Hi all,
My customer and I have been attempting to create a Route Based VPN to Azure from a Cisco ASA. A few other people around the internet have been able to achieve this but documentation is sparse.
We've been able to establish the tunnel without issue, but we're unable to bring BGP up. The Azure BGP PeerID is unreachable from the ASA and the BGP neighbourship remains down. When we use static routing over these tunnels Azure is reachable.
The use of BGP is so that eventually we can establish multiple tunnels with failover - static routing with a primary and secondary tunnel (even with routing weights added) caused asymmetric routing, as Azure tried to return traffic over either tunnel. The configuration below focuses on one tunnel.
We're deploying the tunnel with PowerShell as follows:
$gatewayName = "HQVPN"
$connectionNamePrime = "vpnssPrime"
$localNetworkGatewayPrime = "ISPPrimary"
$localNetwork1 = "169.254.11.1/32"
$localNetworkGatewayPrimeIP = "x.x.x.x"
$remoteBgpPeerPrimeIP = "169.254.11.1"
$localASN = "65010"
$remoteASN = "65050"
$sharedKey = "OurSharedKey"
# $subscriptions and $routingWeightPrime are assumed to be defined earlier in the script (not shown here)

# Custom IKE/IPsec policy; these values must match the ASA ikev2 policy and ipsec-proposal
$ipsecpolicy = New-AzureRmIpsecPolicy `
    -IkeEncryption AES256 `
    -IkeIntegrity SHA384 `
    -DhGroup DHGroup24 `
    -IpsecEncryption AES256 `
    -IpsecIntegrity SHA256 `
    -PfsGroup PFS24 `
    -SALifeTimeSeconds 86400 `
    -SADataSizeKilobytes 49152

foreach ($subscription in $subscriptions) {
    $subscriptionName = $subscription.Name
    $resourceGroup = $subscription.ResourceGroup
    $location = $subscription.Location
    $environment = $subscription.Environment
    Select-AzureRmSubscription -SubscriptionName $subscriptionName

    # Enable BGP on the Azure VPN gateway and set its ASN
    $vnetGateway = Get-AzureRmVirtualNetworkGateway -Name $gatewayName -ResourceGroupName $resourceGroup
    $vnetGateway.EnableBgp = $true
    $vnetGateway | Set-AzureRmVirtualNetworkGateway -Asn $localASN

    # Local network gateway describing the on-premises ASA (public IP, ASN, BGP peer address)
    New-AzureRmLocalNetworkGateway -Name $localNetworkGatewayPrime `
        -ResourceGroupName $resourceGroup `
        -Location $location `
        -GatewayIpAddress $localNetworkGatewayPrimeIP `
        -Asn $remoteASN `
        -PeerWeight $routingWeightPrime `
        -BgpPeeringAddress $remoteBgpPeerPrimeIP `
        -AddressPrefix $localNetwork1
    $localGatewayPrime = Get-AzureRmLocalNetworkGateway -Name $localNetworkGatewayPrime -ResourceGroupName $resourceGroup

    # Route-based IPsec connection with BGP enabled and the custom policy applied
    New-AzureRmVirtualNetworkGatewayConnection `
        -Name $connectionNamePrime `
        -ResourceGroupName $resourceGroup `
        -VirtualNetworkGateway1 $vnetGateway `
        -LocalNetworkGateway2 $localGatewayPrime `
        -RoutingWeight $routingWeightPrime `
        -Location $location `
        -ConnectionType IPsec `
        -IpsecPolicies $ipsecpolicy `
        -SharedKey $sharedKey `
        -EnableBgp $true `
        -UsePolicyBasedTrafficSelectors $false
}
The Cisco configuration is as follows:
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha384
 group 24
 prf sha384 sha256 sha
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal AES256-AZ
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
group-policy AzureS2S internal
group-policy AzureS2S attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev2
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy AzureS2S
tunnel-group x.x.x.x ipsec-attributes
 isakmp keepalive threshold 60 retry 5
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
! Route-based VTI; the ipsec profile AZR-PROF it references is not included in this post
interface Tunnel11
 nameif VPN-AZURE
 ip address 169.254.11.1 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZR-PROF
!
! Static route so the Azure BGP peer address is reached through the tunnel interface
route VPN-AZURE 10.5.255.254 255.255.255.255 x.x.x.x
!
router bgp 65050
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.5.255.254 remote-as 65010
  neighbor 10.5.255.254 ebgp-multihop 255
  neighbor 10.5.255.254 activate
  network 192.168.1.0 mask 255.255.255.224
  network 192.168.2.0 mask 255.255.255.224
  network 192.168.3.0 mask 255.255.255.224
  network 192.168.4.0 mask 255.255.255.240
  no auto-summary
  no synchronization
 exit-address-family
!
Thanks,
SJ
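As an added example (not part of the original post), the following Python script cross-checks the two configurations above: it parses excerpts of the ASA config and the PowerShell variables and confirms that every value which has to agree on both ends of a BGP-over-IPsec tunnel actually does (the two ASNs, the on-premises BGP peer address, the IKE and IPsec parameters, the SA lifetime, and whether the ASA's route to the Azure peer leaves via the VTI). Two values are not in the post, the Azure gateway's own BgpPeeringAddress and the contents of the ASA ipsec profile AZR-PROF, so the script reports them as unverified instead of guessing; the config excerpts embedded below are copied from the post with its x.x.x.x placeholders kept.

```python
import re

# Excerpts of the two configurations quoted in the post (only the lines the
# cross-check needs); the x.x.x.x public-IP placeholders are kept as posted.
ASA_CONFIG = """
crypto ikev2 policy 1
 encryption aes-256
 integrity sha384
 group 24
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-AZ
 protocol esp encryption aes-256
 protocol esp integrity sha-256
interface Tunnel11
 nameif VPN-AZURE
 ip address 169.254.11.1 255.255.255.0
route VPN-AZURE 10.5.255.254 255.255.255.255 x.x.x.x
router bgp 65050
 address-family ipv4 unicast
  neighbor 10.5.255.254 remote-as 65010
"""

PS_SCRIPT = """
$remoteBgpPeerPrimeIP = "169.254.11.1"
$localASN = "65010"
$remoteASN = "65050"
$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS24 -SALifeTimeSeconds 86400 -SADataSizeKilobytes 49152
"""


def norm(token):
    """Reduce 'aes-256', 'AES256', 'DHGroup24' and '24' to one comparable spelling."""
    t = re.sub(r"[^0-9a-z]", "", token.lower())
    return re.sub(r"^(dhgroup|pfs)", "", t)


def parse_asa(cfg):
    """Pull the BGP, tunnel and crypto parameters out of an ASA config excerpt."""
    def grab(pattern):
        m = re.search(pattern, cfg, re.M)
        if not m:
            raise ValueError("not found in ASA config: " + pattern)
        return m.groups()
    d = {}
    (d["local_asn"],) = grab(r"^router bgp (\d+)")
    d["peer_ip"], d["peer_asn"] = grab(r"^\s*neighbor (\S+) remote-as (\d+)")
    (d["tunnel_if"],) = grab(r"^\s*nameif (\S+)")
    d["tunnel_ip"], _mask = grab(r"^\s*ip address (\S+) (\S+)")
    d["route_if"], d["route_dst"], _m, _gw = grab(r"^route (\S+) (\S+) (\S+) (\S+)")
    (d["ike_enc"],) = grab(r"^\s*encryption (\S+)")   # ikev2 policy (esp lines start with 'protocol')
    (d["ike_int"],) = grab(r"^\s*integrity (\S+)")
    (d["ike_dh"],) = grab(r"^\s*group (\d+)")
    (d["ike_life"],) = grab(r"^\s*lifetime seconds (\d+)")
    (d["esp_enc"],) = grab(r"protocol esp encryption (\S+)")
    (d["esp_int"],) = grab(r"protocol esp integrity (\S+)")
    return d


def parse_ps(script):
    """Collect the quoted $variables and the New-AzureRmIpsecPolicy parameters."""
    variables = dict(re.findall(r'\$(\w+)\s*=\s*"([^"]*)"', script))
    policy_line = next(l for l in script.splitlines() if "New-AzureRmIpsecPolicy" in l)
    # '-Name value' pairs; a value may not itself start with '-' (skips the cmdlet name)
    policy = dict(re.findall(r"-([A-Za-z]+)\s+([^\s-]\S*)", policy_line))
    return {"vars": variables, "policy": policy}


def compare(asa, az):
    """Return (check, status, detail) rows; status is 'ok', 'MISMATCH' or 'unverified'."""
    rows = []

    def cmp(name, asa_val, az_val):
        status = "ok" if norm(asa_val) == norm(az_val) else "MISMATCH"
        rows.append((name, status, f"ASA={asa_val} Azure={az_val}"))

    v, p = az["vars"], az["policy"]
    cmp("ASA local ASN == LocalNetworkGateway -Asn", asa["local_asn"], v["remoteASN"])
    cmp("ASA neighbor remote-as == VNet gateway -Asn", asa["peer_asn"], v["localASN"])
    cmp("ASA tunnel IP == -BgpPeeringAddress", asa["tunnel_ip"], v["remoteBgpPeerPrimeIP"])
    cmp("IKE encryption", asa["ike_enc"], p["IkeEncryption"])
    cmp("IKE integrity", asa["ike_int"], p["IkeIntegrity"])
    cmp("IKE DH group", asa["ike_dh"], p["DhGroup"])
    cmp("IKE SA lifetime", asa["ike_life"], p["SALifeTimeSeconds"])
    cmp("IPsec encryption", asa["esp_enc"], p["IpsecEncryption"])
    cmp("IPsec integrity", asa["esp_int"], p["IpsecIntegrity"])
    # The ASA must reach the Azure BGP peer through the VTI, not the underlay.
    via_vti = asa["route_if"] == asa["tunnel_if"] and asa["route_dst"] == asa["peer_ip"]
    rows.append(("Route to Azure BGP peer leaves via the tunnel interface",
                 "ok" if via_vti else "MISMATCH",
                 f"route {asa['route_dst']} via {asa['route_if']}, VTI is {asa['tunnel_if']}"))
    # Two values cannot be checked from the posted text alone, so they are flagged, not guessed.
    rows.append(("ASA neighbor IP == VNet gateway BgpSettings.BgpPeeringAddress", "unverified",
                 f"ASA peers with {asa['peer_ip']}; compare with "
                 "(Get-AzureRmVirtualNetworkGateway).BgpSettings.BgpPeeringAddress"))
    rows.append(("PFS group in ASA ipsec profile == -PfsGroup " + p["PfsGroup"], "unverified",
                 "profile AZR-PROF is not shown in the post"))
    return rows


if __name__ == "__main__":
    for name, status, detail in compare(parse_asa(ASA_CONFIG), parse_ps(PS_SCRIPT)):
        print(f"{status:10} {name}: {detail}")
```

On the excerpts as posted every comparable value agrees, which narrows the search to the two unverified items: the address the ASA peers with (10.5.255.254) has to be the BgpPeeringAddress Azure assigned to the VNet gateway, and the PFS group in AZR-PROF has to match PFS24. Changing one side (for instance the ASA DH group) makes the corresponding row report MISMATCH, which is the quickest way to see which parameter is out of step before touching the live tunnel.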