Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1258
Views
5
Helpful
13
Replies

Flex VPN with Azure

Go to solution
angelito_mas
Level 1
Level 1

‎03-22-2022 04:42 AM

Hello,

i am configuring an CSR1000v on an Azure Infrastracture to enable it as Hub Server VPN.

I' ve almost done the configuration but when i do a telnet on its Public IP (on the 500 and 4500 ports) the server is not reachable.

I have already opened the ports on the Security Panel of the Azure Portal.

 

iotodvpn#sh ip socket
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 172.28.0.1 500 0 0 2001011 0
17(v6) --listen-- --any-- 500 0 0 2020011 0
17 --listen-- 172.28.0.1 4500 0 0 2001011 0
17(v6) --listen-- --any-- 4500 0 0 2020011 0

 

Can you help me?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions
13 Replies 13

Go to solution
Rob Ingram
VIP
VIP

‎03-22-2022 04:50 AM

@angelito_mas the FlexVPN hub would be listening on UDP, when you are connecting are you using UDP? If you've opened the ports and you can at least ping, connect a spoke for testing and enable IKEv2 debugs (if you are having an issue).

0 Helpful

Go to solution
angelito_mas
Level 1
Level 1
In response to Rob Ingram

‎03-22-2022 04:55 AM

@Rob Ingram i can ping but i cannot connect a spoke.

When I test the connectivity with a telnet on the port from the command prompy of my pc, it says that the host is not responding.

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to angelito_mas

‎03-22-2022 05:09 AM

@angelito_mas natively windows is going to telnet to TCP, not UDP. You'd have to use a tool to query using UDP

https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/portqry-command-line-port-scanner-v2

 

Regardless if you have a spoke, turn on debugs on the hub, if debug is generated that will confirm whether you've got connectivity....if it fails, then it's a configuration issue, but at least you've confirmed the ports are open.

Go to solution
angelito_mas
Level 1
Level 1

‎03-22-2022 05:32 AM

@Rob Ingram 

thank you! i did not know this tool..

Now, I would to enable the local authentication just for testing the tunnel. How can I do? 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to angelito_mas

‎03-22-2022 05:36 AM

@angelito_mas You mean authentication of a Site-to-Site VPN using Pre-shared-key/certificates? or are you setting up a Remote Access VPN and want to authenticate to the hub using a local username/password?

0 Helpful

Go to solution
angelito_mas
Level 1
Level 1
In response to Rob Ingram

‎03-22-2022 05:39 AM

@Rob Ingram At the moment I need to authenticate to the hub using a local username/password.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to angelito_mas

‎03-22-2022 05:40 AM

@angelito_mas ok, refer to this Cisco guide for Remote Access VPN using local username/password.

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎03-22-2022 06:34 AM

can you share the config here ?

0 Helpful

Go to solution
angelito_mas
Level 1
Level 1

‎03-22-2022 07:34 AM - edited ‎03-22-2022 07:36 AM

@Rob Ingram @MHM Cisco World this is the config, can you check it it is everything ok?

!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local none
!
!
!!
!
crypto ikev2 name-mangler VPN
email username
!
!
crypto ikev2 authorization policy VPN
pool TestPool
dhcp giaddr 172.28.0.1
netmask 255.255.252.0
route set interface
route set remote ipv4 172.26.255.0 255.255.255.0
route accept any distance 70
!
!
!
crypto ikev2 keyring Flex_key
peer alleantia
identity email domain ***
pre-shared-key ****
!
!
!
crypto ikev2 profile VPN_I2PF
match fvrf any
match identity remote email domain ******
identity local key-id *PUBLIC_IP*
authentication remote pre-share
authentication local pre-share
keyring local Flex_key
dpd 29 2 on-demand
aaa authorization group psk list VPN VPN
virtual-template 2
!
!
!
!
!
crypto logging ikev2
!
!
!
!
!
!
crypto isakmp key cisco123 address 0.0.0.0
!
!
!
crypto ipsec profile VPN_IPS_PF
set ikev2-profile VPN_I2PF
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description FlexTunnel interface
ip address 172.28.0.1 255.255.252.0
ip mtu 1400
ip nat inside
!
interface Loopback1
ip address 172.26.255.1 255.255.255.0
ip mtu 1400
!
interface VirtualPortGroup0
vrf forwarding GS
ip address 192.168.35.101 255.255.255.0
ip nat inside
no mop enabled
no mop sysid
!
interface GigabitEthernet1
ip address dhcp
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
ip mtu 1358
ip nat inside
ip tcp adjust-mss 1318
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel path-mtu-discovery
tunnel protection ipsec profile VPN_IPS_PF
!
iox
ip local pool TestPool 172.28.0.2 172.28.3.254
ip forward-protocol nd
ip tcp window-size 8192
ip http server
ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet1 overload
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 172.16.0.1 global
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh server algorithm publickey ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp521
ip scp server enable
!
ip access-list standard GS_NAT_ACL
10 permit 192.168.35.0 0.0.0.255
!
!
ip access-list extended 101
10 permit ip 172.28.0.0 0.0.3.255 any
!

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to angelito_mas

‎03-22-2022 08:29 AM

@angelito_mas I thought you wanted to authenticate users with a username and password? You've defined the authentication method (local and remote) as PSK.

You've also reference a method list called VPN under the ikev2 profile that does not exist.

0 Helpful

Go to solution
angelito_mas
Level 1
Level 1
In response to Rob Ingram

‎03-22-2022 08:45 AM

@Rob Ingram I need to connect the spoke to the hub using an email address as username and a pre-shared key as password.

 

Previously I' ve added the AAA configuration because i should use a radius server.

At the moment I would like to check the connectivity between the hub and the spoke.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to angelito_mas

‎03-22-2022 09:30 AM

show ip interface brief 
can you share it ?

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎03-22-2022 12:47 PM - edited ‎03-22-2022 12:48 PM

interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
ip mtu 1358
ip nat inside
ip tcp adjust-mss 1318
tunnel source GigabitEthernet1<-wrong 
tunnel mode ipsec ipv4
tunnel destination dynamic<-wrong 
tunnel path-mtu-discovery
tunnel protection ipsec profile VPN_IPS_PF

the Spoke-Hub tunnel is dynamic build. 
in Spoke you config the source and destination which is the Lo of Hub virtual-templateX
in Hub the virtual-template is generate VCI for each spoke depend on config "IPSec profile".
so here why you config this source/destination ?

0 Helpful
Customers Also Viewed These Support Documents