SharePoint Stuff

Cisco ASA route-based IKEv2 configuration

Written by Luke Smith. Posted in Microsoft

As of the June 2017 update to the Cisco IOS, you can now establish route-based VPNs into Azure using a VTI (virtual tunnel interface) and IKEv2.

A route-based connection was previously known as Dynamic Routing.

Minimum IOS version: 9.8(1), released 15th May 2017.
Recommended IOS version in an HA configuration: 9.8(1.5) (known bug in previous versions) or 9.8(2), released August 2017.

The example below creates an Azure VpnGw1 VPN gateway using a custom IPsec policy with BGP enabled (on the Azure end).

Below is the config sample for the Cisco ASA. Values in quotes are placeholders to replace with your own; the tunnel interface is given the nameif VPN-AZURE-PRD so that the route statements can refer to it, and the IKEv2 policy, IPsec proposal and IPsec profile values match the Azure custom policy created in the PowerShell further down:

crypto ikev2 policy 3
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28000

crypto ipsec ikev2 ipsec-proposal PROP-AZURE-PRD
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto ipsec profile PROF-AZURE-PRD
 set ikev2 ipsec-proposal PROP-AZURE-PRD
 set pfs group24
 set security-association lifetime kilobytes 102400000
 set security-association lifetime seconds 27000

interface Tunnel1
 nameif VPN-AZURE-PRD
 ip address "Tunnel Interface IP" "Tunnel Subnet Mask"
 tunnel source interface outside
 tunnel destination "Azure VPN Public IP"
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF-AZURE-PRD

tunnel-group "Azure VPN Public IP" type ipsec-l2l
tunnel-group "Azure VPN Public IP" ipsec-attributes
 ikev2 remote-authentication pre-shared-key xxxxxx
 ikev2 local-authentication pre-shared-key xxxxxx

route VPN-AZURE-PRD "Azure Address Space IP" "Azure Address Space Subnet" "Azure VPN Public IP"
route VPN-AZURE-PRD "Azure VPN Public IP"

Below is the PowerShell for an ARM-based Azure VPN:

#based on

Select-AzureRmSubscription -SubscriptionName "Your Subscription Name" #Update Accordingly
$VirtualNetworkName = "Your VNET Name" #Update Accordingly
$ResourceGroup = "Your Resource Group Name" #Update Accordingly
$Location = "UK South" #Update Accordingly
$LocalGatewayName = "HeadOfficeVPN" #Update Accordingly
$HeadOfficeVPNIP = "Local VPN Public IP" #Update Accordingly
$LocalAddressPrefix = @("","","") #your local network ranges
$GatewayIpName = "Vnetgwpublicip1" #Update Accordingly
$GatewaySubnetName = "GatewaySubnet"
$GatewayIpConfigName = "Vnetgwconfig1" #Update Accordingly
$GatewayVPNType = "RouteBased" #Update Accordingly
$GatewaySKU = "VpnGw1" #Update Accordingly
$GatewayName = "VNetgw1" #Update Accordingly
$GatewayConnectionName = "VNetgw1toHeadOfficeVPN" #Update Accordingly
$PreSharedKey = "**************" #Your PreShared Key

#Create Local Network Gateway
New-AzureRmLocalNetworkGateway -Name $LocalGatewayname `
-Location "$location" -AddressPrefix $LocalAddressPrefix `
-GatewayIpAddress $HeadOfficeVPNIP -ResourceGroupName $ResourceGroup
#Create Public IP Address
$ipaddress = New-AzureRmPublicIpAddress -Name $GatewayIpName `
-ResourceGroupName $ResourceGroup -Location $location `
-AllocationMethod Dynamic

#Create Gateway IP addressing configuration
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $GatewaySubnetName -VirtualNetwork (Get-AzureRmVirtualNetwork -Name $VirtualNetworkName -ResourceGroupName $ResourceGroup)
# The gateway IP configuration references the GatewaySubnet and the public IP created above by resource ID
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GatewayIpConfigName -SubnetId $subnet.Id -PublicIpAddressId $ipaddress.Id

#Create the VPN gateway

New-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup -Location $location -GatewaySKU $GatewaySKU -GatewayType Vpn -IpConfigurations $gwipconfig -EnableBgp $true -VpnType $GatewayVPNType

#IPSec Custom Policy

$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup PFS24 -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

#Gateway Name

$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
$LocalGatewayName1 = Get-AzureRmLocalNetworkGateway -Name $LocalGatewayName -ResourceGroupName $ResourceGroup

New-AzureRmVirtualNetworkGatewayConnection -Name $GatewayConnectionName -ResourceGroupName $ResourceGroup -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $LocalGatewayName1 -Location $Location -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy -SharedKey $PreSharedKey

#Get Gateway Public IP (this is the "Azure VPN Public IP" used in the ASA config)

Get-AzureRmPublicIpAddress -Name $GatewayIpName -ResourceGroupName $ResourceGroup

#Get BGP Information (Azure-side ASN and BGP peering address)
$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
$vnet1gw.BgpSettings
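To confirm the result on the Azure side once the ASA has been configured, here is an added verification script (not from the original post) that reads back the gateway type, the effective IPsec policy on the connection, the tunnel status and the BGP peer state. It assumes the variables defined in the script above are still set and that the AzureRM.Network cmdlets Get-AzureRmVirtualNetworkGatewayBGPPeerStatus and Get-AzureRmVirtualNetworkGatewayLearnedRoute are available.

```powershell
# Added post-deployment check (not part of the original post). Assumes $GatewayName,
# $ResourceGroup and $GatewayConnectionName from the script above are still set and
# that Select-AzureRmSubscription has already been run.

$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
$conn    = Get-AzureRmVirtualNetworkGatewayConnection -Name $GatewayConnectionName -ResourceGroupName $ResourceGroup

# 1. The gateway must be RouteBased with BGP on, which is what the ASA VTI config expects
if ($vnet1gw.VpnType -ne "RouteBased") {
    Write-Warning "Gateway $($vnet1gw.Name) is $($vnet1gw.VpnType), not RouteBased"
}
if ($null -eq $vnet1gw.BgpSettings) {
    Write-Warning "BGP is not enabled on $($vnet1gw.Name)"
} else {
    # These two values are the BGP neighbour parameters the on-premises side needs
    "Azure BGP ASN:             $($vnet1gw.BgpSettings.Asn)"
    "Azure BGP peering address: $($vnet1gw.BgpSettings.BgpPeeringAddress)"
}

# 2. Effective IPsec policy on the connection: each value must match the ASA crypto ikev2
#    policy / ipsec-proposal / ipsec profile (e.g. SHA1 <-> sha / sha-1, PFS24 <-> group24)
$conn.IpsecPolicies |
    Format-Table IkeEncryption, IkeIntegrity, DhGroup, IpsecEncryption, IpsecIntegrity,
                 PfsGroup, SALifeTimeSeconds, SADataSizeKilobytes -AutoSize

# 3. Tunnel state: anything other than Connected means IKEv2 has not completed with the ASA
"Connection $($conn.Name): $($conn.ConnectionStatus)"
"Bytes in/out: $($conn.IngressBytesTransferred) / $($conn.EgressBytesTransferred)"

# 4. BGP session with the on-premises peer and the prefixes learned over it
Get-AzureRmVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup |
    Format-Table Neighbor, Asn, State, ConnectedDuration, RoutesReceived -AutoSize
Get-AzureRmVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup |
    Format-Table Network, NextHop, Origin, AsPath, SourcePeer -AutoSize
```

On the ASA, the corresponding checks are show crypto ikev2 sa, show crypto ipsec sa and show interface Tunnel1.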

Good Luck


Luke Smith

I've been working with Microsoft technologies for over 20 years, my main focus now being Microsoft Online Services. I manage the Cloud Services at ElysianIT Limited and am a P-SELLER at Microsoft. I have worked with many organisations from SMC to Enterprise. I've been working with Microsoft technologies since DOS 5.0; to date I have been working on Microsoft's latest cloud technology: Windows Azure, Windows 10, Office 365 and Microsoft SharePoint.

Comments (5)

  • rajesh s


    Hi Luke,

    Thanks for this article.
    I'm new to Azure. I'm working for a client with a requirement to have ExpressRoute as the primary and a VPN tunnel as the secondary path.
    We have a Cisco ASA 8.4 5585 as the on-prem VPN GW.
    I understand we need to have a route-based VPN for ExpressRoute and IPsec to coexist.
    However, my concern is that 9.8.2, which supports route-based VPN, is very much a latest version and I don't want to use it.
    Is there any other option to have primary and secondary paths working?


  • Andre Christian Frogner



    Great article! One question though, won’t the setting -UsePolicyBasedTrafficSelectors $True make the VirtualNetworkGatewayConnection policybased, not route based?

    BR Andre


  • Jagat


    Hi Luke,

    Many many thanks for sharing these useful details. May I know whether we should use No NAT here or not?

    Awaiting your reply.




  • Amuzed


    What is the reason for “crypto ikev2 policy 3”?
    Is it related to configuring route-based VPN?

