SOLVED

Azure VPN with Cisco ASA 5545

Copper Contributor

Hello everyone!

 

I hope you can help, I have a partner just setup the VPN on the Azure portal to the Cisco ASA 5545, he have used the script template provide by Microsoft to configure the VPN from Azure to our office.

 

Unavailable

However when I close the tunnel an error message is displayed on the azure side.

The connection cannot establish due to security policy (IPsec/IKE) policy mismatch

 

On the side of the Cisco ASA firewall displays the following message.

IKEv2 Tunnel rejected: Crypto Map Policy not found for the remote traffic selector 0.0.0.0/255.255.255.255

 

Any assistance would be great.

 

Sincerely,

 

Leonardo Fogaça de Almeida

 

 

5 Replies

Hi Kasun!

 

I followed but the doc is outdated, I was able to solve the problem when I called open at Microsoft

 

Thanks.

 

Leonardo Fogaça de Almeida

What was it that fixed the issue? I am having the same problem.

Thanks
Dave
best response confirmed by Leonardo Almeida (Copper Contributor)
Solution

Hi Dave.

 

I opened a call at Microsoft and customized the powershell commands with my customer's Cisco
I ran the following powershell command:

 

$ipsecpolicy6 = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup None -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000

$GWName1 = "xxxxxxx"
$RG1 = "xxxxx"
$LNGName6 = "xxxxx"
$Connection16 = "xxxxx"
$Location1 = "xxxxx"

$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng6 = Get-AzureRmLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1

New-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy6 -SharedKey 'xxxxx'

 

These were the policies required on my customer Cisco ASA 5545 running Software Version 9.6 (2)

 

"saLifeTimeSeconds": 3600,   (This is phase 2, or what you should configure in Crypto Map settings; In the Cisco ASA 5545, it is represented as 1:00:00)     

"saDataSizeKilobytes": 102400000,   
"ipsecEncryption": "AES256",       
 "ipsecIntegrity": "SHA1",    
 "ikeEncryption": "AES256",  
 "ikeIntegrity": "SHA1",     
 "dhGroup": "DH-2",     
 "pfsGroup": "NO PFS" 

Phase 1 lifetime seconds is 28800 (This is phase 1, which should be configured on the ASA under your IKEv2 policy); 

Thanks to Daniel Pires from  for helping me figure this out!

I holp it helps you.

 

Sincered,

 

Leonardo Fogaça de Almeida 

 

I forgot,

 

This was the article i used for reference.

 

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell

 

Sincered,

 

Leonardo Fogaça de Almeida

1 best response

Accepted Solutions
best response confirmed by Leonardo Almeida (Copper Contributor)
Solution

Hi Dave.

 

I opened a call at Microsoft and customized the powershell commands with my customer's Cisco
I ran the following powershell command:

 

$ipsecpolicy6 = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup None -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000

$GWName1 = "xxxxxxx"
$RG1 = "xxxxx"
$LNGName6 = "xxxxx"
$Connection16 = "xxxxx"
$Location1 = "xxxxx"

$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng6 = Get-AzureRmLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1

New-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy6 -SharedKey 'xxxxx'

 

These were the policies required on my customer Cisco ASA 5545 running Software Version 9.6 (2)

 

"saLifeTimeSeconds": 3600,   (This is phase 2, or what you should configure in Crypto Map settings; In the Cisco ASA 5545, it is represented as 1:00:00)     

"saDataSizeKilobytes": 102400000,   
"ipsecEncryption": "AES256",       
 "ipsecIntegrity": "SHA1",    
 "ikeEncryption": "AES256",  
 "ikeIntegrity": "SHA1",     
 "dhGroup": "DH-2",     
 "pfsGroup": "NO PFS" 

Phase 1 lifetime seconds is 28800 (This is phase 1, which should be configured on the ASA under your IKEv2 policy); 

Thanks to Daniel Pires from  for helping me figure this out!

I holp it helps you.

 

Sincered,

 

Leonardo Fogaça de Almeida 

 

View solution in original post