02-11-2022 10:37 PM - edited 02-11-2022 10:46 PM
I have an existing tunnel-based VPN connection between my on-premises router's WAN1 and an Azure VN, and I wanted to load-balance it with another tunnel-based VPN between WAN2 and Azure.
-----------------------------------------------------------------------------
The commands to configure both VPN connections are:
02-12-2022 01:36 AM
Even if you have two different VTI tunnels, the destination of each tunnel uses the same outgoing interface (the dialer).
You need PBR to make each tunnel destination use a specific outgoing interface.
02-12-2022 02:15 AM
Could you be a little more detailed? Which attributes and properties must I change or add?
02-12-2022 03:48 AM
@varunoberoi your first tunnel is established correctly: traffic is being decrypted but not encrypted. This is likely because you've got 2 static routes over both tunnels and the return traffic is being sent back over the 2nd tunnel, which is not working, thus blackholing the traffic. You should either run a dynamic routing protocol over the tunnel interfaces or use IP SLA to track the tunnels and remove a route in the event a tunnel drops; without this you will blackhole traffic again.
As for the other tunnel (Tunnel11), the IPSec SAs have not established correctly (no inbound or outbound ESP SAs).
Does Tunnel11 work if tunnel 10 is shutdown?
Please can you run ikev2 debugs and provide the output for review.
02-12-2022 04:48 AM - edited 02-12-2022 04:54 AM
OK, I tried a bunch of things. Firstly, I removed all tunnel routes to focus only on establishing stable connections first.
Tunnel 11 does not work when Tunnel 10 is shut down. The output of show crypto session yields the following:
It is using Dialer1 to establish the connection! The config of Tunnel 11 clearly says the source interface should be Dialer2.
Crypto session current status
Interface: Tunnel11
Session status: DOWN
Peer: 52.140.xxx.xxx port 500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Interface: Dialer1
Profile: azure-wan1-vpn-profile
Session status: UP-IDLE
Peer: 52.140.xxx.xxx port 500
Session ID: 1053
IKEv2 SA: local 117.242.xxx.xxx/500 remote 52.140.xxx.xxx/500 Active
Session ID: 1050
IKEv2 SA: local 117.242.xxx.xxx/500 remote 52.140.xxx.xxx/500 Active
Session ID: 1054
IKEv2 SA: local 117.242.xxx.xxx/500 remote 52.140.xxx.xxx/500 Active
OrionRouter#
interface Tunnel11
ip address 169.254.0.2 255.255.255.255
ip tcp adjust-mss 1350
tunnel source Dialer2
tunnel mode ipsec ipv4
tunnel destination 52.140.xxx.xxx
tunnel protection ipsec profile azure-wan2-vpn-IPsecProfile
!
Debug crypto ikev2
OrionRouter#debug crypto ikev2
IKEv2 default debugging is on
OrionRouter#
*Feb 12 12:47:19.687: IKEv2:(SESSION ID = 28,SA ID = 6):Retransmitting packet
*Feb 12 12:47:19.687: IKEv2:(SESSION ID = 28,SA ID = 6):Sending Packet [To 52.140.xxx.xxx:500/From 103.69.xxx.xxx:500/VRF i0:f0]
Initiator SPI : EBD2171A6C23DA39 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 12 12:47:21.158: IKEv2:% Getting preshared key from profile keyring azure-wan2-vpn-keyring
*Feb 12 12:47:21.158: IKEv2:% Matched peer block '52.140.xxx.xxx'
*Feb 12 12:47:21.158: IKEv2:Searching Policy with fvrf 0, local address 103.69.xxx.xxx
*Feb 12 12:47:21.158: IKEv2:Found Policy 'azure-wan2-vpn-policy'
*Feb 12 12:47:21.158: IKEv2:SA is already in negotiation, hence not negotiating again
*Feb 12 12:47:51.157: IKEv2:% Getting preshared key from profile keyring azure-wan2-vpn-keyring
*Feb 12 12:47:51.157: IKEv2:% Matched peer block '52.140.xxx.xxx'
*Feb 12 12:47:51.157: IKEv2:Searching Policy with fvrf 0, local address 103.69.xxx.xxx
*Feb 12 12:47:51.157: IKEv2:Found Policy 'azure-wan2-vpn-policy'
*Feb 12 12:47:51.157: IKEv2:SA is already in negotiation, hence not negotiating again
OrionRouter#
*Feb 12 12:48:02.460: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 122.194.229.36
*Feb 12 12:48:13.977: IKEv2:Received Packet [From 112.133.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : DF181D4BC8C652E5 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED)
*Feb 12 12:48:13.978: IKEv2:(SESSION ID = 1068,SA ID = 10):Verify SA init message
*Feb 12 12:48:13.978: IKEv2:(SESSION ID = 1068,SA ID = 10):Insert SA
*Feb 12 12:48:13.978: IKEv2:Searching Policy with fvrf 0, local address 117.242.xxx.xxx
*Feb 12 12:48:13.978: IKEv2:Found Policy 'azure-wan1-vpn-policy'
*Feb 12 12:48:13.978: IKEv2:(SESSION ID = 1068,SA ID = 10):Processing IKE_SA_INIT message
*Feb 12 12:48:13.989: IKEv2-ERROR:(SESSION ID = 1068,SA ID = 10):: The peer's KE payload contained the wrong DH group
*Feb 12 12:48:13.989: IKEv2:(SESSION ID = 1068,SA ID = 10):Sending invalid ke notification, peer sent group 14, local policy prefers group 2
*Feb 12 12:48:13.989: IKEv2:(SESSION ID = 1068,SA ID = 10):Sending Packet [To 112.133.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : DF181D4BC8C652E5 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(INVALID_KE_PAYLOAD)
*Feb 12 12:48:13.989: IKEv2:(SESSION ID = 1068,SA ID = 10):Failed SA init exchange
*Feb 12 12:48:13.989: IKEv2-ERROR:(SESSION ID = 1068,SA ID = 10):Initial exchange failed: Initial exchange failed
*Feb 12 12:48:13.989: IKEv2:(SESSION ID = 1068,SA ID = 10):Abort exchange
*Feb 12 12:48:13.989: IKEv2:(SESSION ID = 1068,SA ID = 10):Deleting SA
*Feb 12 12:48:14.090: IKEv2:Received Packet [From 112.133.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : DF181D4BC8C652E5 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED)
*Feb 12 12:48:14.090: IKEv2:(SESSION ID = 1069,SA ID = 10):Verify SA init message
*Feb 12 12:48:14.090: IKEv2:(SESSION ID = 1069,SA ID = 10):Insert SA
*Feb 12 12:48:14.090: IKEv2:Searching Policy with fvrf 0, local address 117.242.xxx.xxx
*Feb 12 12:48:14.090: IKEv2:Found Policy 'azure-wan1-vpn-policy'
*Feb 12 12:48:14.090: IKEv2:(SESSION ID = 1069,SA ID = 10):Processing IKE_SA_INIT message
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[PKI -> IKEv2] Retrieved trustpoint(s): 'CISCO_IDEVID_SUDI0' 'CISCO_IDEVID_SUDI'
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Start PKI Session
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 12 12:48:14.094: IKEv2:(SESSION ID = 1069,SA ID = 10):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 12 12:48:14.094: IKEv2:(SESSION ID = 1069,SA ID = 10):Request queued for computation of DH key
*Feb 12 12:48:14.094: IKEv2:(SESSION ID = 1069,SA ID = 10):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2
*Feb 12 12:48:14.094: IKEv2:(SESSION ID = 1069,SA ID = 10):Request queued for computation of DH secret
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 12 12:48:14.096: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 12 12:48:14.096: IKEv2:(SESSION ID = 1069,SA ID = 10):Generating IKE_SA_INIT message
*Feb 12 12:48:14.096: IKEv2:(SESSION ID = 1069,SA ID = 10):IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA1 SHA96 DH_GROUP_1024_MODP/Group 2
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[PKI -> IKEv2] Retrieved trustpoint(s): 'CISCO_IDEVID_SUDI0' 'CISCO_IDEVID_SUDI'
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 12 12:48:14.096: IKEv2:(SESSION ID = 1069,SA ID = 10):Sending Packet [To 112.133.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : DF181D4BC8C652E5 - Responder SPI : E54F8BF3B3EA41BE Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 12 12:48:14.097: IKEv2:(SESSION ID = 1069,SA ID = 10):Completed SA init exchange
*Feb 12 12:48:14.097: IKEv2:(SESSION ID = 1069,SA ID = 10):Starting timer (30 sec) to wait for auth message
*Feb 12 12:48:14.199: IKEv2:(SESSION ID = 1069,SA ID = 10):Received Packet [From 112.133.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : DF181D4BC8C652E5 - Responder SPI : E54F8BF3B3EA41BE Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi NOTIFY(INITIAL_CONTACT) IDr AUTH SA TSi TSr NOTIFY(Unknown - 16417)
*Feb 12 12:48:14.199: IKEv2:(SESSION ID = 1069,SA ID = 10):Stopping timer to wait for auth message
*Feb 12 12:48:14.199: IKEv2:(SESSION ID = 1069,SA ID = 10):Checking NAT discovery
*Feb 12 12:48:14.199: IKEv2:(SESSION ID = 1069,SA ID = 10):NAT not found
*Feb 12 12:48:14.199: IKEv2:(SESSION ID = 1069,SA ID = 10):Searching policy based on peer's identity '112.133.xxx.xxx' of type 'IPv4 address'
*Feb 12 12:48:14.199: IKEv2-ERROR:% IKEv2 profile not found
*Feb 12 12:48:14.203: IKEv2-ERROR:(SESSION ID = 1069,SA ID = 10):: Failed to locate an item in the database
*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Verification of peer's authentication data FAILED
*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Sending authentication failure notify
*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Sending Packet [To 112.133.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : DF181D4BC8C652E5 - Responder SPI : E54F8BF3B3EA41BE Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Auth exchange failed
*Feb 12 12:48:14.203: IKEv2-ERROR:(SESSION ID = 1069,SA ID = 10):: Auth exchange failed
*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Abort exchange
*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Deleting SA
*Feb 12 12:48:14.203: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Close PKI Session
*Feb 12 12:48:14.203: IKEv2:(SA ID = 10):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 12 12:48:19.181: IKEv2:Received Packet [From 52.140.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : 08BCDEE47D7AC7D5 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID VID VID
*Feb 12 12:48:19.181: IKEv2:(SESSION ID = 1070,SA ID = 10):Verify SA init message
*Feb 12 12:48:19.181: IKEv2:(SESSION ID = 1070,SA ID = 10):Insert SA
*Feb 12 12:48:19.182: IKEv2:Searching Policy with fvrf 0, local address 117.242.xxx.xxx
*Feb 12 12:48:19.182: IKEv2:Found Policy 'azure-wan1-vpn-policy'
*Feb 12 12:48:19.182: IKEv2:(SESSION ID = 1070,SA ID = 10):Processing IKE_SA_INIT message
*Feb 12 12:48:19.182: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 12 12:48:19.182: IKEv2:(SA ID = 10):[PKI -> IKEv2] Retrieved trustpoint(s): 'CISCO_IDEVID_SUDI0' 'CISCO_IDEVID_SUDI'
*Feb 12 12:48:19.182: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 12 12:48:19.182: IKEv2:(SA ID = 10):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 12 12:48:19.182: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Start PKI Session
*Feb 12 12:48:19.182: IKEv2:(SA ID = 10):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 12 12:48:19.182: IKEv2:(SESSION ID = 1070,SA ID = 10):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
*Feb 12 12:48:19.182: IKEv2:(SESSION ID = 1070,SA ID = 10):Request queued for computation of DH key
*Feb 12 12:48:19.183: IKEv2:(SA ID = 10):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 12 12:48:19.183: IKEv2:(SESSION ID = 1070,SA ID = 10):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2
*Feb 12 12:48:19.184: IKEv2:(SESSION ID = 1070,SA ID = 10):Request queued for computation of DH secret
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 12 12:48:19.185: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 12 12:48:19.185: IKEv2:(SESSION ID = 1070,SA ID = 10):Generating IKE_SA_INIT message
*Feb 12 12:48:19.185: IKEv2:(SESSION ID = 1070,SA ID = 10):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA1 SHA96 DH_GROUP_1024_MODP/Group 2
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[PKI -> IKEv2] Retrieved trustpoint(s): 'CISCO_IDEVID_SUDI0' 'CISCO_IDEVID_SUDI'
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 12 12:48:19.185: IKEv2:(SESSION ID = 1070,SA ID = 10):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : 08BCDEE47D7AC7D5 - Responder SPI : FF299FFE00986FD2 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 12 12:48:19.186: IKEv2:(SESSION ID = 1070,SA ID = 10):Completed SA init exchange
*Feb 12 12:48:19.186: IKEv2:(SESSION ID = 1070,SA ID = 10):Starting timer (30 sec) to wait for auth message
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Received Packet [From 52.140.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : 08BCDEE47D7AC7D5 - Responder SPI : FF299FFE00986FD2 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi AUTH SA TSi TSr
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Stopping timer to wait for auth message
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Checking NAT discovery
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):NAT not found
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Searching policy based on peer's identity '52.140.xxx.xxx' of type 'IPv4 address'
*Feb 12 12:48:19.222: IKEv2:found matching IKEv2 profile 'azure-wan1-vpn-profile'
*Feb 12 12:48:19.222: IKEv2:% Getting preshared key from profile keyring azure-wan1-vpn-keyring
*Feb 12 12:48:19.222: IKEv2:% Matched peer block '52.140.xxx.xxx'
*Feb 12 12:48:19.222: IKEv2:Searching Policy with fvrf 0, local address 117.242.xxx.xxx
*Feb 12 12:48:19.222: IKEv2:Found Policy 'azure-wan1-vpn-policy'
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Verify peer's policy
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Peer's policy verified
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Get peer's authentication method
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Peer's authentication method is 'PSK'
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Get peer's preshared key for 52.140.xxx.xxx
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Verify peer's authentication data
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Use preshared key for id 52.140.xxx.xxx, key len 32
*Feb 12 12:48:19.222: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 12 12:48:19.222: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Verification of peer's authenctication data PASSED
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Processing IKE_AUTH message
*Feb 12 12:48:19.225: IKEv2:IPSec policy validate request sent for profile azure-wan1-vpn-profile with psh index 10.
*Feb 12 12:48:19.225: IKEv2:(SESSION ID = 1070,SA ID = 10):
*Feb 12 12:48:19.227: IKEv2:(SA ID = 10):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.
*Feb 12 12:48:19.228: IKEv2-ERROR:(SESSION ID = 1070,SA ID = 10):Received Policies: : Failed to find a matching policyESP: Proposal 1: AES-GCM-256 Don't use ESN
*Feb 12 12:48:19.229:
*Feb 12 12:48:19.229: ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN
*Feb 12 12:48:19.230:
*Feb 12 12:48:19.231: ESP: Proposal 3: 3DES SHA96 Don't use ESN
*Feb 12 12:48:19.232:
*Feb 12 12:48:19.232: ESP: Proposal 4: AES-CBC-256 SHA256 Don't use ESN
*Feb 12 12:48:19.233:
*Feb 12 12:48:19.234: ESP: Proposal 5: AES-CBC-128 SHA96 Don't use ESN
*Feb 12 12:48:19.235:
*Feb 12 12:48:19.235: ESP: Proposal 6: 3DES SHA256 Don't use ESN
*Feb 12 12:48:19.237:
*Feb 12 12:48:19.237:
*Feb 12 12:48:19.237: IKEv2-ERROR:(SESSION ID = 1070,SA ID = 10):Expected Policies: : Failed to find a matching policy
*Feb 12 12:48:19.237: IKEv2-ERROR:(SESSION ID = 1070,SA ID = 10):: Failed to find a matching policy
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Sending no proposal chosen notify
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Get my authentication method
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):My authentication method is 'PSK'
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Get peer's preshared key for 52.140.xxx.xxx
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Generate my authentication data
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Use preshared key for id 117.242.xxx.xxx, key len 32
*Feb 12 12:48:19.237: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 12 12:48:19.237: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Get my authentication method
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):My authentication method is 'PSK'
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Generating IKE_AUTH message
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Constructing IDr payload: '117.242.xxx.xxx' of type 'IPv4 address'
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Building packet for encryption.
Payload contents:
VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : 08BCDEE47D7AC7D5 - Responder SPI : FF299FFE00986FD2 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Feb 12 12:48:19.238: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Close PKI Session
*Feb 12 12:48:19.238: IKEv2:(SA ID = 10):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 12 12:48:19.238: IKEv2:(SESSION ID = 1070,SA ID = 10):IKEV2 SA created; inserting SA into database. SA lifetime timer (3600 sec) started
*Feb 12 12:48:19.238: IKEv2:(SESSION ID = 1070,SA ID = 10):Initializing DPD, configured for 0 seconds
*Feb 12 12:48:19.238: IKEv2:IKEv2 MIB tunnel started, tunnel index 10
*Feb 12 12:48:19.238: IKEv2:(SESSION ID = 1070,SA ID = 10):Checking for duplicate IKEv2 SA
*Feb 12 12:48:19.238: IKEv2:(SESSION ID = 1070,SA ID = 10):No duplicate IKEv2 SA found
*Feb 12 12:48:19.238: IKEv2:(SESSION ID = 1070,SA ID = 10):Starting timer (8 sec) to delete negotiation context
*Feb 12 12:48:19.465: IKEv2:(SESSION ID = 28,SA ID = 6):Retransmitting packet
*Feb 12 12:48:19.465: IKEv2:(SESSION ID = 28,SA ID = 6):Sending Packet [To 52.140.xxx.xxx:500/From 103.69.xxx.xxx:500/VRF i0:f0]
Initiator SPI : EBD2171A6C23DA39 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 12 12:48:21.158: IKEv2:% Getting preshared key from profile keyring azure-wan2-vpn-keyring
*Feb 12 12:48:21.158: IKEv2:% Matched peer block '52.140.xxx.xxx'
*Feb 12 12:48:21.158: IKEv2:Searching Policy with fvrf 0, local address 103.69.xxx.xxx
*Feb 12 12:48:21.158: IKEv2:Found Policy 'azure-wan2-vpn-policy'
*Feb 12 12:48:21.158: IKEv2:SA is already in negotiation, hence not negotiating again
*Feb 12 12:48:24.108: IKEv2-ERROR:(SESSION ID = 28,SA ID = 6):: Maximum number of retransmissions reached
*Feb 12 12:48:24.108: IKEv2:(SESSION ID = 28,SA ID = 6):Failed SA init exchange
*Feb 12 12:48:24.108: IKEv2-ERROR:(SESSION ID = 28,SA ID = 6):Initial exchange failed: Initial exchange failed
*Feb 12 12:48:24.108: IKEv2:(SESSION ID = 28,SA ID = 6):Abort exchange
*Feb 12 12:48:24.110: IKEv2:(SESSION ID = 28,SA ID = 6):Deleting SA
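The debug above carries four different outcomes in one capture: session 28 (sourced from 103.69.xxx.xxx under the azure-wan2 policy) retransmits IKE_SA_INIT until it gives up, session 1068 rejects a peer whose KE payload used DH group 14, session 1069 fails because no IKEv2 profile matches that peer's identity, and session 1070 authenticates the Azure peer with the azure-wan1 profile but finds no matching ESP proposal. The following script is an added example, not code from the original post or from Cisco: it groups `debug crypto ikev2` lines by SESSION ID and returns one verdict per session. It assumes only the line formats visible in this thread, and SAMPLE is a constructed, condensed excerpt of the debug above (masked addresses kept as posted).

```python
"""Triage Cisco IOS `debug crypto ikev2` output: group lines by SESSION ID and
classify how each negotiation ended. Added example for this thread, not code from
the original post or from Cisco; the line patterns come only from the debugs shown
above, and SAMPLE is a constructed, condensed excerpt of them (masked IPs kept)."""
import re

SESSION_RE = re.compile(r"SESSION ID = (\d+)")
# Sending: [To peer/From local]; Received: [From peer/To local] -> same group order.
PACKET_RE = re.compile(r"(Sending|Received) Packet \[(?:To|From) ([^:]+):\d+/(?:From|To) ([^:]+):\d+/VRF ([^\]]+)\]")
EXCHANGE_RE = re.compile(r"IKEv2 \w+ Exchange (REQUEST|RESPONSE)")
KE_RE = re.compile(r"peer sent group (\d+), local policy prefers group (\d+)")
ESP_RE = re.compile(r"ESP: Proposal \d+: (.+)$")
EVENT_MARKERS = [  # (substring, event); the first marker found on a line is recorded
    ("Maximum number of retransmissions reached", "no_response"),
    ("Sending invalid ke notification", "dh_group_mismatch"),
    ("IKEv2 profile not found", "no_profile_for_peer"),
    ("Verification of peer's authentication data FAILED", "peer_auth_failed"),
    ("Sending no proposal chosen notify", "ipsec_proposal_mismatch"),
    ("IKEV2 SA created", "ike_sa_up"),
]
# Most decisive first: an IKE SA can be "created" and still carry no IPsec child SA.
PRIORITY = [event for _, event in EVENT_MARKERS]
VERDICTS = {
    "no_response": "IKE_SA_INIT never answered: requests leave but nothing comes back; check which interface really carries the tunnel source, and UDP/500 filtering on the path",
    "dh_group_mismatch": "IKE proposal mismatch: peer and local policy disagree on the DH group",
    "no_profile_for_peer": "no IKEv2 profile matches the peer identity: an unknown or unsolicited peer, worth checking against the edge firewall logs",
    "peer_auth_failed": "peer authentication failed",
    "ipsec_proposal_mismatch": "IKE SA authenticated but no ESP transform matched: compare the local transform-set and PFS with what the peer offered (see detail)",
    "ike_sa_up": "IKE SA established",
}

def new_session(sid):
    return {"sid": sid, "peer": "", "local": "", "vrf": "", "role": "", "events": [], "detail": {}}

def parse_sessions(text):
    """{session id: session dict}; untagged lines are charged to the last tagged session."""
    sessions, cur, pending = {}, None, None
    for line in text.splitlines():
        tag = SESSION_RE.search(line)
        if tag:
            cur = sessions.setdefault(tag.group(1), new_session(tag.group(1)))
        if cur is None:
            continue
        pkt = PACKET_RE.search(line)
        if pkt and tag:  # trust addresses only on lines that carry the session tag
            cur["peer"], cur["local"], cur["vrf"] = pkt.group(2), pkt.group(3), pkt.group(4)
            pending = (cur, pkt.group(1))  # the Exchange line that follows fixes the role
            continue
        exch = EXCHANGE_RE.search(line)
        if exch and pending:
            sess, direction = pending
            if not sess["role"]:  # we initiated iff we sent a REQUEST (or received a RESPONSE)
                sess["role"] = "initiator" if (direction == "Sending") == (exch.group(1) == "REQUEST") else "responder"
            pending = None
            continue
        if (m := KE_RE.search(line)):
            cur["detail"].update(peer_group=m.group(1), local_group=m.group(2))
        if (m := ESP_RE.search(line)):
            cur["detail"].setdefault("peer_esp", []).append(m.group(1).strip())
        for marker, event in EVENT_MARKERS:
            if marker in line:
                cur["events"].append(event)
                break
    return sessions

def verdict(sess):
    for event in PRIORITY:
        if event in sess["events"]:
            return VERDICTS[event]
    return "incomplete negotiation (no terminal event in this excerpt)"

def triage(text):
    """{session id: verdict} for every session found in the debug text."""
    return {sid: verdict(s) for sid, s in parse_sessions(text).items()}

SAMPLE = """\
*Feb 12 12:47:19.687: IKEv2:(SESSION ID = 28,SA ID = 6):Sending Packet [To 52.140.xxx.xxx:500/From 103.69.xxx.xxx:500/VRF i0:f0]
IKEv2 IKE_SA_INIT Exchange REQUEST
*Feb 12 12:48:13.989: IKEv2:(SESSION ID = 1068,SA ID = 10):Sending invalid ke notification, peer sent group 14, local policy prefers group 2
*Feb 12 12:48:13.989: IKEv2:(SESSION ID = 1068,SA ID = 10):Sending Packet [To 112.133.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i0:f0]
IKEv2 IKE_SA_INIT Exchange RESPONSE
*Feb 12 12:48:14.199: IKEv2:(SESSION ID = 1069,SA ID = 10):Received Packet [From 112.133.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
IKEv2 IKE_AUTH Exchange REQUEST
*Feb 12 12:48:14.199: IKEv2-ERROR:% IKEv2 profile not found
*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Verification of peer's authentication data FAILED
*Feb 12 12:48:19.185: IKEv2:(SESSION ID = 1070,SA ID = 10):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i0:f0]
IKEv2 IKE_SA_INIT Exchange RESPONSE
*Feb 12 12:48:19.228: IKEv2-ERROR:(SESSION ID = 1070,SA ID = 10):Received Policies: : Failed to find a matching policyESP: Proposal 1: AES-GCM-256 Don't use ESN
*Feb 12 12:48:19.229: ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Sending no proposal chosen notify
*Feb 12 12:48:19.238: IKEv2:(SESSION ID = 1070,SA ID = 10):IKEV2 SA created; inserting SA into database. SA lifetime timer (3600 sec) started
*Feb 12 12:48:24.108: IKEv2-ERROR:(SESSION ID = 28,SA ID = 6):: Maximum number of retransmissions reached
"""

if __name__ == "__main__":
    for sid, s in parse_sessions(SAMPLE).items():
        print(f"session {sid}: {s['role']} local={s['local']} peer={s['peer']} vrf={s['vrf']}\n  {verdict(s)} {s['detail'] or ''}")
```

Feed it the full `debug crypto ikev2` capture instead of SAMPLE to get the same per-session verdicts; the `no_profile_for_peer` verdict is the one to watch on an internet-facing router, since it marks IKE_AUTH attempts from addresses that are not one of the configured VPN peers.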
02-12-2022 05:11 AM
@varunoberoi put each WAN interface in a dedicated VRF, leave the tunnel and inside networks in the global routing table.
02-12-2022 05:41 AM
I ran these commands, unsure if they are correct, but the IP addresses were removed from the Dialers as soon as I ran them.
02-12-2022 06:00 AM
@varunoberoi example
interface dialer 1
ip vrf forwarding wan1-vrf
!
interface tunnel 10
tunnel vrf wan1-vrf
!
crypto ikev2 policy azure-wan1-vpn-policy
match fvrf wan1-vrf
!
crypto ikev2 profile azure-wan1-vpn-profile
match fvrf wan1-vrf
!
ip route vrf wan1-vrf 0.0.0.0 0.0.0.0 1.1.1.2
02-12-2022 10:12 PM - edited 02-12-2022 10:12 PM
This did not work, the tunnel status stayed on DOWN or DOWN-NEGOTIATING.
02-13-2022 06:49 AM - edited 02-13-2022 09:04 AM
@varunoberoi What did you configure? What was the output of the debugs?
Regardless, having 3 default routes with the same cost is going to cause you issues, hence the suggestion to use a unique VRF per outside interface - traffic received on an interface will be returned via the same interface.
02-13-2022 12:21 PM
OK, I solved it by defining an interface in the tunnel source instead of an IP address. So:
interface tunnel 10
 tunnel source Dialer1
!
interface tunnel 11
 tunnel source Dialer2
This solved it. Both tunnels are stable and active. Now, with some SLA tracks, I will automate the routes in case one tunnel fails.
Though the problem is solved, just for future reference and my own knowledge, I tried to configure VRF. I ran the following commands:
After factory-resetting the router for a fresh start, I only set up WAN1 and Tunnel10 and added the VRF commands like you had mentioned. I didn't understand what exactly my route should be, but this is my running configuration.
OrionRouter#sh run
Building configuration...

Current configuration : 4087 bytes
!
! Last configuration change at 20:10:32 UTC Sun Feb 13 2022
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname OrionRouter
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$DC9B$al4nxHk3NUsrRpIPALvaw/
enable password orionrouter
!
no aaa new-model
!
ip vrf wan1-vrf
 rd 64512:1
!
ip dhcp pool LAN1
 network 10.1.0.0 255.255.240.0
 default-router 10.1.0.1
 dns-server 8.8.8.8 10.1.0.2
!
ip dhcp pool SP0101
 host 10.1.0.2 255.255.240.0
 client-identifier 01f0.d4e2.e724.0b
 default-router 10.1.0.1
 dns-server 8.8.8.8 218.248.114.193 10.1.0.2
 lease infinite
!
subscriber templating
!
multilink bundle-name authenticated
!
voice-card 0/4
 no watchdog
!
license udi pid ISR4451-X/K9 sn FOC230303Q5
license boot level uck9
license boot level securityk9
spanning-tree extend system-id
!
redundancy
 mode none
!
crypto ikev2 proposal std-vpn-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 policy azure-wan1-vpn-policy
 match fvrf wan1-vrf
 proposal std-vpn-proposal
!
crypto ikev2 keyring azure-wan1-vpn-keyring
 peer 52.140.xxx.xxx
  address 52.140.xxx.xxx
  pre-shared-key secretpass
!
crypto ikev2 profile azure-wan1-vpn-profile
 match fvrf wan1-vrf
 match identity remote address 52.140.xxx.xxx 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local azure-wan1-vpn-keyring
 lifetime 3600
 dpd 10 5 on-demand
!
vlan internal allocation policy ascending
!
ip tftp source-interface GigabitEthernet0
!
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256
 mode tunnel
!
crypto ipsec profile azure-wan1-vpn-IPsecProfile
 set transform-set std-vpn-TransformSet
 set ikev2-profile azure-wan1-vpn-profile
!
interface Tunnel10
 ip address 169.254.0.1 255.255.255.255
 ip tcp adjust-mss 1350
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 52.140.xxx.xxx
 tunnel vrf wan1-vrf
 tunnel protection ipsec profile azure-wan1-vpn-IPsecProfile
!
interface GigabitEthernet0/0/0
 ip address 10.1.0.1 255.255.240.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.1.100.1 255.255.255.0
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Dialer1
 ip vrf forwarding wan1-vrf
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1442
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname or1662298533_nid@ftth.bsnl.in
 ppp chap password 0 password
!
ip nat inside source route-map wan1-nat interface Dialer1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route vrf wan1-vrf 10.0.0.0 255.255.254.0 1.1.1.2
!
access-list 100 permit ip 10.1.0.0 0.0.15.255 any
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
access-list 101 permit esp host 52.140.xxx.xxx host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq isakmp host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq non500-isakmp host 117.242.xxx.xxx
!
route-map wan1-nat permit 10
 match ip address 100
 match interface Dialer1
!
snmp-server community cisco RO
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
line aux 0
line vty 0 4
 password passxxx
 login
!
end
The VPN connection is down. Output of debug crypto ikev2:
OrionRouter#
*Feb 13 20:19:01.171: IKEv2:% Getting preshared key from profile keyring azure-wan1-vpn-keyring
*Feb 13 20:19:01.171: IKEv2:% Matched peer block '52.140.xxx.xxx'
*Feb 13 20:19:01.171: IKEv2:Searching Policy with fvrf 2, local address 117.242.xxx.xxx
*Feb 13 20:19:01.171: IKEv2:Found Policy 'azure-wan1-vpn-policy'
*Feb 13 20:19:01.171: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
*Feb 13 20:19:01.171: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 13 20:19:01.171: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Feb 13 20:19:01.171: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Feb 13 20:19:01.171: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Feb 13 20:19:01.171: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA1 SHA96 DH_GROUP_1024_MODP/Group 2
*Feb 13 20:19:01.171: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i2:f2]
Initiator SPI : FF69010DB8A2746F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 13 20:19:01.172: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
*Feb 13 20:19:03.098: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
*Feb 13 20:19:03.098: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i2:f2]
Initiator SPI : FF69010DB8A2746F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 13 20:19:07.032: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
*Feb 13 20:19:07.032: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i2:f2]
Initiator SPI : FF69010DB8A2746F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 13 20:19:14.682: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
*Feb 13 20:19:14.682: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i2:f2]
Initiator SPI : FF69010DB8A2746F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 13 20:19:29.180: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
*Feb 13 20:19:29.180: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i2:f2]
Initiator SPI : FF69010DB8A2746F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 13 20:19:31.171: IKEv2:% Getting preshared key from profile keyring azure-wan1-vpn-keyring
*Feb 13 20:19:31.171: IKEv2:% Matched peer block '52.140.xxx.xxx'
*Feb 13 20:19:31.172: IKEv2:Searching Policy with fvrf 2, local address 117.242.xxx.xxx
*Feb 13 20:19:31.172: IKEv2:Found Policy 'azure-wan1-vpn-policy'
*Feb 13 20:19:31.172: IKEv2:SA is already in negotiation, hence not negotiating again
02-13-2022 01:01 PM - edited 02-14-2022 02:54 PM
...
02-13-2022 01:45 PM - edited 02-14-2022 03:14 PM
Can I see the output of show ip route vrf wan1-vrf on the router?
02-12-2022 06:44 AM
Friend, just share the config of the Dialer interface and the VTI; I will take a look and reply with the needed commands.
02-12-2022 10:11 PM
1. My entire running configuration
2. Commands I am running to configure Tunnel10 VPN - Azure-Wan1
3. Commands I want to run to configure Tunnel11 VPN - Azure Wan2
OrionRouter#sh run
Building configuration...

Current configuration : 5208 bytes
!
! Last configuration change at 05:56:24 UTC Sun Feb 13 2022
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname OrionRouter
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$nz7j$eHp886tm/7syxaMCfYh3h/
enable password orionrouter
!
no aaa new-model
no process cpu autoprofile hog
!
ip dhcp excluded-address 10.1.0.3 10.1.0.150
!
ip dhcp pool LAN1
 network 10.1.0.0 255.255.240.0
 default-router 10.1.0.1
 dns-server 8.8.8.8 10.1.0.2
!
ip dhcp pool SP0101
 host 10.1.0.2 255.255.240.0
 client-identifier 01f0.d4e2.e724.0b
 default-router 10.1.0.1
 dns-server 8.8.8.8 10.1.0.2
 lease infinite
!
subscriber templating
!
multilink bundle-name authenticated
!
voice-card 0/4
 no watchdog
!
license udi pid ISR4451-X/K9 sn FOC230303Q5
license boot level uck9
license boot level securityk9
spanning-tree extend system-id
!
redundancy
 mode none
!
crypto ikev2 proposal std-vpn-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 policy azure-wan1-vpn-policy
 match address local 117.242.xxx.xxx
 proposal std-vpn-proposal
!
crypto ikev2 keyring azure-wan1-vpn-keyring
 peer 52.140.xxx.xxx
  address 52.140.xxx.xxx
  pre-shared-key secretpass
 !
!
crypto ikev2 profile azure-wan1-vpn-profile
 match address local 117.242.xxx.xxx
 match identity remote address 52.140.xxx.xxx 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local azure-wan1-vpn-keyring
 lifetime 3600
 dpd 10 5 on-demand
!
vlan internal allocation policy ascending
no cdp run
!
ip tftp source-interface GigabitEthernet0
!
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256
 mode tunnel
!
crypto ipsec profile azure-wan1-vpn-IPsecProfile
 set transform-set std-vpn-TransformSet
 set ikev2-profile azure-wan1-vpn-profile
!
interface Tunnel10
 ip address 169.254.0.1 255.255.255.255
 ip tcp adjust-mss 1350
 tunnel source 117.242.xxx.xxx
 tunnel mode ipsec ipv4
 tunnel destination 52.140.xxx.xxx
 tunnel protection ipsec profile azure-wan1-vpn-IPsecProfile
!
interface GigabitEthernet0/0/0
 ip address 10.1.0.1 255.255.240.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/0/3
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 3
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.1.100.1 255.255.255.0
 negotiation auto
 no cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1442
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname or16xxxxx3_nid@ftth.bsnl.in
 ppp chap password 0 password
 no cdp enable
!
interface Dialer2
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1442
 dialer pool 2
 dialer-group 2
 ppp authentication pap callin
 ppp pap sent-username 98xxxx62 password 0 7xxx2
 no cdp enable
!
interface Dialer3
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1442
 dialer pool 3
 dialer-group 3
 ppp authentication pap callin
 ppp pap sent-username xxxxx password 0 3424xxxx
 no cdp enable
!
ip nat inside source route-map wan1-nat interface Dialer1 overload
ip nat inside source route-map wan2-nat interface Dialer2 overload
ip nat inside source route-map wan3-nat interface Dialer3 overload
ip nat inside source static tcp 10.1.0.2 3000 117.242.xxx.xxx 3000 extendable
ip nat inside source static tcp 10.1.0.2 4000 117.242.xxx.xxx 4000 extendable
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 10.0.0.0 255.255.254.0 Tunnel10
!
access-list 100 permit ip 10.1.0.0 0.0.15.255 any
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
access-list 101 permit esp host 52.140.xxx.xxx host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq isakmp host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq non500-isakmp host 117.242.xxx.xxx
!
route-map wan2-nat permit 10
 match ip address 100
 match interface Dialer2
!
route-map wan3-nat permit 10
 match ip address 100
 match interface Dialer3
!
route-map wan1-nat permit 10
 match ip address 100
 match interface Dialer1
!
snmp-server community cisco RO
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password xxxxxxx
 login
!
end
! ----------------------------------------------------------------------------
! Azure VPN Setup (Assumes parallel settings done at Azure Portal
! Securityk9 license must be configured on the router
! ----------------------------------------------------------------------------
config t
!----------- Azure VPN Config ------------
crypto ikev2 proposal std-vpn-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
 exit
!-----------Create a transform-set------------
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256
 mode tunnel
 exit
exit
! ----------------------------------------------------------------------------
! Azure VPN Setup (Assumes parallel settings done at Azure Portal
! Securityk9 license must be configured on the router
! ----------------------------------------------------------------------------
config t
!-----------Create a policy------------
crypto ikev2 policy azure-wan1-vpn-policy
 proposal std-vpn-proposal
 match address local 117.242.xxx.xxx
 exit
!-----------Create Pre-Shared key------------
crypto ikev2 keyring azure-wan1-vpn-keyring
 peer 52.140.xxx.xxx
  address 52.140.xxx.xxx
  pre-shared-key secretpass
  exit
 exit
!---------- Create Ikev2 profile-------------
crypto ikev2 profile azure-wan1-vpn-profile
 match address local 117.242.xxx.xxx
 match identity remote address 52.140.xxx.xxx 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 lifetime 3600
 dpd 10 5 on-demand
 keyring local azure-wan1-vpn-keyring
 exit
!-----------Create an access list------------
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
! REPLACE 52.140.xxx.xxx with Azure VPN IP address
! REPLACE 117.242.xxx.xxx with WAN Static IP address
access-list 101 permit esp host 52.140.xxx.xxx host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq isakmp host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq non500-isakmp host 117.242.xxx.xxx
crypto ipsec profile azure-wan1-vpn-IPsecProfile
 set transform-set std-vpn-TransformSet
 set ikev2-profile azure-wan1-vpn-profile
 set security-association lifetime seconds 3600
 exit
! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
!   other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface numbers and APIPA IP addresses below
! * Default tunnel interface 11 (169.254.0.1) and 12 (169.254.0.2)
int tunnel 10
 ip address 169.254.0.1 255.255.255.255
 tunnel mode ipsec ipv4
 ip tcp adjust-mss 1350
 tunnel source 117.242.xxx.xxx
 tunnel destination 52.140.xxx.xxx
 tunnel protection ipsec profile azure-wan1-vpn-IPsecProfile
 exit
! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s), default tunnel 11 and tunnel 12
ip route 10.0.0.0 255.255.254.0 Tunnel 10
exit
! ----------------------------------------------------------------------------
! Azure VPN Setup (Assumes parallel settings done at Azure Portal
! Securityk9 license must be configured on the router
! ----------------------------------------------------------------------------
config t
!REPLACE: below local IP with WAN static ip
!-----------Create a policy------------
crypto ikev2 policy azure-wan2-vpn-policy
 proposal std-vpn-proposal
 match address local 103.69.xxx.xxx
 exit
!-----------Create Pre-Shared key------------
crypto ikev2 keyring azure-wan2-vpn-keyring
 peer 52.140.xxx.xxx
  address 52.140.xxx.xxx
  pre-shared-key secretpass
  exit
 exit
!---------- Create Ikev2 profile-------------
crypto ikev2 profile azure-wan2-vpn-profile
 match address local 103.69.xxx.xxx
 match identity remote address 52.140.xxx.xxx 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 lifetime 3600
 dpd 10 5 on-demand
 keyring local azure-wan2-vpn-keyring
 exit
crypto ipsec profile azure-wan2-vpn-IPsecProfile
 set transform-set std-vpn-TransformSet
 set ikev2-profile azure-wan2-vpn-profile
 set security-association lifetime seconds 3600
 exit
! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
!   other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface numbers and APIPA IP addresses below
! * - Increment the tunnel # and the last digit of the IP address
! * Default tunnel interface 11 (169.254.0.1) and 12 (169.254.0.2)
int tunnel 11
 ip address 169.254.0.2 255.255.255.255
 tunnel mode ipsec ipv4
 ip tcp adjust-mss 1350
 tunnel source 103.69.xxx.xxx
 tunnel destination 52.140.xxx.xxx
 tunnel protection ipsec profile azure-wan2-vpn-IPsecProfile
 exit
exit
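Both tunnels in the configuration above point at the same Azure peer, 52.140.xxx.xxx, and the router reaches that address through three equal-cost default routes. A plain destination lookup therefore ignores the tunnel source, and Tunnel11's IKE and ESP packets can leave through Dialer1 carrying 103.69.xxx.xxx as the source address, which matches the "It is using Dialer1" symptom in the thread. The replies suggest two remedies: policy-based routing so that each tunnel's transport packets use their own WAN interface, and tracking so that a tunnel's static route is withdrawn when that tunnel stops passing traffic. The following is an added example of one way to implement both on the router shown; it is not the poster's configuration and not code from either reply. Addresses taken from the posted config: WAN1 117.242.xxx.xxx on Dialer1, WAN2 103.69.xxx.xxx on Dialer2, VNet prefix 10.0.0.0/23, LAN address 10.1.0.1 (the masked "xxx" octets are kept as on the page). Assumed and hypothetical: the ACL, route-map, track and IP SLA names and numbers, two VNet hosts 10.0.0.4 and 10.0.0.5 used as probe targets that answer ICMP, and that 10.1.0.0/20 is the address space Azure routes back through the tunnels.

```cisco
! Added example, not the poster's configuration: local PBR for the tunnel
! transport packets plus IP SLA tracked routes for the VNet prefix.
! Placeholders: 10.0.0.4 / 10.0.0.5 are assumed VNet hosts that answer ping.

! --- 1. Router-originated IKE (UDP 500/4500) and ESP, keyed on the WAN source ---
ip access-list extended VPN-WAN1-LOCAL
 permit udp host 117.242.xxx.xxx host 52.140.xxx.xxx eq isakmp
 permit udp host 117.242.xxx.xxx host 52.140.xxx.xxx eq non500-isakmp
 permit esp host 117.242.xxx.xxx host 52.140.xxx.xxx
ip access-list extended VPN-WAN2-LOCAL
 permit udp host 103.69.xxx.xxx host 52.140.xxx.xxx eq isakmp
 permit udp host 103.69.xxx.xxx host 52.140.xxx.xxx eq non500-isakmp
 permit esp host 103.69.xxx.xxx host 52.140.xxx.xxx
!
! --- 2. One keepalive probe per tunnel, told apart by the target host ---
ip access-list extended PROBE-VIA-TUNNEL10
 permit icmp host 10.1.0.1 host 10.0.0.4
ip access-list extended PROBE-VIA-TUNNEL11
 permit icmp host 10.1.0.1 host 10.0.0.5
!
! --- 3. Local policy routing: applies only to packets the router itself sends ---
! "set interface" is valid here because Dialer and Tunnel are point-to-point.
route-map VPN-SOURCE-SELECT permit 10
 match ip address VPN-WAN1-LOCAL
 set interface Dialer1
route-map VPN-SOURCE-SELECT permit 20
 match ip address VPN-WAN2-LOCAL
 set interface Dialer2
route-map VPN-SOURCE-SELECT permit 30
 match ip address PROBE-VIA-TUNNEL10
 set interface Tunnel10
route-map VPN-SOURCE-SELECT permit 40
 match ip address PROBE-VIA-TUNNEL11
 set interface Tunnel11
! No catch-all sequence: anything unmatched keeps normal destination routing.
ip local policy route-map VPN-SOURCE-SELECT
!
! --- 4. Probe each tunnel and tie the VNet routes to the probe state ---
ip sla 10
 icmp-echo 10.0.0.4 source-ip 10.1.0.1
 frequency 10
ip sla schedule 10 life forever start-time now
ip sla 11
 icmp-echo 10.0.0.5 source-ip 10.1.0.1
 frequency 10
ip sla schedule 11 life forever start-time now
!
track 10 ip sla 10 reachability
track 11 ip sla 11 reachability
!
! Replaces the single untracked "ip route 10.0.0.0 255.255.254.0 Tunnel10".
! Both routes stay installed at equal cost while both probes succeed; a failed
! probe removes only that tunnel's route instead of blackholing half the flows.
no ip route 10.0.0.0 255.255.254.0 Tunnel10
ip route 10.0.0.0 255.255.254.0 Tunnel10 track 10
ip route 10.0.0.0 255.255.254.0 Tunnel11 track 11
```

After applying this, the counters in `show route-map VPN-SOURCE-SELECT` should increase on sequences 10 and 20 while the tunnels negotiate, `show crypto ikev2 sa` should list one SA with local address 117.242.xxx.xxx and one with 103.69.xxx.xxx, and `show track` should report both objects as Up. The probe sequences 30 and 40 are what keep each IP SLA echo on its own tunnel; without them both probes would follow whichever tunnel route the lookup picked and a failure on one tunnel could go unnoticed. Keep sequence 10 and 20 ACLs limited to the two WAN addresses and the single peer, so that no other router-originated traffic is pinned to a dialer. Where the platform supports `tunnel route-via` for the tunnel mode in use, that interface-level command is an alternative to sequences 10 and 20; the probe and track parts are unchanged either way.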