Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
596
Views
0
Helpful
0
Replies

Conectar un cisco 2921 IOS 154-3.M1 contra Microsoft AZURE

pedroaceve
Level 1
Level 1

‎04-16-2019 12:28 PM - last edited on ‎10-15-2019 03:00 PM by Community Manager

Hello Cisco Team,
I have a issue when I try to connect a VPN to Microsoft AZURE with an ISR 2921 IOS :(C2900-UNIVERSALK9-M),
Version 15.4(3)M1 .
the problem is the below, when I put on the tunnel interface the line "tunnel protection ipsec profile" the protocol going tourn down and i'm not sure if whats is the problem. below shown the configuration:


There is the IKE configuration
---------------------------
crypto ikev2 proposal azure-proposal
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha1
group 2
!
crypto ikev2 policy azure-policy
proposal azure-proposal
!
crypto ikev2 keyring azure-keyring
peer 40.71.251.184
address 40.71.251.184
pre-shared-key PFv3trEKx9YpvErntzXatXXoLdZ+1e6L
!
!
!
crypto ikev2 profile azure-profile
match address local interface GigabitEthernet0/0
match identity remote address 40.71.251.184 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local azure-keyring
!
!

!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
mode tunnel

-------------------------------IPsec Configuration
crypto ipsec profile azure-vti
set transform-set azure-ipsec-proposal-set
set ikev2-profile azure-profile

---------------------------- Other VPN and WORK FINE
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key Th3$8aR4r3^lL7g0&cwS#z8!r*csTl!Nb^jeY& address 74.203.194.130 no-xauth
crypto isakmp key Th3_F0rc3_!s5tR0ng#D2rkhoR1z0n5&^kD3 address 67.148.183.186 no-xauth
crypto isakmp identity hostname
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set 3DES esp-3des
mode transport

crypto ipsec df-bit clear
no crypto ipsec nat-transparency udp-encapsulation
!
!
!
!
crypto map dsl-cm local-address GigabitEthernet0/0
crypto map dsl-cm 60 ipsec-isakmp
set peer 74.203.194.130
set transform-set 3DES
match address 172
crypto map dsl-cm 70 ipsec-isakmp
set peer 67.148.183.186
set transform-set 3DES
match address 175
!
crypto map dslbu-cm local-address GigabitEthernet0/0

 

interface Tunnel20
description Tunnel to AZURE
bandwidth 8000
ip address 169.254.0.1 255.255.255.255
ip tcp adjust-mss 1350
tunnel source 200.47.10.89
tunnel mode ipsec ipv4
tunnel destination 40.71.251.184
tunnel protection ipsec profile azure-vti
end

access-list 101 permit ip 10.111.0.0 0.0.1.255 10.1.0.0 0.0.1.255
access-list 101 permit esp host 40.71.251.184 host 200.47.10.89
access-list 101 permit udp host 40.71.251.184 eq isakmp host 200.47.10.89
access-list 101 permit udp host 40.71.251.184 eq non500-isakmp host 200.47.10.89


-----------------------------
The output command:
CASACENTRAL-1#sh cryp ses bri
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status
67.148.183.186 Gi0/0 67.148.183.186 14:18:13 UA
40.71.251.184 Tu20 00:00:00 DN ----------------------> TO AZURE
CASACENTRAL-1#

 

CASACENTRAL-1#sh int tunn 20
Tunnel20 is up, line protocol is down
Hardware is Tunnel
Description: Tunnel to AZURE
Internet address is 169.254.0.1/32
MTU 17940 bytes, BW 8000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate mode reg down
Tunnel source 200.47.10.89, destination 40.71.251.184
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1400 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "azure-vti")

 

When I delete the "tunnel protection ipsec profile azure-vti" and "tunnel mode ipsec ipv4" line the Tunel UP:

 

CASACENTRAL-1(config-if)#no tunnel protection ipsec profile azure-vti
CASACENTRAL-1(config-if)#no tunnel mode ipsec ipv4

CASACENTRAL-1(config-if)#do sh int tunn20
Tunnel20 is up, line protocol is up
Hardware is Tunnel
Description: Tunnel to AZURE
Internet address is 169.254.0.1/32
MTU 17916 bytes, BW 8000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 200.47.10.89, destination 40.71.251.184
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1376 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)

-----
but this way not there is tunneling and VPN

Thanks for the help can you give me.

Regards,
Pedro Acevedo.

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents