
Secure VPN, ASR to Azure


Trying to open a secure tunnel from an ASR 1004 to an Azure cloud service.

After setting up the cloud side, we got a quick script with the Cisco setup.
Without really going through it, I copied all the config to the ASR and it did not work.
So I started looking into it. It was a basic outline and did not have all the information.

After looking online, it stated I needed a map.

So I wrote a map policy and attached it to the port.
And that did not work.



crypto ikev2 proposal OnPrem1-Conn-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
crypto ikev2 policy OnPrem1-Conn-policy
 match address local
 proposal OnPrem1-Conn-proposal
crypto ikev2 keyring OnPrem1-Conn-keyring
 pre-shared-key <key>
crypto ikev2 profile OnPrem1-Conn-profile
 match address local
 match identity remote address
 authentication remote pre-share
 authentication local pre-share
 keyring local OnPrem1-Conn-keyring
 lifetime 3600
 dpd 10 5 on-demand

crypto ipsec transform-set OnPrem1-Conn-TransformSet esp-gcm 256
 mode tunnel
crypto ipsec profile OnPrem1-Conn-IPsecProfile
 set transform-set OnPrem1-Conn-TransformSet
 set ikev2-profile OnPrem1-Conn-profile
crypto map OnPrem1-Conn-map 1 ipsec-isakmp
 set peer
 set security-association lifetime seconds 28800
 set security-association dummy seconds 5
 set transform-set OnPrem1-Conn-TransformSet
 match address 101

interface GigabitEthernet0/2/5
 description to AZURE
 ip address
 negotiation auto
 crypto map OnPrem1-Conn-map

ip route Tunnel11
ip route Tunnel11

access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit esp host host
access-list 101 permit udp host eq isakmp host
access-list 101 permit udp host eq non500-isakmp host


Thank you



Richard Burts
VIP Community Legend

There are a couple of things in the partial config that you posted that I am not sure about. It appears to be a fairly traditional config for an IPsec site-to-site VPN. But there are a couple of static routes specifying tunnel 1. What is tunnel 1? Are they intending traditional IPsec site-to-site, or are they intending a GRE tunnel encrypted by IPsec?


Access list 101 looks mostly like an ACL for traditional IPsec site-to-site (without GRE), since it specifies a set of source IP subnets to a set of destination subnets. But then it also includes permits for ESP and for ISAKMP, which are more usual on an ACL applied to the outside interface than on one applied in a crypto map.


You tell us that you configured the map etc. and it does not work. Can you be a bit more specific about what does not work? Is there any crypto negotiation for ISAKMP? Is there any crypto negotiation for IPsec? If you use the command show crypto ipsec sa, is there any output?

Thank you Rick for the response.
Other than the map, all of the setup came from the Microsoft setup script.
The map is assigned to port 5 of my ASR. The ACL is applied to that map on that port. That port has an outside IP to the internet.
According to the Azure setup (done by another person), this is an IPsec tunnel and no GRE tunnel.
So, for what is not working, I cannot even get the tunnel to set up, let alone any traffic.

show int tunnel 11
Tunnel11 is up, line protocol is down
Hardware is Tunnel
Internet address is
MTU 10000 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate mode reg down
Tunnel source, destination
Tunnel protocol/transport IPSEC/IP

Thanks for the additional information. It is good to know that this is a standard IPsec site-to-site and not GRE with IPsec. So perhaps tunnel 1 is associated with something else and not the VPN. So perhaps we do not need to worry about that tunnel.
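One way the pieces fit together, as an added example that is not the original poster's config and not the Microsoft script: the show interface Tunnel11 output above reports "Tunnel protocol/transport IPSEC/IP", which is what a route-based VTI (tunnel mode ipsec ipv4 with tunnel protection) looks like on IOS XE, and that is the form Azure's Cisco scripts use for route-based gateways. In that model the IPsec profile is bound to the tunnel interface and the static routes point at Tunnel11; the crypto map on GigabitEthernet0/2/5 is the policy-based alternative and should not be bound to the same peer at the same time. Every address below is a placeholder I assumed (203.0.113.10 for the ASR outside IP, 198.51.100.20 for the Azure gateway, 10.20.0.0/16 for the VNet, 169.254.0.1/30 on the tunnel), and the IKEv2 proposal is tightened from sha1/group 2 to sha256/group 14, which Azure's default IKEv2 policy also accepts.

```text
! Added example, not from the original post or the Microsoft script.
! Placeholders: 203.0.113.10 = ASR outside IP, 198.51.100.20 = Azure VPN
! gateway public IP, 10.20.0.0/16 = Azure VNet, 169.254.0.1/30 = tunnel link.
crypto ikev2 proposal OnPrem1-Conn-proposal
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy OnPrem1-Conn-policy
 match address local 203.0.113.10
 proposal OnPrem1-Conn-proposal
!
crypto ikev2 keyring OnPrem1-Conn-keyring
 peer AZURE
  address 198.51.100.20
  pre-shared-key <key>
!
crypto ikev2 profile OnPrem1-Conn-profile
 match address local 203.0.113.10
 match identity remote address 198.51.100.20 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local OnPrem1-Conn-keyring
 lifetime 3600
 dpd 10 5 on-demand
!
crypto ipsec transform-set OnPrem1-Conn-TransformSet esp-gcm 256
 mode tunnel
!
crypto ipsec profile OnPrem1-Conn-IPsecProfile
 set transform-set OnPrem1-Conn-TransformSet
 set ikev2-profile OnPrem1-Conn-profile
!
! Route-based VTI: the IPsec profile is bound here, not via a crypto map.
interface Tunnel11
 description to AZURE
 ip address 169.254.0.1 255.255.255.252
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet0/2/5
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.20
 tunnel protection ipsec profile OnPrem1-Conn-IPsecProfile
!
! Outside interface carries the public IP only; the crypto map comes off.
interface GigabitEthernet0/2/5
 description to AZURE
 ip address 203.0.113.10 255.255.255.0
 negotiation auto
 no crypto map OnPrem1-Conn-map
!
! Traffic selection is by routing, so no crypto ACL is needed.
ip route 10.20.0.0 255.255.0.0 Tunnel11
```

Once applied, show crypto ikev2 sa should list an SA with the Azure gateway, show crypto ipsec sa should show encaps/decaps counters increasing, and show interface Tunnel11 should report line protocol up. If IKEv2 never completes, debug crypto ikev2 on the ASR shows which proposal or identity check fails. The ESP and UDP 500/4500 entries from access-list 101 are not crypto-ACL material; if an inbound ACL is applied to the outside interface, that is where permits for the gateway's ESP and IKE traffic belong.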