05-27-2017 11:56 PM
With the newest release of the Cisco ASA, I have read and noticed the ability to create a VTI (Virtual Tunnel Interface). My goal has been to create a HighPerformance (Azure SKU) site-to-site tunnel to my on-premise Cisco ASA 5516-X. I haven't had any luck; my connection just stays at "connecting". If anyone has been able to get this VTI feature running with the BGP protocol between their on-premise ASA and an Azure VPN Gateway, please send me a sample config or point me to a blog that covers the process, including the Azure PowerShell configuration.
Here is what I tried on the Azure Powershell Side:
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName "Pay-As-You-Go"
# Build the resource group
New-AzureRmResourceGroup -Name GCGCorp -Location 'South Central US'
# Create a network in this resource group
$subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.0.0.0/27
$subnet2 = New-AzureRmVirtualNetworkSubnetConfig -Name 'Subnet1' -AddressPrefix '10.0.1.0/28'
# Execute the creation
New-AzureRmVirtualNetwork -Name GCGAzureVNet -ResourceGroupName GCGCorp `
-Location 'South Central US' -AddressPrefix 10.0.0.0/16 -Subnet $subnet1, $subnet2
# Create a local network gateway representing the on-premise network
New-AzureRmLocalNetworkGateway -Name GCGNCDC -ResourceGroupName GCGCorp `
-Location 'South Central US' -GatewayIpAddress '65.255.11.99' -AddressPrefix '192.168.99.0/22'
# Get an Azure public IP address
$gwpip= New-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName GCGCorp -Location 'South Central US' -AllocationMethod Dynamic
# Configure the gateway with the public IP
$vnet = Get-AzureRmVirtualNetwork -Name GCGAzureVNet -ResourceGroupName GCGCorp
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id
# Turn on the gateway
New-AzureRmVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName GCGCorp `
-Location 'South Central US' -IpConfigurations $gwipconfig -GatewayType Vpn `
-VpnType RouteBased -GatewaySku HighPerformance
# Get the public IP of the gateway
Get-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName GCGCorp
$gateway1 = Get-AzureRmVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName GCGCorp
$local = Get-AzureRmLocalNetworkGateway -Name GCGNCDC -ResourceGroupName GCGCorp
New-AzureRmVirtualNetworkGatewayConnection -Name MyGWConnection -ResourceGroupName GCGCorp `
-Location 'South Central US' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
-ConnectionType IPsec -RoutingWeight 10 -SharedKey 'mySuperPassword'
Get-AzureRmVirtualNetworkGatewayConnection -Name MyGWConnection -ResourceGroupName GCGCorp -Debug
Here is what I tried on the Cisco ASA config side:
en
conf t
group-policy tunnelGP internal
group-policy tunnelGP attributes
vpn-session-timeout none
vpn-idle-timeout none
vpn-tunnel-protocol ikev1
exit
tunnel-group 13.84.225.200 type ipsec-l2l
tunnel-group 13.84.225.200 general-attributes
default-group-policy tunnelGP
tunnel-group 13.84.225.200 ipsec-attributes
ikev1 pre-shared-key mySuperSec
isakmp keepalive threshold 10 retry 2
exit
crypto ipsec ikev1 transform-set TUNNELTRANS esp-aes-256 esp-sha-hmac
crypto ipsec profile IPSECPROF
set ikev1 transform-set TUNNELTRANS
set pfs group2
set security-association lifetime kilobytes unlimited
set security-association lifetime seconds 86400
exit
! VTI configuration for both WAN circuits
int Tunnel1
nameif VTI_1
ip address 10.0.0.31 255.255.255.0
tunnel source interface OUTSIDE
tunnel destination 13.84.225.200
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSECPROF
exit
! BGP configuration with multipath
router bgp 64513
address-family ipv4 unicast
neighbor 10.0.0.30 remote-as 64512
maximum-paths 2
exit-address-family
bgp graceful-restart
But no tunnel is coming up, even when I start trying to send interesting traffic.
Any thoughts or materials on this exact goal? I was able to complete the Basic (Azure SKU) for a normal site-to-site tunnel with crypto maps and such, but that will only run at 100 Mb/s, whereas the VTI on the HighPerformance (Azure SKU) will operate at 200 MB/s.
Please advise. I would love to make a complete PowerShell script that sets up my gateways and connection config as well as the BGP peering stuff.
Thanks,
Nate
05-28-2017 01:31 AM
MS Azure doesn't support BGP or dynamic routing implementation. For that you need to deploy something like a CSR.
Also, for IKEv1, Azure supports crypto maps. VTI won't work. VTI will work if you use IKEv2.
05-28-2017 10:12 AM
Are you sure they don't support BGP for VPN Gateways?
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-resource-manager-ps
Someone has done what I am requesting with Azure:
https://community.ubnt.com/t5/EdgeMAX/Config-Microsoft-Azure-route-based-VPN/td-p/1573062
I'm not sure if you're correct on the functionality of Azure route-based VPN Gateways.
05-28-2017 11:50 AM
I did get the IKEv2 VTI tunnel up and established between Azure and my ASA. What routing method do you recommend?
01-30-2018 02:52 AM
Were you able to deploy this in the end? I have the same problem: I have the VTI tunnel up, but now I'm not sure what the IP of the other end of the VTI tunnel on the Azure side is.
11-13-2018 08:09 AM
I'm having the same issue; not sure what IP to use for the VTI or the remote side, with an IKEv2 connection to Azure without BGP.
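An added example, not from the original poster or any of the replies: it extends the PowerShell script from the first post with the BGP parameters it does not set, and reads back the Azure-side BGP peering address that the later replies ask about. It assumes the AzureRM module, that the GCGCorp resource group, GCGAzureVNet and the gwpip public IP from the original script already exist, that the local network gateway, VPN gateway and connection have not yet been created, and that 192.168.200.1 is the ASA's Tunnel1 address (an assumed value).

```powershell
# Added example (not the poster's script): BGP-enabled variant of the
# gateway/connection steps, plus a lookup of the Azure-side BGP peer IP.
# Assumes the resource group, VNet, GatewaySubnet and public IP already exist.
$rg       = 'GCGCorp'
$loc      = 'South Central US'
$azAsn    = 64512            # Azure gateway ASN (matches the ASA's "remote-as 64512")
$asaAsn   = 64513            # ASA ASN (matches the ASA's "router bgp 64513")
$asaVtiIp = '192.168.200.1'  # assumed: ASA Tunnel1 IP; keep it outside the VNet space
                             # (10.0.0.31 in the original sits inside 10.0.0.0/16)

# Local network gateway now carries the on-prem BGP peer as well as the static prefix
$local = New-AzureRmLocalNetworkGateway -Name GCGNCDC -ResourceGroupName $rg -Location $loc `
    -GatewayIpAddress '65.255.11.99' -AddressPrefix '192.168.99.0/22' `
    -Asn $asaAsn -BgpPeeringAddress $asaVtiIp

$vnet       = Get-AzureRmVirtualNetwork -Name GCGAzureVNet -ResourceGroupName $rg
$subnet     = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwpip      = Get-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName $rg
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwipconfig1 `
    -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

# Route-based gateway with BGP enabled and a private ASN
# (Azure uses 65515 by default if -Asn is omitted)
$gateway1 = New-AzureRmVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased -GatewaySku HighPerformance `
    -EnableBgp $true -Asn $azAsn

# The connection object must have BGP enabled too, otherwise the gateway setting is unused
New-AzureRmVirtualNetworkGatewayConnection -Name MyGWConnection -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local -ConnectionType IPsec `
    -RoutingWeight 10 -SharedKey 'mySuperPassword' -EnableBgp $true

# Azure end of the peering: this is the address the ASA's "neighbor ... remote-as 64512"
# line must point at, and the ASA needs a host route to it out the Tunnel1 interface
$gw = Get-AzureRmVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName $rg
$gw.BgpSettings | Select-Object Asn, BgpPeeringAddress, PeerWeight
```

The BgpPeeringAddress that the last line prints is allocated from the GatewaySubnet and is only reachable through the tunnel, which is why it must be routed over Tunnel1 on the ASA rather than learned from the default route.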