IKEv2 Site-to-Site VPN from Cisco ASA 5506 to Azure Route-Based VPN

Tags: cisco-asa, ike, vpn

I am having a little bit of a problem setting up an IKEv2 site-to-site to the Azure cloud. I am using the IPsec parameters from this document.

Phase 1 is established, but I can't figure out Phase 2. Here is the crypto config:

Config

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal azure-ikev2-ipsec-proposal-set
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 10 match address vpn-traffic-ikev2
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 10 set ikev2 ipsec-proposal azure-ikev2-ipsec-proposal-set
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 5
 encryption aes-256 3des
 integrity sha256 sha
 group 2
 prf sha
 lifetime seconds 10800
crypto ikev2 enable outside
crypto ikev2 enable Comcast

Debug

It's lengthy, so I will just paste where the problem is:

IKEv2-PROTO-2: (34): Processing IKE_AUTH message
IKEv2-PROTO-1: (34): Failed to find a matching policy
IKEv2-PROTO-1: (34): Received Policies:
ESP: Proposal 1:  AES-GCM-256 Don't use ESN
ESP: Proposal 2:  AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 3:  AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 4:  AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 5:  3DES SHA96 Don't use ESN
ESP: Proposal 6:  3DES SHA256 Don't use ESN
ESP: Proposal 7:  DES SHA96 Don't use ESN
ESP: Proposal 8:  AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 9:  AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 10:  AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 11:  AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 12:  AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 13:  AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 14:  3DES SHA96 Don't use ESN
ESP: Proposal 15:  3DES SHA96 Don't use ESN
ESP: Proposal 16:  3DES SHA256 Don't use ESN
ESP: Proposal 17:  AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 18:  AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 19:  AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 20:  AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 21:  AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 22:  AES-CBC-128 SHA256 Don't use ESN
ESP: Proposal 23:  AES-CBC-128 SHA256 Don't use ESN
ESP: Proposal 24:  AES-CBC-128 SHA256 Don't use ESN
ESP: Proposal 25:  AES-CBC-128 SHA256 Don't use ESN
ESP: Proposal 26:  3DES SHA96 Don't use ESN

IKEv2-PROTO-1: (34): Failed to find a matching policy
IKEv2-PROTO-1: (34): Expected Policies:
IKEv2-PROTO-5: (34): Failed to verify the proposed policies
IKEv2-PROTO-1: (34): Failed to find a matching policy

So from the debug it's obvious that I have the policies messed up during the Phase 2 negotiation process, but according to the debug, Proposal 1 should be AES-GCM-256, which is what I have configured.

Phase 1 Tunnel

IKEv2 SAs:
Session-id:44, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id     Local                Remote     Status         Role
980175485     2.2.2.2/500     1.1.1.1/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 10800/26 sec

Best Answer

Azure Route-Based VPNs actually do support Cisco ASAs, but you have to configure Policy Based Traffic Selectors on the Azure Gateway.
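The fix from the accepted answer, applied with Azure PowerShell, as an added example that is not part of the question or the answer. It assumes the Az.Network module, placeholder resource group and connection names, and takes the IKE/IPsec values from the ASA config in the question.

```powershell
# Added example: turn on policy-based traffic selectors for the Azure
# route-based gateway connection and pin its IKE/IPsec parameters to what
# the ASA in the question is configured with. Requires Az.Network.
# Resource group and connection name are placeholders (assumption).
$rg   = 'RG-PLACEHOLDER'
$name = 'ASA-CONNECTION-PLACEHOLDER'

# Values mirroring the ASA config:
#   crypto ikev2 policy 5 -> AES-256, SHA-256, DH group 2
#   ipsec-proposal        -> aes-gcm-256 (AEAD, so Azure requires GCMAES256
#                            for the integrity value as well)
#   SA lifetime           -> 3600 seconds / 102400000 kilobytes
#   no 'set pfs' on the crypto map -> PfsGroup None
$policy = New-AzIpsecPolicy `
    -IkeEncryption       AES256 `
    -IkeIntegrity        SHA256 `
    -DhGroup             DHGroup2 `
    -IpsecEncryption     GCMAES256 `
    -IpsecIntegrity      GCMAES256 `
    -PfsGroup            None `
    -SALifeTimeSeconds   3600 `
    -SADataSizeKilobytes 102400000

$conn = Get-AzVirtualNetworkGatewayConnection -Name $name -ResourceGroupName $rg

# With UsePolicyBasedTrafficSelectors the gateway negotiates one child SA per
# (VNet prefix, local network gateway prefix) pair instead of the 0.0.0.0/0
# selectors a route-based gateway sends by default, which a crypto-map ACL
# on the ASA can actually match.
Set-AzVirtualNetworkGatewayConnection `
    -VirtualNetworkGatewayConnection $conn `
    -IpsecPolicies $policy `
    -UsePolicyBasedTrafficSelectors $true

# Check that the connection now carries the custom policy and the TS flag.
Get-AzVirtualNetworkGatewayConnection -Name $name -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, UsePolicyBasedTrafficSelectors, IpsecPolicies
```

The ASA's crypto map ACL (vpn-traffic-ikev2 in the question) then has to cover exactly the VNet address space on one side and the local network gateway prefixes on the other, because each such pair becomes its own traffic selector and any prefix mismatch produces the same "Failed to find a matching policy" result.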