Hello guys,
I had to configure a tunnel between Azure and a Cisco ASA. The easiest way is a static, subnet-to-subnet (policy-based) tunnel, but our requirement was a routed (VTI) IKEv2 VPN.
This is a relatively new feature on the ASA: VTI support was introduced for IKEv1 two years ago and for IKEv2 last year, at the time of writing this blog post.
I had to make a lot of small changes to get it working, so here it is as a reference.
This is an example of the configuration:

```
! IKEv2 phase-1 policy
crypto ikev2 policy 60
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 3600
!
! Group policy and tunnel group for the Azure peer (1.1.1.1)
group-policy 1.1.1.1 internal
group-policy 1.1.1.1 attributes
 vpn-tunnel-protocol ikev2
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy 1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
 peer-id-validate nocheck
 isakmp keepalive threshold 10 retry 2
 ikev2 remote-authentication pre-shared-key ****
 ikev2 local-authentication pre-shared-key ****
!
! IPsec (phase-2) proposal and the profile applied to the VTI
crypto ipsec ikev2 ipsec-proposal Azure-Ipsec-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile Azure-Ipsec-PROF
 set ikev2 ipsec-proposal Azure-Ipsec-PROP
!
! Virtual tunnel interface; the address comes from 169.254.x.x, not from the Azure subnet
interface Tunnel1
 nameif AZURE-VTI01
 ip address 169.254.220.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Azure-Ipsec-PROF
!
! Static route for the Azure subnet through the VTI
route AZURE-VTI01 172.16.0.0 255.255.255.0 169.254.220.2 1
!
! Inbound ACL on the VTI
object-group network SUBNET_AZURE
 network-object 172.16.0.0 255.255.255.0
access-list AZURE-VTI01_ACL extended permit tcp object-group SUBNET_AZURE object INTERNAL_SUBNET eq https
access-group AZURE-VTI01_ACL in interface AZURE-VTI01
!
! NAT: 'any' is used because the VTI cannot be named here
nat (inside,any) 1 source static INTERNAL_SUBNET INTERNAL_SUBNET_NAT destination static SUBNET_AZURE SUBNET_AZURE
!
! Global IPsec and MSS tuning
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto ipsec inner-routing-lookup
sysopt connection tcpmss 1300
sysopt connection preserve-vpn-flows
```
The NAT statement uses "any" as the egress interface because you cannot reference the AZURE-VTI01 interface directly in a NAT statement, as it is a virtual interface.
The IP on the tunnel interface is arbitrary and Azure accepts it, but if you choose an IP from the Azure subnet for the VTI it will not work. So I had to use an address from the 169.254.x.x range.
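As an added example (not part of the original post), here is a small Python lint that checks an ASA config text for the two pitfalls above, plus a default-group-policy that points at a group-policy which does not exist; the config sample inside it is constructed, and the function name is my own.

```python
import ipaddress
import re

# Constructed sample in the same shape as the post's config (not a real device dump).
SAMPLE_CONFIG = """\
interface Tunnel1
 nameif AZURE-VTI01
 ip address 169.254.220.1 255.255.255.252
group-policy 1.1.1.1 internal
tunnel-group 1.1.1.1 general-attributes
 default-group-policy 1.1.1.1
object-group network SUBNET_AZURE
 network-object 172.16.0.0 255.255.255.0
nat (inside,any) 1 source static INTERNAL_SUBNET INTERNAL_SUBNET_NAT destination static SUBNET_AZURE SUBNET_AZURE
"""

def lint_vti_config(config: str) -> list[str]:
    """Return findings for the VTI pitfalls described above; an empty list means clean."""
    findings = []
    vti_names, vti_addrs = [], []
    in_tunnel = False
    for line in config.splitlines():
        # Only 'interface TunnelN' blocks are VTIs; other interfaces are ignored.
        if line.startswith("interface "):
            in_tunnel = line.split()[1].startswith("Tunnel")
        elif line.startswith(" ") and in_tunnel:
            words = line.split()
            if words[0] == "nameif":
                vti_names.append(words[1])
            elif words[:2] == ["ip", "address"]:
                vti_addrs.append(ipaddress.ip_address(words[2]))
        elif not line.startswith(" "):
            in_tunnel = False
    # 1. NAT must not name the VTI interface; the post uses 'any' on that side instead.
    for a, b in re.findall(r"^nat \((\S+),(\S+)\)", config, re.M):
        for side in (a, b):
            if side in vti_names:
                findings.append(f"nat statement references VTI {side}; use 'any'")
    # 2. The VTI address must not fall inside a subnet reached through the tunnel
    #    (the numeric match skips 'network-object host x.x.x.x' entries).
    for net, mask in re.findall(r"^\s*network-object (\d\S*) (\S+)$", config, re.M):
        for addr in vti_addrs:
            if addr in ipaddress.ip_network(f"{net}/{mask}"):
                findings.append(f"VTI address {addr} lies inside remote subnet {net}/{mask}")
    # 3. default-group-policy must name a group-policy that actually exists.
    policies = set(re.findall(r"^group-policy (\S+) internal$", config, re.M))
    for gp in re.findall(r"^\s*default-group-policy (\S+)$", config, re.M):
        if gp not in policies:
            findings.append(f"default-group-policy {gp} is not a defined group-policy")
    return findings
```

Run it over the output of `show running-config` saved to a file; each finding names the line that needs changing.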
After that, this is how you check and validate each part:

```
ciscoasa# sh crypto ikev2 sa detail

Session-id:9, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id   Local              Remote           Status   Role
491061861   2.2.2.2/500        1.1.1.1/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 3600/3343 sec
      Session-id: 9
      Status Description: Negotiation done
      Local spi:                       Remote spi:
      Local id: 1.1.1.1
      Remote id: 2.2.2.2
      Local req mess id: 4             Remote req mess id: 1655
      Local next mess id: 4            Remote next mess id: 1655
      Local req queued: 4              Remote req queued: 1655
      Local window: 1                  Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
      IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes

ciscoasa# sh crypto ipsec sa peer 1.1.1.1
peer address: 1.1.1.1
    Crypto map tag: __vti-crypto-map-8-0-1, seq num: 65280, local addr: 2.2.2.2

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 27, #pkts encrypt: 2724, #pkts digest: 27
      #pkts decaps: 10, #pkts decrypt: 10362, #pkts verify: 10

ciscoasa# show route
S    172.16.0.0 255.255.255.0 [1/0] via 169.254.220.2, AZURE-VTI01

ciscoasa# cap cap interface AZURE-VTI01 real-time match ip any any
ciscoasa# no cap cap
ciscoasa# show nat
ciscoasa# show xlate
ciscoasa# show access-list AZURE-VTI01_ACL
```
These things are not straightforward and not well documented, but I hope Microsoft will improve on that in the future.
And that's all. Keep it as an example; I hope it helps 🙂