I have a Cisco ASA 5516-X with v9.7(1)21 on my end and I am trying to create a working VPN to Azure. It looks to me like phase 1 goes well but phase 2 fails due to a policy mismatch.
Any suggestions for how I should change my Azure and/or ASA config to get this working?
Thanks for any suggestions as to how I can solve this!
Debug:
# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:44876, Status:UP-IDLE, IKE count:1, CHILD count:0
Tunnel-id Local Remote Status Role
851718313 <CiscoPubIP>/500 <AzurePubIP>/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA384, DH Grp:24, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/32 sec
#debug crypto ikev2 protocol 127
....
IKEv2-PROTO-2: (554): Processing IKE_AUTH message
IKEv2-PROTO-1: (554): Failed to find a matching policy
IKEv2-PROTO-1: (554): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA96 Don't use ESN
IKEv2-PROTO-1: (554): Failed to find a matching policy
IKEv2-PROTO-1: (554): Expected Policies:
IKEv2-PROTO-5: (554): Failed to verify the proposed policies
IKEv2-PROTO-1: (554): Failed to find a matching policy
....
Azure config
$IPSecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup PFS24 -SALifeTimeSeconds 28800 -SADataSizeKilobytes 102400000;
Cisco config
access-list outside_access_in extended permit ip host <azurePubIP> host <CiscoPubIP>
crypto ipsec ikev2 ipsec-proposal AES-256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup
crypto dynamic-map default_map 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES AES-256
crypto map outside_map 65535 ipsec-isakmp dynamic default_map
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ikev2 policy 2
 encryption aes-256
 integrity sha384
 group 24
 prf sha384
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 50
 encryption aes-256
 integrity sha256
 group 2
 prf sha256 sha
 lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group <AzurePubIP> type ipsec-l2l
tunnel-group <AzurePubIP> ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
no tunnel-group-map enable peer-ip
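The "Received Policies" / "Expected Policies" lines in the debug above are the quickest place to separate an algorithm mismatch from a missing crypto map entry. The script below is an added example, not code from the poster or from Cisco or Microsoft: it parses the ASA `ipsec-proposal` blocks, the dynamic/static `crypto map` lines and the Azure cmdlet, translates the IKEv2 debug names (`AES-CBC-256`, `SHA96` for HMAC-SHA1-96) into ASA keywords, and reports which configured proposals match what Azure offered and whether the peer has a static crypto map entry at all. The embedded config excerpt and debug line are copied from the post; the name-mapping tables beyond the two values seen in the debug are assumptions.

```python
import re

# Constructed from the post above: the relevant ASA config lines, the Azure
# cmdlet and the "Received Policies" debug line. Peer IPs stay as the post's
# own placeholders.
ASA_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES-256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map default_map 65535 set ikev2 ipsec-proposal AES256 3DES AES-256
crypto map outside_map 65535 ipsec-isakmp dynamic default_map
tunnel-group <AzurePubIP> type ipsec-l2l
"""
AZURE_POLICY = ("New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 "
                "-DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup PFS24")
RECEIVED_POLICY = "ESP: Proposal 1: AES-CBC-256 SHA96 Don't use ESN"
PEER = "<AzurePubIP>"

# Name mappings onto ASA keywords. AES-CBC-256 and SHA96 (HMAC-SHA1-96) are the
# values in the post's debug; the other entries are assumed for other policies.
AZURE_ENC = {"AES256": "aes-256", "AES192": "aes-192", "AES128": "aes", "DES3": "3des"}
AZURE_INT = {"SHA1": "sha-1", "SHA256": "sha-256", "MD5": "md5"}
DEBUG_ENC = {"AES-CBC-256": "aes-256", "AES-CBC-192": "aes-192", "AES-CBC-128": "aes", "3DES": "3des"}
DEBUG_INT = {"SHA96": "sha-1", "SHA256": "sha-256"}


def parse_ipsec_proposals(config):
    """Map each 'crypto ipsec ikev2 ipsec-proposal' name to its ESP algorithm sets."""
    proposals, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line)
        if m:
            current = m.group(1)
            proposals[current] = {"encryption": set(), "integrity": set()}
            continue
        m = re.match(r"\s*protocol esp (encryption|integrity) (.+)", line)
        if m and current:
            proposals[current][m.group(1)].update(m.group(2).split())
    return proposals


def parse_crypto_maps(config):
    """Return (proposals reachable through a bound dynamic map, peers with a static entry)."""
    dyn_props, dyn_bound, static_peers = {}, set(), set()
    for line in config.splitlines():
        m = re.match(r"crypto dynamic-map (\S+) \d+ set ikev2 ipsec-proposal (.+)", line)
        if m:
            dyn_props.setdefault(m.group(1), set()).update(m.group(2).split())
        m = re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", line)
        if m:
            dyn_bound.add(m.group(1))
        m = re.match(r"crypto map \S+ \d+ set peer (\S+)", line)
        if m:
            static_peers.add(m.group(1))
    reachable = set()
    for name in dyn_bound:
        reachable |= dyn_props.get(name, set())
    return reachable, static_peers


def received_esp(debug_line):
    """Translate the first ESP proposal in a 'Received Policies' line to ASA keywords."""
    m = re.search(r"ESP: Proposal \d+: (\S+) (\S+)", debug_line)
    return DEBUG_ENC.get(m.group(1), m.group(1)), DEBUG_INT.get(m.group(2), m.group(2))


def azure_esp(cmdlet):
    """Translate the Azure cmdlet's IPsec (phase 2) algorithms to ASA keywords."""
    enc = re.search(r"-IpsecEncryption (\S+)", cmdlet).group(1)
    integ = re.search(r"-IpsecIntegrity (\S+)", cmdlet).group(1)
    return AZURE_ENC[enc], AZURE_INT[integ]


def diagnose(config, debug_line, peer):
    enc, integ = received_esp(debug_line)
    proposals = parse_ipsec_proposals(config)
    matching = sorted(n for n, p in proposals.items()
                      if enc in p["encryption"] and integ in p["integrity"])
    via_dynamic, static_peers = parse_crypto_maps(config)
    return {
        "received": (enc, integ),
        "matching_proposals": matching,
        "matching_in_dynamic_map": sorted(set(matching) & via_dynamic),
        "static_map_for_peer": peer in static_peers,
    }


if __name__ == "__main__":
    report = diagnose(ASA_CONFIG, RECEIVED_POLICY, PEER)
    print("Azure offers ESP", azure_esp(AZURE_POLICY), "debug shows", report["received"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the post's own data, the report shows that the ESP proposal Azure sent (aes-256 / sha-1) is already covered by the AES-256 and AES256 proposals and that both are referenced from the dynamic map, while no static crypto map entry names the Azure peer. That narrows the "Failed to find a matching policy" message to the crypto map binding rather than to the algorithm sets, which is the direction the answer below takes.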
Best Answer
You're missing the corresponding crypto map statements for that tunnel. Without the crypto map statements, you can't form Phase 2. Dynamic tunnels, like you were asking about, are only for when your IP address is dynamic (rather than static), on one end, such as if your ISP assigns you an IP address via DHCP, and your ASA would be the initiator (it could never be the receiver) for all tunnels configured on it, because its IP address would not be permanently known. Unless that's your case here, you should have something like: