09-10-2018 07:03 AM - edited 03-12-2019 05:30 AM
I have an Azure subscription with a virtual network where the gateway subnet is 172.26.0.0/27, and then I have a number of subnets, e.g. 172.26.1.0/24, 172.26.2.0/24, 172.26.3.0/24, ....
On the router side I have configured the network objects for 172.26.0.0/27 and 172.26.1.0/24.
The local network is 10.0.0.0/8.
This is the configuration I have used to set up the site-to-site connection on the router:
object network HQ-LAN
crypto ipsec ikev2 ipsec-proposal AZURE-TRANSFORM-2
crypto ipsec security-association lifetime seconds 3600
crypto map CRYPTO-MAP 1 match address azure-vpn-acl
crypto ca trustpool policy
crypto ikev2 policy 1
crypto ikev2 enable INTERNET
group-policy AzureGroupPolicy internal
dynamic-access-policy-record DfltAccessPolicy
sysopt connection tcpmss 1350
The connection seems to reach the point where an IKEv2 tunnel is set up, but then the tunnel gets rejected with the following error:
3 | Sep 10 2018 | 14:39:38 | 751022 | Local:80.x.y.w:500 Remote:40.a.b.c:500 Username:40.a.b.c IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
In debug, I found:
IKEv2-PROTO-2: (404): Processing IKE_AUTH message
ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 3: 3DES SHA96 Don't use ESN
ESP: Proposal 4: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 5: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 6: 3DES SHA256 Don't use ESN
IKEv2-PROTO-1: (404): Failed to find a matching policy
and also:
IKEv2-PROTO-5: (237): SM Trace-> SA: I_SPI=8D624530AA96162A R_SPI=4A613765BD92DF8F (I) MsgID = 00000004 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-2: (237): Deleting SA
IKEv2-PROTO-1: session is not there in tree
IKEv2-PLAT-2: CONNECTION STATUS: DOWN... peer: 40.a.b.c:500, phase1_id: 40.a.b.c
IKEv2-PLAT-2: (237): IKEv2 session deregistered from session manager. Reason: 6
IKEv2-PLAT-2: (237): session manager killed ikev2 tunnel. Reason: IKE Delete
IKEv2-PLAT-2: (237): PSH cleanup
IKEv2-PLAT-5: Active ike sa request deleted
IKEv2-PLAT-5: Decrement count for incoming active
IKEv2-PLAT-2: (404): Encrypt success status returned via ipc 1
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xAA15ED6E error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xFBC930C6 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xDA2A46C2 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x2EDA754D error FALSE
Any suggestions on how to fix this?
09-11-2018 09:16 AM
I found a solution:
gateway# show crypto isa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:*****, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
********** 80.x.w.y/500 40.a.b.c/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/3135 sec
Child sa: local selector 10.0.0.0/0 - 10.255.255.255/65535
remote selector 172.26.1.0/0 - 172.26.1.255/65535
ESP spi in/out: 0x********/0x********
Reading the list of Microsoft validated VPN devices and device configuration guides on the "About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections" page, on the Cisco ASA row, next to IKEv2 I noticed an asterisk, and below the list I read:
Cisco ASA versions 8.4+ add IKEv2 support, can connect to Azure VPN gateway using custom IPsec/IKE policy with "UsePolicyBasedTrafficSelectors" option. Refer to this how-to article.
I understand from this that I had to set the UsePolicyBasedTrafficSelectors property and therefore create a custom IKE/IPsec policy, which I did in the Azure Cloud Shell with the following code:
$RG = "MyRG"
$ConnectionName = "STS-Azure-HQ"
$connection = Get-AzureRmVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $RG
$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2 -SALifeTimeSeconds 3600 -SADataSizeKilobytes 2048
Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy
I then reconfigured the ASA router to match the IKE/IPsec policy:
configure terminal
crypto ipsec ikev2 ipsec-proposal AZURE-TRANSFORM-2
protocol esp encryption aes-256
protocol esp integrity sha-256
exit
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 2
prf sha256 sha
lifetime seconds 28800
exit
The prf sha256 sha line was the last bit I changed; I reckon it may also work with just sha256, but I haven't tried it.
Before that I also added all 12 Azure subnets to my ASA traffic selector, which probably helped as well.
object network AzureLabNet-Gateway
subnet 172.26.0.0 255.255.224.0
description The Azure Gateway range
exit
object network AzureLabNet-LAN-1
subnet 172.26.1.0 255.255.255.0
description The Azure AzureLabNet LAN #1 range
exit
object network AzureLabNet-LAN-2
subnet 172.26.2.0 255.255.255.0
description The Azure AzureLabNet LAN #2 range
exit
object network AzureLabNet-LAN-3
subnet 172.26.3.0 255.255.255.0
description The Azure AzureLabNet LAN #3 range
exit
object network AzureLabNet-LAN-4
subnet 172.26.4.0 255.255.255.0
description The Azure AzureLabNet LAN #4 range
exit
object network AzureLabNet-LAN-5
subnet 172.26.5.0 255.255.255.0
description The Azure AzureLabNet LAN #5 range
exit
object network AzureLabNet-LAN-6
subnet 172.26.6.0 255.255.255.0
description The Azure AzureLabNet LAN #6 range
exit
object network AzureLabNet-LAN-7
subnet 172.26.7.0 255.255.255.0
description The Azure AzureLabNet LAN #7 range
exit
object network AzureLabNet-LAN-8
subnet 172.26.8.0 255.255.255.0
description The Azure AzureLabNet LAN #8 range
exit
object network AzureLabNet-LAN-9
subnet 172.26.9.0 255.255.255.0
description The Azure AzureLabNet LAN #9 range
exit
object network AzureLabNet-LAN-10
subnet 172.26.10.0 255.255.255.0
description The Azure AzureLabNet LAN #10 range
exit
object network AzureLabNet-LAN-11
subnet 172.26.11.0 255.255.255.0
description The Azure AzureLabNet LAN #11 range
exit
object-group network AzureLabNet-network
description Azure AzureLabNet Virtual Network
network-object object AzureLabNet-LAN-1
network-object object AzureLabNet-LAN-2
network-object object AzureLabNet-LAN-3
network-object object AzureLabNet-LAN-4
network-object object AzureLabNet-LAN-5
network-object object AzureLabNet-LAN-6
network-object object AzureLabNet-LAN-7
network-object object AzureLabNet-LAN-8
network-object object AzureLabNet-LAN-9
network-object object AzureLabNet-LAN-10
network-object object AzureLabNet-LAN-11
network-object object AzureLabNet-Gateway
exit
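The two halves of this thread, the 751022 rejection in the question and the narrow child SA in the solution's show crypto isa output, come down to one check: whether the traffic selectors the peer proposes fit inside some line of the ASA's crypto ACL. The checker below is an added example, not code from the thread or from Cisco. It assumes that azure-vpn-acl (its lines are not shown in the thread) permits HQ-LAN to each object in AzureLabNet-network in the order the object-group lists them, and it reads the syslog selector field as start-address/end-address/low-port/high-port/protocol; the log text and show output are copied from the thread with the anonymised addresses left as they are.

```python
import ipaddress
import re
from dataclasses import dataclass

# Networks from the thread: the HQ LAN and the Azure objects the solution ends up with.
HQ_LAN = ipaddress.ip_network("10.0.0.0/8")
AZURE_NETS = [ipaddress.ip_network(f"172.26.{i}.0/24") for i in range(1, 12)] + [
    ipaddress.ip_network("172.26.0.0/19")  # AzureLabNet-Gateway, listed last in the group
]
# Assumption: azure-vpn-acl permits HQ-LAN to every object in AzureLabNet-network,
# i.e. one (local, remote) pair per object, in object-group order.
CRYPTO_ACL = [(HQ_LAN, net) for net in AZURE_NETS]
# The two objects the question says were configured before the fix.
ORIGINAL_ACL = [(HQ_LAN, ipaddress.ip_network("172.26.0.0/27")),
                (HQ_LAN, ipaddress.ip_network("172.26.1.0/24"))]

# Sample input copied from the thread (addresses anonymised there, not needed here).
REJECT_LOG = ("Local:80.x.y.w:500 Remote:40.a.b.c:500 Username:40.a.b.c IKEv2 Tunnel rejected: "
              "Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 "
              "local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!")
SHOW_OUTPUT = ("Child sa: local selector 10.0.0.0/0 - 10.255.255.255/65535\n"
               "remote selector 172.26.1.0/0 - 172.26.1.255/65535\n")


@dataclass(frozen=True)
class TrafficSelector:
    """An IKEv2 TS: an address range plus a port range and protocol (0 = any)."""
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    port_lo: int = 0
    port_hi: int = 65535
    proto: int = 0

    def is_wildcard(self) -> bool:
        return str(self.start) == "0.0.0.0" and str(self.end) == "255.255.255.255"

    def fits(self, net: ipaddress.IPv4Network) -> bool:
        # Both ends of the range inside the network means the whole range is covered.
        return self.start in net and self.end in net


SYSLOG_RE = re.compile(r"remote traffic selector ([\d./]+) local traffic selector ([\d./]+)")
SHOW_RE = re.compile(r"(local|remote) selector ([\d.]+)/(\d+) - ([\d.]+)/(\d+)")


def parse_syslog_ts(field: str) -> TrafficSelector:
    # Assumed field layout: start/end/low-port/high-port/protocol.
    start, end, lo, hi, proto = field.split("/")
    return TrafficSelector(ipaddress.IPv4Address(start), ipaddress.IPv4Address(end),
                           int(lo), int(hi), int(proto))


def selectors_from_syslog(line: str):
    """Return (local, remote) selectors from an ASA 751022 message."""
    m = SYSLOG_RE.search(line)
    if not m:
        raise ValueError("no traffic selectors in log line")
    return parse_syslog_ts(m.group(2)), parse_syslog_ts(m.group(1))


def selectors_from_show(text: str):
    """Return (local, remote) selectors from a 'show crypto isa' child SA block."""
    found = {}
    for side, s, lo, e, hi in SHOW_RE.findall(text):
        found[side] = TrafficSelector(ipaddress.IPv4Address(s), ipaddress.IPv4Address(e), int(lo), int(hi))
    return found["local"], found["remote"]


def match_crypto_acl(local_ts, remote_ts, acl=CRYPTO_ACL):
    """Simplified model of the lookup behind 751022: the first ACL line whose
    networks contain both proposed selectors wins; a wider proposal never matches."""
    for src, dst in acl:
        if local_ts.fits(src) and remote_ts.fits(dst):
            return src, dst
    return None


def diagnose(local_ts, remote_ts, acl=CRYPTO_ACL) -> str:
    entry = match_crypto_acl(local_ts, remote_ts, acl)
    if entry:
        return f"OK: matches crypto ACL line {entry[0]} -> {entry[1]}"
    if local_ts.is_wildcard() and remote_ts.is_wildcard():
        return ("MISMATCH: peer proposed 0.0.0.0/0 <-> 0.0.0.0/0 (route-based VPN); a policy-based "
                "crypto map cannot narrow it. Enable UsePolicyBasedTrafficSelectors on the Azure connection.")
    return "MISMATCH: peer proposed a prefix pair not covered by the crypto ACL; add the missing subnet objects."


if __name__ == "__main__":
    print(diagnose(*selectors_from_syslog(REJECT_LOG)))
    print(diagnose(*selectors_from_show(SHOW_OUTPUT)))
```

Run against the question's log line it reports the wildcard mismatch; against the solution's child SA it reports the matching ACL line. Feeding it the pre-fix object list (ORIGINAL_ACL) with a selector for one of the later /24s shows the other failure mode the solution mentions: a narrow proposal that no configured object covers.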
09-11-2018 12:53 AM
09-11-2018 01:01 AM
Hi,
I think Azure used GCM 256. Try GCM 256 for your phase 2
Thanks
John
09-11-2018 09:15 AM
@johnd2310 wrote:
I think Azure used GCM 256. Try GCM 256 for your phase 2
Dear John, thanks, I did try that, but it didn't work. That was actually for Azure Stack, not for Azure, useful stuff to know :)
06-18-2019 05:56 AM
Thanks for following up and posting the solution you found, it was the answer to our matching issue!