Duplicating an existing VPN between Azure VN and On-Premise fails

varunoberoi
Level 1

I have an existing tunnel-based VPN connection between my on-premise router's WAN1 and Azure VN, and I wanted to load balance it with another tunnel-based VPN between WAN2 and Azure.

Tunnel 10 is UP-ACTIVE and Tunnel 11 is DOWN-NEGOTIATING. It never changes to UP-ACTIVE.

To debug, I ran sh crypto ipsec sa. The output is below:

What I have noticed in that output is the line "ip mtu idb Dialer1" on both tunnel outputs. Since the WAN2 IP is on Dialer 2, it should ideally be "ip mtu idb Dialer2" in the output for interface Tunnel11. Routing between the Azure IP space 10.0.0.0/24 and on-premise 10.1.0.0/20 has also not worked ever since I added the second VPN connection.

All help is appreciated, thanks.


-----------------------------------------------------------------------------

OrionRouter#sh crypto ipsec sa

interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 117.242.xxx.xxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 52.140.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 256, #pkts decrypt: 256, #pkts verify: 256
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 117.242.xxx.xxx, remote crypto endpt.: 52.140.xxx.xxx
     plaintext mtu 1438, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x40A0AEDE(1084272350)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x6890F2BD(1754329789)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: ESG:4, sibling_flags FFFFFFFF80000048, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4607997/2911)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x40A0AEDE(1084272350)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: ESG:3, sibling_flags FFFFFFFF80000048, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/2911)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel11
    Crypto map tag: Tunnel11-head-0, local addr 103.69.xxx.xxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 52.140.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 103.69.xxx.xxx, remote crypto endpt.: 52.140.xxx.xxx
     plaintext mtu 1492, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
OrionRouter#
----------------------------------------------------------------------------------------------

The commands to configure both VPN connections are:

config t

!----------- Azure VPN Config ------------
crypto ikev2 proposal std-vpn-proposal
encryption aes-cbc-256
integrity sha1
group 2
exit

!-----------Create a transform-set------------
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256
mode tunnel
exit

config t

!-----------Create a policy------------
crypto ikev2 policy azure-wan1-vpn-policy
proposal std-vpn-proposal
match address local 117.242.xxx.xxx
exit

!-----------Create Pre-Shared key------------
crypto ikev2 keyring azure-wan1-vpn-keyring
peer 52.140.xxx.xxx
address 52.140.xxx.xxx
pre-shared-key secretpass
exit
exit

!---------- Create Ikev2 profile-------------
crypto ikev2 profile azure-wan1-vpn-profile
match address local 117.242.xxx.xxx
match identity remote address 52.140.xxx.xxx 255.255.255.255
authentication remote pre-share
authentication local pre-share
lifetime 3600
dpd 10 5 on-demand
keyring local azure-wan1-vpn-keyring
exit

!-----------Create an access list------------
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
! REPLACE 52.140.xxx.xxx with Azure VPN IP address
! REPLACE 117.242.xxx.xxx with WAN Static IP address
access-list 101 permit esp host 52.140.xxx.xxx host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq isakmp host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq non500-isakmp host 117.242.xxx.xxx

crypto ipsec profile azure-wan1-vpn-IPsecProfile
set transform-set  std-vpn-TransformSet
set ikev2-profile  azure-wan1-vpn-profile
set security-association lifetime seconds 3600
exit

! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
!   other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface numbers and APIPA IP addresses below
! * Default tunnel interface 11 (169.254.0.1) and 12 (169.254.0.2)

int tunnel 10
ip address 169.254.0.1 255.255.255.255
tunnel mode ipsec ipv4
ip tcp adjust-mss 1350
tunnel source 117.242.xxx.xxx
tunnel destination 52.140.xxx.xxx
tunnel protection ipsec profile azure-wan1-vpn-IPsecProfile
exit

! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s), default tunnel 11 and tunnel 12

ip route 10.0.0.0 255.255.254.0 Tunnel 10
exit

Second VPN commands below:

config t

!----------- Azure VPN Config ------------
crypto ikev2 proposal std-vpn-proposal
encryption aes-cbc-256
integrity sha1
group 2
exit

!-----------Create a transform-set------------
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256
mode tunnel
exit

!REPLACE: below local IP with WAN static ip
!-----------Create a policy------------
crypto ikev2 policy azure-wan2-vpn-policy
proposal std-vpn-proposal
match address local 103.69.xxx.xxx
exit

!-----------Create Pre-Shared key------------
crypto ikev2 keyring azure-wan2-vpn-keyring
peer 52.140.xxx.xxx
address 52.140.xxx.xxx
pre-shared-key secretpass
exit
exit

!---------- Create Ikev2 profile-------------
crypto ikev2 profile azure-wan2-vpn-profile
match address local 103.69.xxx.xxx
match identity remote address 52.140.xxx.xxx 255.255.255.255
authentication remote pre-share
authentication local pre-share
lifetime 3600
dpd 10 5 on-demand
keyring local azure-wan2-vpn-keyring
exit

!-----------Create an access list------------
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
! REPLACE 52.140.xxx.xxx with Azure VPN IP address
! REPLACE 103.69.xxx.xxx with WAN Static IP address
access-list 101 permit esp host 52.140.xxx.xxx host 103.69.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq isakmp host 103.69.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq non500-isakmp host 103.69.xxx.xxx

crypto ipsec profile azure-wan2-vpn-IPsecProfile
set transform-set  std-vpn-TransformSet
set ikev2-profile  azure-wan2-vpn-profile
set security-association lifetime seconds 3600
exit

! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
!   other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface numbers and APIPA IP addresses below
! *  - Increment the tunnel # and the last digit of the IP address
! * Default tunnel interface 11 (169.254.0.1) and 12 (169.254.0.2)

int tunnel 11
ip address 169.254.0.2 255.255.255.255
tunnel mode ipsec ipv4
ip tcp adjust-mss 1350
tunnel source 103.69.xxx.xxx
tunnel destination 52.140.xxx.xxx
tunnel protection ipsec profile azure-wan2-vpn-IPsecProfile
exit

! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s), default tunnel 11 and tunnel 12

ip route 10.0.0.0 255.255.254.0 Tunnel 11
exit
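Added example (not from the post, Cisco or Azure): a small Python parser for the `sh crypto ipsec sa` output quoted above that flags a tunnel whose crypto egress interface (`ip mtu idb`) is not the WAN interface its source address lives on, and a tunnel holding no ESP SAs. It assumes, as the post describes, that WAN1 sits on Dialer1 and WAN2 on Dialer2; the sample output is constructed from the post's structure.

```python
import re

# Constructed sample shaped like the "show crypto ipsec sa" output quoted above
# (addresses masked the same way); only the lines the parser reads are kept.
SAMPLE = """\
interface: Tunnel10
     local crypto endpt.: 117.242.xxx.xxx, remote crypto endpt.: 52.140.xxx.xxx
     plaintext mtu 1438, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x40A0AEDE(1084272350)
      spi: 0x6890F2BD(1754329789)
      spi: 0x40A0AEDE(1084272350)
interface: Tunnel11
     local crypto endpt.: 103.69.xxx.xxx, remote crypto endpt.: 52.140.xxx.xxx
     plaintext mtu 1492, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x0(0)
"""

# Assumed design from the post: the WAN1 address lives on Dialer1, WAN2 on Dialer2.
EXPECTED_IDB = {"Tunnel10": "Dialer1", "Tunnel11": "Dialer2"}


def parse_ipsec_sa(text):
    """Per 'interface:' block: egress idb, outbound SPI and number of ESP SAs."""
    tunnels, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface: "):
            cur = tunnels.setdefault(s.split()[1], {"esp_sas": 0})
            continue
        if cur is None:
            continue
        if m := re.search(r"ip mtu idb (\S+)", s):
            cur["idb"] = m.group(1)
        elif m := re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", s):
            cur["out_spi"] = m.group(1)
        elif s.startswith("spi: 0x"):  # one installed inbound or outbound ESP SA
            cur["esp_sas"] += 1
    return tunnels


def find_problems(tunnels, expected_idb):
    """Flag wrong crypto egress interface and tunnels holding no ESP SAs."""
    findings = []
    for name, t in sorted(tunnels.items()):
        want = expected_idb.get(name)
        if want and t.get("idb") != want:
            findings.append(f"{name}: egress idb {t.get('idb')} but source is on {want}")
        if t["esp_sas"] == 0:
            findings.append(f"{name}: no ESP SAs (outbound spi {t.get('out_spi')})")
    return findings
```

Run `find_problems(parse_ipsec_sa(SAMPLE), EXPECTED_IDB)` against a pasted `sh crypto ipsec sa` capture; on the sample it reports both Tunnel11 findings and nothing for Tunnel10.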
15 Replies

! Physical WAN port running the PPPoE client (g0/x is a placeholder)
interface g0/x
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
! Dialer placed in the front-door VRF RED; the tunnel itself stays global
interface Dialer1
 ip vrf forwarding RED
 ip address negotiated
 encapsulation ppp
 dialer pool 1
!
interface Tunnel1
 tunnel vrf RED
 tunnel source Dialer1
 tunnel destination WAN-IP-OtherPeer
!
! IKEv2 must be matched in the front-door VRF as well
crypto ikev2 policy <policy-name>
 match fvrf RED
!
crypto ikev2 profile <profile-name>
 match fvrf RED

In the config above, only the front door has the VRF, not the tunnel.

! Remote LAN via the tunnel (global table); default route inside VRF RED via the dialer
ip route <LAN-other-side> <mask> Tunnel1
!
ip route vrf RED 0.0.0.0 0.0.0.0 Dialer1

Please try the config above and reply if you can.
Good luck, friend.