SharePoint Stuff



Cisco ASA Route-Based IKEv2 Configuration

Written by Luke Smith. Posted in Uncategorized

As of the June 2017 update to the Cisco IOS, you can now establish route-based VPNs into Azure using a VTI and IKEv2.

A route-based connection was previously known as Dynamic Routing.

Minimum IOS version: 9.8.1, released 15th May 2017 (https://software.cisco.com/download/release.html?mdfid=286285782&softwareid=280775065&release=9.8.1)
Recommended IOS version in an HA configuration: 9.8.1-5 (known bug in previous versions)

The example below creates an Azure VpnGw1 VPN using an IPsec custom policy, with BGP enabled on the Azure end.

Below is the config sample for the Cisco ASA:


crypto ikev2 policy 3
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28000

! IKEv2 must be enabled on the peer-facing interface, otherwise nothing is negotiated
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal PROP-AZURE-PRD
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto ipsec profile PROF-AZURE-PRD
 set ikev2 ipsec-proposal PROP-AZURE-PRD
 set pfs group24
 set security-association lifetime kilobytes 102400000
 set security-association lifetime seconds 27000

interface Tunnel 1
 nameif VPN-AZURE-PRD
 ip address 10.255.255.1 255.255.255.0
 tunnel source interface outside
 tunnel destination "Azure VPN Public IP"
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF-AZURE-PRD

! both keys must equal the $PreSharedKey given to Azure below
tunnel-group "Azure VPN Public IP" type ipsec-l2l
tunnel-group "Azure VPN Public IP" ipsec-attributes
 ikev2 remote-authentication pre-shared-key xxxxxx
 ikev2 local-authentication pre-shared-key xxxxxx

route VPN-AZURE-PRD "Azure Address Space IP" "Azure Address Space Subnet" "Azure VPN Public IP"
route VPN-AZURE-PRD 10.10.0.0 255.255.0.0 "Azure VPN Public IP"

Below is the PowerShell for an ARM-based Azure VPN:

#based on https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName "Your Subscription Name" #Update Accordingly
$VirtualNetworkName = "Your VNET Name" #Update Accordingly
$ResourceGroup = "Your Resource Group Name" #Update Accordingly
$Location = "UK South" #Update Accordingly
$LocalGatewayName = "HeadOfficeVPN" #Update Accordingly
$HeadOfficeVPNIP = "Local VPN Public IP" #Update Accordingly
$LocalAddressPrefix = @("172.16.0.0/24","172.17.0.0/23","10.255.255.0/24") #your local network ranges
$GatewayIpName = "Vnetgwpublicip1" #Update Accordingly
$GatewaySubnetName = "GatewaySubnet"
$GatewayIpConfigName = "Vnetgwconfig1" #Update Accordingly
$GatewayVPNType = "RouteBased" #Update Accordingly
$GatewaySKU = "VpnGw1" #Update Accordingly
$GatewayName = "VNetgw1" #Update Accordingly
$GatewayConnectionName = "VNetgw1toHeadOfficeVPN" #Update Accordingly
$PreSharedKey = "**************" #Your PreShared Key

#Create Local Network Gateway
New-AzureRmLocalNetworkGateway -Name $LocalGatewayname `
-Location "$location" -AddressPrefix $LocalAddressPrefix `
-GatewayIpAddress $HeadOfficeVPNIP -ResourceGroupName $ResourceGroup
#Create Public IP Address
$ipaddress = New-AzureRmPublicIpAddress -Name $GatewayIpName `
-ResourceGroupName $ResourceGroup -Location $location `
-AllocationMethod Dynamic

#Create Gateway IP addressing configuration
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $GatewaySubnetName -VirtualNetwork (Get-AzureRmVirtualNetwork -Name $VirtualNetworkName -ResourceGroupName $ResourceGroup)
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GatewayIpConfigName -SubnetId $subnet.id -PublicIpAddressId $ipaddress.id

#Create the VPN gateway

New-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup -Location $location -GatewaySKU $GatewaySKU -GatewayType Vpn -IpConfigurations $gwipconfig -EnableBgp $true -VpnType $GatewayVPNType

#IPSec Custom Policy

$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup PFS24 -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

#Gateway Name

$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
$LocalGatewayName1 = Get-AzureRmLocalNetworkGateway -Name $LocalGatewayName -ResourceGroupName $ResourceGroup

New-AzureRmVirtualNetworkGatewayConnection -Name $GatewayConnectionName -ResourceGroupName $ResourceGroup -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $LocalGatewayName1 -Location $Location -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy -SharedKey $PreSharedKey

#Get Gateway Public IP (this is the "Azure VPN Public IP" used in the ASA config)
Get-AzureRmPublicIpAddress -Name $GatewayIpName -ResourceGroupName $ResourceGroup

#Get BGP Information
$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
$vnet1gw.BgpSettingsText
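A mismatched proposal is the usual reason an IKEv2 tunnel never establishes, so here is an added check (my own example, not part of the original post) that parses the ASA crypto lines above and the New-AzureRmIpsecPolicy call and reports every parameter the two ends disagree on. The ASA-to-Azure keyword table and the line prefixes are assumptions covering only the algorithms this page configures; New-AzureRmIpsecPolicy has no IKE SA lifetime parameter, so the ASA `lifetime seconds 28000` line is deliberately not compared.

```python
# Added example (not from the original post). The keyword table and line prefixes
# are assumptions covering only the algorithms this page configures.
import re

# ASA cipher/hash keywords -> New-AzureRmIpsecPolicy values
ASA_TO_AZURE = {"aes-256": "AES256", "aes": "AES128", "sha": "SHA1", "sha-1": "SHA1"}
# (ASA line prefix, Azure parameter it must agree with)
RULES = [("encryption ", "IkeEncryption"), ("integrity ", "IkeIntegrity"),
         ("group ", "DhGroup"), ("protocol esp encryption ", "IpsecEncryption"),
         ("protocol esp integrity ", "IpsecIntegrity"), ("set pfs ", "PfsGroup"),
         ("set security-association lifetime seconds ", "SALifeTimeSeconds"),
         ("set security-association lifetime kilobytes ", "SADataSizeKilobytes")]
# Per-parameter value conversion; anything else is a keyword lookup
CONVERT = {"DhGroup": lambda v: "DHGroup" + v,              # "group 2"   -> DHGroup2
           "PfsGroup": lambda v: "PFS" + v[len("group"):],  # "group24"   -> PFS24
           "SALifeTimeSeconds": int, "SADataSizeKilobytes": int}

# Constructed sample input: the crypto lines and the policy cmdlet from this page.
ASA_SAMPLE = """encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28000
protocol esp encryption aes-256
protocol esp integrity sha-1
set pfs group24
set security-association lifetime kilobytes 102400000
set security-association lifetime seconds 27000"""
AZURE_SAMPLE = ("New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 "
                "-IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup PFS24 "
                "-SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000")

def parse_asa(config):
    """Map the ASA crypto lines onto Azure IPsec policy parameter names and values."""
    policy = {}
    for line in (l.strip() for l in config.splitlines()):
        for prefix, key in RULES:
            if line.startswith(prefix):   # lines like "prf sha" match no rule and are skipped
                convert = CONVERT.get(key, lambda v: ASA_TO_AZURE[v])
                policy[key] = convert(line[len(prefix):])
    return policy

def parse_azure(cmdline):
    """Collect the -Parameter Value pairs from the New-AzureRmIpsecPolicy call."""
    return {k: int(v) if v.isdigit() else v for k, v in re.findall(r"\s-(\w+)\s+(\S+)", cmdline)}

def mismatches(asa, azure):
    """Return (parameter, asa_value, azure_value) for every parameter the ends disagree on."""
    return [(k, asa.get(k), azure.get(k)) for k in sorted(set(asa) | set(azure))
            if asa.get(k) != azure.get(k)]
```

Run `mismatches(parse_asa(ASA_SAMPLE), parse_azure(AZURE_SAMPLE))` against your own running-config and policy text; an empty list means both ends agree, and any tuple returned names the parameter to fix before looking at the PSK or routing.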

Good Luck


Luke Smith

I've been working with Microsoft technologies for over 15 years, my main focus being Windows Azure IaaS and Office 365. I manage the Cloud Services at ClearPeople Ltd and work as a PTSP at Microsoft. I have worked with many organisations from SMB to EPG. I've been working with Microsoft technologies since DOS 5.0; to date I have been working on Microsoft's latest cloud technology: Windows Azure, Office 365 and Microsoft SharePoint.

Comments (4)

  • rajesh s


    Hi Luke,

    Thanks for this article.
    I'm new to Azure. I'm working for a client with a requirement to have ExpressRoute as the primary and a VPN tunnel as the secondary path.
    We have a Cisco ASA 8.4 5585 as the on-prem VPN GW.
    I understand we need to have a route-based VPN for ExpressRoute and IPsec to coexist.
    However, my concern is that 9.8.2, which supports route-based VPN, is very much the latest version and I don't want to use it.
    Is there any other option to have the primary and secondary paths working?


  • Andre Christian Frogner


    Hi

    Great article! One question though: won't the setting -UsePolicyBasedTrafficSelectors $True make the VirtualNetworkGatewayConnection policy-based, not route-based?

    BR Andre


  • Jagat


    Hi Luke,

    Many, many thanks for sharing these useful details. May I know whether we should use No NAT here or not?

    Awaiting your reply.

    Regards,

    Jagat
