08-15-2019 09:13 AM
Trying to open a secure tunnel from an ASR 1004 to an Azure cloud service.
After setting up the cloud side we got a quick script with the Cisco setup.
Without really going through it, I copied all the config to the ASR and it did not work.
So I started looking into it. It was a basic outline and did not have all the information.
After looking online, it stated I needed a map.
So I wrote a map policy and attached it to the port.
And that did not work.
crypto ikev2 proposal OnPrem1-Conn-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 policy OnPrem1-Conn-policy
 match address local xxx.xxx.xxx.xxx
 proposal OnPrem1-Conn-proposal
!
crypto ikev2 keyring OnPrem1-Conn-keyring
 peer xxx.xxx.xxx.xxx
  address xxx.xxx.xxx.xxx
  pre-shared-key <key>
!
crypto ikev2 profile OnPrem1-Conn-profile
 match address local xxx.xxx.xxx.xxx
 match identity remote address xxx.xxx.xxx.xxx 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local OnPrem1-Conn-keyring
 lifetime 3600
 dpd 10 5 on-demand
!
crypto ipsec transform-set OnPrem1-Conn-TransformSet esp-gcm 256
 mode tunnel
!
crypto ipsec profile OnPrem1-Conn-IPsecProfile
 set transform-set OnPrem1-Conn-TransformSet
 set ikev2-profile OnPrem1-Conn-profile
!
crypto map OnPrem1-Conn-map 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set security-association lifetime seconds 28800
 set security-association dummy seconds 5
 set transform-set OnPrem1-Conn-TransformSet
 match address 101
!
interface GigabitEthernet0/2/5
 description to AZURE
 ip address xxx.xxx.xxx.xxx 255.255.255.240
 negotiation auto
 crypto map OnPrem1-Conn-map
!
ip route 10.xxx.xxx.xxx 255.255.255.0 Tunnel11
ip route 10.xxx.xxx.xxx 255.255.255.0 Tunnel11
!
access-list 101 permit ip 10.xxx.xxx.xxx 0.0.0.255 10.xxx.xxx.xxx 0.0.0.255
access-list 101 permit ip 10.xxx.xxx.xxx 0.0.0.255 10.xxx.xxx.xxx 0.0.0.255
access-list 101 permit ip 10.xxx.xxx.xxx 0.0.0.255 10.xxx.xxx.xxx 0.0.0.255
access-list 101 permit ip 10.xxx.xxx.xxx 0.0.0.255 10.xxx.xxx.xxx 0.0.0.255
access-list 101 permit esp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list 101 permit udp host xxx.xxx.xxx.xxx eq isakmp host xxx.xxx.xxx.xxx
access-list 101 permit udp host xxx.xxx.xxx.xxx eq non500-isakmp host xxx.xxx.xxx.xxx
Thank you
08-15-2019 09:38 AM
There are a couple of things in the partial config that you posted that I am not sure about. It appears to be a fairly traditional config for an IPsec site-to-site VPN. But there are a couple of static routes specifying tunnel 1. What is tunnel 1? Are they intending traditional IPsec site-to-site, or are they intending a GRE tunnel encrypted by IPsec?
Access list 101 looks mostly like an ACL for traditional IPsec site-to-site (without GRE) when it specifies a set of source IP subnets to a set of destination subnets. But then it also includes permits for ESP and for ISAKMP, which are more usual on an ACL applied to the outside interface than in a crypto map.
You tell us that you configured the map etc. and it does not work. Can you be a bit more specific about what does not work? Is there any crypto negotiation for ISAKMP? Is there any crypto negotiation for IPsec? If you use the command `show crypto ipsec sa`, is there any output?
HTH
Rick
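The two structural points raised in the reply above (ESP/ISAKMP permits sitting inside the crypto ACL, and static routes pointing at a Tunnel interface the posted config never defines) are the kind of thing a small config linter can catch before the tunnel is debugged live. The script below is an added example written for this thread, not code from the poster or from Cisco. It embeds a constructed config in the same shape as the posted one, with RFC 5737 documentation addresses in place of the masked `xxx` values, and its parser assumes plain IOS one-space indentation. It also flags a crypto map entry that has no `set ikev2-profile` line while an IKEv2 profile exists, since with crypto maps the IKEv2 profile is bound on the map entry, not via the `crypto ipsec profile` that the posted config defines but never applies.

```python
"""Lint a Cisco IOS crypto-map site-to-site config for the problems discussed
in the thread. Added example; the sample config below is constructed."""
import re
from collections import defaultdict

# Constructed config: same shape as the one posted, RFC 5737 addresses.
SAMPLE_CONFIG = """\
crypto ikev2 profile OnPrem1-Conn-profile
 match identity remote address 203.0.113.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local OnPrem1-Conn-keyring
!
crypto ipsec transform-set OnPrem1-Conn-TransformSet esp-gcm 256
 mode tunnel
!
crypto ipsec profile OnPrem1-Conn-IPsecProfile
 set transform-set OnPrem1-Conn-TransformSet
 set ikev2-profile OnPrem1-Conn-profile
!
crypto map OnPrem1-Conn-map 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set OnPrem1-Conn-TransformSet
 match address 101
!
interface GigabitEthernet0/2/5
 ip address 198.51.100.2 255.255.255.240
 crypto map OnPrem1-Conn-map
!
ip route 10.20.0.0 255.255.255.0 Tunnel11
access-list 101 permit ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
access-list 101 permit esp host 198.51.100.2 host 203.0.113.10
access-list 101 permit udp host 198.51.100.2 eq isakmp host 203.0.113.10
access-list 101 permit udp host 198.51.100.2 eq non500-isakmp host 203.0.113.10
"""


def parse_blocks(config):
    """Group IOS config into (header, [sub-lines]); '!' and blanks are skipped."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def lint_crypto_map_config(config):
    """Return a list of human-readable findings for the config text."""
    acl_entries = defaultdict(list)       # acl number -> list of entry word lists
    tunnel_routes, tunnel_ifaces = [], set()
    crypto_maps, ikev2_profiles = {}, set()

    for header, body in parse_blocks(config):
        words = header.split()
        if words[:1] == ["access-list"]:
            acl_entries[words[1]].append(words[2:])
        elif words[:2] == ["ip", "route"] and words[-1].startswith("Tunnel"):
            tunnel_routes.append((words[-1], header))
        elif words[:1] == ["interface"] and words[1].startswith("Tunnel"):
            tunnel_ifaces.add(words[1])
        elif words[:3] == ["crypto", "ikev2", "profile"]:
            ikev2_profiles.add(words[3])
        elif words[:2] == ["crypto", "map"] and len(words) >= 5:
            crypto_maps[f"{words[2]} {words[3]}"] = body

    findings = []
    # 1. A crypto ACL should only describe interesting traffic between the
    #    protected subnets; ESP/IKE permits belong on an interface ACL instead.
    for name_seq, body in crypto_maps.items():
        for line in body:
            m = re.match(r"match address (\S+)", line)
            if not m:
                continue
            for entry in acl_entries.get(m.group(1), []):
                if {"esp", "isakmp", "non500-isakmp"} & set(entry):
                    findings.append(
                        f"crypto map {name_seq}: ACL {m.group(1)} entry "
                        f"'{' '.join(entry)}' is an IKE/ESP permit, not interesting traffic")
        # 2. With crypto maps the IKEv2 profile is bound on the map entry itself.
        if ikev2_profiles and not any(l.startswith("set ikev2-profile") for l in body):
            findings.append(
                f"crypto map {name_seq}: IKEv2 profile defined but entry has no 'set ikev2-profile'")

    # 3. Static routes to a Tunnel interface that is never configured.
    for iface, route in tunnel_routes:
        if iface not in tunnel_ifaces:
            findings.append(f"'{route}': {iface} is not defined in this config")
    return findings


if __name__ == "__main__":
    for finding in lint_crypto_map_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the constructed sample it reports three IKE/ESP ACL entries, the missing `set ikev2-profile`, and the dangling Tunnel11 route; paste the real `show running-config` text into `SAMPLE_CONFIG` (or read it from a file) to check a live box before turning on `debug crypto ikev2`.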
08-15-2019 11:27 AM
08-15-2019 01:08 PM
Thanks for the additional information. It is good to know that this is a standard IPsec site-to-site and not GRE with IPsec. So perhaps the tunnel 1 is associated with something else and not the VPN. So perhaps we do not need to worry about that tunnel.
HTH
Rick