Initial setup VPN issues

Question
-
Hello to all; any assistance is greatly appreciated,
I'm using a Cisco 1811/K9 router with Advanced IP services (crypto / ipsec vpn capable)
APKCLDSVCS_RTR#sh version
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(6)T11, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 06-Mar-08 20:56 by khuie
ROM: System Bootstrap, Version 12.3(8r)YH13, RELEASE SOFTWARE (fc1)
APKCLDSVCS_RTR uptime is 2 days, 59 minutes
System returned to ROM by reload at 19:17:05 UTC Tue Jul 3 2012
System image file is "flash:c181x-advipservicesk9-mz.124-6.T11.bin"
The current configuration follows:
NOTE: the following addresses were substituted in the given configuration report:
1.2.3.4 255.255.255.240 = Organization public IP address
2.3.4.5 255.255.255.240 = Organization public default gateway
111.111.111.111 = Azure gateway / peer address
*********************************************************************************************************************
APKCLDSVCS_RTR#sh run
Building configuration...
Current configuration : 2100 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HOST
boot-start-marker
boot-end-marker
!
logging console informational
enable secret 5 OMITTED
no aaa new-model
!
resource policy
!
!
!
no ip cef
!
!
no ip domain lookup
!
!
!
username OMITTED privilege 15 password 7 OMITTED
!
!
crypto isakmp policy 101
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ASDFGHJKLLKJHGFDSA address 111.111.111.111
crypto ipsec security-association lifetime kilobytes 102400000
!
crypto ipsec transform-set AZURE esp-aes esp-sha-hmac
!
crypto map APKCLDSVCS 1 ipsec-isakmp
set peer 111.111.111.111
set transform-set AZURE
match address 101
!
!
!
!
interface FastEthernet0
ip address 172.16.150.225 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet1
ip address 1.2.3.4 255.255.255.240
ip tcp adjust-mss 1350
duplex auto
speed auto
crypto map APKCLDSVCS
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface FastEthernet9
shutdown
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
!
ip default-gateway 2.3.4.5
ip route 0.0.0.0 0.0.0.0 2.3.4.5
ip route 192.168.0.0 255.255.0.0 172.16.151.1
!
!
no ip http server
no ip http secure-server
!
logging trap debugging
logging 172.16.150.103
access-list 101 permit ip host 1.2.3.4 host 111.111.111.111
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
login local
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
line vty 5 15
exec-timeout 0 0
logging synchronous
login local
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
APKCLDSVCS_RTR#sh cry sess
Crypto session current status
Interface: FastEthernet1
Session status: DOWN
Peer: 111.111.111.111 port 500
IPSEC FLOW: permit ip host 1.2.3.4 host 111.111.111.111
Active SAs: 0, origin: crypto map
Interface: FastEthernet1
Session status: UP-IDLE
Peer: 111.111.111.111 port 1024
IKE SA: local 1.2.3.4/4500 remote 111.111.111.111/1024 Active
APKCLDSVCS_RTR#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.2.3.4 111.111.111.111 QM_IDLE 2001 0 ACTIVE
IPv6 Crypto ISAKMP SA
APKCLDSVCS_RTR#sh cry ipsec sa
interface: FastEthernet1
Crypto map tag: APKCLDSVCS, local addr 66.192.16.218
protected vrf: (none)
local ident (addr/mask/prot/port): (1.2.3.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (111.111.111.111/255.255.255.255/0/0)
current_peer 111.111.111.111 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.2.3.4, remote crypto endpt.: 111.111.111.111
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
APKCLDSVCS_RTR#
*********************************************************************************************************************
I have utilized the tutorials located at https://www.windowsazure.com/en-us/manage/services/networking/ and the sample configuration script located at http://msdn.microsoft.com/en-us/library/windowsazure/jj156087.
Please advise at your earliest regarding this; we feel we have correctly configured the router and the portal, however we cannot get the tunnels to establish properly. Thanks to all in advance
- Moved by Arwind - MSFT Friday, July 6, 2012 3:26 AM (From: Connectivity and Messaging - Windows Azure)
Thursday, July 5, 2012 9:02 PM
Answers
-
Hi!
I believe this may be because your ACL is not configured correctly.
access-list 101 permit ip host 1.2.3.4 host 111.111.111.111
It should be
access-list 101 permit ip <On-Prem Subnet> <Subnet mask> <Azure Subnet> <Subnet mask>
- Marked as answer by Tiger Li (Microsoft employee) Monday, July 9, 2012 10:20 AM
Friday, July 6, 2012 3:37 PM
All replies
-
I'd considered the same; however I have the same results with:
access-list 101 permit ip any any
which explicitly specifies allowance of any IP from any interior host to any external.
Thanks
Monday, July 9, 2012 5:36 PM
-
Anyone else have any ideas? I'm sort of at a stopping point; the only technical support appears to be in forums, so any ideas are well received.
Thanks
Tuesday, July 17, 2012 6:39 PM
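The accepted answer points at the crypto ACL: the posted entry matches only the two public tunnel endpoints, and the follow-up reports that `permit ip any any` fails in the same way. The posted `sh cry sess` output also shows the characteristic shape of that problem: an IKE SA that is Active alongside `Active SAs: 0`, i.e. Phase 1 completed and Phase 2 never did. The Python below is an added example, not code from the thread, the router, or the Azure sample configuration. It parses IOS `permit ip` extended ACL entries (host, any and wildcard-mask forms) into networks, classifies each entry against the expected on-premises and Azure address spaces, and reduces `show crypto session` text to a Phase 1 / Phase 2 verdict. The on-premises subnets (172.16.0.0/16 on FastEthernet0 and 192.168.0.0/16 via the static route) are taken from the posted config; the Azure virtual network range is an assumed placeholder, since the thread does not give it.

```python
"""Triage helper for an IOS crypto-map tunnel whose Phase 1 completes but
Phase 2 never does.  Added example; the sample text below is constructed from
the thread's address-substituted outputs."""
import ipaddress
import re

# Constructed from the thread's 'sh cry sess' output (placeholder addresses).
SAMPLE_SESSION = """\
Crypto session current status
Interface: FastEthernet1
Session status: DOWN
Peer: 111.111.111.111 port 500
  IPSEC FLOW: permit ip host 1.2.3.4 host 111.111.111.111
        Active SAs: 0, origin: crypto map
Interface: FastEthernet1
Session status: UP-IDLE
Peer: 111.111.111.111 port 1024
  IKE SA: local 1.2.3.4/4500 remote 111.111.111.111/1024 Active
"""

# From the posted config: Fa0 sits in 172.16.0.0/16 and 192.168.0.0/16 is
# routed via 172.16.151.1.  The Azure VNet range is NOT in the thread, so it
# is an assumed placeholder here.
ONPREM_SUBNETS = ["172.16.0.0/16", "192.168.0.0/16"]
AZURE_VNET_PLACEHOLDER = ["10.1.0.0/16"]


def _wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard masks (inverted netmasks): 0.0.255.255 -> /16."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(~wc & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def _take_address(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) from tokens."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl_entry(line):
    """Parse 'access-list N permit ip SRC DST' into (src_net, dst_net)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"not a 'permit ip' extended ACL entry: {line!r}")
    src, rest = _take_address(tokens[4:])
    dst, _ = _take_address(rest)
    return src, dst


def check_crypto_acl(acl_lines, local_endpoint, peer_endpoint,
                     onprem_subnets, azure_subnets):
    """Classify each crypto ACL entry by the proxy identity it would propose.

    'endpoint-only': selector is the two public tunnel endpoints themselves.
    'any-any'      : 0.0.0.0/0 on at least one side.
    'ok'           : exact on-prem subnet -> Azure subnet pair.
    'mismatch'     : a subnet pair, but not one the peer is expected to accept.
    """
    local = ipaddress.IPv4Network(local_endpoint + "/32")
    peer = ipaddress.IPv4Network(peer_endpoint + "/32")
    onprem = [ipaddress.IPv4Network(n) for n in onprem_subnets]
    azure = [ipaddress.IPv4Network(n) for n in azure_subnets]
    verdicts = []
    for line in acl_lines:
        src, dst = parse_acl_entry(line)
        if src == local and dst == peer:
            verdicts.append("endpoint-only")
        elif src.prefixlen == 0 or dst.prefixlen == 0:
            verdicts.append("any-any")
        elif src in onprem and dst in azure:
            verdicts.append("ok")
        else:
            verdicts.append("mismatch")
    return verdicts


def phase_summary(show_crypto_session):
    """Reduce 'show crypto session' text to the Phase 1 / Phase 2 state."""
    ike_up = re.search(r"IKE SA: .*\bActive\b", show_crypto_session) is not None
    active_sas = [int(n) for n in re.findall(r"Active SAs: (\d+)", show_crypto_session)]
    ipsec_up = any(n > 0 for n in active_sas)
    if ike_up and ipsec_up:
        return "up"
    if ike_up:
        return "phase1-up-phase2-down"
    return "phase1-down"


if __name__ == "__main__":
    candidates = [
        "access-list 101 permit ip host 1.2.3.4 host 111.111.111.111",  # thread's entry
        "access-list 101 permit ip any any",                             # follow-up attempt
        "access-list 101 permit ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.255.255",
    ]
    print("session:", phase_summary(SAMPLE_SESSION))
    verdicts = check_crypto_acl(candidates, "1.2.3.4", "111.111.111.111",
                                ONPREM_SUBNETS, AZURE_VNET_PLACEHOLDER)
    for line, verdict in zip(candidates, verdicts):
        print(f"{verdict:<22} {line}")
```

The endpoint-only and any/any entries are flagged because, in IKEv1 quick mode, the proxy identities derived from the crypto ACL must match what the peer gateway is configured to accept; a selector that names only the public endpoints, or 0.0.0.0/0 on either side, does not match a gateway that expects specific private address spaces, and the negotiation ends exactly as the thread's output shows, with an active IKE SA and no IPsec SAs. The check uses exact subnet equality on purpose: a selector that is merely a subset or superset of the configured ranges is reported as `mismatch` so that it gets looked at rather than assumed to be fine.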