VPN ASA (VTI) To Azure (Route-Based)

Peter Long
Level 1

Hi,

I'm not using BGP; this is just a simple connection to Azure using VTI (I'm running version 9.9.2(36)).

Debugs are showing nothing, so I'm missing something fundamental?


-=-=-=-=-=Config-=-=-=-=-

#IPsec Proposal (IKEv2)
!
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
!


#IPsec Profile
!
crypto ipsec profile AZURE-PROFILE
set ikev2 ipsec-proposal AZURE-PROPOSAL
!

#VTI Interface
!
interface Tunnel1
no shutdown
nameif AZURE-VTI01
ip address 169.254.225.1 255.255.255.252
tunnel destination 40.115.49.202
tunnel source interface outside
tunnel protection ipsec profile AZURE-PROFILE
tunnel mode ipsec ipv4
!

#Group Policy
!
group-policy AZURE-GROUP-POLICY internal
group-policy AZURE-GROUP-POLICY attributes
vpn-tunnel-protocol ikev2
!

#Tunnel-Group
tunnel-group 40.115.49.202 type ipsec-l2l
tunnel-group 40.115.49.202 general-attributes
default-group-policy AZURE-GROUP-POLICY
tunnel-group 40.115.49.202 ipsec-attributes
peer-id-validate nocheck
ikev2 local-authentication pre-shared-key supersecretpassword
ikev2 remote-authentication pre-shared-key supersecretpassword
isakmp keepalive threshold 10 retry 2


#Route
route AZURE-VTI01 10.0.0.0 255.255.255.0 169.254.225.2 1


#Additional

!
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
!

-=-=-=-=-=-=-=-=-=-=-=-=

As said, nothing in the debugs.

Petes-HomeASA# show int tunnel 1
Interface Tunnel1 "AZURE-VTI01", is down, line protocol is down
Hardware is Virtual Tunnel MAC address N/A, MTU 1500
IP address 169.254.225.1, subnet mask 255.255.255.252
Tunnel Interface Information:
Source interface: outside IP address: 123.123.58.194
Destination IP address: 40.115.49.202
Mode: ipsec ipv4 IPsec profile: AZURE-PROFILE
Petes-HomeASA#


Anyone?

Hi,
Do you have an IKEv2 Policy defined and "crypto ikev2 enable outside" configured? I don't see these commands in the output above
HTH

Yes I do (sorry).

!
crypto ikev2 policy 1
encryption aes-256
integrity sha384
group 24
prf sha384
lifetime seconds 86400

!
crypto ikev2 policy 2
encryption aes-256
integrity sha384
group 24
prf sha384
lifetime seconds 28800

!
crypto ikev2 policy 3
encryption aes-256
integrity sha
group 24
prf sha256
lifetime seconds 7200

!
crypto ikev2 policy 4
encryption aes-256
integrity sha256
group 2
prf sha
lifetime seconds 28800
!
crypto ikev2 enable outside
crypto ikev2 notify invalid-selectors

!

Thanks for the follow up.

Peter Long
Level 1

Looks like it's the IKEv2 proposals.

Double checking...

This configuration looks OK to me. Is there anything generated in the debugs on either end?

I got a "no matching IKEv2". I added some and it started working; I then (to check) rebooted and added the config again, and it's not coming up. It's the IKEv2 proposals that are the problem.

:)
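The "no matching IKEv2" message above means the peers could not find one IKEv2 policy whose encryption, integrity, PRF and DH group all overlap. The following is an added example (not code from the thread or from Cisco) that parses the four `crypto ikev2 policy` blocks posted earlier and checks them against two constructed peer offers; the peer values are hypothetical and not Azure's actual proposal set. It reports, per policy, which transform type breaks the match, which is what you would want to know before adding yet another policy.

```python
"""Reproduce the "no matching IKEv2 policy" check for the ASA policies above.

Added example, not code from the thread or from Cisco. It parses the four
`crypto ikev2 policy` blocks the poster listed and tests them against
constructed peer proposals; the peer values are hypothetical, not Azure's
real parameters."""
import re
from typing import Dict, List, Set

# Copied from the reply above: the poster's IKEv2 policies.
ASA_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha384
 group 24
 prf sha384
 lifetime seconds 86400
crypto ikev2 policy 2
 encryption aes-256
 integrity sha384
 group 24
 prf sha384
 lifetime seconds 28800
crypto ikev2 policy 3
 encryption aes-256
 integrity sha
 group 24
 prf sha256
 lifetime seconds 7200
crypto ikev2 policy 4
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 28800
crypto ikev2 enable outside
"""

# The four transform types that must all overlap for an IKEv2 SA to form.
ATTRS = ("encryption", "integrity", "group", "prf")
Policy = Dict[str, Set[str]]


def _norm(value: str) -> str:
    # ASA spells SHA-1 as plain "sha"; canonicalise so comparisons are exact.
    return "sha1" if value == "sha" else value


def parse_ikev2_policies(config: str) -> Dict[int, Policy]:
    """Return {priority: {attr: set(values)}} for each `crypto ikev2 policy`."""
    policies: Dict[int, Policy] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev2 policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {a: set() for a in ATTRS}
            continue
        if current is None or not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[0] in ATTRS:
            # One line may list several values, e.g. "encryption aes-256 aes-192".
            policies[current][parts[0]].update(_norm(v) for v in parts[1:])
        elif parts[0] != "lifetime":
            current = None  # any other command ends the policy block
    return policies


def explain_mismatch(policies: Dict[int, Policy], peer: Policy) -> Dict[int, List[str]]:
    """For each policy, list the transform types that do not overlap the peer offer."""
    return {
        prio: [a for a in ATTRS if not (pol[a] & peer[a])]
        for prio, pol in sorted(policies.items())
    }


def matching_policies(policies: Dict[int, Policy], peer: Policy) -> List[int]:
    """Priorities (lowest number first) whose every transform overlaps the peer offer."""
    return [prio for prio, failing in explain_mismatch(policies, peer).items() if not failing]


# Constructed peer offers (hypothetical; NOT Azure's actual proposal set).
PEER_OFFER_NO_MATCH: Policy = {
    "encryption": {"aes-256"}, "integrity": {"sha256"}, "group": {"2"}, "prf": {"sha256"},
}
PEER_OFFER_MATCH: Policy = {
    "encryption": {"aes-256"}, "integrity": {"sha256"}, "group": {"2"}, "prf": {"sha1"},
}

if __name__ == "__main__":
    pols = parse_ikev2_policies(ASA_CONFIG)
    for name, offer in (("no-match", PEER_OFFER_NO_MATCH), ("match", PEER_OFFER_MATCH)):
        print(name, "->", matching_policies(pols, offer) or "no matching IKEv2 policy")
        for prio, failing in explain_mismatch(pols, offer).items():
            print(f"  policy {prio}: {'ok' if not failing else 'fails on ' + ', '.join(failing)}")
```

With the first constructed offer, policy 4 fails only on the PRF (the poster's `prf sha` is SHA-1), which is the kind of single-attribute miss that produces "no matching IKEv2 policy" even though the policy looks right at a glance; the second offer matches policy 4 outright. To use it against a real peer, replace the constructed offer with the transforms shown in `debug crypto ikev2 protocol` on the other end.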

Yeah, cracked it!!

I'll post back the solution as soon as I get it documented!


As promised, here is how I did it:

Microsoft Azure ‘Route Based’ VPN to Cisco ASA


Thanks to all,

Pete