Secure VPN , ASR to Azure

dgragg002
Level 1

Trying to open a secure tunnel from an ASR 1004 to an Azure cloud service.

After setting up the cloud side we got a quick script with the Cisco setup.
Without really going through it, I copied all the config to the ASR and it did not work.
So I started looking into it. It was a basic outline and did not have all the information.

After looking online, it stated I needed a map.

So I wrote a map policy and attached it to the port.
And that did not work.

crypto ikev2 proposal OnPrem1-Conn-proposal
encryption aes-cbc-256
integrity sha1
group 2
!
crypto ikev2 policy OnPrem1-Conn-policy
match address local xxx.xxx.xxx.xxx
proposal OnPrem1-Conn-proposal
!
crypto ikev2 keyring OnPrem1-Conn-keyring
peer xxx.xxx.xxx.xxx
address xxx.xxx.xxx.xxx
pre-shared-key <key>
!
!
!
crypto ikev2 profile OnPrem1-Conn-profile
match address local xxx.xxx.xxx.xxx
match identity remote address xxx.xxx.xxx.xxx 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local OnPrem1-Conn-keyring
lifetime 3600
dpd 10 5 on-demand


crypto ipsec transform-set OnPrem1-Conn-TransformSet esp-gcm 256
mode tunnel
!
crypto ipsec profile OnPrem1-Conn-IPsecProfile
set transform-set OnPrem1-Conn-TransformSet
set ikev2-profile OnPrem1-Conn-profile
!
!
!
crypto map OnPrem1-Conn-map 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set security-association lifetime seconds 28800
set security-association dummy seconds 5
set transform-set OnPrem1-Conn-TransformSet
match address 101


interface GigabitEthernet0/2/5
description to AZURE
ip address xxx.xxx.xxx.xxx 255.255.255.240
negotiation auto
crypto map OnPrem1-Conn-map

ip route 10.xxx.xxx.xxx 255.255.255.0 Tunnel11
ip route 10.xxx.xxx.xxx 255.255.255.0 Tunnel11

access-list 101 permit ip 10.xxx.xxx.xxx 0.0.0.255 10.xxx.xxx.xxx 0.0.0.255
access-list 101 permit ip 10.xxx.xxx.xxx 0.0.0.255 10.xxx.xxx.xxx 0.0.0.255
access-list 101 permit ip 10.xxx.xxx.xxx 0.0.0.255 10.xxx.xxx.xxx 0.0.0.255
access-list 101 permit ip 10.xxx.xxx.xxx 0.0.0.255 10.xxx.xxx.xxx 0.0.0.255
access-list 101 permit esp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list 101 permit udp host xxx.xxx.xxx.xxx eq isakmp host xxx.xxx.xxx.xxx
access-list 101 permit udp host xxx.xxx.xxx.xxx eq non500-isakmp host xxx.xxx.xxx.xxx

Thank you

3 Replies

Richard Burts
Hall of Fame

There are a couple of things in the partial config that you posted that I am not sure about. It appears to be a fairly traditional config for an IPsec site-to-site VPN. But there are a couple of static routes specifying tunnel 1. What is tunnel 1? Are they intending traditional IPsec site-to-site, or are they intending a GRE tunnel encrypted by IPsec?

Access list 101 looks mostly like an ACL for traditional IPsec site-to-site (without GRE) when it specifies a set of source IP subnets to a set of destination subnets. But then it also includes permits for ESP and for ISAKMP, which are more usual on an ACL applied to the outside interface than on one applied in a crypto map.

You tell us that you configured the map etc. and it does not work. Can you be a bit more specific about what does not work? Is there any crypto negotiation for ISAKMP? Is there any crypto negotiation for IPsec? If you use the command show crypto ipsec sa, is there any output?

HTH

Rick
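A quick consistency check over a fragment like the one posted above, written as an added example for this thread (it is not code from the poster, from Cisco, or from the Azure setup script). It assumes the pasted text has lost its indentation, so it decides block membership from the block-opening commands and the "!" separators, and it uses RFC 5737 documentation addresses (198.51.100.2 local, 203.0.113.10 peer) in place of the redacted ones. The first two checks are the points raised in the reply: ESP and IKE (UDP 500/4500) permits inside a crypto ACL, and static routes that point at a tunnel interface the fragment never defines. The last two are general IOS consistency checks added here: a crypto map that never binds an IKEv2 profile with "set ikev2-profile", and a "crypto ipsec profile" that no interface applies with "tunnel protection".

```python
import re

# Constructed sample: the poster's fragment with RFC 5737 documentation addresses
# (198.51.100.2 local, 203.0.113.10 peer) in place of the redacted ones.
SAMPLE_CONFIG = """\
crypto ikev2 profile OnPrem1-Conn-profile
match identity remote address 203.0.113.10 255.255.255.255
authentication remote pre-share
authentication local pre-share
!
crypto ipsec transform-set OnPrem1-Conn-TransformSet esp-gcm 256
!
crypto ipsec profile OnPrem1-Conn-IPsecProfile
set transform-set OnPrem1-Conn-TransformSet
set ikev2-profile OnPrem1-Conn-profile
!
crypto map OnPrem1-Conn-map 1 ipsec-isakmp
set peer 203.0.113.10
set transform-set OnPrem1-Conn-TransformSet
match address 101
!
interface GigabitEthernet0/2/5
ip address 198.51.100.2 255.255.255.240
crypto map OnPrem1-Conn-map
!
ip route 10.1.1.0 255.255.255.0 Tunnel11
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit esp host 198.51.100.2 host 203.0.113.10
access-list 101 permit udp host 198.51.100.2 eq isakmp host 203.0.113.10
access-list 101 permit udp host 198.51.100.2 eq non500-isakmp host 203.0.113.10
"""

# Commands that open a block. The pasted text lost its indentation, so block
# membership is decided by these headers and by the "!" separators.
BLOCK_HEADER = re.compile(
    r"^(crypto ikev2 (proposal|policy|keyring|profile) \S+|crypto ipsec (transform-set|profile) \S+.*"
    r"|crypto map \S+ \d+ \S+|interface \S+)$"
)


def parse_blocks(text):
    """Split a flattened IOS fragment into {header: [child lines]} and top-level one-liners."""
    blocks, singles, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if BLOCK_HEADER.match(line):
            current = line
            blocks[current] = []
        elif line.startswith(("ip route ", "access-list ")):
            current = None
            singles.append(line)
        elif current is not None:
            blocks[current].append(line)
        else:
            singles.append(line)
    return blocks, singles


def _captures(lines, pattern):
    # Yield the first capture group of every line that matches pattern.
    for line in lines:
        m = re.match(pattern, line)
        if m:
            yield m.group(1)


def find_issues(text):
    """Return (code, message) pairs for the consistency problems discussed in the thread."""
    blocks, singles = parse_blocks(text)
    issues = []
    crypto_maps = {h: b for h, b in blocks.items() if h.startswith("crypto map ")}
    interfaces = {h.split()[1]: b for h, b in blocks.items() if h.startswith("interface ")}
    # 1. A crypto ACL should only describe the traffic to protect; ESP and IKE
    #    (UDP 500/4500) permits belong on an interface ACL, not in the map.
    map_acls = set(_captures([l for b in crypto_maps.values() for l in b], r"match address (\S+)"))
    for s in singles:
        m = re.match(r"access-list (\S+) permit (\S+) (.*)", s)
        if m and m.group(1) in map_acls:
            proto, rest = m.group(2), m.group(3)
            if proto == "esp" or (proto == "udp" and "isakmp" in rest):
                issues.append(("ACL_CONTROL_PLANE", f"crypto ACL {m.group(1)} carries an ESP/IKE entry: {s}"))
    # 2. Static routes that point at a tunnel interface the fragment never defines.
    for s in singles:
        m = re.match(r"ip route \S+ \S+ (Tunnel\S+)", s)
        if m and m.group(1) not in interfaces:
            issues.append(("ROUTE_UNDEFINED_TUNNEL", f"no 'interface {m.group(1)}' in fragment for: {s}"))
    # 3. A crypto map that never binds the IKEv2 profile defined alongside it.
    for h, b in crypto_maps.items():
        if not any(l.startswith("set ikev2-profile ") for l in b):
            issues.append(("MAP_NO_IKEV2_PROFILE", f"'{h}' has no 'set ikev2-profile'"))
    # 4. An IPsec profile is applied to a tunnel interface with 'tunnel protection';
    #    one that no interface applies is dead configuration.
    protected = set(_captures([l for b in interfaces.values() for l in b], r"tunnel protection ipsec profile (\S+)"))
    for name in _captures(blocks, r"crypto ipsec profile (\S+)"):
        if name not in protected:
            issues.append(("IPSEC_PROFILE_UNUSED", f"crypto ipsec profile {name} is applied by no interface"))
    return issues


if __name__ == "__main__":
    for code, msg in find_issues(SAMPLE_CONFIG):
        print(f"[{code}] {msg}")
```

Run as-is it reports six findings on the sample: the three ESP/ISAKMP lines in ACL 101, the route via an undefined Tunnel11, the crypto map with no IKEv2 profile binding, and the unused IPsec profile. Feeding it the full "show running-config" output instead of a fragment would make the second and fourth checks meaningful rather than merely suggestive.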

Thank you Rick for the response.
Other than the map, all of the setup came from the Microsoft setup script.
The map is assigned to port 5 of my ASR. The ACL is applied to that map on that port. That port has an outside IP to the internet.
According to the Azure setup (done by another person) this is an IPsec tunnel and no GRE tunnel.
So for what is not working, I cannot even get the tunnel to set up, let alone any traffic.

show int tunnel 11
Tunnel11 is up, line protocol is down
Hardware is Tunnel
Internet address is 169.254.0.1/32
MTU 10000 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate mode reg down
Tunnel source xxx.xxx.xxx.xxx, destination xxx.xxx.xxx.xxx
Tunnel protocol/transport IPSEC/IP

Thanks for the additional information. It is good to know that this is a standard IPsec site-to-site and not GRE with IPsec. So perhaps the tunnel 1 is associated with something else and not the VPN. So perhaps we do not need to worry about that tunnel.

HTH

Rick