So I was trying to build a Route Based VPN from a Cisco ASA 5506x current code 9.4. I was following the Microsoft article here.
I got everything set up just like it mentioned, but I could not get the VPN to connect. I was constantly seeing it try, fail on phase 1. We tried on and off for a couple days trying to get this VPN up and stable. Eventually I went to other implementations blogs.
Richard J Green: Azure Route-Based VPN to Cisco ASA 5505
Kasperk.it: Cisco ASA Route-Based Site-to-Site VPN to Azure
PeteNetLive: Microsoft Azure To Cisco ASA Site to Site VPN
What I found is a difference in the base ASA software requirements.
- Microsoft Article: Said 9.2 or above
- RichardjGreen: Said 8.4 or above
- it: Said 9.8.2 (tested)
- PeteNetLive: Said the requirement is 9.7(1)
So, after not being able to even get the VPN to connect at the lower versions, we upgraded the firewall from 9.4 to 9.8.3-18. As soon as I got back on the firewall after the upgrade, the tunnel was up and connected. No other configuration changes were necessary.
Essentially, if you are having issues with a Route-Based VPN to Azure from a Cisco ASA, save yourself a bunch of problems and upgrade to at least 9.8.
Now the base configuration that I used on the firewall (IPs, PSKs have been changed to protect the guilty):
access-list CUST-2-AZURE extended permit ip 10.249.0.0 255.255.240.0 10.249.16.0 255.255.240.0
route outside 18.104.22.168 255.255.255.255 22.214.171.124 1
crypto ipsec ikev2 ipsec-proposal AES-256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto map outside_map 200 match address CUST-2-AZURE
crypto map outside_map 200 set pfs group24
crypto map outside_map 200 set peer 126.96.36.199
crypto map outside_map 200 set ikev2 ipsec-proposal AES-256
crypto map outside_map 200 set ikev2 pre-shared-key SomeReallyLongKeyOrPasswordVerySecure
crypto map outside_map 200 set security-association lifetime seconds 7200
crypto map outside_map 200 set nat-t-disable
crypto map outside_map interface outside
crypto ikev2 enable outside
crypto ikev2 policy 1
lifetime seconds 28800
group-policy 188.8.131.52 internal
group-policy 184.108.40.206 attributes
tunnel-group 220.127.116.11 type ipsec-l2l
tunnel-group 18.104.22.168 general-attributes
tunnel-group 22.214.171.124 ipsec-attributes
ikev2 remote-authentication pre-shared-key SomeReallyLongKeyOrPasswordVerySecure
ikev2 local-authentication pre-shared-key SomeReallyLongKeyOrPasswordVerySecure
This is the configuration that has worked for a couple route-based tunnels to Azure. Your millage may vary.
Jason Howe, Senior Networking Engineer