Hi, I just finished building site-to-site VPN tunnel between Cisco Firepower FTD controlled by FMC to Microsoft Azure cloud. Relatively easy, but has multiple confusion points. Basically primary confusing point is the fact that for Azure side you are not directly configuring some Phase 1 parameters. Some of phase 1 parameters simply not possible to configure and you have to just follow Microsoft recommendations. Some other phase 1 parameters are presented in format which network person not immediately catch without special attention. 

By the way - during my work I also hit issue explained in following article - "Azure VPN with IKEv2 & INITIATOR role" https://community.cisco.com/t5/vpn/azure-vpn-with-ikev2-amp-initiator-role/m-p/3194432#M118371

Since that article doesn't have resolution listed I will point it to this article. 

So, back to confusion points:

1. Primary. When on Azure you configuring Virtual Network Subnet and Virtual Network Gateway Subnet Azure VPN automatically adds these two subsets to encrypted domain. So, entire subnet is added no matter if you only wants to include just few hosts. So, on premise side configuration you should add entire subnet as your remote subnet even if for local you can proceed with multiple /32 host records. 

2. Phase 1 timer is always 28,800 sec. No option to change it on Azure side.

3. It must be IKEv2 - no option to change this. 

4. Other parameters can be changed I believe.

 - For example DH group for phase 1 is group 2 by default, but can be changed with DhGroup parameter.

- Phase 1 Encryption I believe AES-256 by default with SHA-1 Integrity, but they can be tuned by IkeEncryption and IkeIntegrity variables. 

- SALifeTimeSeconds value is timer for phase 2 Ipsec. 

- Don't forget PolicyBasedTrafficSelectors     :True

 

One more thing - Azure gateway not accepting ping, so DPD has to be off. On Cisco side it is configured as disabled keepalive. 

Good luck to everyone. 

 

 

 

 

 

 

Hi, we are trying to setup a Site-to-Site VPN between Azure VPN Gateway & a Cisco Firepower TD.
Although Cisco Firepower isn’t listed as a validated VPN device in the devices list I can’t imagine that it won’t work with Azure.

We asked our partner to setup the VPN, but without success.

 

I’m a total Firewall/Networking & Firepower noob but I verified the following settings based on the Cisco sample config

At first sight the IPsec/IKE parameters seem to correspond between the onprem FW & Azure VPN Gateway.

 

In the Cisco sample config they use the AES-GCM-NULL-SHA policy instead of the SHA256_AES256_DH24 policy.
Also the ISAKMP keepalive is enabled while in the sample config it says it should be turned off because not supported by Azure.

Can this be an issue?

 

Can anyone put me in the right direction to troubleshoot this?

Thanks!

 

Azure Policy

  "UsePolicyBasedTrafficSelectors": true,

  "IpsecPolicies": [

    {

      "SALifeTimeSeconds": 3600,

      "SADataSizeKilobytes": 1024000000,

      "IpsecEncryption": "AES256",

      "IpsecIntegrity": "SHA256",

      "IkeEncryption": "AES256",

      "IkeIntegrity": "SHA256",

      "DhGroup": "DHGroup24",

      "PfsGroup": "PFS24"

    }

I believe your problem is extra zero is SADataSizeKilobytes value. It should be five zero while you have 6.
General respond would be following:

1. Cisco FTD is working fine with Azure. So, don't worry about this.

2. Trick is to match everything correctly because Azure side has some parameters fixed which you cannot change. So, just do things carefully.

First I will map parameters which you can configure on Azure side (you list them)

Azure SALifeTimeSeconds = 3600 = Cisco FMC > Devices >VPN>Site-to-Site>Select VPN>IPsec "Lifetime Duration"

Azure SADataSizeKilobytes = 102400000 = Cisco FMC > Devices >VPN>Site-to-Site>Select VPN>IPsec "Lifetime Size"

Azure IpsecEncryption = AES256 = Cisco FMC > Objects Management > IKEv2 IPsec Proposal > Select proposal > ESP Encryption "AES-256" in selected area

Azure IpsecIntegrity = SHA256 = Cisco FMC > Objects Management > IKEv2 IPsec Proposal > Select proposal > ESP Hash "SHA-256" in selected area

Azure IkeEncryption = AES256 = Cisco FMC > Objects Management > IKEv2 Policy > Select Policy > Encryption Algorithm "AES-256" is selected area

Azure IkeIntegrity = SHS256 = Cisco FMC > Objects Management > IKEv2 Policy > Select Policy > Integrity Algorithm "SHA-256" in selected area. Also PRF Algorithm "SHA-256" in selected

Azure DhGroup = DHGroup24 = Cisco FMC > Objects Management > IKEv2 Policy > Select Policy > Diffie-Hellman Group "24" in selected Group"

Azure PfsGroup = PFS24 = Cisco FMC > Devices >VPN>Site-to-Site>Select VPN> IPsec > Check "Enable Perfect Forward Secrecy" and select 24



Azure Virtual Network Subnets = you see here your Azure subnet and Gateway Subnet. Azure include both automatically in VPN = Cisco FMC > Devices >VPN>Site-to-Site>Select VPN> Projected Networks for Node A=Azure Subnets (full subnet MUST be here, not just /32 hosts you want to use on Azure side. Azure side always insert full subnet and also gateway subnet in tunnel).

Azure Local Network Gateway = Address space (hosts or networks on premise location listed here) = Cisco FMC > Devices >VPN>Site-to-Site>Select VPN> Projected Networks for Node B=" hosts or networks on premise location"



Now Parameters which are fixed on Azure side, so I will only list the way Cisco need to be configured.

Cisco FMC > Objects Management > IKEv2 Policy > Select Policy > Lifetime = 28800

Cisco FMC > Objects Management > IKEv2 Policy > Select Policy > Priority = 1 (I don't think it is important, but this is my settings)

Cisco FMC > Devices >VPN>Site-to-Site>Select VPN > Only IKEv2 selected

Cisco FMC > Devices >VPN>Site-to-Site>Select VPN > IPsec > Crypto Map Type = Static

Cisco FMC > Devices >VPN>Site-to-Site>Select VPN > IPsec > IKEv2 Mode = Tunnel

Cisco FMC > Devices >VPN>Site-to-Site>Select VPN > IPsec > Enable Security Association Strength Enforcement = Not Checked

Cisco FMC > Devices >VPN>Site-to-Site>Select VPN > IPsec > Enable Reverse Route Injection = Checked

Cisco FMC > Devices >VPN>Site-to-Site>Select VPN > Advanced > IKE Keepalive = Disabled



Good luck.

Thanks for this detailed and helpful explanation!
You made my day!! VPN is up and running!

Changed:
-DataSizeKilobytes: removed the extra zero
-IKEv2 Policy Priority = 1
-IKE Keepalive = Disabled

Hi,

I have built the S2S VPN between Cisco FTD 2110 and Azure VNG as per this post, and it did really smooth provided if we had set ikve and ipsec phases correctly. This S2S VPN is created for our development team to have access of non-prod servers and have their work done.

Now i need one more help, since i already have a Remote VPN running since most employees nowadays working from home.

Is there a way wherein, if our system engineer creates a number of user accounts in the non-prod AD server and development team can access these non-prod servers by putting the credentials as they do for connecting remote VPN connection via ANYCONNECT client, so soon as they put the credentials of the non-prod environment the clients detects this and redirects to the non-prod server network. 

So is it possible to use the remote vpn anyconnect client to access the site to site vpn tunnel ?

Hope you guys understood..

Needless to say, I'm having an issue connecting a clients Firepower Threat Defense to our Azure Virtual Network Gateway.

 

Any help would be appreciated.