ASA5516 9.8(2) site to site connection with Azure IKEv2 (no BGP) fails

aledeniz
Level 1

I have an Azure subscription with a virtual network where the gateway subnet is 172.26.0.0/27, and then I have a number of subnets, e.g. 172.26.1.0/24, 172.26.2.0/24, 172.26.3.0/24, ...

On the router side I have configured the network objects for 172.26.0.0/27 and 172.26.1.0/24.

The local network is 10.0.0.0/8.

This is the configuration I have used to setup the site to site connection on the router:

object network HQ-LAN
subnet 10.0.0.0 255.0.0.0
description The HQ LAN
object network AzureLabNet-LAN
subnet 172.26.1.0 255.255.255.0
description The Azure AzureLabNet LAN range
object network AzureLabNet-Gateway
subnet 172.26.0.0 255.255.255.224
object-group network AzureLabNet-network
description Azure AzureLabNet Virtual Network
network-object object AzureLabNet-LAN
network-object object AzureLabNet-Gateway
object-group network HQ-network
description HQ on-premises Network
network-object object HQ-LAN

access-list azure-vpn-acl extended permit ip object-group HQ-network object-group AzureLabNet-network log notifications
nat (LAN,INTERNET) source static HQ-network HQ-network destination static AzureLabNet-network AzureLabNet-network no-proxy-arp route-lookup

crypto ipsec ikev2 ipsec-proposal AZURE-TRANSFORM-2
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup

crypto map CRYPTO-MAP 1 match address azure-vpn-acl
crypto map CRYPTO-MAP 1 set peer 40.a.b.c
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal AZURE-TRANSFORM-2
crypto map CRYPTO-MAP 1 set ikev2 pre-shared-key ********
crypto map CRYPTO-MAP 1 set security-association lifetime seconds 3600
crypto map CRYPTO-MAP 1 set nat-t-disable
crypto map CRYPTO-MAP interface INTERNET

crypto ca trustpool policy

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28800

crypto ikev2 enable INTERNET

group-policy AzureGroupPolicy internal
group-policy AzureGroupPolicy attributes
vpn-tunnel-protocol ikev2

dynamic-access-policy-record DfltAccessPolicy
tunnel-group 40.a.b.c type ipsec-l2l
tunnel-group 40.a.b.c general-attributes
default-group-policy AzureGroupPolicy
tunnel-group 40.a.b.c ipsec-attributes
ikev2 remote-authentication pre-shared-key ********
ikev2 local-authentication pre-shared-key ********
no tunnel-group-map enable peer-ip
tunnel-group-map default-group 40.a.b.c

sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows

The connection seems to reach the point where an IKEv2 tunnel is set up, but then the tunnel gets rejected with the following error:

3 Sep 10 2018 14:39:38 751022         Local:80.x.y.w:500 Remote:40.a.b.c:500 Username:40.a.b.c IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!

In debug, I found:

IKEv2-PROTO-2: (404): Processing IKE_AUTH message
IKEv2-PLAT-2: (404): Crypto Map: No proxy match on map CRYPTO-MAP seq 1
IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404): Received Policies:
ESP: Proposal 1: AES-GCM-256 Don't use ESN
ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 3: 3DES SHA96 Don't use ESN
ESP: Proposal 4: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 5: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 6: 3DES SHA256 Don't use ESN

IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404): Expected Policies:
IKEv2-PROTO-5: (404): Failed to verify the proposed policies
IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404):

and also:

IKEv2-PROTO-5: (237): SM Trace-> SA: I_SPI=8D624530AA96162A R_SPI=4A613765BD92DF8F (I) MsgID = 00000004 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-2: (237): Deleting SA
IKEv2-PROTO-1: session is not there in tree
IKEv2-PLAT-2:
CONNECTION STATUS: DOWN... peer: 40.a.b.c:500, phase1_id: 40.a.b.c
IKEv2-PLAT-2: (237): IKEv2 session deregistered from session manager. Reason: 6
IKEv2-PLAT-2: (237): session manager killed ikev2 tunnel. Reason: IKE Delete
IKEv2-PLAT-2: (237): PSH cleanup
IKEv2-PLAT-5: Active ike sa request deleted
IKEv2-PLAT-5: Decrement count for incoming active
IKEv2-PLAT-2: (404): Encrypt success status returned via ipc 1
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xAA15ED6E error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xFBC930C6 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xDA2A46C2 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x2EDA754D error FALSE

Any suggestion on how to fix this?
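Two things are already visible in the output quoted above, before any change on the Azure side, and the script below pulls them out of the quoted syslog and debug lines. It is an added example and not code from the thread. The 751022 message carries the selector 0.0.0.0-255.255.255.255, ports 0-65535, any protocol on both the remote and the local side: that is the any-to-any pair a route-based peer proposes, and no crypto-map ACE (here 10.0.0.0/8 to a handful of 172.26.x.x prefixes) can match it, which is exactly what "No proxy match on map CRYPTO-MAP seq 1" says. Separately, the "Received Policies" list contains AES-CBC-256 with SHA256, so the ASA's aes-256/sha-256 ipsec-proposal would have matched had the selector check not failed first; the failure is about selector shape, not algorithms. Assumptions, also marked in the code: the selector fields are printed as start/end/port-lo/port-hi/proto (the same range form that `show crypto ikev2 sa` prints as `a/0 - b/65535`), and the ASA's own proposal appears in the debug's naming as `AES-CBC-256 SHA256`.

```python
"""Classify an ASA IKEv2 IKE_AUTH rejection from its syslog and debug output.

Added example (not from the thread). Inputs below are constructed from the
messages quoted in the question; field-layout assumptions are noted inline.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed: the %ASA-3-751022 line and the relevant debug lines from the post.
SYSLOG_751022 = (
    "3 Sep 10 2018 14:39:38 751022 Local:80.x.y.w:500 Remote:40.a.b.c:500 "
    "Username:40.a.b.c IKEv2 Tunnel rejected: Crypto Map Policy not found for "
    "remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 "
    "local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!"
)
DEBUG_IKE_AUTH = """\
IKEv2-PLAT-2: (404): Crypto Map: No proxy match on map CRYPTO-MAP seq 1
IKEv2-PROTO-1: (404): Received Policies:
ESP: Proposal 1: AES-GCM-256 Don't use ESN
ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 3: 3DES SHA96 Don't use ESN
ESP: Proposal 4: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 5: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 6: 3DES SHA256 Don't use ESN
"""
# The ASA's 'protocol esp encryption aes-256' / 'integrity sha-256' proposal in
# the debug's naming (assumption: it prints like Proposal 4 above).
LOCAL_ESP_PROPOSALS = {("AES-CBC-256", "SHA256")}

ANY_IPV4 = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))


@dataclass(frozen=True)
class TrafficSelector:
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    port_lo: int
    port_hi: int
    proto: int  # 0 = any protocol

    @property
    def is_any(self) -> bool:
        """True for the 0.0.0.0-255.255.255.255 / 0-65535 / any selector that a
        route-based peer sends (it expects routing, not an ACL, to pick traffic)."""
        return ((self.start, self.end) == ANY_IPV4
                and (self.port_lo, self.port_hi, self.proto) == (0, 65535, 0))


def parse_ts(text: str) -> TrafficSelector:
    """Parse 'start/end/port-lo/port-hi/proto' (assumption: the ASA prints the
    IKEv2 address range as start/end, as 'show crypto ikev2 sa' does)."""
    start, end, lo, hi, proto = text.rstrip("!").split("/")
    return TrafficSelector(ipaddress.IPv4Address(start), ipaddress.IPv4Address(end),
                           int(lo), int(hi), int(proto))


TS_RE = re.compile(r"remote traffic selector (\S+) local traffic selector (\S+)")
# Integrity is absent for AEAD (GCM) proposals, hence the optional second group.
ESP_RE = re.compile(r"ESP: Proposal \d+: (\S+)(?: (?!Don't)(\S+))? Don't use ESN")


def parse_751022(line: str):
    """Return (remote_ts, local_ts) from a 751022 'Crypto Map Policy not found' line."""
    m = TS_RE.search(line)
    if m is None:
        raise ValueError("not a 751022 traffic-selector rejection")
    return parse_ts(m.group(1)), parse_ts(m.group(2))


def parse_received_esp(debug: str):
    """(encryption, integrity) pairs the peer offered; integrity is '' for AEAD."""
    return ESP_RE.findall(debug)


def classify(syslog_line: str, debug: str, local_esp=LOCAL_ESP_PROPOSALS) -> dict:
    """Separate a selector-shape failure from an ESP-algorithm failure."""
    remote_ts, local_ts = parse_751022(syslog_line)
    received = parse_received_esp(debug)
    esp_match = [p for p in received if p in local_esp]
    findings = []
    if remote_ts.is_any and local_ts.is_any:
        # Route-based peer: a crypto-map ACE can never match 0.0.0.0/0 <-> 0.0.0.0/0.
        findings.append("any-any-selectors")
    else:
        findings.append("selectors-not-in-crypto-map-acl")
    if not esp_match:
        findings.append("esp-proposal-mismatch")
    return {"remote_ts": remote_ts, "local_ts": local_ts, "received_esp": received,
            "esp_match": esp_match, "findings": findings}


if __name__ == "__main__":
    for key, value in classify(SYSLOG_751022, DEBUG_IKE_AUTH).items():
        print(f"{key}: {value}")
```

Run against the quoted lines, `findings` is just `any-any-selectors` and `esp_match` is non-empty, which is the check to do before touching phase-2 algorithms on either side.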

Accepted Solution

aledeniz
Level 1

I found a solution:

gateway# show crypto isa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:*****, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
********** 80.x.w.y/500                                   40.a.b.c/500                                         READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/3135 sec
Child sa: local selector  10.0.0.0/0 - 10.255.255.255/65535
          remote selector 172.26.1.0/0 - 172.26.1.255/65535
          ESP spi in/out: 0x********/0x********

Reading the list of Microsoft validated VPN devices and device configuration guides in the "About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections" page, on the Cisco ASA row, next to IKEv2 I noticed an asterisk, and down below the list I read

Cisco ASA versions 8.4+ add IKEv2 support, can connect to Azure VPN gateway using custom IPsec/IKE policy with "UsePolicyBasedTrafficSelectors" option. Refer to this how-to article.

I understand from this that I had to set the UsePolicyBasedTrafficSelectors property and therefore create a custom IKE/IPSEC policy, which I did in the Azure Cloud Shell with the following code:

$RG          = "MyRG"
$ConnectionName = "STS-Azure-HQ"

$connection  = Get-AzureRmVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $RG

$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2 -SALifeTimeSeconds 3600 -SADataSizeKilobytes 2048

Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy

I then reconfigured the ASA router to match the IKE/IPSEC policy:

configure terminal
crypto ipsec ikev2 ipsec-proposal AZURE-TRANSFORM-2
 protocol esp encryption aes-256
 protocol esp integrity sha-256
 exit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 2
 prf sha256 sha
 lifetime seconds 28800
 exit

The prf sha256 sha was the last bit I changed, I reckon it may work also just with sha256, but I haven't tried it.

Before that I also added all the 12 Azure subnets in my ASA traffic selector, which probably helped as well.

object network AzureLabNet-Gateway
 subnet 172.26.0.0 255.255.224.0
 description The Azure Gateway range
 exit
object network AzureLabNet-LAN-1
 subnet 172.26.1.0 255.255.255.0
 description The Azure AzureLabNet LAN #1 range
 exit
object network AzureLabNet-LAN-2
 subnet 172.26.2.0 255.255.255.0
 description The Azure AzureLabNet LAN #2 range
 exit
object network AzureLabNet-LAN-3
 subnet 172.26.3.0 255.255.255.0
 description The Azure AzureLabNet LAN #3 range
 exit
object network AzureLabNet-LAN-4
 subnet 172.26.4.0 255.255.255.0
 description The Azure AzureLabNet LAN #4 range
 exit
object network AzureLabNet-LAN-5
 subnet 172.26.5.0 255.255.255.0
 description The Azure AzureLabNet LAN #5 range
 exit
object network AzureLabNet-LAN-6
 subnet 172.26.6.0 255.255.255.0
 description The Azure AzureLabNet LAN #6 range
 exit
object network AzureLabNet-LAN-7
 subnet 172.26.7.0 255.255.255.0
 description The Azure AzureLabNet LAN #7 range
 exit
object network AzureLabNet-LAN-8
 subnet 172.26.8.0 255.255.255.0
 description The Azure AzureLabNet LAN #8 range
 exit
object network AzureLabNet-LAN-9
 subnet 172.26.9.0 255.255.255.0
 description The Azure AzureLabNet LAN #9 range
 exit
object network AzureLabNet-LAN-10
 subnet 172.26.10.0 255.255.255.0
 description The Azure AzureLabNet LAN #10 range
 exit
object network AzureLabNet-LAN-11
 subnet 172.26.11.0 255.255.255.0
 description The Azure AzureLabNet LAN #11 range
 exit
object-group network AzureLabNet-network
 description Azure AzureLabNet Virtual Network
 network-object object AzureLabNet-LAN-1
 network-object object AzureLabNet-LAN-2
 network-object object AzureLabNet-LAN-3
 network-object object AzureLabNet-LAN-4
 network-object object AzureLabNet-LAN-5
 network-object object AzureLabNet-LAN-6
 network-object object AzureLabNet-LAN-7
 network-object object AzureLabNet-LAN-8
 network-object object AzureLabNet-LAN-9
 network-object object AzureLabNet-LAN-10
 network-object object AzureLabNet-LAN-11
 network-object object AzureLabNet-Gateway
exit

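The accepted fix changes two things at once: the Azure connection is switched to policy-based traffic selectors with a matching custom IPsec/IKE policy, and the ASA's remote object-group is widened from one /24 plus the gateway /27 to every VNet subnet. Per Azure's documentation for custom IPsec/IKE policy, once UsePolicyBasedTrafficSelectors is set the gateway negotiates one traffic-selector pair per combination of local network gateway prefix and VNet address-space prefix (here a single pair, 10.0.0.0/8 to 172.26.0.0/16), so the ASA's ACL stays in step with Azure most simply when its remote side is the VNet address space itself rather than a list of subnets. Note also that the gateway object in the posted fix is 172.26.0.0 255.255.224.0, a /19 that already contains every listed /24, so the resulting ACL covers 172.26.0.0-172.26.31.255. The script below, an added example and not code from the thread, parses the question's object and ACL lines, lists the VNet subnets that the original ACL never sent into the tunnel, and grades the ACL against the Azure selector pair; the `ASA_VNET_PREFIX` configuration is a hypothetical alternative, not something the poster used, and the 10.0.0.0/8 local network gateway prefix is an assumption.

```python
"""Check an ASA crypto-map ACL against the traffic selectors an Azure VPN gateway
proposes with UsePolicyBasedTrafficSelectors. Added example, not from the thread."""
import ipaddress
from itertools import product

# Constructed from the question's objects: the ASA side before the fix.
ASA_BEFORE = """
object network HQ-LAN
 subnet 10.0.0.0 255.0.0.0
object network AzureLabNet-LAN
 subnet 172.26.1.0 255.255.255.0
object network AzureLabNet-Gateway
 subnet 172.26.0.0 255.255.255.224
object-group network AzureLabNet-network
 network-object object AzureLabNet-LAN
 network-object object AzureLabNet-Gateway
object-group network HQ-network
 network-object object HQ-LAN
access-list azure-vpn-acl extended permit ip object-group HQ-network object-group AzureLabNet-network log notifications
"""
# Hypothetical alternative (not the poster's): one object equal to the VNet address space.
ASA_VNET_PREFIX = """
object network HQ-LAN
 subnet 10.0.0.0 255.0.0.0
object network AzureLabNet-VNet
 subnet 172.26.0.0 255.255.0.0
access-list azure-vpn-acl extended permit ip object HQ-LAN object AzureLabNet-VNet
"""
# From the "Update about the Azure side" reply.
VNET_ADDRESS_SPACE = ["172.26.0.0/16"]
VNET_SUBNETS = ["172.26.0.0/27"] + [f"172.26.{i}.0/24" for i in range(1, 12)]
# Assumption: the Azure local network gateway carries the on-prem range 10.0.0.0/8.
LOCAL_NETWORK_GATEWAY = ["10.0.0.0/8"]


def parse_asa(config: str) -> dict:
    """Minimal parser for 'object network', 'object-group network' and 'permit ip'
    extended ACEs; returns {acl_name: [(src_net, dst_net), ...]}."""
    objects, groups, acls = {}, {}, {}
    current = None

    def resolve(kind, name):
        if kind == "object":
            return [objects[name]]
        if kind == "object-group":
            return [objects[member] for member in groups[name]]
        raise ValueError(f"unsupported ACE operand: {kind} {name}")

    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "exit":
            continue
        if w[:2] == ["object", "network"]:
            current = ("object", w[2])
        elif w[:2] == ["object-group", "network"]:
            current = ("group", w[2])
            groups[w[2]] = []
        elif w[0] == "subnet" and current and current[0] == "object":
            objects[current[1]] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif w[:2] == ["network-object", "object"] and current and current[0] == "group":
            groups[current[1]].append(w[2])
        elif w[0] == "access-list" and "permit" in w:
            i = w.index("permit")
            if w[i + 1] != "ip":
                continue  # only protocol-ip ACEs are modelled here
            acls.setdefault(w[1], []).extend(
                product(resolve(w[i + 2], w[i + 3]), resolve(w[i + 4], w[i + 5])))
    return acls


def azure_selectors(local_prefixes, vnet_prefixes):
    """One selector pair per (local network gateway prefix, VNet address-space prefix),
    which is how Azure's IPsec/IKE policy docs describe policy-based selectors."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(v))
            for l, v in product(local_prefixes, vnet_prefixes)]


def coverage(aces, pair) -> str:
    """'exact' if an ACE equals the Azure pair, 'narrower' if ACEs only fit inside it
    (the ASA then protects part of what Azure proposes), 'none' otherwise."""
    local, vnet = pair
    best = "none"
    for src, dst in aces:
        if (src, dst) == (local, vnet):
            return "exact"
        if src.subnet_of(local) and dst.subnet_of(vnet):
            best = "narrower"
    return best


def uncovered_subnets(aces, subnets):
    """VNet subnets no ACE destination contains: their traffic never enters the tunnel."""
    dsts = [dst for _, dst in aces]
    return [str(s) for s in map(ipaddress.ip_network, subnets)
            if not any(s.subnet_of(d) for d in dsts)]


def report(config: str) -> dict:
    aces = parse_asa(config)["azure-vpn-acl"]
    pairs = azure_selectors(LOCAL_NETWORK_GATEWAY, VNET_ADDRESS_SPACE)
    return {"aces": [f"{s} -> {d}" for s, d in aces],
            "azure_pairs": {f"{l} <-> {v}": coverage(aces, (l, v)) for l, v in pairs},
            "uncovered_vnet_subnets": uncovered_subnets(aces, VNET_SUBNETS)}


if __name__ == "__main__":
    for name, cfg in (("before", ASA_BEFORE), ("vnet-prefix", ASA_VNET_PREFIX)):
        print(name, report(cfg))
```

For the question's configuration the report shows ten of the eleven /24 subnets outside the ACL and the Azure pair only "narrower"-covered; with the single /16 object both problems disappear, and the same check can be re-run whenever a subnet is added to the VNet.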

5 Replies

aledeniz
Level 1
Update about the Azure side:
The address space on the virtual network is 172.26.0.0/16, the gateway subnet is 172.26.0.0/27, and the subnets are 172.26.1.0/24, 172.26.2.0/24, 172.26.3.0/24, 172.26.4.0/24, 172.26.5.0/24, 172.26.6.0/24, 172.26.7.0/24, 172.26.8.0/24, 172.26.9.0/24, 172.26.10.0/24, 172.26.11.0/24.
At the moment I have only one VM up on 172.26.1.0/24 which I am using to test the VPN (and another whole lot of VMs spread across the other subnets).

johnd2310
Level 8

Hi,

I think Azure used GCM 256. Try GCM 256 for your phase 2

https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-vpn-gateway-settings#ipsecike-parameters

Thanks

John

**Please rate posts you find helpful**


@johnd2310 wrote:

I think Azure used GCM 256. Try GCM 256 for your phase 2

https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-vpn-gateway-settings#ipsecike-parameters

Dear John, thanks, I did try that, but it didn't work. That was actually for Azure Stack, not for Azure, useful stuff to know :)


Thanks for following up and posting the solution you found, it was the answer to our matching issue!
