Forum Discussion
Azure VPN with Cisco ASA 5545
- Feb 26, 2018
Hi Dave.
I opened a call at Microsoft and customized the PowerShell commands with my customer's Cisco.
I ran the following PowerShell commands:
$ipsecpolicy6 = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup None -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000
$GWName1 = "xxxxxxx"
$RG1 = "xxxxx"
$LNGName6 = "xxxxx"
$Connection16 = "xxxxx"
$Location1 = "xxxxx"
$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng6 = Get-AzureRmLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy6 -SharedKey 'xxxxx'
These were the policies required on my customer's Cisco ASA 5545 running Software Version 9.6 (2):
"saLifeTimeSeconds": 3600, (This is phase 2, or what you should configure in Crypto Map settings; In the Cisco ASA 5545, it is represented as 1:00:00)
"saDataSizeKilobytes": 102400000,
"ipsecEncryption": "AES256",
"ipsecIntegrity": "SHA1",
"ikeEncryption": "AES256",
"ikeIntegrity": "SHA1",
"dhGroup": "DH-2",
"pfsGroup": "NO PFS"
Phase 1 lifetime seconds is 28800 (This is phase 1, which should be configured on the ASA under your IKEv2 policy);
Thanks to Daniel Pires from for helping me figure this out!
I hope it helps you.
Sincerely,
Leonardo Fogaça de Almeida
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-cisco-asa
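Added example, not part of the original post and not Microsoft's or Cisco's code: a Python check that compares the Azure policy values listed in the post above with the matching lines of an ASA configuration, so drift between the two sides is easy to spot. The ASA excerpt is constructed, the names AZURE-MAP and AZURE-PROP are hypothetical, and the keyword mapping covers only the values used in the post.

```python
import re

# Azure policy values as listed in the post, plus the phase 1 lifetime it states.
AZURE = {"ikeEncryption": "AES256", "ikeIntegrity": "SHA1", "dhGroup": "DH-2",
         "ikeLifetime": 28800, "ipsecEncryption": "AES256",
         "ipsecIntegrity": "SHA1", "pfsGroup": "NO PFS",
         "saLifeTimeSeconds": 3600, "saDataSizeKilobytes": 102400000}

# Constructed ASA excerpt; AZURE-MAP and AZURE-PROP are hypothetical names.
ASA_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal AZURE-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map AZURE-MAP 1 set ikev2 ipsec-proposal AZURE-PROP
crypto map AZURE-MAP 1 set security-association lifetime seconds 3600
crypto map AZURE-MAP 1 set security-association lifetime kilobytes 102400000
"""
# Where each parameter lives in the ASA config (regex with one capture group).
ASA_PATTERNS = {
    "ikeEncryption": r"^ encryption (\S+)",
    "ikeIntegrity": r"^ integrity (\S+)",
    "dhGroup": r"^ group (\d+)",
    "ikeLifetime": r"^ lifetime seconds (\d+)",
    "ipsecEncryption": r"^ protocol esp encryption (\S+)",
    "ipsecIntegrity": r"^ protocol esp integrity (\S+)",
    "pfsGroup": r"set pfs ?(\S*)",  # no "set pfs" line at all means no PFS
    "saLifeTimeSeconds": r"set security-association lifetime seconds (\d+)",
    "saDataSizeKilobytes": r"set security-association lifetime kilobytes (\d+)",
}
# Azure spelling -> ASA keyword, only for the values used in the post.
TOKENS = {("ikeIntegrity", "SHA1"): "sha", ("ipsecIntegrity", "SHA1"): "sha-1",
          ("dhGroup", "DH-2"): "2", ("pfsGroup", "NO PFS"): None}

def mismatches(azure, asa_config):
    """Return {field: (expected ASA token, token found)} for every difference."""
    diff = {}
    for field, value in azure.items():
        want = TOKENS.get((field, value), str(value).replace("AES", "aes-"))
        m = re.search(ASA_PATTERNS[field], asa_config, re.M)
        have = m.group(1) if m else None
        if want != have:
            diff[field] = (want, have)
    return diff
```
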
- Leonardo Almeida, Feb 19, 2018, Copper Contributor
Hi Kasun!
I followed it, but the doc is outdated. I was able to solve the problem when I opened a call at Microsoft.
Thanks.
Leonardo Fogaça de Almeida
- David Sack, Feb 25, 2018, Copper Contributor
What was it that fixed the issue? I am having the same problem.
Thanks
Dave