Saturday, April 4, 2020

Cisco ISR 4331 Not Honoring Tunnel IPsec Profile?

Hi all, I have a strange problem that I'm hoping to get some input on.

I have a bunch of Azure subscriptions, and a bunch of different pieces of equipment making tunnels to them from different physical locations. Over the last month I've been upgrading all tunnels from the default Azure IKEv2/IPsec configuration to meet a particular security standard. I do this with a custom Azure IPsec Policy.

The default:

IPsecEncryption: AES256
IPsecIntegrity: SHA256
IkeEncryption: AES256
IkeIntegrity: SHA96
DhGroup: DHGroup2
PfsGroup: None

My new policy:

IPsecEncryption: AES256
IPsecIntegrity: SHA256
IkeEncryption: AES256
IkeIntegrity: ECP256 (this is how Azure refers to group 19)
DhGroup: ECP256 (group 19)
PfsGroup: ECP256 (group 19)

So far, I have completed this upgrade successfully with about 10 tunnels, mostly with Cisco ASAs, but also some Ubiquiti EdgeRouters, and one Ubiquiti USG. It's been easy and smooth.

Now, I'm trying to configure the same thing with a Cisco ISR 4331. The problem I'm running into is that the ISR doesn't seem to be honoring my new "tunnel protection ipsec profile."

I have configured the below on my ISR, and then I put the custom IPsec policy in place on the Azure side. The tunnel drops. If I remove the custom IPsec policy from Azure, but LEAVE THE CONFIGURATION ON THE ISR, the tunnel establishes... using the old default settings. How is this possible?

-----------------------------------------------------

! IKEv2 keyring: pre-shared key for the Azure peer
crypto ikev2 keyring MyKeyRing
 peer <MyPeerIPAddy>
  address <MyPeerIPAddy>
  pre-shared-key <MyPresharedKey>
!
! IKEv2 (phase 1) algorithms the router should offer
crypto ikev2 proposal MyIkeV2Proposal
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy MyIkeV2Policy
 proposal MyIkeV2Proposal
!
crypto ikev2 profile MyIkeV2Profile
 match identity remote address <Remote Address> <RemoteMask>
 authentication remote pre-share
 authentication local pre-share
 keyring local MyKeyRing
!
! IPsec (child SA) algorithms and PFS group
crypto ipsec transform-set MyTransformSet esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPsecProfileName
 set transform-set MyTransformSet
 set pfs group19
 set ikev2-profile MyIkeV2Profile
!
interface TunnelXX
 description VPN Tunnel to Microsoft Azure Subscription 1
 ip address <IP> <Subnet Mask>
 ip tcp adjust-mss 1350
 tunnel source <My external Interface>
 tunnel mode ipsec ipv4
 tunnel destination <My Azure gateway>
 tunnel protection ipsec profile IPsecProfileName

-------------------------------------------------

If I run "show crypto ikev2 sa" and "show crypto ipsec sa" I see the tunnel established with the old crypto settings. How is this possible when I have configured my new IPsec profile with "tunnel protection ipsec profile MynewStuff"??? Is the ISR allowed to ignore that if something is wrong? I'm very confused. Am I missing a step here? I have tried clearing the SAs after reapplying the custom IPsec policy in Azure, but the tunnel just won't establish until I remove it and allow it to use the defaults, which the ISR should see as a mismatch.

I'm on IOS XE 16.09.05. Very grateful for any help or insight you might have. Thanks.
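The situation above is ultimately a question of whether the parameter sets on the two ends intersect, so here is a small checker that translates an Azure IPsec/IKE policy into IOS XE keywords and compares it with what the router config actually offers. This is an added example for this post, not code from the original page or from Cisco or Microsoft. The Azure-to-IOS name mapping is an assumption built from the parameter values listed in the post; the router config and the two policies are constructed from the post (Azure's IkeIntegrity parameter takes a hash or AEAD algorithm, so the new-policy sample uses SHA256 there).

```python
"""Cross-check an Azure IPsec/IKE policy against the parameters an IOS XE
router actually offers, to see whether the two sides can negotiate at all.

Added example for this post, not code from the original page. The name
mapping below is an assumption built from the parameter values the post
lists; the sample config and policies are constructed from the post.
"""
import re

# Azure policy values -> IOS XE keywords (assumed mapping; extend as needed).
AZURE_TO_IOS = {
    "IkeEncryption": {"AES256": "aes-cbc-256", "AES192": "aes-cbc-192",
                      "AES128": "aes-cbc-128", "DES3": "3des"},
    # Azure's SHA96 is HMAC-SHA1 with a 96-bit ICV, which IOS calls sha1.
    "IkeIntegrity": {"SHA96": "sha1", "SHA1": "sha1", "SHA256": "sha256",
                     "SHA384": "sha384", "MD5": "md5"},
    "DhGroup": {"DHGroup2": "2", "DHGroup14": "14", "DHGroup24": "24",
                "ECP256": "19", "ECP384": "20"},
    "PfsGroup": {"None": None, "PFS2": "group2", "PFS14": "group14",
                 "PFS24": "group24", "ECP256": "group19", "ECP384": "group20"},
    "IpsecEncryption": {"AES256": "esp-aes 256", "AES192": "esp-aes 192",
                        "AES128": "esp-aes 128", "DES3": "esp-3des"},
    "IpsecIntegrity": {"SHA1": "esp-sha-hmac", "SHA256": "esp-sha256-hmac",
                       "MD5": "esp-md5-hmac"},
}

# Constructed from the router config in the post (placeholders omitted).
ISR_CONFIG = """\
crypto ikev2 proposal MyIkeV2Proposal
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy MyIkeV2Policy
 proposal MyIkeV2Proposal
crypto ipsec transform-set MyTransformSet esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPsecProfileName
 set transform-set MyTransformSet
 set pfs group19
 set ikev2-profile MyIkeV2Profile
"""

# Constructed from the two Azure policies in the post. Azure's IkeIntegrity
# takes a hash/AEAD algorithm, so the new policy uses SHA256 there.
AZURE_DEFAULT = {"IkeEncryption": "AES256", "IkeIntegrity": "SHA96",
                 "DhGroup": "DHGroup2", "PfsGroup": "None",
                 "IpsecEncryption": "AES256", "IpsecIntegrity": "SHA256"}
AZURE_NEW = {"IkeEncryption": "AES256", "IkeIntegrity": "SHA256",
             "DhGroup": "ECP256", "PfsGroup": "ECP256",
             "IpsecEncryption": "AES256", "IpsecIntegrity": "SHA256"}


def parse_ios(config):
    """Collect every value the router could offer, per negotiable parameter."""
    ios = {k: set() for k in AZURE_TO_IOS}
    for key, pat in (("IkeEncryption", r"^\s*encryption\s+(.+)$"),
                     ("IkeIntegrity", r"^\s*integrity\s+(.+)$"),
                     ("DhGroup", r"^\s*group\s+(.+)$"),
                     ("PfsGroup", r"^\s*set pfs\s+(.+)$")):
        for m in re.finditer(pat, config, re.M):
            ios[key].update(m.group(1).split())
    # Transform-set line: "esp-aes 256" is one cipher token plus key size,
    # "*-hmac" tokens are integrity, anything else is a cipher.
    for m in re.finditer(r"^\s*crypto ipsec transform-set \S+\s+(.+)$",
                         config, re.M):
        toks = m.group(1).split()
        while toks:
            tok = toks.pop(0)
            if tok == "esp-aes" and toks and toks[0].isdigit():
                ios["IpsecEncryption"].add(f"esp-aes {toks.pop(0)}")
            elif tok.endswith("-hmac"):
                ios["IpsecIntegrity"].add(tok)
            else:
                ios["IpsecEncryption"].add(tok)
    return ios


def check(azure_policy, ios):
    """Return (parameter, azure value, what the ISR offers) for each mismatch."""
    problems = []
    for param, value in azure_policy.items():
        if value not in AZURE_TO_IOS[param]:
            problems.append((param, value, "no known IOS equivalent"))
            continue
        want = AZURE_TO_IOS[param][value]
        offered = ios[param]
        if want is None:                    # Azure side: no PFS at all
            if offered:
                problems.append((param, value, f"ISR sets pfs {sorted(offered)}"))
        elif want not in offered:
            problems.append((param, value, f"ISR offers {sorted(offered)}"))
    return problems


if __name__ == "__main__":
    isr = parse_ios(ISR_CONFIG)
    for name, pol in (("default", AZURE_DEFAULT), ("new", AZURE_NEW)):
        mismatches = check(pol, isr)
        print(f"Azure {name} policy vs ISR: "
              + ("compatible" if not mismatches
                 else f"{len(mismatches)} mismatch(es)"))
        for p in mismatches:
            print("  ", *p)
```

Run against the posted config, the Azure default policy fails on three parameters (IKE integrity, DH group and PFS) while the new policy is fully compatible, which matches the expectation in the post that the router should reject the defaults. When a tunnel nevertheless comes up on parameters the configured proposal does not contain, the thing to check is whether any other proposal or policy is active on the box: IOS XE ships a built-in `default` IKEv2 proposal and `default` IKEv2 policy that remain in effect unless disabled with `no crypto ikev2 proposal default` and `no crypto ikev2 policy default`, and their contents vary by release. `show crypto ikev2 proposal` and `show crypto ikev2 policy` list everything the router will offer or accept, and `show crypto ikev2 sa detailed` shows which algorithms and DH group were actually negotiated for the live SA.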
