Hi all, I have a strange problem that I'm hoping to get some input on.
I have a bunch of Azure subscriptions, and a bunch of different pieces of equipment making tunnels to them from different physical locations. Over the last month I've been upgrading all tunnels from the default Azure IKEv2/IPsec configuration to meet a particular security standard. I do this with a custom Azure IPsec Policy.
The default:
IPsecEncryption: AES256
IPsecIntegrity: SHA256
IkeEncryption: AES256
IkeIntegrity: SHA96
DhGroup: DHGroup2
PfsGroup: None
My new policy:
IPsecEncryption: AES256
IPsecIntegrity: SHA256
IkeEncryption: AES256
IkeIntegrity: ECP256 (this is how Azure refers to group 19)
DhGroup: ECP256 (group 19)
PfsGroup: ECP256 (group 19)
So far, I have completed this upgrade successfully with about 10 tunnels, mostly with Cisco ASAs, but also some Ubiquiti EdgeRouters, and one Ubiquiti USG. It's been easy and smooth.
Now, I'm trying to configure the same thing with a Cisco ISR 4331. The problem I'm running into is that the ISR doesn't seem to be honoring my new "tunnel protection ipsec profile."
I have configured the below on my ISR, and then I put the custom IPsec policy in place on the Azure side. The tunnel drops. If I remove the custom IPsec policy from Azure, but LEAVE THE CONFIGURATION ON THE ISR, the tunnel establishes... using the old default settings. How is this possible?
-----------------------------------------------------
! Route-based VTI tunnel to the Azure VPN gateway
interface TunnelXX
 description VPN Tunnel to Microsoft Azure Subscription 1
 ip address <IP> <Subnet Mask>
 ip tcp adjust-mss 1350
 tunnel source <My external Interface>
 tunnel mode ipsec ipv4
 tunnel destination <My Azure gateway>
 tunnel protection ipsec profile IPsecProfileName
!
! IPsec (child SA) settings: transform set, PFS group and the IKEv2 profile to use
crypto ipsec profile IPsecProfileName
 set transform-set MyTransformSet
 set pfs group19
 set ikev2-profile MyIkeV2Profile
!
crypto ipsec transform-set MyTransformSet esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! IKEv2 profile: peer identity, PSK authentication both ways, keyring
crypto ikev2 profile MyIkeV2Profile
 match identity remote address <Remote Address> <Remote Mask>
 authentication remote pre-share
 authentication local pre-share
 keyring local MyKeyRing
!
crypto ikev2 keyring MyKeyRing
 peer <MyPeerIPAddy>
  address <MyPeerIPAddy>
  pre-shared-key <MyPresharedKey>
!
! IKE SA (phase 1) algorithms: AES-256-CBC, HMAC-SHA-256, DH group 19
crypto ikev2 proposal MyIkeV2Proposal
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy MyIkeV2Policy
 proposal MyIkeV2Proposal
-------------------------------------------------
If I run "show crypto ikev2 sa" and "show crypto ipsec sa" I see the tunnel established with the old crypto settings. How is this possible when I have configured my new IPsec profile with "tunnel protection ipsec profile MynewStuff"? Is the ISR allowed to ignore that if something is wrong? I'm very confused. Am I missing a step here? I have tried clearing the SAs after reapplying the custom IPsec profile in Azure, but the tunnel just won't establish until I remove it and allow it to use the defaults, which the ISR should see as a mismatch.
I'm on IOS XE 16.09.05. Very grateful for any help or insight you might have. Thanks.
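The following is an added worked example, not code from the post or from Cisco or Microsoft. It models IKEv2 proposal selection (RFC 7296, section 2.7) between the two Azure policies listed above and the ISR's IKEv2 proposals, and checks the child SA settings against the transform set and `set pfs group19`. Assumptions: the mapping of Azure policy names to the names IOS XE prints in `show crypto ikev2 sa`, the contents of the IOS XE built-in `default` IKEv2 proposal, and SHA256 as the custom policy's IkeIntegrity (Azure's IkeIntegrity parameter takes a hash algorithm, so a DH group name cannot be what is actually configured there). The third case the script runs shows what the IKE SA would look like if the router were still offering its built-in default proposal alongside the named one and the peer sent the older parameters; that is one mechanism to rule out with `show crypto ikev2 policy` and `show crypto ikev2 proposal` on the router, not a diagnosis of this particular tunnel.

```python
"""IKEv2 proposal matching between an Azure VPN gateway IPsec policy and a
Cisco IOS XE IKEv2 proposal set.

Constructed example, not code from the post or from Cisco/Microsoft. The
Azure-to-IOS algorithm name mapping and the contents of the IOS XE built-in
'default' IKEv2 proposal are assumptions; confirm the latter on the router
with 'show crypto ikev2 proposal' and 'show crypto ikev2 policy'.
"""

# Azure policy value -> name IOS XE uses in 'show crypto ikev2 sa' (assumed mapping).
AZURE_TO_IOS = {
    "AES256": "aes-cbc-256",   # Azure's AES256 for IKE is AES-CBC
    "SHA256": "sha256",
    "SHA96": "sha1",           # Azure SHA96 = HMAC-SHA1-96; IOS keyword sha1
    "DHGroup2": "group2",
    "ECP256": "group19",
    "None": None,
}

# Azure policies from the post. The custom policy's IkeIntegrity is assumed
# to be SHA256: that parameter takes a hash algorithm, not a DH group.
AZURE_DEFAULT = {"IkeEncryption": "AES256", "IkeIntegrity": "SHA96", "DhGroup": "DHGroup2",
                 "IPsecEncryption": "AES256", "IPsecIntegrity": "SHA256", "PfsGroup": "None"}
AZURE_CUSTOM = {"IkeEncryption": "AES256", "IkeIntegrity": "SHA256", "DhGroup": "ECP256",
                "IPsecEncryption": "AES256", "IPsecIntegrity": "SHA256", "PfsGroup": "ECP256"}

# IOS XE IKEv2 proposals as (name, transforms); list order = local preference.
ISR_NAMED = ("MyIkeV2Proposal",
             {"encr": ["aes-cbc-256"], "integ": ["sha256"], "dh": ["group19"]})
# Assumed contents of the built-in proposal that 'crypto ikev2 policy default' offers.
IOS_DEFAULT = ("default",
               {"encr": ["aes-cbc-256", "aes-cbc-192", "aes-cbc-128"],
                "integ": ["sha512", "sha384", "sha256", "sha1", "md5"],
                "dh": ["group5", "group2"]})


def azure_ike_proposal(policy):
    """An Azure policy offers exactly one transform of each type."""
    return ("azure", {"encr": [AZURE_TO_IOS[policy["IkeEncryption"]]],
                      "integ": [AZURE_TO_IOS[policy["IkeIntegrity"]]],
                      "dh": [AZURE_TO_IOS[policy["DhGroup"]]]})


def negotiate_ike(initiator_proposals, responder_proposals):
    """RFC 7296 section 2.7 responder logic: walk the initiator's proposals in
    order and accept the first one from which one transform of every type can
    be chosen. Returns (local_proposal_name, chosen) or None (NO_PROPOSAL_CHOSEN)."""
    for _, offered in initiator_proposals:
        for name, local in responder_proposals:
            chosen = {}
            for ttype in ("encr", "integ", "dh"):
                common = [alg for alg in local[ttype] if alg in offered[ttype]]
                if not common:
                    break
                chosen[ttype] = common[0]   # responder's own preference order wins
            else:
                return name, chosen
    return None


# Azure child SA values -> IOS transform-set keywords (assumed mapping).
ESP_NAMES = {"AES256": "esp-aes 256", "SHA256": "esp-sha256-hmac"}


def check_child_sa(policy, transform_set, pfs_group):
    """Compare the Azure IPsec settings with an IOS transform set and 'set pfs'.
    Returns a list of mismatch descriptions (empty list = compatible). PFS is
    only negotiated on CREATE_CHILD_SA rekeys, so a PFS mismatch surfaces at
    rekey time rather than when the tunnel first comes up."""
    problems = []
    for key in ("IPsecEncryption", "IPsecIntegrity"):
        if ESP_NAMES[policy[key]] not in transform_set:
            problems.append(f"{key}: Azure {policy[key]} not in {transform_set}")
    azure_pfs = AZURE_TO_IOS[policy["PfsGroup"]]
    if azure_pfs != pfs_group:
        problems.append(f"PFS: Azure {azure_pfs} vs IOS {pfs_group} (seen at child SA rekey)")
    return problems


if __name__ == "__main__":
    transform_set = ("esp-aes 256", "esp-sha256-hmac")
    for label, policy in (("Azure default", AZURE_DEFAULT), ("Azure custom", AZURE_CUSTOM)):
        for offered_by_isr in ([ISR_NAMED], [ISR_NAMED, IOS_DEFAULT]):
            names = "+".join(n for n, _ in offered_by_isr)
            ike = negotiate_ike([azure_ike_proposal(policy)], offered_by_isr)
            print(f"{label:13} vs ISR {names:27} IKE SA: {ike}")
        print(f"{label:13} child SA problems: {check_child_sa(policy, transform_set, 'group19')}")
```

Run as-is, the script reports that the Azure default policy cannot form an IKE SA against MyIkeV2Proposal alone (SHA96 and group 2 are not offered), but does form one on sha1/group2 if the built-in default proposal is also on offer; the custom policy matches the named proposal on aes-cbc-256/sha256/group19, and the only child SA discrepancy flagged is PFS None versus group19 for the default policy, which would only show up at rekey.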