03-28-2022 03:41 PM
Hello Community,
I am getting the following message when I try to establish a session with MS Azure.
5 Mar 28 2022 17:24:49 750001 Local:xx.xx.xx.xx:500 Remote:yy.yy.yy.yy:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.23.225.1-172.23.225.1 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.25.21.12-172.25.21.12 Protocol: 0 Port Range: 0-65535
The site-to-site is established, but I can't reach the other side.
According to the Azure administrator, everything is fine from his side; my concern is this line: Username:Unknown IKEv2 Received request to establish an IPsec tunnel
Any thoughts?
03-28-2022 04:11 PM
IKEv2 needs PFS to work. Did you configure PFS?
03-28-2022 05:26 PM
Thank you for your reply.
No, I haven't configured PFS on IKEv2; honestly, I am not sure what the correct parameter is to do this.
Can you advise?
03-28-2022 05:31 PM - edited 03-28-2022 05:34 PM
Check this doc for how you can configure PFS.
03-29-2022 07:07 AM
You aren't required to configure PFS (it is optional), however PRF is required (if there was some confusion).
03-29-2022 07:23 AM - edited 03-29-2022 07:29 AM
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-cisco-asa
Yes, it is optional, and I checked PRF; indeed, yes, it is also needed.
Please find above an example config between Azure and ASA.
And also, as Mr. Rob suggests, please check PRF and add it under the policy if needed.
03-29-2022 07:40 AM
Hello,
I have configured the PRF like this
crypto ikev2 policy 20
encryption aes-256 aes-192 aes
integrity sha512 sha384 sha256 sha
group 14 2
prf sha512 sha384 sha256 sha
lifetime seconds 86400
and now I can see this on the status (see attachment). I can't see the local and remote networks in the VPN.
03-29-2022 07:47 AM
@Scott12 so by configuring PRF, has that error gone?
The output looks like you've configured a route-based VPN. Is that what you have configured?
The output provided indicates you are Tx/Rx'ing packets; is it not working?
What is the output of "show crypto ipsec sa"?
03-29-2022 08:05 AM
Hi,
This is the result of show crypto ipsec sa.
interface: NAME-xx.xx.xx.xx
Crypto map tag: __vti-crypto-map-6-0-1, seq num: 65280, local addr: xx.xx.xx.xx
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: yy.yy.yy.yy
And this is the configuration that I applied,
crypto ikev2 policy 20
encryption aes-256 aes-192 aes
integrity sha512 sha384 sha256 sha
group 14 2
prf sha512 sha384 sha256 sha
lifetime seconds 86400
!
!
crypto ipsec ikev2 ipsec-proposal Azure-Ipsec-NAME-yy.yy.yy.yy
protocol esp encryption aes-256
protocol esp integrity sha-256
!
!
crypto ipsec profile Azure-Ipsec-PROF-NAME-yy.yy.yy.yy
set ikev2 ipsec-proposal Azure-Ipsec-NAME-yy.yy.yy.yy
!
crypto ipsec security-association pmtu-aging infinite
!
group-policy yy.yy.yy.yy internal
group-policy yy.yy.yy.yy attributes
vpn-tunnel-protocol ikev2
tunnel-group yy.yy.yy.yy type ipsec-l2l
tunnel-group yy.yy.yy.yy general-attributes
default-group-policy yy.yy.yy.yy
tunnel-group yy.yy.yy.yy ipsec-attributes
ikev2 remote-authentication pre-shared-key PSK-KEY
ikev2 local-authentication pre-shared-key PSK-KEY
no tunnel-group-map enable peer-ip
tunnel-group-map default-group yy.yy.yy.yy
!
!
####### crypto ikev2 enable Internet
!
!
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
!
interface Tunnel1
nameif vti-NAME-yy.yy.yy.yy
ip address 172.21.12.1 255.255.255.252
tunnel source interface Internet
tunnel destination yy.yy.yy.yy
tunnel mode ipsec ipv4
tunnel protection ipsec profile Azure-Ipsec-NAME-yy.yy.yy.yy
no shutdown
!
!
####### BGP ROUTER SETUP
!
router bgp 65510
bgp log-neighbor-changes
bgp graceful-restart
bgp router-id 172.21.10.1
address-family ipv4 unicast
! NOTE: THE LOCAL NETWORKS TO BE ADDED STATICALLY TO THIS BGP ROUTER NEED TO GO HERE BELOW:
network 172.21.12.0
network LNG_BGPIP mask 255.255.255.252
network 172.21.3.0
network LNG_BGPIP mask 255.255.255.252
! NOTE: You can add more local on-premises network ranges statically here as well, using the "network" command just like above.
!etc...
!
no auto-summary
no synchronization
exit-address-family
#pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
#pkts decaps: 159, #pkts decrypt: 159, #pkts verify: 159
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 96, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xx.xx.xx.xx/500, remote crypto endpt.: yy.yy.yy.yy/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 643D3394
current inbound spi : 87323255
inbound esp sas:
spi: 0x87323255 (2268213845)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
slot: 0, conn_id: 80717, crypto-map: __vti-crypto-map-6-0-1
sa timing: remaining key lifetime (kB/sec): (4055017/26550)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFD
outbound esp sas:
spi: 0x643D3394 (1681732500)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
slot: 0, conn_id: 80717, crypto-map: __vti-crypto-map-6-0-1
sa timing: remaining key lifetime (kB/sec): (4008910/26550)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
03-29-2022 08:16 AM
#pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
#pkts decaps: 159, #pkts decrypt: 159, #pkts verify: 159
So the VPN is now established and clearly packets are being sent and received; what is the issue? Are you testing from a network that you've not advertised over the VPN via BGP?
03-29-2022 08:29 AM - edited 03-29-2022 08:30 AM
I advertised the networks, but I can't reach the remote networks.
These are the networks advertised:
router bgp 65510
bgp log-neighbor-changes
bgp graceful-restart
bgp router-id 172.21.10.1
address-family ipv4 unicast
network 172.21.3.0
network 172.21.3.0 mask 255.255.255.0
network 172.21.10.0
network 172.21.10.0 mask 255.255.254.0
network 172.23.225.0
network 172.23.225.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
If I execute a tracert, the packet stays on the gateway of the interface VLAN and then I receive a timeout, so I go to the monitoring on the ASA and I can see this event:
750001 Local:xx.xx.xx.xx:500 Remote:yy.yy.yy.yy:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.23.225.1-172.23.225.1 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.25.21.12-172.25.21.12 Protocol: 0 Port Range: 0-65535
03-29-2022 08:48 AM
What is the egress interface the traceroute is being sent from? Is that in the peer's routing table for the VPN?
It's always advisable to test from behind the firewall and confirm connectivity through the firewall, not from it.
03-29-2022 08:54 AM
Microsoft Azure supports route-based, policy-based, or "route-based" with simulated policy-based traffic selectors.
OK
Route-based uses a selector of 0.0.0.0, and policy-based uses the ACL match line.
Here the error shows us that the selector is policy-based even if you configured a VTI ("route-based")...!!!
So check with Azure which mode they configured. I think they use route-based with simulated policy-based traffic selectors, not plain route-based.
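The last reply above turns on reading the traffic selectors inside the ASA's 750001 message and comparing them with the 0.0.0.0/0 identity a VTI negotiates (visible earlier in the `show crypto ipsec sa` output). The script below is an added example for this thread, not Cisco or Microsoft code: it parses 750001 lines, collapses each selector's address range to CIDR, and labels a request "route-based" only when both selectors are any/any, so narrow (host or subnet) selectors from a peer stand out immediately. The message layout is taken from the line quoted in the thread; the sample log lines are constructed, with the redacted peers replaced by RFC 5737 documentation addresses.

```python
"""Audit Cisco ASA syslog 750001 messages for narrow IKEv2 traffic selectors.

Added example for the thread above; it is not Cisco or Microsoft code. The
message layout is taken from the 750001 line quoted in the thread, and the
sample log lines at the bottom are constructed (documentation addresses).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "750001 Local:<ip>:<port> Remote:<ip>:<port>" as seen in the thread's message.
_HEADER = re.compile(
    r"750001 Local:(?P<local>[^:\s]+):\d+ Remote:(?P<remote>[^:\s]+):\d+"
)
# One "<side> traffic selector = Address Range: a-b Protocol: p Port Range: x-y" clause.
_SELECTOR = re.compile(
    r"(?P<side>local|remote) traffic selector = Address Range: "
    r"(?P<lo>[\d.]+)-(?P<hi>[\d.]+) Protocol: (?P<proto>\d+) "
    r"Port Range: (?P<plo>\d+)-(?P<phi>\d+)"
)

ANY_LO = ipaddress.IPv4Address("0.0.0.0")
ANY_HI = ipaddress.IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class Selector:
    side: str
    lo: ipaddress.IPv4Address
    hi: ipaddress.IPv4Address
    proto: int
    port_lo: int
    port_hi: int

    def is_any(self) -> bool:
        """True for the 0.0.0.0/0, any-protocol, any-port selector a VTI negotiates."""
        return (self.lo == ANY_LO and self.hi == ANY_HI and self.proto == 0
                and self.port_lo == 0 and self.port_hi == 65535)

    def cidr(self) -> str:
        """Collapse the address range to CIDR (a single host becomes a /32)."""
        nets = ipaddress.summarize_address_range(self.lo, self.hi)
        return ",".join(str(n) for n in nets)


@dataclass(frozen=True)
class TunnelRequest:
    local_peer: str
    remote_peer: str
    local_ts: Selector
    remote_ts: Selector

    def mode(self) -> str:
        """'route-based' only when both selectors are any/any, else 'policy-based'."""
        if self.local_ts.is_any() and self.remote_ts.is_any():
            return "route-based"
        return "policy-based"


def parse_750001(line: str) -> Optional[TunnelRequest]:
    """Parse one syslog line; return None for anything that is not a complete 750001."""
    head = _HEADER.search(line)
    if head is None:
        return None
    found = {}
    for m in _SELECTOR.finditer(line):
        found[m["side"]] = Selector(
            m["side"], ipaddress.IPv4Address(m["lo"]), ipaddress.IPv4Address(m["hi"]),
            int(m["proto"]), int(m["plo"]), int(m["phi"]),
        )
    if set(found) != {"local", "remote"}:
        return None  # truncated or unexpected message: do not guess selectors
    return TunnelRequest(head["local"], head["remote"], found["local"], found["remote"])


def audit(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (remote_peer, mode, local_cidr, remote_cidr) for every 750001 line.

    Rows marked 'policy-based' carry selectors narrower than the 0.0.0.0/0
    identity of a VTI; those are the ranges to compare with what the peer's
    administrator actually configured.
    """
    rows = []
    for line in lines:
        req = parse_750001(line)
        if req is not None:
            rows.append((req.remote_peer, req.mode(), req.local_ts.cidr(), req.remote_ts.cidr()))
    return rows


# Constructed sample log: the thread's message with documentation addresses,
# an any/any request, and an unrelated connection-teardown line.
SAMPLE_LOG = [
    "Mar 28 2022 17:24:49 750001 Local:203.0.113.10:500 Remote:198.51.100.20:500 "
    "Username:Unknown IKEv2 Received request to establish an IPsec tunnel; "
    "local traffic selector = Address Range: 172.23.225.1-172.23.225.1 Protocol: 0 Port Range: 0-65535; "
    "remote traffic selector = Address Range: 172.25.21.12-172.25.21.12 Protocol: 0 Port Range: 0-65535",
    "Mar 28 2022 17:25:01 750001 Local:203.0.113.10:500 Remote:198.51.100.21:500 "
    "Username:Unknown IKEv2 Received request to establish an IPsec tunnel; "
    "local traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 0 Port Range: 0-65535; "
    "remote traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 0 Port Range: 0-65535",
    "Mar 28 2022 17:25:02 302014 Teardown TCP connection 12345 for outside:198.51.100.5/443",
]

if __name__ == "__main__":
    for peer, mode, lts, rts in audit(SAMPLE_LOG):
        print(f"{peer:16} {mode:13} local={lts:18} remote={rts}")
```

Run it against a saved `show logging` export (one message per line) to list every peer whose request carried host or subnet selectors; the first constructed line reproduces the thread's case and comes out as policy-based with /32 selectors on both sides, while the any/any request comes out as route-based.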