Can't connect Azure ARM VPN to Cisco ASA

  • Question

  • Hi all!

    Can anybody help me with the following problem?

    I have a vpn between Cisco ASA and Azure classic network. Now I'm trying to reconfigure my infrastructure to use resource management. I created a vpn connection from Azure site according to this article:

    https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-create-site-to-site-rm-powershell/

    I even kept the same variable names to avoid mistakes. Then I got the Azure VPN gateway IP and changed it in my Cisco ASA. All other parameters on the Cisco side were kept the same. But the tunnel can't work. I get these error messages:

    Dec 09 16:56:55 [IKEv1]IP = 104.45.21.96, IKE_DECODE RECEIVED Message (msgid=492c2110) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
    Dec 09 16:56:55 [IKEv1]IP = 104.45.21.96, IKE_DECODE RECEIVED Message (msgid=492c2110) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
    Dec 09 16:56:55 [IKEv1]IP = 104.45.21.96, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
    Dec 09 16:56:55 [IKEv1]IP = 104.45.21.96, Information Exchange processing failed
    Dec 09 16:57:03 [IKEv1]IP = 104.45.21.96, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 404

    It means that the encryption parameters are not equal. But from the Azure side there are no cmdlets to change these options. On the Cisco side I did everything according to the examples from

    https://github.com/Azure/Azure-vpn-config-samples

    Here is my Cisco config:

    access-list Ipsec_Traf_Azure2 extended permit ip 10.5.8.0 255.255.248.0 172.16.3.0 255.255.255.0

    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    crypto map outside_l2lmap 120 match address Ipsec_Traf_Azure2
    crypto map outside_l2lmap 120 set peer 104.45.21.96
    crypto map outside_l2lmap 120 set ikev1 transform-set ESP-AES-256-SHA
    crypto map outside_l2lmap 120 set security-association lifetime seconds 3600
    crypto map outside_l2lmap 120 set security-association lifetime kilobytes 102400000

    crypto ikev1 policy 70
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 28800

    tunnel-group 104.45.21.96 type ipsec-l2l
    tunnel-group 104.45.21.96 ipsec-attributes
     ikev1 pre-shared-key *****

    I tried to recreate the VPN from the Azure side several times with different real IPs, and tried to use different examples. But the result is the same. I don't know what to do next.

    Sincerely,

      Dmitry

    Thursday, December 10, 2015 9:12 AM

Answers

  • The problem is solved:

    -VpnType PolicyBased #PolicyBased For Static & RouteBased for Dynamic VPN

    It's strange, but Cisco ASA can work only with Static VPN. So, when I changed VpnType to PolicyBased - everything was OK.

    Dmitry

    • Marked as answer by DTeplyakov Tuesday, November 15, 2016 3:34 PM
    Thursday, December 10, 2015 3:43 PM
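Putting the accepted fix into the full ARM gateway creation, as an added example (not Dmitry's script and not the linked article's code): the AzureRM cmdlets are the ones that article walks through; the resource-group, VNet, gateway and local-gateway names, the ASA public address and the pre-shared key are assumed placeholders. The ACL and peer values that must line up with the ASA config in the question are the only page-specific inputs.

```powershell
# Added example, not from the question or the linked article. Names, region, the ASA
# outside address and the PSK are placeholders. Prefixes mirror the ASA crypto ACL:
# 10.5.8.0/21 is the ASA-side network, 172.16.3.0/24 is the Azure VNet address space.
$RG          = "RG-Azure-VPN"              # assumed resource-group name
$Location    = "West Europe"               # assumed region
$VNetName    = "VNet-Azure"                # assumed VNet; address space must be 172.16.3.0/24
$GWName      = "VNet-Azure-GW"
$LNGName     = "LNG-CiscoASA"
$ASAPublicIp = "203.0.113.10"              # placeholder (TEST-NET) for the ASA outside address
$SharedKey   = "REPLACE-WITH-THE-ASA-PSK"  # must equal 'ikev1 pre-shared-key' on the ASA

# Public IP and IP configuration for the virtual network gateway
$pip    = New-AzureRmPublicIpAddress -Name "$GWName-pip" -ResourceGroupName $RG `
            -Location $Location -AllocationMethod Dynamic
$vnet   = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name "gwipconfig" `
                -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# Wrong for an IKEv1 crypto-map peer: a RouteBased gateway expects IKEv2 and does not
# accept the ASA's IKEv1 main-mode proposal, which surfaces on the ASA as the
# NO_PROPOSAL_CHOSEN notify shown in the question.
# New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location `
#     -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased

# Correct for this ASA configuration: PolicyBased ("Static" in classic terms).
# Caveat: a PolicyBased gateway supports a single site-to-site connection only.
$gw = New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location `
        -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType PolicyBased

# Local network gateway = the ASA side. -AddressPrefix must equal the source side of the
# ASA crypto ACL, because a policy-based connection derives its traffic selectors from it.
$lng = New-AzureRmLocalNetworkGateway -Name $LNGName -ResourceGroupName $RG -Location $Location `
        -GatewayIpAddress $ASAPublicIp -AddressPrefix "10.5.8.0/21"

# The site-to-site connection; the shared key must match the ASA tunnel-group PSK exactly.
New-AzureRmVirtualNetworkGatewayConnection -Name "$GWName-to-$LNGName" -ResourceGroupName $RG `
        -Location $Location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
        -ConnectionType IPsec -RoutingWeight 10 -SharedKey $SharedKey

# The address to put in 'crypto map ... set peer' and 'tunnel-group' on the ASA
(Get-AzureRmPublicIpAddress -Name "$GWName-pip" -ResourceGroupName $RG).IpAddress
```

Before re-running the ASA debug, confirm the VNet address space really is 172.16.3.0/24 and the local gateway prefix is 10.5.8.0/21; with a policy-based tunnel a selector mismatch produces the same failed negotiation as a cipher mismatch.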