Unable to receive return traffic through Azure VPN Tunnel (ISR 1941)

harri.phu
Level 1

Hi all,

I'm trying to connect Azure to my first site in a multiple site-to-site VPN config.

I have the tunnel up and running but might be missing something as I'm not able to receive return traffic through the tunnel.

The machine on the Azure side can receive pings from the local side just fine, but when it responds, no ping packets make it back to the machine on the local network.

The subnets are as follows:

Azure: 192.168.200.0/22

Site 1: 192.168.0.1/24 (local workstations) & 192.168.31.0/24 (machines that need to talk to Azure).

Site 2: 192.168.0.2/24 (local workstations) & 192.168.32.0/24 (machines that need to talk to Azure).

Here's a copy of the config file.

Hope somebody can help! Thanks in advance.

wfhwatgw#show running-config
Building configuration...

Current configuration : 7016 bytes
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname wfhwatgw
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool Default
 import all
 network 192.168.1.0 255.255.255.128
 dns-server 192.168.1.10
 default-router 192.168.1.1
!
!
!
ip domain name wfh.local
ip name-server 203.8.183.1
ip name-server 192.189.54.33
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-930478159
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-930478159
 revocation-check none
 rsakeypair TP-self-signed-930478159
!
!
crypto pki certificate chain TP-self-signed-930478159
 certificate self-signed 01
        quit
license udi pid CISCO1941/K9 sn xxxxxx
license boot module c1900 technology-package securityk9
!
!
username admin privilege 15 secret 5 $1$EKdt$JnArUet2M7sgxD5gtABPJ/
!
redundancy
!
crypto ikev2 proposal Azure-Proposal
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy Azure-Policy
 proposal Azure-Proposal
!
crypto ikev2 keyring Azure-Keyring
 peer xxx.xxx.xxx.xxx
  address xxx.xxx.xxx.xxx
  pre-shared-key xxxxxx
 !
!
!
crypto ikev2 profile Azure-Profile
 match address local interface Dialer1
 match identity remote address xxx.xxx.xxx.xxx 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local Azure-Keyring
!
!
!
!
!
!
crypto ipsec transform-set Azure-IPSec-Proposal-Set esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile vti
 set transform-set Azure-IPSec-Proposal-Set
 set ikev2-profile Azure-Profile
!
!
!
!
!
!
interface Tunnel1
 ip address 169.254.0.1 255.255.255.0
 ip tcp adjust-mss 1350
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination xxx.xxx.xxx.xxx
 tunnel protection ipsec profile vti
!
interface Embedded-Service-Engine0/
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description ETH-SW-LAUNCH$INTF-INFO-GE 0/0$ETH-LAN$
 ip address 192.168.31.254 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0 secondary
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN Connection
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 mtu 1350
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1310
 dialer pool 1
 ppp chap hostname xxxxx@line.aapt.com.au
 ppp chap password 0 xxxxx
 ppp pap sent-username xxxxx@ip-line.aapt.com.au password 0 xxxxx
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.200.0 255.255.252.0 Tunnel1
ip route 192.168.200.0 255.255.255.0 Tunnel1
!
ip access-list extended DSL_ACCESSLIST
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.31.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
!
!
access-list 101 permit ip 192.168.31.0 0.0.0.255 192.168.200.0 0.0.3.255
!
control-plane
!
!
banner exec ^C


1 Reply

Philip D'Ath
VIP Alumni

I'm not familiar with Azure, but does Azure have a return route back to your network?
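
The return-route question raised in the reply can be checked mechanically against the posted config. The following is an added example, not part of the original thread: it reads the static routes and LAN addresses copied from the config above and compares them with the prefixes the Azure side routes back into the tunnel. `AZURE_RETURN_PREFIXES` is a constructed assumption, since the thread does not show the Azure configuration.

```python
import ipaddress
import re

# Static routes and LAN addresses copied from the posted running-config.
CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.31.254 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0 secondary
 ip address 192.168.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.200.0 255.255.252.0 Tunnel1
ip route 192.168.200.0 255.255.255.0 Tunnel1
"""

# ASSUMPTION (constructed sample): the on-premises prefixes the Azure side
# sends back through the tunnel. Replace with the real Azure-side values.
AZURE_RETURN_PREFIXES = ["192.168.1.0/24"]


def static_routes(config):
    """Return [(network, exit_interface)] for every 'ip route' line."""
    pat = re.compile(r"^ip route (\S+) (\S+) (\S+)", re.M)
    return [(ipaddress.ip_network(f"{n}/{m}"), i) for n, m, i in pat.findall(config)]


def lan_subnets(config):
    """Return the connected subnets named by 'ip address <addr> <mask>' lines."""
    pat = re.compile(r"^\s+ip address (\d\S+) (\d\S+)", re.M)
    return {ipaddress.ip_interface(f"{a}/{m}").network for a, m in pat.findall(config)}


def egress(routes, dst):
    """Longest-prefix match: the interface used to reach dst, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, ifname) for net, ifname in routes if addr in net]
    return max(hits)[1] if hits else None


def missing_return_routes(config, remote_prefixes):
    """LAN subnets that no prefix on the far side covers (replies cannot come back)."""
    back = [ipaddress.ip_network(p) for p in remote_prefixes]
    return sorted(str(n) for n in lan_subnets(config)
                  if not any(n.subnet_of(b) for b in back))


if __name__ == "__main__":
    routes = static_routes(CONFIG)
    print("forward path to 192.168.200.4:", egress(routes, "192.168.200.4"))
    print("no return route for:", missing_return_routes(CONFIG, AZURE_RETURN_PREFIXES))
```

With the constructed Azure-side list, the forward path resolves to Tunnel1 while 192.168.31.0/24 is reported as having no return route, which matches the symptom of pings arriving but replies never coming back.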
