I have an existing tunnel-based VPN connection between my on-premises router's WAN1 and Azure VN, and I wanted to load-balance it with another tunnel-based VPN between WAN2 and Azure.
Tunnel 10 is UP-ACTIVE and Tunnel 11 is DOWN-NEGOTIATING. It never changes to UP-ACTIVE.
To debug, I ran sh crypto ipsec sa. The output is below:
What I noticed in that output is the line "ip mtu idb Dialer1" in both tunnel outputs. Since the WAN2 IP is on Dialer2, it should ideally read "ip mtu idb Dialer2" in the output for interface Tunnel11. Routing between the Azure IP space 10.0.0.0/24 and the on-premises 10.1.0.0/20 has also not been working since I added the second VPN connection.
All help is appreciated, thanks.
-----------------------------------------------------------------------------
OrionRouter#sh crypto ipsec sa
interface: Tunnel10
Crypto map tag: Tunnel10-head-0, local addr 117.242.xxx.xxx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 52.140.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 256, #pkts decrypt: 256, #pkts verify: 256
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 117.242.xxx.xxx, remote crypto endpt.: 52.140.xxx.xxx
plaintext mtu 1438, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x40A0AEDE(1084272350)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x6890F2BD(1754329789)
transform: esp-gcm 256 ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: ESG:4, sibling_flags FFFFFFFF80000048, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4607997/2911)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x40A0AEDE(1084272350)
transform: esp-gcm 256 ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: ESG:3, sibling_flags FFFFFFFF80000048, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2911)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
interface: Tunnel11
Crypto map tag: Tunnel11-head-0, local addr 103.69.xxx.xxx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 52.140.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 103.69.xxx.xxx, remote crypto endpt.: 52.140.xxx.xxx
plaintext mtu 1492, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
OrionRouter#
----------------------------------------------------------------------------------------------
The commands to configure both VPN connections are:
config t
!----------- Azure VPN Config ------------
crypto ikev2 proposal std-vpn-proposal
encryption aes-cbc-256
integrity sha1
group 2
exit
!-----------Create a transform-set------------
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256
mode tunnel
exit
config t
!-----------Create a policy------------
crypto ikev2 policy azure-wan1-vpn-policy
proposal std-vpn-proposal
match address local 117.242.xxx.xxx
exit
!-----------Create Pre-Shared key------------
crypto ikev2 keyring azure-wan1-vpn-keyring
peer 52.140.xxx.xxx
address 52.140.xxx.xxx
pre-shared-key secretpass
exit
exit
!---------- Create Ikev2 profile-------------
crypto ikev2 profile azure-wan1-vpn-profile
match address local 117.242.xxx.xxx
match identity remote address 52.140.xxx.xxx 255.255.255.255
authentication remote pre-share
authentication local pre-share
lifetime 3600
dpd 10 5 on-demand
keyring local azure-wan1-vpn-keyring
exit
!-----------Create an access list------------
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
! REPLACE 52.140.xxx.xxx with Azure VPN IP address
! REPLACE 117.242.xxx.xxx with WAN Static IP address
access-list 101 permit esp host 52.140.xxx.xxx host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq isakmp host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq non500-isakmp host 117.242.xxx.xxx
crypto ipsec profile azure-wan1-vpn-IPsecProfile
set transform-set std-vpn-TransformSet
set ikev2-profile azure-wan1-vpn-profile
set security-association lifetime seconds 3600
exit
! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
! other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface numbers and APIPA IP addresses below
! * Default tunnel interface 11 (169.254.0.1) and 12 (169.254.0.2)
int tunnel 10
ip address 169.254.0.1 255.255.255.255
tunnel mode ipsec ipv4
ip tcp adjust-mss 1350
tunnel source 117.242.xxx.xxx
tunnel destination 52.140.xxx.xxx
tunnel protection ipsec profile azure-wan1-vpn-IPsecProfile
exit
! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s), default tunnel 11 and tunnel 12
ip route 10.0.0.0 255.255.254.0 Tunnel 10
exit
Commands for the second VPN are below:
config t
!----------- Azure VPN Config ------------
crypto ikev2 proposal std-vpn-proposal
encryption aes-cbc-256
integrity sha1
group 2
exit
!-----------Create a transform-set------------
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256
mode tunnel
exit
!REPLACE: below local IP with WAN static ip
!-----------Create a policy------------
crypto ikev2 policy azure-wan2-vpn-policy
proposal std-vpn-proposal
match address local 103.69.xxx.xxx
exit
!-----------Create Pre-Shared key------------
crypto ikev2 keyring azure-wan2-vpn-keyring
peer 52.140.xxx.xxx
address 52.140.xxx.xxx
pre-shared-key secretpass
exit
exit
!---------- Create Ikev2 profile-------------
crypto ikev2 profile azure-wan2-vpn-profile
match address local 103.69.xxx.xxx
match identity remote address 52.140.xxx.xxx 255.255.255.255
authentication remote pre-share
authentication local pre-share
lifetime 3600
dpd 10 5 on-demand
keyring local azure-wan2-vpn-keyring
exit
!-----------Create an access list------------
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
! REPLACE 52.140.xxx.xxx with Azure VPN IP address
! REPLACE 103.69.xxx.xxx with WAN Static IP address
access-list 101 permit esp host 52.140.xxx.xxx host 103.69.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq isakmp host 103.69.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq non500-isakmp host 103.69.xxx.xxx
crypto ipsec profile azure-wan2-vpn-IPsecProfile
set transform-set std-vpn-TransformSet
set ikev2-profile azure-wan2-vpn-profile
set security-association lifetime seconds 3600
exit
! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
! other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface numbers and APIPA IP addresses below
! * - Increment the tunnel # and the last digit of the IP address
! * Default tunnel interface 11 (169.254.0.1) and 12 (169.254.0.2)
int tunnel 11
ip address 169.254.0.2 255.255.255.255
tunnel mode ipsec ipv4
ip tcp adjust-mss 1350
tunnel source 103.69.xxx.xxx
tunnel destination 52.140.xxx.xxx
tunnel protection ipsec profile azure-wan2-vpn-IPsecProfile
exit
! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s), default tunnel 11 and tunnel 12
ip route 10.0.0.0 255.255.254.0 Tunnel 11
exit
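As an added diagnostic (not from the original post, and not Cisco's or Azure's tooling), the script below parses the kind of "show crypto ipsec sa" output quoted above and flags the three symptoms visible in it: a tunnel with no ESP SAs, a tunnel that decrypts but never encrypts, and an "ip mtu idb" that is not the expected dialer. The sample text is constructed from trimmed lines of the capture, and the expected tunnel-to-dialer mapping is an assumption.

```python
import re

# Constructed sample: trimmed "show crypto ipsec sa" sections, public addresses masked.
SAMPLE = """\
interface: Tunnel10
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     #pkts decaps: 256, #pkts decrypt: 256, #pkts verify: 256
     plaintext mtu 1438, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     inbound esp sas:
      spi: 0x6890F2BD(1754329789)
     outbound esp sas:
      spi: 0x40A0AEDE(1084272350)
interface: Tunnel11
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     plaintext mtu 1492, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     inbound esp sas:
     outbound esp sas:
"""

def parse_ipsec_sa(text):
    """Map each 'interface:' section to its counters, egress idb and ESP SA counts."""
    tunnels, cur, section = {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"interface: (\S+)", s):
            cur = tunnels[m[1]] = {"encaps": 0, "decaps": 0, "idb": "", "inbound": 0, "outbound": 0}
        elif cur is None:
            continue
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            cur[m[1]] = int(m[2])
        elif m := re.search(r"ip mtu idb (\S+)", s):
            cur["idb"] = m[1]
        elif m := re.match(r"(inbound|outbound) (\w+) sas:", s):
            section = (m[1], m[2])  # e.g. ("inbound", "esp")
        elif s.startswith("spi:") and section and section[1] == "esp":
            cur[section[0]] += 1  # "current outbound spi: ..." does not start with "spi:"
    return tunnels

def diagnose(tunnels, expected_idb):
    """Flag tunnels with no child SAs, one-way traffic, or an unexpected egress idb."""
    findings = []
    for name, t in tunnels.items():
        if t["inbound"] == 0 or t["outbound"] == 0:
            findings.append(f"{name}: no ESP SAs, IKEv2 child SA never established")
        elif t["encaps"] == 0 and t["decaps"] > 0:
            findings.append(f"{name}: decrypts but never encrypts, nothing is routed into it")
        if name in expected_idb and t["idb"] != expected_idb[name]:
            findings.append(f"{name}: ip mtu idb {t['idb']}, expected {expected_idb[name]}")
    return findings
```

Run it as `diagnose(parse_ipsec_sa(SAMPLE), {"Tunnel10": "Dialer1", "Tunnel11": "Dialer2"})` to get one line per symptom; on a live router, feed it the pasted output of the same show command.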