Initial setup VPN issues

Question

Hello to all; any assistance is greatly appreciated,

I'm using a Cisco 1811/K9 router with Advanced IP services (crypto / ipsec vpn capable)

APKCLDSVCS_RTR#sh version
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(6)T11, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 06-Mar-08 20:56 by khuie

ROM: System Bootstrap, Version 12.3(8r)YH13, RELEASE SOFTWARE (fc1)

APKCLDSVCS_RTR uptime is 2 days, 59 minutes
System returned to ROM by reload at 19:17:05 UTC Tue Jul 3 2012
System image file is "flash:c181x-advipservicesk9-mz.124-6.T11.bin"

The current configuration follows:
NOTE: the following addresses were substituted in the given configuration report:
 
1.2.3.4 255.255.255.240 = Organization public IP address
2.3.4.5 255.255.255.240 = Organization public default gateway
111.111.111.111 = Azure gateway / peer address
 
*********************************************************************************************************************
APKCLDSVCS_RTR#sh run
Building configuration...
 
Current configuration : 2100 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HOST
boot-start-marker
boot-end-marker
!
logging console informational
enable secret 5 OMITTED
no aaa new-model
!
resource policy
!
!
!
no ip cef
!
!
no ip domain lookup
!
!
!
username OMITTED privilege 15 password 7 OMITTED
!
!
crypto isakmp policy 101
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ASDFGHJKLLKJHGFDSA address 111.111.111.111
crypto ipsec security-association lifetime kilobytes 102400000
!
crypto ipsec transform-set AZURE esp-aes esp-sha-hmac
!
crypto map APKCLDSVCS 1 ipsec-isakmp
 set peer 111.111.111.111
 set transform-set AZURE
 match address 101
!
!
!
!
interface FastEthernet0
 ip address 172.16.150.225 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 1.2.3.4 255.255.255.240
 ip tcp adjust-mss 1350
 duplex auto
 speed auto
 crypto map APKCLDSVCS
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
ip default-gateway 2.3.4.5
ip route 0.0.0.0 0.0.0.0 2.3.4.5
ip route 192.168.0.0 255.255.0.0 172.16.151.1
!
!
no ip http server
no ip http secure-server
!
logging trap debugging
logging 172.16.150.103
access-list 101 permit ip host 1.2.3.4 host 111.111.111.111
!
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
line vty 5 15
 exec-timeout 0 0
 logging synchronous
 login local
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
 
APKCLDSVCS_RTR#sh cry sess
Crypto session current status
 
Interface: FastEthernet1
Session status: DOWN
Peer: 111.111.111.111 port 500
  IPSEC FLOW: permit ip host 1.2.3.4 host 111.111.111.111
        Active SAs: 0, origin: crypto map
 
Interface: FastEthernet1
Session status: UP-IDLE
Peer: 111.111.111.111 port 1024
  IKE SA: local 1.2.3.4/4500 remote 111.111.111.111/1024 Active
 
APKCLDSVCS_RTR#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.2.3.4   111.111.111.111   QM_IDLE           2001    0 ACTIVE
 
IPv6 Crypto ISAKMP SA
 
APKCLDSVCS_RTR#sh cry ipsec sa
 
interface: FastEthernet1
    Crypto map tag: APKCLDSVCS, local addr 66.192.16.218
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.2.3.4/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (111.111.111.111/255.255.255.255/0/0)
   current_peer 111.111.111.111 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 1.2.3.4, remote crypto endpt.: 111.111.111.111
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)
 
     inbound esp sas:
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
 
     outbound ah sas:
 
     outbound pcp sas:
APKCLDSVCS_RTR#
*********************************************************************************************************************
I have utilized the tutorials located at https://www.windowsazure.com/en-us/manage/services/networking/ and the sample configuration script located at

http://msdn.microsoft.com/en-us/library/windowsazure/jj156087.
 
Please advise at your earliest regarding this; we feel we have correctly configured the router and the portal, however we cannot get the tunnels to establish properly.

Thanks to all in advance

Answer 1

Hi!

I believe this may be because your ACL is not configured correctly.

access-list 101 permit ip host 1.2.3.4 host 111.111.111.111

It should be

access-list 101 permit ip <On-Prem Subnet> <Subnet mask> <Azure Subnet> <Subnet mask>

Answer 2

I'd considered the same; however I have the same results with:

access-list 101 permit ip any any

which explicitly specifies allowance of any IP from any interior host to any external.

Thanks

Answer 3

Anyone else have any ideas? I'm sort of at a stopping poiint; the only technical support appears to be in forums, so any ideas are well received.

Thanks