This how-to is a step-by-step guide to configure an IPSec VPN connection from an on-premises Cisco vEdge device to Microsoft Azure.
⚠️ NOTE: If you are looking for a guide to set up Azure CloudOnramp for IaaS in an automated way via vManage, please see this configuration guide.
Hardware and Software used in this guide
vEdge running software version 18.4.0
Microsoft Azure account with valid subscription
vEdge must be fully registered to vBond / vSmart / vManage.
This guide assumes that nothing has been configured in Azure yet; some of these steps can be skipped if the resources already exist.
Configuring a VPN Gateway in Azure
Create a virtual network (VNET) in Azure. The address space should ideally not overlap with any other subnets you have in use anywhere else in your network. Also create a first subnet within the virtual network. In this example we use 10.1.0.0/16 as the address space for the entire VNET and 10.1.0.0/24 for the first subnet. The names for the VNET and the subnet are arbitrary.
Create a so-called "Gateway Subnet" inside the new VNET. The Gateway Subnet can be as small as a /27 to conserve IP address space.
Create a virtual network gateway. This is the VPN endpoint inside Azure to which your vEdge will establish the IPSec connection.
Name: Arbitrary name for this virtual network gateway.
Gateway type: Select VPN to enable IPSec.
VPN type: Select Route-based, which should generally be preferred over policy-based (crypto-map) VPNs.
SKU: Select VpnGw1 or higher, sized for the amount of traffic expected. The Basic SKU doesn't support BGP.
Enable active/active mode: Disable. This how-to does not currently support active/active mode.
Public IP address: Create a new public IP address.
Configure BGP ASN: Check to enable BGP.
Autonomous system number (ASN): Leave this as the default 65515. This is the ASN Azure presents itself as.
Create a local network gateway. The local network gateway represents your vEdge.
Name: Arbitrary name for your local vEdge.
IP address: Public IP address of your vEdge (B.B.B.B in this how-to).
Address space: Address space of the tunnel interface (192.168.100.0/30 in this how-to).
Configure BGP settings: Check to enable BGP.
Autonomous system number (ASN): ASN configured on the vEdge (65000 in this how-to).
BGP peer IP address: IP address on the vEdge which terminates the BGP session (192.168.100.1 in this how-to, the address of the ipsec1 interface).
Create a new connection between the virtual network gateway and the local network gateway.
Retrieve the public IPv4 address of the virtual network gateway in Azure.
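The Azure side of the steps above can also be built from the Azure CLI instead of the portal. The following script is an added example, not part of the original how-to; resource names, the region and the GatewaySubnet prefix are assumptions, while the address ranges, ASNs and SKU are the values this how-to uses.

```shell
#!/bin/sh
# Added example: Azure-side provisioning for the vEdge IPsec/BGP connection with the Azure CLI.
# Resource names, region and GatewaySubnet prefix are assumed; other values come from the how-to.
set -eu

RG=${RG:-rg-vedge-vpn}                        # assumed resource group
LOCATION=${LOCATION:-westeurope}              # assumed region
VEDGE_PUBLIC_IP=${VEDGE_PUBLIC_IP:-B.B.B.B}   # vEdge WAN public IP (placeholder from the how-to)
PSK_FILE=${PSK_FILE:-./vpn-psk.txt}           # pre-shared key kept in a file, not typed on the command line

# DRY_RUN=1 prints each command (with the secret redacted) instead of calling az.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "az $*"; else az "$@"; fi; }
shared_key() { if [ -n "${DRY_RUN:-}" ]; then echo "<contents of $PSK_FILE>"; else cat "$PSK_FILE"; fi; }

provision_azure_vpn() {
  run group create -n "$RG" -l "$LOCATION" -o none
  # VNET 10.1.0.0/16 with a first subnet 10.1.0.0/24
  run network vnet create -g "$RG" -n vnet-azure --address-prefix 10.1.0.0/16 \
      --subnet-name subnet1 --subnet-prefix 10.1.0.0/24 -o none
  # "GatewaySubnet" is the reserved name Azure requires; a /27 is enough. 10.1.1.224/27 is an
  # assumption chosen so that it contains the BGP peer 10.1.1.254 shown in the verification output.
  run network vnet subnet create -g "$RG" --vnet-name vnet-azure -n GatewaySubnet \
      --address-prefix 10.1.1.224/27 -o none
  # Basic-SKU dynamic IP as used with VpnGw1; newer gateway SKUs need --sku Standard --allocation-method Static
  run network public-ip create -g "$RG" -n pip-vpngw --allocation-method Dynamic -o none
  # Route-based VPN gateway, VpnGw1 (Basic has no BGP), single instance, Azure ASN 65515.
  # This call blocks until the gateway exists, which can take well over 30 minutes.
  run network vnet-gateway create -g "$RG" -n vpngw-azure --vnet vnet-azure \
      --public-ip-address pip-vpngw --gateway-type Vpn --vpn-type RouteBased \
      --sku VpnGw1 --asn 65515 -o none
  # Local network gateway = the vEdge: its public IP, the tunnel /30, BGP peer 192.168.100.1 in AS 65000
  run network local-gateway create -g "$RG" -n lgw-vedge1 \
      --gateway-ip-address "$VEDGE_PUBLIC_IP" --local-address-prefixes 192.168.100.0/30 \
      --asn 65000 --bgp-peering-address 192.168.100.1 -o none
  # IKEv2 site-to-site connection with BGP. Azure's default policy accepts the vEdge settings from
  # this how-to (aes256-cbc-sha2, DH group 2); a stricter policy can be pinned with
  # "az network vpn-connection ipsec-policy add", but only if the vEdge side is changed to match.
  run network vpn-connection create -g "$RG" -n cx-vedge1 --vnet-gateway1 vpngw-azure \
      --local-gateway2 lgw-vedge1 --shared-key "$(shared_key)" --enable-bgp -o none
}

# Public IP to use as tunnel-destination on the vEdge, and the connection state Azure reports.
gateway_public_ip() { run network public-ip show -g "$RG" -n pip-vpngw --query ipAddress -o tsv; }
connection_status() { run network vpn-connection show -g "$RG" -n cx-vedge1 --query connectionStatus -o tsv; }

if [ "${1:-}" = "apply" ]; then provision_azure_vpn; gateway_public_ip; fi
```

Run with `DRY_RUN=1 sh provision.sh apply` first to review the commands, then without DRY_RUN to create the resources.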
Log in to your vEdge to create and configure the IPSec interface.
The tunnel source interface (ge0/0 in the example below) needs to be the WAN-facing interface which is configured with the public IP (i.e. B.B.B.B in the case of this how-to). It needs to be reachable from the Azure virtual network gateway's public IP (i.e. from A.A.A.A in the case of this how-to).
vedge1# config
vedge1(config)# vpn 0 interface ipsec1
vedge1(config-interface-ipsec1)# ip address 192.168.100.1/30
vedge1(config-interface-ipsec1)# tunnel-source-interface ge0/0
vedge1(config-interface-ipsec1)# tunnel-destination A.A.A.A
vedge1(config-interface-ipsec1)# mtu 1400
vedge1(config-interface-ipsec1)# tcp-mss-adjust 1350
vedge1(config-interface-ipsec1)# no shutdown
Configure the IKE Version 2 parameters.
vedge1(config)# vpn 0 interface ipsec1 ike
vedge1(config-ike)# version 2
vedge1(config-ike)# group 2
vedge1(config-ike)# cipher-suite aes256-cbc-sha2
vedge1(config-ike)# rekey 86400
vedge1(config-ike)# authentication-type pre-shared-key pre-shared-secret ChooseSomeSecretPassword
vedge1(config-pre-shared-key)# local-id B.B.B.B
vedge1(config-pre-shared-key)# remote-id A.A.A.A
Commit all changes on vEdge and exit configuration mode.
vedge1(config)# commit
vedge1(config)# end
Perform the following steps to verify the IPSec tunnel on vEdge
Verify the ipsec1 interface is in up/up state and is receiving and transmitting packets.
vedge1# show interface | include ipsec1
0 ipsec1 ipv4 192.168.100.1/30 Up Up NA vlan service 1400 00:00:00:00:00:01 1000 full 1316 0:00:29:28 1943 37
Verify the state of the IPSec IKE session; check for the SPIs and the state (IKE_UP_IPSEC_UP).
vedge1# show ipsec ike sessions | include ipsec1
0 ipsec1 2 10.0.0.7 4500 A.A.A.A 4500 d12a70f1676929a3 f447897484c3dd7e aes256-cbc-sha2 2 (MODP-1024) IKE_UP_IPSEC_UP 0:00:33:59
Verify that the BGP connection is established.
vedge1# show bgp summary vpn 0
vpn 0
bgp-router-identifier 18.104.22.168
local-as 65000
rib-entries 4
rib-memory 448
total-peers 1
peer-memory 4816
Local-soo SoO:0:600
ignore-soo

                    MSG   MSG   OUT              PREFIX  PREFIX  PREFIX
NEIGHBOR     AS     RCVD  SENT  Q    UPTIME      RCVD    VALID   INSTALLED  STATE
---------------------------------------------------------------------------
10.1.1.254   65515  23    22    0    0:00:18:32  3       3       3          established
Verify that BGP is receiving routes from Azure.
vedge1# show ip routes vpn 0 bgp
Codes Proto-sub-type:
  IA -> ospf-intra-area, IE -> ospf-inter-area,
  E1 -> ospf-external1, E2 -> ospf-external2,
  N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
  e -> bgp-external, i -> bgp-internal
Codes Status flags:
  F -> fib, S -> selected, I -> inactive,
  B -> blackhole, R -> recursive

                                         PROTOCOL  NEXTHOP  NEXTHOP     NEXTHOP
VPN  PREFIX            PROTOCOL  SUB TYPE IF NAME   ADDR        VPN   TLOC IP  COLOR  ENCAP  STATUS
------------------------------------------------------------------------------------------------------
0    10.1.0.0/16       bgp       i        -         10.1.1.254  -     -        -      -      F,S,R
0    192.168.100.0/30  bgp       i        -         10.1.1.254  -     -        -      -      -
0    192.168.100.1/32  bgp       i        -         10.1.1.254  -     -        -      -      -
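The three checks above can be scripted for a management host that collects the command output from the vEdge (for example over SSH) and wants a pass/fail answer. This is an added example, not part of the original how-to; the sample outputs are constructed from the verification output shown above, and the SSH collection step is left to the caller.

```shell
#!/bin/sh
# Added example: pass/fail check over the vEdge verification commands from this how-to.
# Feed it the raw output of "show ipsec ike sessions", "show bgp summary vpn 0" and
# "show ip routes vpn 0 bgp"; header lines are ignored because they never match the field tests.
set -eu

TUNNEL_IF=ipsec1          # IPsec interface name used in the how-to
AZURE_PEER=10.1.1.254     # Azure gateway BGP peer address seen in "show bgp summary"
AZURE_AS=65515            # ASN Azure presents itself as
VNET_PREFIX=10.1.0.0/16   # VNET address space expected via BGP

# ike_ok OUTPUT: the tunnel's line reports IKE_UP_IPSEC_UP. The state is the second-to-last
# field; "2 (MODP-1024)" prints as two fields, so counting from the left is unreliable.
ike_ok() {
  printf '%s\n' "$1" | awk -v ifn="$TUNNEL_IF" \
    '$2==ifn && $(NF-1)=="IKE_UP_IPSEC_UP" {ok=1} END {exit !ok}'
}

# bgp_ok OUTPUT: the Azure peer is in AS 65515 and the session state is "established"
bgp_ok() {
  printf '%s\n' "$1" | awk -v p="$AZURE_PEER" -v as="$AZURE_AS" \
    '$1==p && $2==as && $NF=="established" {ok=1} END {exit !ok}'
}

# route_ok OUTPUT: the VNET prefix learned from the peer is selected and in the FIB (S and F flags)
route_ok() {
  printf '%s\n' "$1" | awk -v pfx="$VNET_PREFIX" -v p="$AZURE_PEER" \
    '$2==pfx && $3=="bgp" && $6==p && $NF ~ /F/ && $NF ~ /S/ {ok=1} END {exit !ok}'
}

# check_vedge_tunnel IKE_OUT BGP_OUT ROUTE_OUT: one line per check, returns 0 only if all pass
check_vedge_tunnel() {
  rc=0
  ike_ok "$1"   && echo "ike:    up"                    || { echo "ike:    down or missing"; rc=1; }
  bgp_ok "$2"   && echo "bgp:    established"           || { echo "bgp:    not established"; rc=1; }
  route_ok "$3" && echo "routes: $VNET_PREFIX installed" || { echo "routes: $VNET_PREFIX missing"; rc=1; }
  return $rc
}

# Constructed samples, copied from the how-to's own verification output
SAMPLE_IKE='0 ipsec1 2 10.0.0.7 4500 A.A.A.A 4500 d12a70f1676929a3 f447897484c3dd7e aes256-cbc-sha2 2 (MODP-1024) IKE_UP_IPSEC_UP 0:00:33:59'
SAMPLE_BGP='10.1.1.254 65515 23 22 0 0:00:18:32 3 3 3 established'
SAMPLE_ROUTES='0 10.1.0.0/16 bgp i - 10.1.1.254 - - - - F,S,R
0 192.168.100.0/30 bgp i - 10.1.1.254 - - - - -'

check_vedge_tunnel "$SAMPLE_IKE" "$SAMPLE_BGP" "$SAMPLE_ROUTES"
```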
Perform the following steps to verify the IPSec tunnel in Azure
Check the status of the connection to vEdge in the virtual network gateway
Please see these links for additional information: