEdge will establish the IPSec connection.
Name: an arbitrary name for this virtual network gateway.
Gateway type: select VPN to enable IPSec.
VPN type: select Route-based, which should generally be preferred over policy-based (crypto-map) VPNs.
SKU: select VpnGw1 or greater based on the amount of traffic needed. Basic doesn't support BGP.
Enable active/active mode: Disable. This how-to does not currently support active/active mode.
Public IP address: create a new public IP address.
Configure BGP ASN: enable it and leave the Autonomous system number (ASN) at the default 65515. This is the ASN Azure presents itself as.
Create a local network gateway. The local network gateway represents your vEdge.
Name: an arbitrary name for your local vEdge.
IP address: the public IP address of your vEdge.
Address space: the address space for the tunnel interface.
Configure BGP settings: check to enable BGP.
Autonomous system number (ASN): the ASN configured on the vEdge.
BGP peer IP address: the IP address on the vEdge which terminates the BGP connection.
Create a new connection between the virtual network gateway and the local network gateway.
Retrieve the public IPv4 address of the virtual network gateway in Azure.
Log in to your vEdge to create and configure the IPSec interface.
The tunnel source interface (ge0/0 in the example below) needs to be the WAN-facing interface which is configured with the public IP (i.e. B.B.B.B in the case of this how-to). It needs to be reachable from the Azure virtual network gateway's public IP (i.e. from A.A.A.A in the case of this how-to).
vedge1# config
vedge1(config)# vpn 0 interface ipsec1
vedge1(config-interface-ipsec1)# ip address 192.168.100.1/30
vedge1(config-interface-ipsec1)# tunnel-source-interface ge0/0
vedge1(config-interface-ipsec1)# tunnel-destination A.A.A.A
vedge1(config-interface-ipsec1)# mtu 1400
vedge1(config-interface-ipsec1)# tcp-mss-adjust 1350
vedge1(config-interface-ipsec1)# no shutdown
Configure the IKE Version 2 parameters.
vedge1(config)# vpn 0 interface ipsec1 ike
vedge1(config-ike)# version 2
vedge1(config-ike)# group 2
vedge1(config-ike)# cipher-suite aes256-cbc-sha2
vedge1(config-ike)# rekey 86400
vedge1(config-ike)# authentication-type pre-shared-key pre-shared-secret ChooseSomeSecretPassword
vedge1(config-pre-shared-key)# local-id B.B.B.B
vedge1(config-pre-shared-key)# remote-id A.A.A.A
Commit all changes on vEdge and exit configuration mode.
vedge1(config)# commit
vedge1(config)# end
Perform the following steps to verify the IPSec tunnel on vEdge
Verify the ipsec1 interface is in up/up state and receiving / transmitting packets.
vedge1# show interface | include ipsec1
0  ipsec1  ipv4  192.168.100.1/30  Up  Up  NA  vlan  service  1400  00:00:00:00:00:01  1000  full  1316  0:00:29:28  1943  37
Verify the state of the IPSec IKE session; check that SPIs are present and that the state is IKE_UP_IPSEC_UP.
vedge1# show ipsec ike sessions | include ipsec1
0  ipsec1  2  10.0.0.7  4500  A.A.A.A  4500  d12a70f1676929a3  f447897484c3dd7e  aes256-cbc-sha2  2 (MODP-1024)  IKE_UP_IPSEC_UP  0:00:33:59
Verify that the BGP connection is established.
vedge1# show bgp summary vpn 0
vpn 0
bgp-router-identifier 188.8.131.52
local-as 65000
rib-entries 4
rib-memory 448
total-peers 1
peer-memory 4816
Local-soo SoO:0:600
ignore-soo

                           MSG   MSG   OUT                PREFIX  PREFIX  PREFIX
NEIGHBOR    AS     RCVD  SENT  Q    UPTIME       RCVD    VALID   INSTALLED  STATE
---------------------------------------------------------------------------
10.1.1.254  65515  23    22    0    0:00:18:32   3       3       3          established
Verify that BGP is receiving routes from Azure.
vedge1# show ip routes vpn 0 bgp
Codes Proto-sub-type:
  IA -> ospf-intra-area, IE -> ospf-inter-area,
  E1 -> ospf-external1, E2 -> ospf-external2,
  N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
  e -> bgp-external, i -> bgp-internal
Codes Status flags:
  F -> fib, S -> selected, I -> inactive,
  B -> blackhole, R -> recursive

                                         PROTOCOL  NEXTHOP  NEXTHOP     NEXTHOP
VPN  PREFIX            PROTOCOL  SUB TYPE  IF NAME  ADDR        VPN      TLOC IP  COLOR  ENCAP  STATUS
------------------------------------------------------------------------------------------------------
0    10.1.0.0/16       bgp       i         -        10.1.1.254  -        -        -      -      F,S,R
0    192.168.100.0/30  bgp       i         -        10.1.1.254  -        -        -      -      -
0    192.168.100.1/32  bgp       i         -        10.1.1.254  -        -        -      -      -
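The four verification outputs above can be checked mechanically, which is useful once the tunnel is monitored rather than inspected by hand. The script below is an added example and not code from this how-to or from Cisco: it parses copies of the page's own command outputs (embedded as constructed sample text, with A.A.A.A kept as the placeholder for the Azure gateway IP) and reports anything that deviates from the healthy state shown, namely the interface not up/up, the IKE session not in IKE_UP_IPSEC_UP, no established BGP session with AS 65515, or the 10.1.0.0/16 route not selected and installed. It also flags the 1024-bit DH group (group 2) negotiated in the sample as weak, which is reported as an advisory rather than a failure.

```python
import ipaddress

# Constructed sample: the command outputs from the verification steps above, copied
# from the how-to (A.A.A.A is the page's placeholder for the Azure gateway public IP).
SHOW_INTERFACE = (
    "0 ipsec1 ipv4 192.168.100.1/30 Up Up NA vlan service 1400 "
    "00:00:00:00:00:01 1000 full 1316 0:00:29:28 1943 37"
)
SHOW_IKE = (
    "0 ipsec1 2 10.0.0.7 4500 A.A.A.A 4500 d12a70f1676929a3 f447897484c3dd7e "
    "aes256-cbc-sha2 2 (MODP-1024) IKE_UP_IPSEC_UP 0:00:33:59"
)
SHOW_BGP_SUMMARY = """\
vpn 0
bgp-router-identifier 188.8.131.52
local-as 65000
total-peers 1
NEIGHBOR AS RCVD SENT Q UPTIME RCVD VALID INSTALLED STATE
10.1.1.254 65515 23 22 0 0:00:18:32 3 3 3 established
"""
SHOW_ROUTES = """\
0 10.1.0.0/16 bgp i - 10.1.1.254 - - - - F,S,R
0 192.168.100.0/30 bgp i - 10.1.1.254 - - - - -
0 192.168.100.1/32 bgp i - 10.1.1.254 - - - - -
"""

# Diffie-Hellman groups that RFC 8247 rates as too weak for new IKEv2 deployments.
WEAK_DH_GROUPS = {"MODP-768", "MODP-1024"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_interface(line):
    """One row of 'show interface': admin/oper state and packet counters."""
    f = line.split()
    return {"name": f[1], "admin": f[4], "oper": f[5],
            "rx_pkts": int(f[-2]), "tx_pkts": int(f[-1])}


def parse_ike_session(line):
    """One row of 'show ipsec ike sessions': peer, cipher suite, DH group and state."""
    f = line.split()
    return {"name": f[1], "version": int(f[2]), "peer": f[5], "cipher": f[9],
            "dh_group": f[11].strip("()"), "state": f[12], "uptime": f[13]}


def parse_bgp_peers(text):
    """Neighbor rows of 'show bgp summary': a row starts with an IP and has 10 columns."""
    peers = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 10 and _is_ip(f[0]):
            peers.append({"neighbor": f[0], "as": int(f[1]),
                          "prefixes_received": int(f[6]), "state": f[9]})
    return peers


def parse_bgp_routes(text):
    """Route rows of 'show ip routes vpn 0 bgp', keyed by prefix; a '-' status means no flags."""
    routes = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 11 and f[2] == "bgp":
            routes[f[1]] = {"nexthop": f[5], "flags": set(f[10].split(",")) - {"-"}}
    return routes


def check_tunnel(interface, ike, peers, routes, azure_as=65515, azure_prefix="10.1.0.0/16"):
    """Return a list of problems; an empty list means the tunnel is healthy."""
    problems = []
    if (interface["admin"], interface["oper"]) != ("Up", "Up"):
        problems.append(f"{interface['name']} is {interface['admin']}/{interface['oper']}")
    if interface["rx_pkts"] == 0:
        problems.append(f"{interface['name']} has received no packets")
    if ike["state"] != "IKE_UP_IPSEC_UP":
        problems.append(f"IKE session to {ike['peer']} is {ike['state']}")
    if not any(p["as"] == azure_as and p["state"] == "established" for p in peers):
        problems.append(f"no established BGP session with AS {azure_as}")
    route = routes.get(azure_prefix)
    if route is None or not {"F", "S"} <= route["flags"]:
        problems.append(f"{azure_prefix} not learned via BGP or not selected/installed")
    return problems


def advisories(ike):
    """Configuration warnings that do not stop the tunnel from working."""
    notes = []
    if ike["dh_group"] in WEAK_DH_GROUPS:
        notes.append(f"IKE DH group {ike['dh_group']} is weak; prefer a 2048-bit or stronger group")
    return notes


def verify_sample():
    """Run every check over the embedded sample; returns (problems, advisories)."""
    ike = parse_ike_session(SHOW_IKE)
    problems = check_tunnel(parse_interface(SHOW_INTERFACE), ike,
                            parse_bgp_peers(SHOW_BGP_SUMMARY), parse_bgp_routes(SHOW_ROUTES))
    return problems, advisories(ike)


if __name__ == "__main__":
    problems, notes = verify_sample()
    print("tunnel healthy" if not problems else "problems: " + "; ".join(problems))
    for n in notes:
        print("advisory:", n)
```

To use it against a live device, feed the same four commands' output (collected over SSH or from vManage) into the parse functions in place of the embedded samples; the column positions are those of the 18.4 output shown above and should be re-checked on other releases.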
Perform the following steps to verify the IPSec tunnel in Azure
Check the status of the connection to vEdge in the virtual network gateway
Please see these links for additional information: