Site to Site VPN between Azure and Cisco ASA

antoniokida · ‎09-13-2020

Hello Guys,

Hopefully, you can provide me some guidance, I'm trying to set up a Site to Site VPN between Azure (I) and Cisco ASA (Customer), on the Azure side I created it as Route based and sent the script to the customer, however, I'm not able to get the VPN connected. On the Azure side first, it showed an error saying there was a mismatch in the IPSEC/IKE policy. Checking the logs on Azure I saw this mismatch error and asked the Customer to verify the policy, I think he did a change because later on the logs the policy mismatch error was no longer there, now I saw the tunnel was being created but then it gets closed:

[LOCAL_MSG] IKE Tunnel created for tunnelId 0x1

...

[LOCAL_MSG] IKE Tunnel closed for tunnelId 0x1 with status Main mode SA lifetime expired or peer sent a main mode delete.

Can you help me see why the tunnel is being close, I'm attaching the logs.

PS. I have asked the customer to provide me their configuration so I can check on my own and make sure the parameters match. Also, I have asked for the debug info for both Phase1 and Phase2.

Thanks in advance!!

Antonio

marce1000 · ‎09-14-2020

- Check if this guide can help you :

https://www.petenetlive.com/KB/Article/0001166

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

antoniokida · ‎09-14-2020

Hello Guys, it appears that the remote side does not support tunnel-group <public-ip> "type ipsec-l2l"

At least is not showing the "type" command on the CLI, do you know if there are restrictions to this command?

Thanks

marce1000 · ‎09-14-2020

- Check if this guide can help you :

https://community.cisco.com/t5/security-documents/configure-l2tp-over-ipsec-using-cisco-asa-8-4-and-local/ta-p/3139257

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !