Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum

Cannot Get Azure Site to Site VPN Connected using Cisco 881


I am having problems getting a site-to-site VPN set up using the Microsoft script.

My config is as follows:

version 15.2
!
crypto ikev2 proposal azure-proposal 
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy azure-policy 
 proposal azure-proposal
!
crypto ikev2 keyring azure-keyring
 peer 137.135.246.42
  address 137.135.246.42
  pre-shared-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
crypto ikev2 profile azure-profile
 match address local interface Loopback2
 match identity remote address 137.135.246.42 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local azure-keyring
!
crypto isakmp policy 5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxx address 0.0.0.0        
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac 
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac 
!
!
crypto ipsec profile dmvpnprof
 set transform-set dmvpnset 
!
crypto ipsec profile vti
 set transform-set azure-ipsec-proposal-set 
 set ikev2-profile azure-profile
!
interface Loopback0
 ip address x.y.z.211 255.255.255.255 secondary
 ip address x.y.z.212 255.255.255.255 secondary
 ip address x.y.z.213 255.255.255.255 secondary
 ip address x.y.z.214 255.255.255.255 secondary
 ip address x.y.z.215 255.255.255.255 secondary
 ip address x.y.z.216 255.255.255.255 secondary
 ip address x.y.z.217 255.255.255.255 secondary
 ip address x.y.z.218 255.255.255.255 secondary
 ip address x.y.z.219 255.255.255.255 secondary
 ip address x.y.z.220 255.255.255.255 secondary
 ip address x.y.z.209 255.255.255.255
 ip mtu 1492
 ip tcp adjust-mss 1452
!
interface Loopback1
 ip address 172.30.2.1 255.255.255.0
 ip mtu 1416
 ip nat inside
 ip virtual-reassembly in
!
interface Loopback2
 description Source for Azure Tunnel
 ip address x.y.z.221 255.255.255.255
 ip mtu 1492
 ip tcp adjust-mss 1452
!
interface Loopback3
 description Source for DMVPN Tunnel
 ip address x.y.z.222 255.255.255.255
 ip mtu 1492
 ip tcp adjust-mss 1452
!
interface Tunnel0
 description DMVPN
 bandwidth 1000
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1388
 ip nhrp authentication xxxxxxxxxxxxxx
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 w.x.y.z
 ip nhrp map multicast w.x.y.z
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.1
 ip ospf network broadcast
 ip ospf priority 0
 delay 1000
 tunnel source Loopback3
 tunnel mode gre multipoint
 tunnel key 666
 tunnel protection ipsec profile dmvpnprof
!
interface Tunnel1
 ip address 169.254.0.1 255.255.255.0
 ip tcp adjust-mss 1350
 tunnel source Loopback2
 tunnel mode ipsec ipv4
 tunnel destination 137.135.246.42
 tunnel protection ipsec profile vti
!
interface FastEthernet0
 xxxxxxxxxxxxxxxxxxxxxxxxxxx
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description PPPOE 
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 no ip address
!
interface Vlan10
 xxxxxxxxxxxxxxxxxxxxxxxxx
!
interface Vlan11
 xxxxxxxxxxxxxxxxxxxxxxxxx
!
interface Vlan12
 xxxxxxxxxxxxxxxxxxxxxxxxx
!
interface Dialer0
 ip unnumbered Loopback0
 ip access-group InternetIn in
 ip mtu 1492
 ip nat outside
 ip inspect InternetIn2Out out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.10.0.0 255.255.0.0 Tunnel1
!
ip access-list extended InternetIn
 remark Traffic allowed to enter the router from the Internet
 remark DMVPN
 permit udp any host x.y.z.222 eq isakmp
 permit esp any host x.y.z.222
 permit gre any host x.y.z.222
 remark Azure IPSEC 
 permit udp any host x.y.z.221 eq isakmp
 permit udp any host x.y.z.221 eq non500-isakmp
 permit udp any host x.y.z.221 eq 1701
 permit esp any host x.y.z.221
 permit gre any host x.y.z.221
 deny   ip any any log
!

The output of debug crypto ipsec and debug crypto ikev2 is as follows:

r0#debug crypto ipsec
Crypto IPSEC debugging is on
r0#debug crypto ikev2 
IKEv2 default debugging is on
r0#term mon 
r0#conf t 
Enter configuration commands, one per line.  End with CNTL/Z.
r0-scedu(config)#  int tun 1
r0-scedu(config-if)#    shut
r0-scedu(config-if)#    no shut
r0-scedu(config-if)#  exit
r0-scedu(config)#exit 
May 26 18:35:13.060: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 26 18:35:13.060: IPSEC(crypto_ipsec_kmi_process_message): Invalid KMI msg id: 2
May 26 18:35:13.060: IPSEC(key_engine): failed to process KMI message 2
May 26 18:35:13.084: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.084: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.084: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.084: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
May 26 18:35:13.088: IPSEC(recalculate_mtu): reset sadb_root 88CC197C mtu to 1500
May 26 18:35:13.088: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= x.y.z.221:500, remote= 137.135.246.42:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
May 26 18:35:13.088: IPSEC(recalculate_mtu): reset sadb_root 88CC197C mtu to 1492
May 26 18:35:13.088: IPSEC(adjust_mtu): adjusting ident ip mtu from 1500 to 1492,
  (identity) local= x.y.z.221:0, remote= 137.135.246.42:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 26 18:35:13.088: IPSEC(adjust_mtu): adjusting path mtu from 1500 to 1492,
  (identity) local= x.y.z.221:0, remote= 137.135.246.42:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 26 18:35:13.092: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.092: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.092: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.092: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.092: IKEv2:% Getting preshared key from profile keyring azure-keyring
May 26 18:35:13.092: IKEv2:% Matched peer block '137.135.246.42'
May 26 18:35:13.092: IKEv2:Searching Policy with fvrf 0, local address x.y.z.221
May 26 18:35:13.092: IKEv2:Found Policy 'azure-policy'
May 26 18:35:13.092: IKEv2:SA is already in negotiation, hence not negotiating again
May 26 18:35:26.465: IKEv2:(SA ID = 1):Retransmitting packet 

May 26 18:35:26.465: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : 684E76D76792ACC4 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 
May 26 18:35:31.225: IKEv2:(SA ID = 1):Maximum number of retransmissions reached

May 26 18:35:31.225: IKEv2:(SA ID = 1):
May 26 18:35:31.225: IKEv2:(SA ID = 1):Failed SA init exchange
May 26 18:35:31.225: IKEv2:(SA ID = 1):Initial exchange failed

May 26 18:35:31.225: IKEv2:(SA ID = 1):Initial exchange failed
May 26 18:35:31.225: IKEv2:(SA ID = 1):Abort exchange
May 26 18:35:31.225: IKEv2:(SA ID = 1):Deleting SA
May 26 18:35:43.089: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= x.y.z.221:0, remote= 137.135.246.42:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 26 18:35:43.089: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= x.y.z.221:500, remote= 137.135.246.42:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
May 26 18:35:43.089: IKEv2:% Getting preshared key from profile keyring azure-keyring
May 26 18:35:43.089: IKEv2:% Matched peer block '137.135.246.42'
May 26 18:35:43.089: IKEv2:Searching Policy with fvrf 0, local address x.y.z.221
May 26 18:35:43.089: IKEv2:Found Policy 'azure-policy'
May 26 18:35:43.089: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
May 26 18:35:43.089: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
May 26 18:35:43.089: IKEv2:(SA ID = 1):Request queued for computation of DH key
May 26 18:35:43.089: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
May 26 18:35:43.089: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
May 26 18:35:43.089: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 6
   AES-CBC   AES-CBC   3DES   SHA1   SHA96   DH_GROUP_1024_MODP/Group 2 

May 26 18:35:43.093: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

May 26 18:35:43.093: IKEv2:(SA ID = 1):Insert SA
May 26 18:35:44.909: IKEv2:(SA ID = 1):Retransmitting packet 

May 26 18:35:44.909: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

May 26 18:35:48.697: IKEv2:(SA ID = 1):Retransmitting packet 

May 26 18:35:48.697: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

May 26 18:35:55.969: IKEv2:(SA ID = 1):Retransmitting packet 

May 26 18:35:55.969: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

May 26 18:36:11.702: IKEv2:(SA ID = 1):Retransmitting packet 

May 26 18:36:11.702: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

May 26 18:36:13.090: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= x.y.z.221:0, remote= 137.135.246.42:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 26 18:36:26.262: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= x.y.z.221:500, remote= 137.135.246.42:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
May 26 18:36:26.266: IKEv2:% Getting preshared key from profile keyring azure-keyring
May 26 18:36:26.266: IKEv2:% Matched peer block '137.135.246.42'
May 26 18:36:26.266: IKEv2:Searching Policy with fvrf 0, local address x.y.z.221
May 26 18:36:26.266: IKEv2:Found Policy 'azure-policy'
May 26 18:36:26.266: IKEv2:SA is already in negotiation, hence not negotiating again
r0-scedu#
May 26 18:36:27.914: %SYS-5-CONFIG_I: Configured from console by Ross.Mason on vty0 (10.66.0.33)
May 26 18:36:43.103: IKEv2:(SA ID = 1):Retransmitting packet 

May 26 18:36:43.103: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0] 
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

May 26 18:36:45.611: IPSEC(key_engine): got a queue event with 1 KMI message(s)


We do have a Dynamic Multipoint VPN running on the device, but I have removed the config for this and the Azure tunnel still won't connect.

Can someone help with the debug and give me some pointers?
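As an added troubleshooting aid (not part of the original post), the Python below parses the IKEv2 debug format quoted above and, per SA ID, counts IKE_SA_INIT requests sent against responses received: the quoted log shows every request retransmitted until the router gives up, with nothing ever received, which is what the first verdict flags. The sample lines are constructed from the post's format; the "Received Packet" block for SA ID 2 is an assumed format, added for contrast.

```python
import re
# Constructed sample modelled on the "debug crypto ikev2" output quoted above; the SA ID 2
# block (a peer that answers, "Received Packet") is an assumed format added for contrast.
SAMPLE_DEBUG = """\
May 26 18:35:43.093: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0]
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
May 26 18:35:44.909: IKEv2:(SA ID = 1):Retransmitting packet
May 26 18:35:44.909: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0]
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
May 26 18:36:31.225: IKEv2:(SA ID = 1):Maximum number of retransmissions reached
May 26 18:40:01.000: IKEv2:(SA ID = 2):Sending Packet [To 198.51.100.7:500/From x.y.z.221:500/VRF i0:f0]
Initiator SPI : 0123456789ABCDEF - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
May 26 18:40:01.040: IKEv2:(SA ID = 2):Received Packet [From 198.51.100.7:500/To x.y.z.221:500/VRF i0:f0]
Initiator SPI : 0123456789ABCDEF - Responder SPI : FEDCBA9876543210 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
"""
SA_RE = re.compile(r"IKEv2:\(SA ID = (\d+)\):(.*)")
PEER_RE = re.compile(r"(?:Sending|Received) Packet \[(?:To|From) ([\d.]+):\d+")

def summarize_ike_sa_init(debug_text):
    # Per SA ID: peer address, IKE_SA_INIT requests sent, responses received, retransmits.
    stats, pending = {}, None   # pending = SA ID whose "Exchange REQUEST/RESPONSE" line is due
    for line in debug_text.splitlines():
        m = SA_RE.search(line)
        if m:
            sa_id, msg = int(m.group(1)), m.group(2)
            st = stats.setdefault(sa_id, dict(peer=None, requests=0, responses=0, retransmits=0, gave_up=False))
            if msg.startswith("Retransmitting packet"):
                st["retransmits"] += 1
            elif msg.startswith("Maximum number of retransmissions reached"):
                st["gave_up"] = True
            elif pm := PEER_RE.search(msg):
                st["peer"], pending = pm.group(1), sa_id
        elif pending is not None and "IKE_SA_INIT Exchange" in line:
            stats[pending]["requests" if "REQUEST" in line else "responses"] += 1
            pending = None
    return stats

def diagnose(st):
    # The debug quoted in the post (requests sent, nothing ever received) hits the first branch.
    if st["responses"] == 0 and (st["retransmits"] or st["gave_up"]):
        return ("no IKE_SA_INIT reply from %s after %d request(s): UDP/500 not reaching the peer or "
                "its reply not returning (peer address, path, inbound filter)" % (st["peer"], st["requests"]))
    if st["responses"]:
        return "IKE_SA_INIT answered by %s; look past SA_INIT (PSK, proposals, identity)" % st["peer"]
    return "in progress"
```

Run it over a saved `debug crypto ikev2` capture to separate "the peer never answered" (a reachability or filtering problem) from "SA_INIT completed but AUTH failed" (a key or proposal problem) before changing any crypto settings.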
