
CISCO ASA RouteBased IKEv2 configuration

As of the June 2017 update to the CISCO IOS you can now establish RouteBased VPNs into Azure using a VTI (Virtual Tunnel Interface) and IKEv2.

RouteBased Connection was previously known as Dynamic Routing.

Minimum IOS Version: 9.8(1), released 15th May 2017 (https://software.cisco.com/download/release.html?mdfid=286285782&softwareid=280775065&release=9.8.1)
Recommended IOS Version in an HA configuration: 9.8(1.5) (there is a known bug in previous versions) or 9.8(2), released August 2017

The example below creates an Azure VpnGw1 VPN gateway using an IPsec custom policy with BGP enabled (on the Azure end).

Below is the config sample for the CISCO ASA:


crypto ikev2 policy 3
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28000

crypto ipsec ikev2 ipsec-proposal PROP-AZURE-PRD
protocol esp encryption aes-256
protocol esp integrity sha-1

crypto ipsec profile PROF-AZURE-PRD
set ikev2 ipsec-proposal PROP-AZURE-PRD
set pfs group24
set security-association lifetime kilobytes 102400000
set security-association lifetime seconds 27000

interface Tunnel 1
nameif VPN-AZURE-PRD
ip address 10.255.255.1 255.255.255.0
tunnel source interface outside
tunnel destination "Azure VPN Public IP"
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROF-AZURE-PRD

tunnel-group "Azure VPN Public IP" type ipsec-l2l
tunnel-group "Azure VPN Public IP" ipsec-attributes
ikev2 remote-authentication pre-shared-key xxxxxx
ikev2 local-authentication pre-shared-key xxxxxx

route VPN-AZURE-PRD "Azure Address Space IP" "Azure Address Space Subnet" "Azure VPN Public IP"
route VPN-AZURE-PRD 10.10.0.0 255.255.0.0 "Azure VPN Public IP"

Below is the PowerShell for an ARM-based Azure VPN:

#based on https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName "Your Subscription Name" #Update Accordingly
$VirtualNetworkName = "Your VNET Name" #Update Accordingly
$ResourceGroup = "Your Resource Group Name" #Update Accordingly
$Location = "UK South" #Update Accordingly
$LocalGatewayName = "HeadOfficeVPN" #Update Accordingly
$HeadOfficeVPNIP = "Local VPN Public IP" #Update Accordingly
$LocalAddressPrefix = @("172.16.0.0/24","172.17.0.0/23","10.255.255.0/24") #your local network ranges
$GatewayIpName = "Vnetgwpublicip1" #Update Accordingly
$GatewaySubnetName = "GatewaySubnet"
$GatewayIpConfigName = "Vnetgwconfig1" #Update Accordingly
$GatewayVPNType = "RouteBased" #Update Accordingly
$GatewaySKU = "VpnGw1" #Update Accordingly
$GatewayName = "VNetgw1" #Update Accordingly
$GatewayConnectionName = "VNetgw1toHeadOfficeVPN" #Update Accordingly
$PreSharedKey = "**************" #Your PreShared Key

#Create Local Network Gateway
New-AzureRmLocalNetworkGateway -Name $LocalGatewayname `
-Location "$location" -AddressPrefix $LocalAddressPrefix `
-GatewayIpAddress $HeadOfficeVPNIP -ResourceGroupName $ResourceGroup
#Create Public IP Address
$ipaddress = New-AzureRmPublicIpAddress -Name $GatewayIpName `
-ResourceGroupName $ResourceGroup -Location $location `
-AllocationMethod Dynamic

#Create Gateway IP addressing configuration
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $GatewaySubnetName -VirtualNetwork (Get-AzureRmVirtualNetwork -Name $VirtualNetworkName -ResourceGroupName $ResourceGroup)
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GatewayIpConfigName -SubnetId $subnet.id -PublicIpAddressId $ipaddress.id

#Create the VPN gateway

New-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup -Location $location -GatewaySKU $GatewaySKU -GatewayType Vpn -IpConfigurations $gwipconfig -EnableBgp $true -VpnType $GatewayVPNType

#IPSec Custom Policy

$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup PFS24 -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

#Gateway Name

$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
$LocalGatewayName1 = Get-AzureRmLocalNetworkGateway -Name $LocalGatewayName -ResourceGroupName $ResourceGroup

New-AzureRmVirtualNetworkGatewayConnection -Name $GatewayConnectionName -ResourceGroupName $ResourceGroup -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $LocalGatewayName1 -Location $Location -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy -SharedKey $PreSharedKey

#Get GatewayPublicIP

Get-AzureRmPublicIpAddress -Name $GatewayIpName -ResourceGroupName $ResourceGroup

#Get BGP Information
$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $gatewayname -ResourceGroupName $resourcegroup
$vnet1gw.BgpSettingsText
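IKEv2 negotiation fails on any mismatch between the two ends, so before bringing the tunnel up it is worth cross-checking the ASA crypto block above against the New-AzureRmIpsecPolicy line. The Python script below is an added example, not part of this post's configuration or of any Cisco or Microsoft tooling: it parses both snippets (embedded here as constructed copies of the text above), normalises the ASA keywords to the vocabulary the Azure cmdlet uses (the ASA-to-Azure mapping table is my own assumption and covers the common values only), and reports every parameter that differs. The ASA IKE SA lifetime (28000 seconds) has no counterpart in the cmdlet line, so it is parsed but not compared.

```python
"""Cross-check Cisco ASA IKEv2/IPsec settings against an Azure custom IPsec policy."""
import re

# Constructed copy of the ASA crypto configuration from the post.
ASA_CONFIG = """
crypto ikev2 policy 3
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28000
crypto ipsec ikev2 ipsec-proposal PROP-AZURE-PRD
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec profile PROF-AZURE-PRD
 set ikev2 ipsec-proposal PROP-AZURE-PRD
 set pfs group24
 set security-association lifetime kilobytes 102400000
 set security-association lifetime seconds 27000
"""

# Constructed copy of the New-AzureRmIpsecPolicy line from the post.
AZURE_POLICY = (
    "New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 "
    "-DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA1 "
    "-PfsGroup PFS24 -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000"
)

# Assumed mapping of ASA keywords to Azure policy values (common values only).
ASA_TO_AZURE = {
    "aes-256": "AES256", "aes-192": "AES192", "aes": "AES128",
    "sha": "SHA1", "sha-1": "SHA1", "sha256": "SHA256", "sha-256": "SHA256",
    "sha384": "SHA384", "sha-384": "SHA384",
    "2": "DHGroup2", "14": "DHGroup14", "24": "DHGroup24",
    "19": "ECP256", "20": "ECP384",
    "group2": "PFS2", "group14": "PFS14", "group24": "PFS24",
    "group19": "ECP256", "group20": "ECP384", "none": "None",
}


def to_azure(words):
    """Translate a list of ASA keywords; unknown keywords pass through unchanged."""
    return [ASA_TO_AZURE.get(w, w) for w in words]


def parse_asa(config):
    """Extract the negotiable parameters from the three ASA crypto sections.

    IKE policy and IPsec proposal values are lists, because the ASA allows
    several algorithms per line; profile values are scalars.
    """
    params, section = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw.startswith("crypto ikev2 policy"):
            section = "ike"
        elif raw.startswith("crypto ipsec ikev2 ipsec-proposal"):
            section = "proposal"
        elif raw.startswith("crypto ipsec profile"):
            section = "profile"
        elif section == "ike":
            key = {"encryption": "IkeEncryption", "integrity": "IkeIntegrity",
                   "group": "DhGroup"}.get(words[0])
            if key:
                params[key] = to_azure(words[1:])
        elif section == "proposal" and words[:2] == ["protocol", "esp"]:
            key = {"encryption": "IpsecEncryption",
                   "integrity": "IpsecIntegrity"}.get(words[2])
            if key:
                params[key] = to_azure(words[3:])
        elif section == "profile" and words[0] == "set":
            if words[1] == "pfs":
                params["PfsGroup"] = to_azure(words[2:3])[0]
            elif words[1:4] == ["security-association", "lifetime", "kilobytes"]:
                params["SADataSizeKilobytes"] = int(words[4])
            elif words[1:4] == ["security-association", "lifetime", "seconds"]:
                params["SALifeTimeSeconds"] = int(words[4])
    return params


def parse_azure(cmdline):
    """Pull '-Parameter Value' pairs out of the cmdlet line (skips the cmdlet name)."""
    params = {}
    for name, value in re.findall(r"(?<!\S)-(\w+)\s+([^-\s]\S*)", cmdline):
        params[name] = int(value) if value.isdigit() else value
    return params


def compare(asa, azure):
    """Return one 'Key: Azure=... ASA=...' line per parameter that both sides express but disagree on."""
    mismatches = []
    for key, azure_value in azure.items():
        if key not in asa:
            continue  # e.g. no IKE SA lifetime parameter exists on the Azure side
        asa_value = asa[key]
        matches = (azure_value in asa_value if isinstance(asa_value, list)
                   else azure_value == asa_value)
        if not matches:
            mismatches.append(f"{key}: Azure={azure_value} ASA={asa_value}")
    return mismatches


if __name__ == "__main__":
    problems = compare(parse_asa(ASA_CONFIG), parse_azure(AZURE_POLICY))
    print("\n".join(problems) if problems else "ASA and Azure policy parameters agree")
```

Run it against your own `show running-config crypto` output and the exact cmdlet line you executed; an empty result means every parameter the Azure policy expresses is offered by the ASA, so a failed Phase 1 or Phase 2 points at the pre-shared key, the peer address or the traffic selectors rather than the crypto suite.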

Good Luck
