Forum Discussion

Leonardo Almeida
Copper Contributor
Feb 14, 2018
Solved

Azure VPN with Cisco ASA 5545

Hello everyone!

I hope you can help. I have a partner who just set up the VPN on the Azure portal to the Cisco ASA 5545; he used the script template provided by Microsoft to configure the VPN from Azure to our office.

However, when I close the tunnel, an error message is displayed on the Azure side.

The connection cannot establish due to security policy (IPsec/IKE) policy mismatch

On the Cisco ASA firewall side, the following message is displayed:

IKEv2 Tunnel rejected: Crypto Map Policy not found for the remote traffic selector 0.0.0.0/255.255.255.255

Any assistance would be great.

Sincerely,

Leonardo Fogaça de Almeida

  • Hi Dave.

    I opened a call with Microsoft and customized the PowerShell commands for my customer's Cisco.
    I ran the following PowerShell commands:

    # Custom IPsec/IKE policy that matches the ASA proposals:
    # IKE (phase 1) AES256 / SHA1 / DH group 2; IPsec (phase 2) AES256 / SHA1, no PFS,
    # SA lifetime 3600 s and 102400000 KB
    $ipsecpolicy6 = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup None -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000

    # Resource names (redacted in the original post)
    $GWName1 = "xxxxxxx"
    $RG1 = "xxxxx"
    $LNGName6 = "xxxxx"
    $Connection16 = "xxxxx"
    $Location1 = "xxxxx"

    # Existing VNet gateway and the local network gateway that represents the ASA
    $vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
    $lng6 = Get-AzureRmLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1

    # -UsePolicyBasedTrafficSelectors $True makes the route-based gateway negotiate prefix-based
    # traffic selectors (the local network gateway prefixes <-> VNet prefixes) instead of 0.0.0.0/0,
    # which is what a crypto-map (policy-based) ASA peer expects
    New-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy6 -SharedKey 'xxxxx'

    These were the policies required on my customer's Cisco ASA 5545 running Software Version 9.6(2):

    "saLifeTimeSeconds": 3600          (this is phase 2, or what you should configure in the Crypto Map settings; on the Cisco ASA 5545 it is represented as 1:00:00)
    "saDataSizeKilobytes": 102400000
    "ipsecEncryption": "AES256"
    "ipsecIntegrity": "SHA1"
    "ikeEncryption": "AES256"
    "ikeIntegrity": "SHA1"
    "dhGroup": "DH-2"
    "pfsGroup": "NO PFS"

    Phase 1 lifetime seconds is 28800 (this is phase 1, which should be configured on the ASA under your IKEv2 policy).

    Thanks to Daniel Pires from  for helping me figure this out!

    I hope it helps you.

    Sincerely,

    Leonardo Fogaça de Almeida 
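The ASA side of the same negotiation, added here as an example; it is not from the original thread, from Microsoft's script template, or from the poster's customer configuration. It is a crypto-map (policy-based) IKEv2 configuration in ASA 9.x syntax whose proposals match the Azure policy listed in the answer above (IKE AES256/SHA1/DH2 with a 28800 s lifetime; ESP AES256/SHA1, no PFS, 3600 s / 102400000 KB). The interface name `outside`, the Azure gateway address 203.0.113.10, the 10.10.0.0/16 and 10.20.0.0/16 prefixes, the object, ACL, proposal and map names, and the pre-shared key are all placeholders.

```cisco
! IKEv2 phase 1: must match ikeEncryption / ikeIntegrity / dhGroup and the 28800 s phase-1 lifetime
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ikev2 enable outside

! IKEv2 phase 2 (IPsec) proposal: must match ipsecEncryption / ipsecIntegrity
crypto ipsec ikev2 ipsec-proposal AZURE-AES256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1

! Traffic selectors (assumed prefixes: 10.10.0.0/16 on premises, 10.20.0.0/16 in the VNet).
! The ACL is what the ASA offers as TSi/TSr. Azure only proposes matching prefixes when the
! connection was created with -UsePolicyBasedTrafficSelectors $True; a plain route-based
! connection proposes 0.0.0.0/0, and the ASA then logs
! "Crypto Map Policy not found for the remote traffic selector 0.0.0.0/255.255.255.255".
object-group network ONPREM-NETS
 network-object 10.10.0.0 255.255.0.0
object-group network AZURE-VNET-NETS
 network-object 10.20.0.0 255.255.0.0
access-list AZURE-VPN-ACL extended permit ip object-group ONPREM-NETS object-group AZURE-VNET-NETS

! Exempt the tunnel traffic from NAT (only needed if the ASA NATs traffic leaving "outside")
nat (inside,outside) source static ONPREM-NETS ONPREM-NETS destination static AZURE-VNET-NETS AZURE-VNET-NETS no-proxy-arp route-lookup

! Crypto map entry. No "set pfs" line corresponds to pfsGroup None.
! The lifetimes are set to the same values as saLifeTimeSeconds / saDataSizeKilobytes.
crypto map OUTSIDE-MAP 10 match address AZURE-VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AZURE-AES256-SHA1
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP 10 set security-association lifetime kilobytes 102400000
crypto map OUTSIDE-MAP interface outside

! Peer authentication: the same pre-shared key as -SharedKey on the Azure connection (placeholder)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key xxxxx
 ikev2 local-authentication pre-shared-key xxxxx
```

After applying it, `show crypto ikev2 sa` should show the IKE SA with the peer and `show crypto ipsec sa` a child SA per ACL entry; `debug crypto ikev2 protocol` shows which proposal or traffic selector the ASA rejects if the Azure side still reports a policy mismatch. SHA1 and DH group 2 are kept here only because they are what the thread's ASA 9.6(2) used; on newer code both Azure and the ASA accept SHA256 and DH group 14, which is the better choice for a new tunnel.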
