I am having problems getting a site-to-site VPN set up using the Microsoft script.
My config is as follows:
version 15.2
!
crypto ikev2 proposal azure-proposal
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy azure-policy
 proposal azure-proposal
!
crypto ikev2 keyring azure-keyring
 peer 137.135.246.42
  address 137.135.246.42
  pre-shared-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
crypto ikev2 profile azure-profile
 match address local interface Loopback2
 match identity remote address 137.135.246.42 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local azure-keyring
!
crypto isakmp policy 5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxx address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
!
!
crypto ipsec profile dmvpnprof
 set transform-set dmvpnset
!
crypto ipsec profile vti
 set transform-set azure-ipsec-proposal-set
 set ikev2-profile azure-profile
!
interface Loopback0
 ip address x.y.z.211 255.255.255.255 secondary
 ip address x.y.z.212 255.255.255.255 secondary
 ip address x.y.z.213 255.255.255.255 secondary
 ip address x.y.z.214 255.255.255.255 secondary
 ip address x.y.z.215 255.255.255.255 secondary
 ip address x.y.z.216 255.255.255.255 secondary
 ip address x.y.z.217 255.255.255.255 secondary
 ip address x.y.z.218 255.255.255.255 secondary
 ip address x.y.z.219 255.255.255.255 secondary
 ip address x.y.z.220 255.255.255.255 secondary
 ip address x.y.z.209 255.255.255.255
 ip mtu 1492
 ip tcp adjust-mss 1452
!
interface Loopback1
 ip address 172.30.2.1 255.255.255.0
 ip mtu 1416
 ip nat inside
 ip virtual-reassembly in
!
interface Loopback2
 description Source for Azure Tunnel
 ip address x.y.z.221 255.255.255.255
 ip mtu 1492
 ip tcp adjust-mss 1452
!
interface Loopback3
 description Source for DMVPN Tunnel
 ip address x.y.z.222 255.255.255.255
 ip mtu 1492
 ip tcp adjust-mss 1452
!
interface Tunnel0
 description DMVPN
 bandwidth 1000
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1388
 ip nhrp authentication xxxxxxxxxxxxxx
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 w.x.y.z
 ip nhrp map multicast w.x.y.z
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.1
 ip ospf network broadcast
 ip ospf priority 0
 delay 1000
 tunnel source Loopback3
 tunnel mode gre multipoint
 tunnel key 666
 tunnel protection ipsec profile dmvpnprof
!
interface Tunnel1
 ip address 169.254.0.1 255.255.255.0
 ip tcp adjust-mss 1350
 tunnel source Loopback2
 tunnel mode ipsec ipv4
 tunnel destination 137.135.246.42
 tunnel protection ipsec profile vti
!
interface FastEthernet0
 xxxxxxxxxxxxxxxxxxxxxxxxxxx
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description PPPOE
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 no ip address
!
interface Vlan10
 xxxxxxxxxxxxxxxxxxxxxxxxx
!
interface Vlan11
 xxxxxxxxxxxxxxxxxxxxxxxxx
!
interface Vlan12
 xxxxxxxxxxxxxxxxxxxxxxxxx
!
interface Dialer0
 ip unnumbered Loopback0
 ip access-group InternetIn in
 ip mtu 1492
 ip nat outside
 ip inspect InternetIn2Out out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.10.0.0 255.255.0.0 Tunnel1
!
ip access-list extended InternetIn
 remark Traffic allowed to enter the router from the Internet
 remark DMVPN
 permit udp any host x.y.z.222 eq isakmp
 permit esp any host x.y.z.222
 permit gre any host x.y.z.222
 remark Azure IPSEC
 permit udp any host x.y.z.221 eq isakmp
 permit udp any host x.y.z.221 eq non500-isakmp
 permit udp any host x.y.z.221 eq 1701
 permit esp any host x.y.z.221
 permit gre any host x.y.z.221
 deny ip any any log
!
The output of debug crypto ipsec and debug crypto ikev2 is as follows:
r0#debug crypto ipsec
Crypto IPSEC debugging is on
r0#debug crypto ikev2
IKEv2 default debugging is on
r0#term mon
r0#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r0-scedu(config)# int tun 1
r0-scedu(config-if)# shut
r0-scedu(config-if)# no shut
r0-scedu(config-if)# exit
r0-scedu(config)#exit
May 26 18:35:13.060: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 26 18:35:13.060: IPSEC(crypto_ipsec_kmi_process_message): Invalid KMI msg id: 2
May 26 18:35:13.060: IPSEC(key_engine): failed to process KMI message 2
May 26 18:35:13.084: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.084: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.084: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.084: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.088: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
May 26 18:35:13.088: IPSEC(recalculate_mtu): reset sadb_root 88CC197C mtu to 1500
May 26 18:35:13.088: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= x.y.z.221:500, remote= 137.135.246.42:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
May 26 18:35:13.088: IPSEC(recalculate_mtu): reset sadb_root 88CC197C mtu to 1492
May 26 18:35:13.088: IPSEC(adjust_mtu): adjusting ident ip mtu from 1500 to 1492,
  (identity) local= x.y.z.221:0, remote= 137.135.246.42:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 26 18:35:13.088: IPSEC(adjust_mtu): adjusting path mtu from 1500 to 1492,
  (identity) local= x.y.z.221:0, remote= 137.135.246.42:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 26 18:35:13.092: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.092: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.092: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.092: IPSEC: Expand action denied, discard or forward packet.
May 26 18:35:13.092: IKEv2:% Getting preshared key from profile keyring azure-keyring
May 26 18:35:13.092: IKEv2:% Matched peer block '137.135.246.42'
May 26 18:35:13.092: IKEv2:Searching Policy with fvrf 0, local address x.y.z.221
May 26 18:35:13.092: IKEv2:Found Policy 'azure-policy'
May 26 18:35:13.092: IKEv2:SA is already in negotiation, hence not negotiating again
May 26 18:35:26.465: IKEv2:(SA ID = 1):Retransmitting packet
May 26 18:35:26.465: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0]
Initiator SPI : 684E76D76792ACC4 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 26 18:35:31.225: IKEv2:(SA ID = 1):Maximum number of retransmissions reached
May 26 18:35:31.225: IKEv2:(SA ID = 1):
May 26 18:35:31.225: IKEv2:(SA ID = 1):Failed SA init exchange
May 26 18:35:31.225: IKEv2:(SA ID = 1):Initial exchange failed
May 26 18:35:31.225: IKEv2:(SA ID = 1):Initial exchange failed
May 26 18:35:31.225: IKEv2:(SA ID = 1):Abort exchange
May 26 18:35:31.225: IKEv2:(SA ID = 1):Deleting SA
May 26 18:35:43.089: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= x.y.z.221:0, remote= 137.135.246.42:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 26 18:35:43.089: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= x.y.z.221:500, remote= 137.135.246.42:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
May 26 18:35:43.089: IKEv2:% Getting preshared key from profile keyring azure-keyring
May 26 18:35:43.089: IKEv2:% Matched peer block '137.135.246.42'
May 26 18:35:43.089: IKEv2:Searching Policy with fvrf 0, local address x.y.z.221
May 26 18:35:43.089: IKEv2:Found Policy 'azure-policy'
May 26 18:35:43.089: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
May 26 18:35:43.089: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
May 26 18:35:43.089: IKEv2:(SA ID = 1):Request queued for computation of DH key
May 26 18:35:43.089: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
May 26 18:35:43.089: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
May 26 18:35:43.089: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 6
   AES-CBC   AES-CBC   3DES   SHA1   SHA96   DH_GROUP_1024_MODP/Group 2
May 26 18:35:43.093: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0]
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 26 18:35:43.093: IKEv2:(SA ID = 1):Insert SA
May 26 18:35:44.909: IKEv2:(SA ID = 1):Retransmitting packet
May 26 18:35:44.909: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0]
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 26 18:35:48.697: IKEv2:(SA ID = 1):Retransmitting packet
May 26 18:35:48.697: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0]
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 26 18:35:55.969: IKEv2:(SA ID = 1):Retransmitting packet
May 26 18:35:55.969: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0]
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 26 18:36:11.702: IKEv2:(SA ID = 1):Retransmitting packet
May 26 18:36:11.702: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0]
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 26 18:36:13.090: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= x.y.z.221:0, remote= 137.135.246.42:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 26 18:36:26.262: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= x.y.z.221:500, remote= 137.135.246.42:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
May 26 18:36:26.266: IKEv2:% Getting preshared key from profile keyring azure-keyring
May 26 18:36:26.266: IKEv2:% Matched peer block '137.135.246.42'
May 26 18:36:26.266: IKEv2:Searching Policy with fvrf 0, local address x.y.z.221
May 26 18:36:26.266: IKEv2:Found Policy 'azure-policy'
May 26 18:36:26.266: IKEv2:SA is already in negotiation, hence not negotiating again
r0-scedu#
May 26 18:36:27.914: %SYS-5-CONFIG_I: Configured from console by Ross.Mason on vty0 (10.66.0.33)
May 26 18:36:43.103: IKEv2:(SA ID = 1):Retransmitting packet
May 26 18:36:43.103: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0]
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 26 18:36:45.611: IPSEC(key_engine): got a queue event with 1 KMI message(s)
We do have a Dynamic Multipoint VPN running on the device, but I have removed the config for this and the Azure tunnel still won't connect.
Can someone help with the debug and give me some pointers?
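Added triage example, not from the original post: a small Python script that reads the IKEv2 debug lines above, groups packets by initiator SPI, and reports whether the peer ever answered. In the posted log every IKE_SA_INIT REQUEST is retransmitted until "Maximum number of retransmissions reached" with the Responder SPI still all zeros and no "Received Packet" line, so the exchange never got a reply at all (unlike a proposal mismatch, where the responder does send something back). The sample lines are a constructed excerpt of the post's output; the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the post's "debug crypto ikev2" output (one event per line).
SAMPLE_DEBUG = """\
May 26 18:35:26.465: IKEv2:(SA ID = 1):Retransmitting packet
May 26 18:35:26.465: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0]
Initiator SPI : 684E76D76792ACC4 - Responder SPI : 0000000000000000 Message id: 0
May 26 18:35:31.225: IKEv2:(SA ID = 1):Maximum number of retransmissions reached
May 26 18:35:43.093: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0]
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
May 26 18:35:44.909: IKEv2:(SA ID = 1):Retransmitting packet
May 26 18:35:44.909: IKEv2:(SA ID = 1):Sending Packet [To 137.135.246.42:500/From x.y.z.221:500/VRF i0:f0]
Initiator SPI : C27AE69DBED79DC8 - Responder SPI : 0000000000000000 Message id: 0
"""

SEND_RE = re.compile(r"(Sending|Received) Packet \[To ([\w.]+):(\d+)/From ([\w.]+):(\d+)")
SPI_RE = re.compile(r"Initiator SPI : ([0-9A-F]{16}) - Responder SPI : ([0-9A-F]{16})")
NO_RESPONDER = "0" * 16   # responder SPI stays zero until the peer's IKE_SA_INIT reply arrives

def summarize_ike_sa(debug_text):
    """Group IKEv2 packets by initiator SPI and record whether the peer ever answered."""
    sas = defaultdict(lambda: {"sent": 0, "received": 0, "retransmits": 0,
                               "responder_spi_set": False, "max_retrans": False})
    direction, retransmit, current = None, False, None
    for line in debug_text.splitlines():
        if "Retransmitting packet" in line:
            retransmit = True          # applies to the next "Sending Packet" line
        elif (m := SEND_RE.search(line)):
            direction = m.group(1)     # the SPI line that follows tells us which SA
        elif (m := SPI_RE.search(line)) and direction:
            current = sas[m.group(1)]
            if direction == "Sending":
                current["sent"] += 1
                current["retransmits"] += retransmit
            else:
                current["received"] += 1
            current["responder_spi_set"] |= m.group(2) != NO_RESPONDER
            direction, retransmit = None, False
        elif "Maximum number of retransmissions reached" in line and current:
            current["max_retrans"] = True
    return dict(sas)

def diagnose(debug_text):
    """One finding per SA: 'no_response' means requests left but nothing came back from the peer."""
    return {spi: ("peer_answered" if sa["received"] or sa["responder_spi_set"] else "no_response")
            for spi, sa in summarize_ike_sa(debug_text).items()}
```

A "no_response" result points at the path between the two endpoints (filtering, NAT, or the peer not expecting this source address) rather than at the proposal or transform-set lists, which are only compared once a reply arrives.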