ASA Ikev2 and MS Azure

g.mantuano
Level 1

To whoever needs to configure a VPN between an ASA and an Azure VPN Gateway, here are the commands to do it on ASA version 9.8.2:

crypto map Outside_map0 1 match address Outside_cryptomap_1
crypto map Outside_map0 1 set pfs group24
crypto map Outside_map0 1 set peer 13.xxxxxxxxxxx
crypto map Outside_map0 1 set ikev2 ipsec-proposal Azure
crypto map Outside_map0 1 set ikev2 pre-shared-key *****
crypto map Outside_map0 1 set security-association lifetime seconds 3600
crypto map Outside_map0 1 set security-association lifetime kilobytes 2048
crypto map Outside_map0 1 set reverse-route

access-list Outside_cryptomap_1 extended permit ip object-group Azure-Exempt object MS_Azure

crypto ipsec ikev2 ipsec-proposal Azure
 protocol esp encryption aes-256
 protocol esp integrity sha-384 sha-256 sha-1

crypto ipsec profile AzureProfile
 set ikev2 ipsec-proposal Azure
 set pfs group24
 set security-association lifetime kilobytes 2048
 set security-association lifetime seconds 3600


crypto ikev2 enable Outside

On MS side please refer to this guide:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell


3 Replies

jcote2528
Level 1

I have a VPN to Azure as well and wanted to put my config out there for anyone running 9.7 or higher ASA code, as policy-based VPN was not working. I couldn't complete Phase 1/Phase 2; below you will see how I used a route-based VTI and IKEv2 to get the tunnel up:

interface Tunnel1
nameif VTI_Azure
ip address 169.254.0.1 255.255.255.0
tunnel source interface Outside
tunnel destination 51.XXX.XXX.XX
tunnel mode ipsec ipv4
tunnel protection ipsec profile Azure_profile

 

route VTI_Azure 10.152.0.0 255.255.0.0 169.254.0.0 1

 

crypto ipsec ikev2 ipsec-proposal Azure_proposal
  protocol esp encryption aes-256
  protocol esp integrity sha-256
crypto ipsec profile Azure_profile
  set ikev2 ipsec-proposal Azure_proposal
  set security-association lifetime kilobytes 2048
  set security-association lifetime seconds 3600
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite

 

crypto ikev2 policy 10
  encryption aes-256
  integrity sha256
  group 2
  prf sha
  lifetime seconds 28800
crypto ikev2 policy 20
  encryption aes-256
  integrity sha
  group 2
  prf sha
  lifetime seconds 28800

 

crypto ikev2 enable Outside

 

group-policy GroupPolicy_51.XXX.XXX.XX internal
group-policy GroupPolicy_51.XXX.XXX.XX attributes
  vpn-tunnel-protocol ikev2

 

tunnel-group 51.XXX.XXX.XX type ipsec-l2l
tunnel-group 51.XXX.XXX.XX general-attributes
default-group-policy GroupPolicy_51.XXX.XXX.XX
tunnel-group 51.XXX.XXX.XX ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

This is excellent. However, the stronger of your two policies does not work (IKEv2 policy 10).
The Azure basic SKU supplies the following proposals:
Proposal 1: AES-CBC-256 SHA1 SHA96 DH_GROUP_1024_MODP/Group 2
Proposal 2: AES-CBC-256 SHA256 SHA256 DH_GROUP_1024_MODP/Group 2
Proposal 3: AES-CBC-128 SHA1 SHA96 DH_GROUP_1024_MODP/Group 2
Proposal 4: AES-CBC-128 SHA256 SHA256 DH_GROUP_1024_MODP/Group 2
Proposal 5: 3DES SHA1 SHA96 DH_GROUP_1024_MODP/Group 2
Proposal 6: 3DES SHA256 SHA256 DH_GROUP_1024_MODP/Group 2
Policy 10 does not match any of the above.

Update policy 10 as follows:

crypto ikev2 policy 10
  encryption aes-256
  integrity sha256
  group 2
  prf sha256
  lifetime seconds 28800

It's also worth noting that if you use any standard VpnGw SKU on Azure (anything but the Basic SKU), custom IPsec profiles can be set up, which allow for pretty much any combination.
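The mismatch pointed out in this reply (policy 10 offers `prf sha` while every Azure Basic SKU proposal with SHA256 integrity also expects a SHA256 PRF) can be checked mechanically rather than by eyeballing six proposals. The script below is an added example and is not code from the thread, from Cisco or from Microsoft: it parses ASA `crypto ikev2 policy` blocks, translates the ASA keywords into the names used in the Azure Basic SKU list quoted above, and reports which proposals each policy can actually negotiate. The keyword translation table (`integrity sha` = HMAC-SHA1-96 = Azure "SHA96", `prf sha` = Azure "SHA1", and so on) and the sample configs are assumptions of the example; the sample configs are the two policies posted above plus the corrected one.

```python
"""Check ASA IKEv2 policies against the Azure VPN Gateway Basic SKU proposals.

Added example (not from the original thread). The proposal list is transcribed
from the reply above; the ASA-to-Azure keyword mapping is an assumption.
"""
import itertools

# Azure Basic SKU IKEv2 proposals exactly as quoted in the thread:
# (encryption, PRF hash, integrity, DH group)
AZURE_BASIC_SKU = [
    ("AES-CBC-256", "SHA1",   "SHA96",  "DH_GROUP_1024_MODP/Group 2"),
    ("AES-CBC-256", "SHA256", "SHA256", "DH_GROUP_1024_MODP/Group 2"),
    ("AES-CBC-128", "SHA1",   "SHA96",  "DH_GROUP_1024_MODP/Group 2"),
    ("AES-CBC-128", "SHA256", "SHA256", "DH_GROUP_1024_MODP/Group 2"),
    ("3DES",        "SHA1",   "SHA96",  "DH_GROUP_1024_MODP/Group 2"),
    ("3DES",        "SHA256", "SHA256", "DH_GROUP_1024_MODP/Group 2"),
]

# ASA CLI keyword -> Azure name (assumed mapping for this example).
# On the ASA, `integrity sha` is HMAC-SHA1-96 (Azure calls it SHA96) and
# `prf sha` is PRF-HMAC-SHA1 (Azure calls it SHA1); unknown keywords are
# passed through unchanged so they simply never match.
ASA_TO_AZURE = {
    "encryption": {"aes-256": "AES-CBC-256", "aes": "AES-CBC-128", "3des": "3DES"},
    "prf":        {"sha": "SHA1", "sha256": "SHA256"},
    "integrity":  {"sha": "SHA96", "sha256": "SHA256"},
    "group":      {"2": "DH_GROUP_1024_MODP/Group 2"},
}
# Same order as the tuples in AZURE_BASIC_SKU.
FIELDS = ("encryption", "prf", "integrity", "group")


def parse_asa_ikev2_policies(config):
    """Return {policy_number: {keyword: [values, ...]}} from ASA CLI text."""
    policies, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:3] == ["crypto", "ikev2", "policy"] and len(tokens) == 4:
            current = int(tokens[3])
            policies[current] = {}
        elif current is not None and tokens[0] in FIELDS:
            # The ASA accepts several values on one line, e.g. "group 2 14";
            # each one is a separate offer in the proposal.
            policies[current][tokens[0]] = tokens[1:]
    return policies


def matching_proposals(policy):
    """Azure Basic SKU proposals one ASA policy can negotiate (may be empty)."""
    combos = itertools.product(*(policy.get(field, []) for field in FIELDS))
    matched = []
    for combo in combos:
        translated = tuple(ASA_TO_AZURE[f].get(v, v) for f, v in zip(FIELDS, combo))
        if translated in AZURE_BASIC_SKU and translated not in matched:
            matched.append(translated)
    return matched


def check_config(config):
    """Map every policy number in the config to the proposals it matches."""
    return {num: matching_proposals(pol)
            for num, pol in parse_asa_ikev2_policies(config).items()}


# Constructed sample input: the two policies posted above (policy 10 as
# originally posted, with prf sha) and the corrected policy 10.
POSTED = """\
crypto ikev2 policy 10
  encryption aes-256
  integrity sha256
  group 2
  prf sha
  lifetime seconds 28800
crypto ikev2 policy 20
  encryption aes-256
  integrity sha
  group 2
  prf sha
  lifetime seconds 28800
"""
CORRECTED = """\
crypto ikev2 policy 10
  encryption aes-256
  integrity sha256
  group 2
  prf sha256
  lifetime seconds 28800
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        for num, matches in check_config(cfg).items():
            state = "OK" if matches else "NO MATCH"
            print(f"{label}: policy {num}: {state} {matches}")
```

Running it shows policy 20 negotiating Proposal 1 (AES-CBC-256/SHA1/SHA96/Group 2) and the posted policy 10 matching nothing, while the corrected policy 10 lands on Proposal 2. The same parser accepts multi-value lines such as `prf sha sha256`, which is the usual way to offer both PRFs from a single ASA policy.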

How did you configure NAT bypass? Did you include the VTI interface in that?