Azure to Cisco ASA with IKEv2

  • Question

  • Hi,

    I seem to be having trouble with two different Cisco ASAs.

    Both of these were working, but we decided to remove our Azure environment so we could get a better naming schema. On setting everything back up and changing the Cisco configs to reflect the new Azure external IP, we now get the following:

    This is happening on Phase ; the Phase 1 tunnel is up! Cisco TAC have said Azure is sending the wrong information.

    IKEv2 Tunnel rejected: Crypto Map Policy not found for the remote traffic selector 0.0.0.0/255.255.255.255

    Any assistance would be great.

    Simon


    Friday, April 8, 2016 11:09 PM

All replies

  • Hi,

    Thanks for posting here.

    When setting up a Site-to-Site VPN with Azure, you will need to see if Azure is offering subnet-to-subnet or gateway-to-gateway VPN:

    • If Azure is using subnet-to-subnet, then the Check Point side must be configured in the following way in Check Point SmartDashboard: go to the IPSec VPN tab - double-click on the relevant VPN Community - go to the Tunnel Management page - in the section VPN Tunnel Sharing, select One VPN tunnel per subnet pair - click on OK to apply the settings - install the policy.
    • If Azure is using gateway-to-gateway, then the Check Point side must be configured in the following way in Check Point SmartDashboard: go to the IPSec VPN tab - double-click on the relevant VPN Community - go to the Tunnel Management page - in the section VPN Tunnel Sharing, select One VPN tunnel per Gateway pair - click on OK to apply the settings - install the policy.
    • Make sure the networks in the respective encryption domains correspond to the settings configured on the Azure side (you may use the setting subnet_for_range_and_peer to make sure the subnets are negotiated as required - for details, refer to "Scenario 1" in sk108600 - VPN Site-to-Site with 3rd party).
    Saturday, April 9, 2016 1:03 PM
  • Hi Girish,

    Thanks for the reply. We're using a Cisco ASA, and I have no concept of subnet-to-subnet or gateway-to-gateway.

    We've established a VPN between Azure Virtual Network Gateway (Local Network Gateway & Connection) to External IP of the Cisco ASA.

    Sunday, April 10, 2016 2:34 AM
  • Hi Simon,

    Cisco ASA is not compatible with dynamic gateways (route based) in Azure. The traffic selector that we are sending is what we send for these types of gateways. With the way the ASA works, it does not accept this.

    Therefore, we have a hard requirement that Cisco ASAs are only compatible with static gateways (or policy based).

    Thanks,

    Phillip
    Monday, April 11, 2016 5:56 PM
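As an added illustration of what Phillip describes (example code written for this page, not Microsoft's or Cisco's): a small Python model of a policy-based responder checking the IKEv2 traffic selectors a peer proposes against its crypto map ACL. The subnets are constructed sample values, and the "selector must fit inside one ACL entry" rule is a simplification of the ASA's behaviour, not its implementation.

```python
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

# (ASA-side local network, remote network), i.e. one "permit ip" line of the
# crypto map's "match address" ACL. Constructed sample subnets (assumed).
Pair = Tuple[IPv4Network, IPv4Network]

ASA_CRYPTO_MAP_ACL: List[Pair] = [
    (ip_network("10.1.0.0/16"), ip_network("172.16.0.0/16")),
    (ip_network("10.2.0.0/24"), ip_network("172.16.1.0/24")),
]

# Traffic selectors as the ASA sees them: (TSr = its own side, TSi = peer side).
# A route-based (dynamic) gateway proposes any-to-any; a policy-based (static)
# gateway proposes the configured address space pairs.
ROUTE_BASED_PROPOSAL: Pair = (ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"))
POLICY_BASED_PROPOSAL: Pair = (ip_network("10.1.0.0/16"),
                               ip_network("172.16.0.0/16"))


def crypto_map_lookup(acl: List[Pair], proposal: Pair) -> Optional[Pair]:
    """Model of a policy-based responder: both proposed selectors must fit
    inside a single ACL entry. It does not narrow a wider proposal down to
    its own policy, so 0.0.0.0/0 matches nothing and no policy is found."""
    ts_local, ts_remote = proposal
    for acl_local, acl_remote in acl:
        if ts_local.subnet_of(acl_local) and ts_remote.subnet_of(acl_remote):
            return (acl_local, acl_remote)
    return None


def child_sa_decision(acl: List[Pair], proposal: Pair) -> str:
    """Human-readable outcome of the CHILD_SA negotiation in this model."""
    match = crypto_map_lookup(acl, proposal)
    if match is None:
        return ("rejected: no crypto map policy covers remote selector "
                f"{proposal[1]} (local selector {proposal[0]})")
    return f"accepted: {match[0]} <-> {match[1]}"


if __name__ == "__main__":
    for name, prop in (("route-based gateway", ROUTE_BASED_PROPOSAL),
                       ("policy-based gateway", POLICY_BASED_PROPOSAL)):
        print(f"{name}: {child_sa_decision(ASA_CRYPTO_MAP_ACL, prop)}")
```

Running it shows the any-to-any proposal of a route-based gateway failing the lookup while the policy-based proposal (or any selector narrower than an ACL entry) is accepted, which is the difference Phillip's reply turns on.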
  • Hi Simon,

    I am also facing the same issue. I configured the S2S between Azure and Cisco ASA with policy-based routing, but it is still showing in "IDLE" state. In my scenario I already have one IKEv2 S2S with another Cisco ASA.

    Can you please suggest whether I can go with IKEv1 or IKEv2 for configuring S2S between Azure and Cisco ASA.

    Thanks

    Abhinash

    Monday, December 24, 2018 1:52 PM