VPN ASA (VTI) To Azure (Route-Based)

Peter Long

Hi,

 

I'm not using BGP; this is just a simple connection to Azure using VTI (I'm running version 9.9.2(36)).

 

Debugs are showing nothing, so I'm missing something fundamental?

 

-=-=-=-=-=Config-=-=-=-=-

#IPsec (IKEv2) Proposal
!
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
!


#IPsec Profile
!
crypto ipsec profile AZURE-PROFILE
set ikev2 ipsec-proposal AZURE-PROPOSAL
!

#VTI Interface
!
interface Tunnel1
no shutdown
nameif AZURE-VTI01
ip address 169.254.225.1 255.255.255.252
tunnel destination 40.115.49.202
tunnel source interface outside
tunnel protection ipsec profile AZURE-PROFILE
tunnel mode ipsec ipv4
!

#Group Policy
!
group-policy AZURE-GROUP-POLICY internal
group-policy AZURE-GROUP-POLICY attributes
vpn-tunnel-protocol ikev2
!

#Tunnel-Group
tunnel-group 40.115.49.202 type ipsec-l2l
tunnel-group 40.115.49.202 general-attributes
default-group-policy AZURE-GROUP-POLICY
tunnel-group 40.115.49.202 ipsec-attributes
peer-id-validate nocheck
ikev2 local-authentication pre-shared-key supersecretpassword
ikev2 remote-authentication pre-shared-key supersecretpassword
isakmp keepalive threshold 10 retry 2


#Route
route AZURE-VTI01 10.0.0.0 255.255.255.0 169.254.225.2 1

 

#Additional

!
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
!

-=-=-=-=-=-=-=-=-=-=-=-=

 

As said, nothing in the debugs.

 

Petes-HomeASA# show int tunnel 1
Interface Tunnel1 "AZURE-VTI01", is down, line protocol is down
Hardware is Virtual Tunnel MAC address N/A, MTU 1500
IP address 169.254.225.1, subnet mask 255.255.255.252
Tunnel Interface Information:
Source interface: outside IP address: 123.123.58.194
Destination IP address: 40.115.49.202
Mode: ipsec ipv4 IPsec profile: AZURE-PROFILE
Petes-HomeASA#

 

Anyone?


Hi,
Do you have an IKEv2 policy defined and "crypto ikev2 enable outside" configured? I don't see these commands in the output above.
HTH

Yes I do (sorry)

 

!

crypto ikev2 policy 1
encryption aes-256
integrity sha384
group 24
prf sha384
lifetime seconds 86400

!
crypto ikev2 policy 2
encryption aes-256
integrity sha384
group 24
prf sha384
lifetime seconds 28800

!
crypto ikev2 policy 3
encryption aes-256
integrity sha
group 24
prf sha256
lifetime seconds 7200

!
crypto ikev2 policy 4
encryption aes-256
integrity sha256
group 2
prf sha
lifetime seconds 28800
!
crypto ikev2 enable outside
crypto ikev2 notify invalid-selectors

!

 

Thanks for the follow up

Peter Long

Looks like it's IKEv2 proposals.

 

Double checking...

This configuration looks ok to me. Is there anything generated in the debugs on either end?

I got a "no matching IKEv2"; I added some and it started working. I then (to check) rebooted and added the config again, and it's not coming up. It's the IKEv2 proposals that are the problem.

 

:)

Yeah, cracked it!!

 

I'll post back the solution as soon as I get it documented!

As promised, here is how I did it:
Microsoft Azure ‘Route Based’ VPN to Cisco ASA

 

Thanks to All

 

Pete
