With the newest release of the Cisco ASA, I have read and noticed the ability to create a VTI (Virtual Tunnel Interface). My goal has been to create a HighPerformance (Azure SKU) site to site tunnel to my onPremise Cisco ASA 5516-X. I haven't had any luck, my connection just stays at connecting. If anyone has been able to get this VTI featured running with BGP protocol between their onPremise ASA and Azure VPN Gateway. Please send me a sample config or point me to a blog that covers the process, including the Azure Powershell configuration.
Here is what I tried on the Azure Powershell Side:
Select-AzureRmSubscription -SubscriptionName "Pay-As-You-Go"
//Build Resource Group
New-AzureRmResourceGroup -Name GCGCorp -Location 'South Central US'
//create a network in this resource group
$subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.0.0.0/27
$subnet2 = New-AzureRmVirtualNetworkSubnetConfig -Name 'Subnet1' -AddressPrefix '10.0.1.0/28'
//execute the creation
New-AzureRmVirtualNetwork -Name GCGAzureVNet -ResourceGroupName GCGCorp `
-Location 'South Central US' -AddressPrefix 10.0.0.0/16 -Subnet $subnet1, $subnet2
//create a local network gateway of your onPremise Network
New-AzureRmLocalNetworkGateway -Name GCGNCDC -ResourceGroupName GCGCorp `
-Location 'South Central US' -GatewayIpAddress '188.8.131.52' -AddressPrefix '192.168.99.0/22'
//Get an Azure Public IP address
$gwpip= New-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName GCGCorp -Location 'South Central US' -AllocationMethod Dynamic
/Configure the gateway with the public
$vnet = Get-AzureRmVirtualNetwork -Name GCGAzureVNet -ResourceGroupName GCGCorp
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id
//turn on the gateway
New-AzureRmVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName GCGCorp `
-Location 'South Central US' -IpConfigurations $gwipconfig -GatewayType Vpn `
-VpnType RouteBased -GatewaySku HighPerformance
//get the public ip of the gateway
Get-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName GCGCorp
$gateway1 = Get-AzureRmVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName GCGCorp
$local = Get-AzureRmLocalNetworkGateway -Name GCGNCDC -ResourceGroupName GCGCorp
New-AzureRmVirtualNetworkGatewayConnection -Name MyGWConnection -ResourceGroupName GCGCorp `
-Location 'South Central US' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
-ConnectionType IPsec -RoutingWeight 10 -SharedKey 'mySuperPassword'
Get-AzureRmVirtualNetworkGatewayConnection -Name MyGWConnection -ResourceGroupName GCGCorp -Debug
Here is what I tried on the Cisco ASA Config Side:
group-policy tunnelGP internal
group-policy tunnelGP attributes
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 220.127.116.11 general-attributes
tunnel-group 18.104.22.168 ipsec-attributes
ikev1 pre-shared-key mySuperSec
isakmp keepalive threshold 10 retry 2
crypto ipsec ikev1 transform-set TUNNELTRANS esp-aes-256 esp-sha-hmac
crypto ipsec profile IPSECPROF
set ikev1 transform-set TUNNELTRANS
set pfs group2
set security-association lifetime kilobytes unlimited
set security-association lifetime seconds 86400
########VTI Configuration for both WAN circuits
ip address 10.0.0.31 255.255.255.0
tunnel source interface OUTSIDE
tunnel destination 22.214.171.124
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSECPROF
#########bgp config with multipath
router bgp 64513
address-family ipv4 unicast
neighbor 10.0.0.30 remote-as 64512
But no tunnel is turning up even if I start trying to send interesting traffic.
Any thoughts or materials on this exact goal? I was able to complete the Basic (Azure SKU) for a normal site to site tunnel with crypto maps and such but that will only run at 100 Mb/s whereas the VTI on the HighPerformance (Azure SKU) will operate at 200 MB/s.
Please advise. I would love to make a complete powershell script that sets up my gateways and connection config as well as the BGP peering stuff.
MS Azure doesn't support BGP or dynamic routing implementation. For that you need to deploy something like CSR.
Also, for ikev1, Azure supports crypto maps. VTI won't work. VTI will work if you use IKEv2
Are you sure they don't support BGP for VPN Gateways.
Someone has done what I am requesting with Azure:
I'm not sure if your correct on the functionality of Azure Route Based VPN Gateways.
Were you able to deploy this in the end? I have same problem, I have VTI tunnel up but now not sure what is the IP of other end of the VTI tunnel that's on the Azure side.