Feb 14 2018 07:21 AM
Hello everyone!
I hope you can help. I have a partner who just set up the VPN on the Azure portal to the Cisco ASA 5545; he used the script template provided by Microsoft to configure the VPN from Azure to our office.
However, when I close the tunnel, an error message is displayed on the Azure side.
The connection cannot establish due to security policy (IPsec/IKE) policy mismatch
On the Cisco ASA firewall side, the following message is displayed.
IKEv2 Tunnel rejected: Crypto Map Policy not found for the remote traffic selector 0.0.0.0/255.255.255.255
Any assistance would be great.
Sincerely,
Leonardo Fogaça de Almeida
Feb 17 2018 08:30 AM
Feb 19 2018 04:32 AM
Hi Kasun!
I followed it, but the doc is outdated. I was able to solve the problem when I opened a call at Microsoft.
Thanks.
Leonardo Fogaça de Almeida
Feb 25 2018 11:10 AM
Feb 26 2018 05:20 AM
Solution
Hi Dave.
I opened a call at Microsoft and customized the PowerShell commands for my customer's Cisco.
I ran the following PowerShell commands:
$ipsecpolicy6 = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup None -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000
$GWName1 = "xxxxxxx"
$RG1 = "xxxxx"
$LNGName6 = "xxxxx"
$Connection16 = "xxxxx"
$Location1 = "xxxxx"
$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng6 = Get-AzureRmLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy6 -SharedKey 'xxxxx'
These were the policies required on my customer's Cisco ASA 5545 running Software Version 9.6(2):
"saLifeTimeSeconds": 3600, (This is phase 2, or what you should configure in the Crypto Map settings; in the Cisco ASA 5545, it is represented as 1:00:00)
"saDataSizeKilobytes": 102400000,
"ipsecEncryption": "AES256",
"ipsecIntegrity": "SHA1",
"ikeEncryption": "AES256",
"ikeIntegrity": "SHA1",
"dhGroup": "DH-2",
"pfsGroup": "NO PFS"
Phase 1 lifetime seconds is 28800 (this is phase 1, which should be configured on the ASA under your IKEv2 policy).
Thanks to Daniel Pires from for helping me figure this out!
I hope it helps you.
Sincerely,
Leonardo Fogaça de Almeida
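A checker for the mismatch described in this thread, added here as an example and not part of the original posts: it takes the Azure policy values from the solution above and a constructed ASA 9.6-style configuration fragment (the command forms are assumed), maps the ASA keywords to Azure's policy vocabulary and reports the fields where the two sides disagree, including the policy-based traffic selector setting behind the 0.0.0.0/255.255.255.255 rejection. Python is used here instead of PowerShell so it runs anywhere without the Azure modules.

```python
AZURE_POLICY = {  # values as listed in the solution post
    "ikeEncryption": "AES256", "ikeIntegrity": "SHA1", "dhGroup": "DHGroup2",
    "ipsecEncryption": "AES256", "ipsecIntegrity": "SHA1", "pfsGroup": "None",
    "saLifeTimeSeconds": 3600, "saDataSizeKilobytes": 102400000,
    "usePolicyBasedTrafficSelectors": True,
}

# Constructed ASA 9.6-style fragment (assumed command forms, not from the thread)
ASA_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal AZURE
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 10 set security-association lifetime kilobytes 102400000
"""

ENC = {"aes-256": "AES256", "aes-192": "AES192", "aes": "AES128", "3des": "DES3"}
INTEG = {"sha": "SHA1", "sha-1": "SHA1", "sha256": "SHA256", "sha-256": "SHA256"}
DH = {"2": "DHGroup2", "14": "DHGroup14", "24": "DHGroup24"}


def parse_asa(config):
    """Collect phase 1 (ikev2 policy) and phase 2 (proposal + crypto map) settings."""
    asa, section = {"pfsGroup": "None"}, None   # ASA default: no PFS unless 'set pfs'
    for line in filter(str.strip, config.splitlines()):
        t = line.split()
        if not line.startswith(" "):             # top-level command opens a block
            section = "ike" if t[1:3] == ["ikev2", "policy"] else "ipsec" if t[1:2] == ["ipsec"] else None
            if t[1:2] == ["map"] and "lifetime" in t:   # phase 2 SA lifetime on the crypto map
                asa["saLifeTimeSeconds" if "seconds" in t else "saDataSizeKilobytes"] = int(t[-1])
            elif t[1:2] == ["map"] and "pfs" in t:       # 'set pfs [groupN]', default group2
                asa["pfsGroup"] = "PFS" + (t[-1][5:] if t[-1].startswith("group") else "2")
        elif section == "ike":
            if t[0] == "encryption": asa["ikeEncryption"] = ENC[t[1]]
            elif t[0] == "integrity": asa["ikeIntegrity"] = INTEG[t[1]]
            elif t[0] == "group": asa["dhGroup"] = DH[t[1]]
        elif section == "ipsec" and t[:2] == ["protocol", "esp"]:
            asa["ipsec" + t[2].capitalize()] = (ENC if t[2] == "encryption" else INTEG)[t[3]]
    return asa


def find_mismatches(azure, asa):
    bad = {k: (azure[k], asa[k]) for k in asa if k in azure and azure[k] != asa[k]}
    if not azure.get("usePolicyBasedTrafficSelectors"):
        # Route-based Azure gateway proposes 0.0.0.0/0 selectors; a crypto-map ASA rejects them
        bad["usePolicyBasedTrafficSelectors"] = (False, "crypto map ACL selectors")
    return bad
```

An empty result means the two sides agree on every field the ASA fragment defines; any non-empty entry is the field to fix on one side before retrying the tunnel.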
Feb 26 2018 05:25 AM
I forgot,
This was the article I used for reference.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell
Sincerely,
Leonardo Fogaça de Almeida