cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
37719
Views
16
Helpful
24
Replies

Azure S2S VPN with Firepower FMC / FTD

Brandon James
Level 1
Level 1

I have a Firepower 2110 being managed by Firepower Management Center (FMC), both in firmware version 6.2.2. I've spent the last couple of days trying to configure a  S2S VPN with an Azure "Virtual Network Gateway"to no success. 

 

The available documentation from Microsoft provides support for only the ASA software and I have been unable to translate those instructions to a working tunnel with my FTD device via FMC.

 

The VPN Log provides the following message:

 

Local: A.A.A.A:500 Remote:B.B.B.B:500 Username:B.B.B.B IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 10.100.0.0/10.100.255.255/0/65535/0 local traffic selector 10.1.1.0/10.1.1.255/0/65535/0!

Message ID: 751022

 

In the VPN configuration for Node A (Local) I have network 10.1.1.0/24 listed as protected. Node B (Azure) I have 10.100.0.0/16 protected.

 

In Azure I have 10.1.1.0/24 listed as the "Address space". There isn't much more available for configuration. I did use PowerShell to create the Connection and included the "UsePolicyBasedTrafficSelectors $True" option as advised by the Microsoft documentation to allow for policy based option with IKEv2 

 

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps 

 

Does anyone know of or have had a successful Site 2 Site VPN configuration between an FTD device and the Azure cloud?

 

Thanks,

Brandon

 

 

1 Accepted Solution

Accepted Solutions

Brandon James
Level 1
Level 1

I now have the VPN connection established. I didn't validate the actual address associated with one of the network objects I was using on the FTD side. 

 

I can confirm that it is possible to use an FTD device (managed by FMC) to establish an IPSec S2S VPN with Azure using IKEv2. The non-obvious step is to configure your Azure "Connection"in Powershell, ensuring to include the "UsePolicyBasedTrafficSelectors $True" option. Also, when you manually configure your "Connection"you have to define your IPSec policy as it defaults with no policy. 

 

Mohammed, thank you for your willingness to assist.

 

Brandon

View solution in original post

24 Replies 24

Can you share the config generated by Azure for ASA? I recall it was based
on VTI and if so I don't think it will work in FTD because so far FTD uses
crypto-maps

! Sample ASA configuration for connecting to Azure VPN gateway
!
! Tested hardware: ASA 5505
! Tested version: ASA version 9.2(4)
!
! Replace the following place holders with your actual values:
! - Interface names - default are "outside" and "inside"
! - <Azure_Gateway_Public_IP>
! - <OnPrem_Device_Public_IP>
! - <Pre_Shared_Key>
! - <VNetName>*
! - <LNGName>* ==> LocalNetworkGateway - the Azure resource that represents the
! on-premises network, specifies network prefixes, device public IP, BGP info, etc.
! - <PrivateIPAddress> ==> Replace it with a private IP address if applicable
! - <Netmask> ==> Replace it with appropriate netmasks
! - <Nexthop> ==> Replace it with the actual nexthop IP address
!
! (*) Must be unique names in the device configuration
!
! ==> Interface & route configurations
!
! > <OnPrem_Device_Public_IP> address on the outside interface or vlan
! > <PrivateIPAddress> on the inside interface or vlan; e.g., 10.51.0.1/24
! > Route to connect to <Azure_Gateway_Public_IP> address
!
! > Example:
!
! interface Ethernet0/0
! switchport access vlan 2
! exit
!
! interface vlan 1
! nameif inside
! security-level 100
! ip address <PrivateIPAddress> <Netmask>
! exit
!
! interface vlan 2
! nameif outside
! security-level 0
! ip address <OnPrem_Device_Public_IP> <Netmask>
! exit
!
! route outside 0.0.0.0 0.0.0.0 <NextHop IP> 1
!
! ==> Access lists
!
! > Most firewall devices deny all traffic by default. Create access lists to
! (1) Allow S2S VPN tunnels between the ASA and the Azure gateway public IP address
! (2) Construct traffic selectors as part of IPsec policy or proposal
!
access-list outside_access_in extended permit ip host <Azure_Gateway_Public_IP> host <OnPrem_Device_Public_IP>
!
! > Object group that consists of all VNet prefixes (e.g., 10.11.0.0/16 &
! 10.12.0.0/16)
!
object-group network Azure-<VNetName>
description Azure virtual network <VNetName> prefixes
network-object 10.11.0.0 255.255.0.0
network-object 10.12.0.0 255.255.0.0
exit
!
! > Object group that corresponding to the <LNGName> prefixes.
! E.g., 10.51.0.0/16 and 10.52.0.0/16. Note that LNG = "local network gateway".
! In Azure network resource, a local network gateway defines the on-premises
! network properties (address prefixes, VPN device IP, BGP ASN, etc.)
!
object-group network <LNGName>
description On-Premises network <LNGName> prefixes
network-object 10.51.0.0 255.255.0.0
network-object 10.52.0.0 255.255.0.0
exit
!
! > Specify the access-list between the Azure VNet and your on-premises network.
! This access list defines the IPsec SA traffic selectors.
!
access-list Azure-<VNetName>-acl extended permit ip object-group <LNGName> object-group Azure-<VNetName>
!
! > No NAT required between the on-premises network and Azure VNet
!
nat (inside,outside) source static <LNGName> <LNGName> destination static Azure-<VNetName> Azure-<VNetName>
!
! ==> IKEv2 configuration
!
! > General IKEv2 configuration - enable IKEv2 for VPN
!
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2
exit
!
crypto isakmp identity address
crypto ikev2 enable outside
!
! > Define IKEv2 Phase 1/Main Mode policy
! - Make sure the policy number is not used
! - integrity and prf must be the same
! - DH group 14 and above require ASA version 9.x.
!
crypto ikev2 policy 1
encryption aes-256
integrity sha384
prf sha384
group 24
lifetime seconds 86400
exit
!
! > Set connection type and pre-shared key
!
tunnel-group <Azure_Gateway_Public_IP> type ipsec-l2l
tunnel-group <Azure_Gateway_Public_IP> ipsec-attributes
ikev2 remote-authentication pre-shared-key <Pre_Shared_Key>
ikev2 local-authentication pre-shared-key <Pre_Shared_Key>
exit
!
! ==> IPsec configuration
!
! > IKEv2 Phase 2/Quick Mode proposal
! - AES-GCM and SHA-2 requires ASA version 9.x on newer ASA models. ASA
! 5505, 5510, 5520, 5540, 5550, 5580 are not supported.
! - ESP integrity must be null if AES-GCM is configured as ESP encryption
!
crypto ipsec ikev2 ipsec-proposal AES-256
protocol esp encryption aes-256
protocol esp integrity sha-1
exit
!
! > Set access list & traffic selectors, PFS, IPsec protposal, SA lifetime
! - This sample uses "Azure-<VNetName>-map" as the crypto map name
! - ASA supports only one crypto map per interface, if you already have
! an existing crypto map assigned to your outside interface, you must use
! the same crypto map name, but with a different sequence number for
! this policy
! - "match address" policy uses the access-list "Azure-<VNetName>-acl" defined
! previously
! - "ipsec-proposal" uses the proposal "AES-256" defined previously
! - PFS groups 14 and beyond requires ASA version 9.x.
!
crypto map Azure-<VNetName>-map 1 match address Azure-<VNetName>-acl
crypto map Azure-<VNetName>-map 1 set pfs group24
crypto map Azure-<VNetName>-map 1 set peer <Azure_Gateway_Public_IP>
crypto map Azure-<VNetName>-map 1 set ikev2 ipsec-proposal AES-256
crypto map Azure-<VNetName>-map 1 set security-association lifetime seconds 7200
crypto map Azure-<VNetName>-map interface outside
!
! ==> Set TCP MSS to 1350
!
sysopt connection tcpmss 1350
!

 

 

Found at:  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-cisco-asa

 

On FTD cli go to system support diag and share the output of debug crypto
ikev2

I get the following debug info:

 

Message #90 : IKEv2-PROTO-1: decrypt queued
Message #91 : IKEv2-PROTO-1: Asynchronous request queued
Message #92 : IKEv2-PROTO-1:
Message #93 : IKEv2-PROTO-1: (2867): Failed to find a matching policy
Message #94 : IKEv2-PROTO-1: (2867): Received Policies:
Message #95 : ESP:
Message #96 : Proposal 1:
Message #97 : AES-CBC
Message #98 : -256
Message #99 : SHA256
Message #100 : Don't use ESN
Message #101 :
Message #102 :
Message #103 : IKEv2-PROTO-1: (2867): Failed to find a matching policy
Message #104 : IKEv2-PROTO-1: (2867): Expected Policies:
Message #105 : IKEv2-PROTO-1: (2867): Failed to find a matching policy
Message #106 : IKEv2-PROTO-1: (2867):
Message #107 : IKEv2-PROTO-1: session is not there in tree
Message #108 : IKEv2-PROTO-1: (2867): Detected unsupported failover version
Message #109 : IKEv2-PROTO-1: (2867):

 

 

I have the "IKEv2 Policy" and "IKEv2 IPSec Proposal" set to accept all proposal options on the FTD side. 

 

On the Azure side I have defined the following:

 

$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

 

 

 

Brandon James
Level 1
Level 1

I now have the VPN connection established. I didn't validate the actual address associated with one of the network objects I was using on the FTD side. 

 

I can confirm that it is possible to use an FTD device (managed by FMC) to establish an IPSec S2S VPN with Azure using IKEv2. The non-obvious step is to configure your Azure "Connection"in Powershell, ensuring to include the "UsePolicyBasedTrafficSelectors $True" option. Also, when you manually configure your "Connection"you have to define your IPSec policy as it defaults with no policy. 

 

Mohammed, thank you for your willingness to assist.

 

Brandon

Hi Brandon,   I hope you are fine.   I read your topic about VPN between FTD and AZURE and I would like your help with that if possible. Can you please send me the configuration that you did on the FTD site? I mean regarding the IKEv2 Policy and IKEv2 Ipsec Proposal   I really appreciate any help on that   Best regards, Henrique Reis

 

Could you share the config fra Azure and the FMC/FTD ?
Having the same trouble with the connection.

Just wanted to confirm for any body else running into Azure S2S issues, this worked for our enviroment as well. After many hours of troubleshooting, found this thread, ran this command and within a couple minutes we was connected. Thanks for your help!

Can anyone share some info about the config on both sides ?

I have a FTD 2310 Appliance and have the Azure to Cisco VPN tunnel up and passing traffic. In order to get this up and running I had to do the following on the FTD.

1. Create the Interface. I used a previously configured interface for the outside which is fine to do.

2. Create the Network Objects for the Internal networks that you want to use on your VPN. You may have these created already and only have to add them to the policies. You can also create a network group which will act as a container for several network objects. You will also create a network object of the remote network.

3. Create an Extended Access List. 

4. Create the IKev2 Policy and IpSec Proposal

5. Create a NAT policy

6. Create the Device: VPN Tunnel

 

If your policies match on both sides you should gain connectivity. You will want to use the PS Scripts suggested by Microsoft to configure the Azure side.

Here is a more specific list of tasks. If you follow these and just input your own interfaces you it should work. This is run on a FTD 2130 running 6.2

 

Steps to Creating a VPN Tunnel between FTD 2130 and Azure

  1. Interface
    1. You need to either create a new external interface or use an existing one.
  2. Object: Create objects for your VPN
    1. Under Network click Add Network. You will create an object to represent the Azure networks and a group to represent the on prem networks
    2. Create an Access List
      1. Click the Extended Access List and Add an Extended Access List.
      2. The access list will contain an Allow action from each on prem network to the Azure network. In our case we are allowing any protocols.
  • Click Save
  1. Create a VPN IKEv2 and IPsec Proposal
    1. IKEv2 Policy: This policy must match the other side.
      1. Priority: 2
      2. Lifetime: 3600
      3. Integrity Algorithms: SHA256
      4. Encryption Algorithms: AES-256
      5. PRF Algorithms: SHA256
      6. Diffie-Hellman Group: 24
    2. IKEv2 Ipsec Proposal
      1. ESP Hash: SHA-256
      2. ESP Encryption: AES-256
    3. Policy: Click on the Policy Tab. You will either create a new policy or modify an existing policy. In our case we will modify the policy.
      1. Click Add Rule: Create an Inside and an Outside rule
        1. Inside Rule into the VPN Category
          1. Zones:
            1. Source: {Outside Interface}
            2. Destination: Any
          2. Networks:
            1. Source Networks: Azure Networks
            2. Destination: On Prem networks
          3. Inspection
            1. Intrusion Policy: {Your Policy Name}
            2. File Policy: {Your Policy Name}
          4. Outside Rule in the VPN Category
            1. Zones:
              1. Source: Any
              2. Destination: {Outside Interface}
            2. Networks:
              1. Source: On Prem Networks
              2. Destination: Azure Networks
            3. Inspection
              1. Intrusion Policy: {Your Policy Name}
              2. File Policy: {Your Policy Name}
            4. Save

 

 

  1. NAT: Click on the Device Tab and navigate to NAT
    1. You will either create a new policy or edit an existing policy. In our case we will edit an existing policy.
      1. Add Rule: This will be a Static policy
        1. Interface Objects
          1. Source: {Internal Interface}
          2. Destination: {External Interface}
        2. Translation:
          1. Original Packets
            1. Original Source: On prem networks
            2. Original Destination: Azure networks
          2. Translated Packets
            1. Translated Source: On prem networks
            2. Translated Destination: Azure networks
          3. Save
        3. Device: Click on the VPN tab and select Site-to-Site
          1. Click Add VPN: I am creating a Point to Point connection
            1. Endpoints
              1. Node A
                1. Device: Select the FTD Appliance
                2. Interface: {Outside Interface}
                3. Ip Address: This should auto generate the IP of your outside interface
                4. Connection Type: Bidirectional
                5. Protected Networks: On prem networks
              2. Node B
                1. Device: Select Extranet
                2. Device Name: You can name this according to your naming scheme
                3. IP Address: This is the public IP of your Azure site. This was created when you created the Azure side of the Tunnel.
                4. Protected Networks: Azure networks
              3. IKE: We use IKEv2
                1. Policy: Select the policy you created earlier for IKEv2
                2. Authentication: Pre-shared Manual Key
                  1. Use the same key you created for the Azure side of the VPN.
  • Ipsec
    1. Transform Sets
      1. Select the Ipsec proposal you created earlier
      2. Enable Reverse Route Injection
      3. Enable Perfect Forward Secrecy
        1. Modulus Group 24
        2. Lifetime Duration 3600
  • Lifetime Size: 102400000

 

  1. Save

 

  1. Deploy: When you have completed the previous steps you can deploy the new policies. This will take around 20-30 min.
  2. To check the tunnel on the FTD you can log into the device and use the following CLI commands to verify the sessions
    1. Show crypto ipsec sa
    2. Show crypto ikev2 sa
      1. This should show you all the on prem networks that you specified in the policy as child objects in the policy.

Great thanks.

Do you also have the Azure part, because i think it is that part that is causing me the most trouble?

 

I followed the document attached and used PowerShell to configure the Azure side. I had to install the Azure PS modules on my desktop but once they were installed I ran this. Line by line.

 

Connect-AzureRmAccount
Set-AzureRmContext -SubscriptionID "{Your Subscription}"
$ipsec = New-AzureRmIpsecPolicy –IkeEncryption AES256 -IkeIntegrity SHA256 –DhGroup DHGroup24 –IpsecEncryption AES256 –IpsecIntegrity SHA256 –PfsGroup PFS24 –SALifeTimeSeconds 3600 –SADataSizeKilobytes 1024000000
$vng = Get-AzureRmVirtualNetworkGateway –Name {Your Gateway} -ResourceGroupName {Your Resource}
$lng = Get-AzureRmLocalNetworkGateway –Name {Your Local Network Gateway} -ResourceGroupName {Your Resource}
New-AzureRmVirtualNetworkGatewayConnection -Name {Your Gateway Connector -ResourceGroupName {Your Resource} -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -Location WestUS2 -ConnectionType IPsec -IpsecPolicies $ipsec -UsePolicyBasedTrafficSelectors $True -SharedKey '{Your Shared Key}'

After configuring the Azure side I downloaded the configuration for a Cisco ASA policy based configuration and made sure the configuration matched on both sides. Here is my output.

 

 

 

/Data/CONNECTION_NAME = {Your Connector Name}
/Data/VNG_NAME = {Your Subscription Number}
/Data/LNG_NAME = AZR-WUS2-FPLOCALGW
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! [2] Public IP address of the Azure VPN gateway
! Active-Standby VPN gateway (single public IP address)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/VNG_GATEWAYIP = {Public IP Assigned by Azure}
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! Active-Active VPN gateway (A/A mode if more than one public IP is listed below)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/VNG_GATEWAYIPS/IpAddress/IP = {Public IP Assigned by Azure}
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! [3] Public IP address of the on-premises VPN device
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/LNG_GATEWAYIP = {Public IP of your on prem Firewall}
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! [4] VNet address prefixes: a list of all VNet address prefixes in different formats
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/VnetSubnets/Subnet/SP_NetworkIpRange = 10.9.0.0
SP_NetworkSubnetMask = 255.255.0.0
SP_NetworkWildcardBits = 0.0.255.255
SP_NetworkCIDR = 10.9.0.0/16
SP_TunnelName = SP_TunnelName
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! [5] On-premises address prefixes: a list of all on-premises address prefixes defined in LNG
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/OnPremiseSubnets/Subnet/SP_NetworkIpRange = 10.2.0.0
SP_NetworkSubnetMask = 255.255.0.0
SP_NetworkWildcardBits = 0.0.255.255
SP_NetworkCIDR = 10.2.0.0/16
SP_TunnelName = SP_TunnelName

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! [6] Phase 1/Main Mode:
! IKE encryption algorithm
! IKE hashing algorithm
! IKE Diffie-Hellman group
! IKE SA lifetime (seconds)
! IKE SA data size (Kilobytes)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/IKE_ENCRYPTION_1 = aes-256
/Data/IKE_INTEGRITY_1 = sha256
/Data/IKE_DHGROUP_1 = 24
/Data/IKE_SALIFETIME_1 = 3600
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! [7] Phase 2/Quick Mode:
! IPsec encryption algorithm
! IPsec hashing algorithm
! PFS Group (Perfect Forward Secrecy)
! IPsec SA (QMSA) lifetime (seconds)
! IPsec SA (QMSA) lifetime (kilobytes)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/IPsec_ENCRYPTION_1 = aes-256
/Data/IPsec_INTEGRITY_1 = sha-256
/Data/IPsec_PFSGROUP_1 = group24
/Data/IPsec_SALIFETIME = 3600
/Data/IPsec_KB_SALIFETIME =
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! [8] Connection pre-shared key
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_PSK = {Your shared key}
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! [9] BGP parameters - Azure VPN gateway
! Enable BGP
! BGP ASN for Azure VPN gateway
! BGP speaker IP address for the Azure VPN gateway
! BGP peer IP address(es)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_BGP_ENABLED = False
/Data/VNG_ASN = VNG_ASN
/Data/VNG_BGPIP = VNG_BGPIP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! [10] BGP parameters - on-premises network / LNG
! BGP ASN for the on-premises network
! BGP speaker IP address for the on-premises network
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/LNG_ASN = LNG_ASN
/Data/LNG_BGPIP = LNG_BGPIP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 

The big gotcha on my end was that Azure was looking for a PFS group and I had not configured that on the FTD. My sessions would initiate then drop. Once I made sure that both sides of the tunnel matches exactly everything started working. This is pretty typical for VPN tunnels.

 

I hope this helps.