This is killing me.
I've gotten IKEv2 working, but the tunnel interface won't come up and I can't pass
It could be my ignorance of routing in general. BGP errors show no route to the remote IP. IKEv2 shows up, IPsec shows nothing. Azure shows connected...
Hopefully all relevant configuration:
interface Tunnel1
 nameif VPN-AZURE-USCEN1
 ip address 10.255.255.1 255.255.255.254
 tunnel source interface outside
 tunnel destination AZURE_PUB_IP
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZURE_PROFILE
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network azure_uscen1
 subnet 172.29.0.0 255.255.255.0
object network obj_tun1_subnet
 subnet 10.255.255.0 255.255.255.0
access-list Azure-USCEN-ACL extended permit ip object obj_tun1_subnet object azure_uscen1
nat (inside,outside) source static obj_any obj_any destination static azure_uscen1 azure_uscen1 no-proxy-arp route-lookup
router bgp 65500
 bgp log-neighbor-changes
 bgp graceful-restart
 bgp router-id 10.255.255.1
 address-family ipv4 unicast
  neighbor 172.29.0.254 remote-as 65515
  neighbor 172.29.0.254 ebgp-multihop 255
  neighbor 172.29.0.254 activate
  network 10.255.255.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
route VPN-AZURE-USCEN1 172.29.0.254 255.255.255.255 AZURE_PUB_IP 1
crypto ipsec ikev2 ipsec-proposal AZURE_PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile AZURE_PROFILE
 set security-association lifetime seconds 3600
crypto map outside_map 100 match address Azure-USCEN-ACL
crypto map outside_map 100 set peer AZURE_PUB_IP
crypto map outside_map 100 set ikev2 ipsec-proposal AZURE_PROP
crypto map outside_map 100 set security-association lifetime seconds 3600
crypto map outside_map 100 set nat-t-disable
crypto map outside_map 100 set ikev2 pre-shared-key *****
crypto map outside_map interface outside
crypto ikev2 policy 100
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ikev2 enable outside
group-policy AzureGroupPolicy internal
group-policy AzureGroupPolicy attributes
 vpn-tunnel-protocol ikev2
tunnel-group AZURE_PUB_IP type ipsec-l2l
tunnel-group AZURE_PUB_IP general-attributes
 default-group-policy AzureGroupPolicy
tunnel-group AZURE_PUB_IP ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
no tunnel-group-map enable peer-ip
tunnel-group-map default-group AZURE_PUB_IP
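As an added example (not part of the post above), here is a small Python checker that parses an ASA configuration in the form posted and flags the three things in it that contradict Cisco's guidelines for route-based (VTI) tunnels: a crypto map bound to the VTI's source interface with the same peer as the tunnel destination (Cisco allows a crypto map and a VTI on one physical interface only when their peers differ), an IPsec profile that carries no "set ikev2 ipsec-proposal" for the child SA, and a static route over the VTI whose next hop is the public tunnel endpoint rather than the peer's tunnel-side address. The two sample configs are constructed from the posted lines; the AZURE_PUB_IP placeholder is kept as-is, and the 10.255.255.0 next hop in the corrected variant is an assumption (the other address of the posted /31).

```python
"""Lint an ASA route-based (VTI) IPsec config for the mismatches that keep the
tunnel interface down. Added example: sample inputs are constructed from the
posted configuration and the checks follow Cisco's ASA VTI guidelines."""

# Trimmed copy of the posted config (constructed sample; AZURE_PUB_IP kept as a placeholder).
POSTED_CONFIG = """
interface Tunnel1
 nameif VPN-AZURE-USCEN1
 tunnel source interface outside
 tunnel destination AZURE_PUB_IP
 tunnel protection ipsec profile AZURE_PROFILE
route VPN-AZURE-USCEN1 172.29.0.254 255.255.255.255 AZURE_PUB_IP 1
crypto ipsec profile AZURE_PROFILE
 set security-association lifetime seconds 3600
crypto map outside_map 100 set peer AZURE_PUB_IP
crypto map outside_map 100 set ikev2 ipsec-proposal AZURE_PROP
crypto map outside_map interface outside
"""

# Same VTI with the crypto map dropped, the profile given its proposal, and the route's
# next hop moved to the peer's tunnel-side address (assumed 10.255.255.0, other half of the /31).
FIXED_CONFIG = """
interface Tunnel1
 nameif VPN-AZURE-USCEN1
 tunnel source interface outside
 tunnel destination AZURE_PUB_IP
 tunnel protection ipsec profile AZURE_PROFILE
route VPN-AZURE-USCEN1 172.29.0.254 255.255.255.255 10.255.255.0 1
crypto ipsec profile AZURE_PROFILE
 set ikev2 ipsec-proposal AZURE_PROP
 set security-association lifetime seconds 3600
"""

# First tokens that always open a new top-level context in ASA config output.
TOP_LEVEL = {"interface", "object", "router", "crypto", "group-policy",
             "tunnel-group", "access-list", "nat", "route"}


def parse_asa(text):
    """Token-based parse (indentation not required); returns a dict model of the VPN pieces."""
    m = {"vtis": {}, "profiles": {}, "map_peers": {}, "map_ifaces": {}, "routes": []}
    ctx = None  # ("vti", name), ("profile", name) or None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] in TOP_LEVEL:
            ctx = None
        if tok[0] == "interface":
            m["vtis"][tok[1]] = {"nameif": None, "source": None, "dest": None, "profile": None}
            ctx = ("vti", tok[1])
        elif tok[:3] == ["crypto", "ipsec", "profile"]:
            m["profiles"][tok[3]] = None          # proposal filled in by "set ikev2 ipsec-proposal"
            ctx = ("profile", tok[3])
        elif tok[:2] == ["crypto", "map"] and tok[3] == "interface":
            m["map_ifaces"][tok[2]] = tok[4]      # map name -> physical interface it is bound to
        elif tok[:2] == ["crypto", "map"]:
            key = (tok[2], int(tok[3]))           # (map name, sequence) -> peer address
            m["map_peers"].setdefault(key, None)
            if tok[4:6] == ["set", "peer"]:
                m["map_peers"][key] = tok[6]
        elif tok[0] == "route":
            m["routes"].append(tuple(tok[1:5]))   # (nameif, network, mask, gateway)
        elif ctx and ctx[0] == "vti":
            v = m["vtis"][ctx[1]]
            if tok[0] == "nameif":
                v["nameif"] = tok[1]
            elif tok[:3] == ["tunnel", "source", "interface"]:
                v["source"] = tok[3]
            elif tok[:2] == ["tunnel", "destination"]:
                v["dest"] = tok[2]
            elif tok[:4] == ["tunnel", "protection", "ipsec", "profile"]:
                v["profile"] = tok[4]
        elif ctx and ctx[0] == "profile" and tok[:3] == ["set", "ikev2", "ipsec-proposal"]:
            m["profiles"][ctx[1]] = tok[3]
    return m


def lint(m):
    """Return (severity, message) findings for every tunnel interface in the parsed model."""
    out = []
    for name, v in m["vtis"].items():
        if not v["dest"]:
            continue  # physical interface, not a VTI
        # A crypto map may share the VTI's physical interface only if it targets a different peer.
        for (mapname, seq), peer in m["map_peers"].items():
            if m["map_ifaces"].get(mapname) == v["source"] and peer == v["dest"]:
                out.append(("error", f"{name}: crypto map {mapname} {seq} on {v['source']} "
                                     f"uses the VTI's own tunnel destination {peer} as its peer"))
        # The protection profile must name the IKEv2 ipsec-proposal the child SA is negotiated from.
        if v["profile"] not in m["profiles"]:
            out.append(("error", f"{name}: ipsec profile {v['profile']} is not defined"))
        elif m["profiles"][v["profile"]] is None:
            out.append(("error", f"{name}: ipsec profile {v['profile']} has no 'set ikev2 ipsec-proposal'"))
        # A route over the VTI should use the peer's tunnel-side address, not the public endpoint.
        for iface, net, _mask, gw in m["routes"]:
            if iface == v["nameif"] and gw == v["dest"]:
                out.append(("warn", f"{name}: route to {net} via {iface} uses the tunnel "
                                    f"destination {gw} as next hop"))
    return out
```

Calling lint(parse_asa(POSTED_CONFIG)) returns two errors (the shared-peer crypto map and the proposal-less profile) and one warning (the route's next hop); the same call on FIXED_CONFIG returns an empty list. The parser keys on the first tokens of each line rather than on indentation, so it accepts the flat paste above as well as real "show running-config" output.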