ASA5516 9.8(2) IKEv2 (no BGP) site to site connection with Azure fails

I have a Azure subscription, with a virtual network where the gateway subnet is 172.26.0.0/27, and then I have a number of subnets, e.g. 172.26.1.0/24, 172.26.2.0/24, 172.26.3.0/24, ....

On the router side I have configured the network objects for 172.26.0.0/27 and 172.26.1.0/24.

The local network is 10.0.0.0/8.

This is the configuration I have used to setup the site to site connection on the router:

object network HQ-LAN
subnet 10.0.0.0 255.0.0.0
description The HQ LAN
object network AzureLabNet-LAN
subnet 172.26.1.0 255.255.255.0
description The Azure AzureLabNet LAN range
object network AzureLabNet-Gateway
subnet 172.26.0.0 255.255.255.224
object-group network AzureLabNet-network
description Azure AzureLabNet Virtual Network
network-object object AzureLabNet-LAN
network-object object AzureLabNet-Gateway
object-group network HQ-network
description HQ on-premises Network
network-object object HQ-LAN

access-list azure-vpn-acl extended permit ip object-group HQ-network object-group AzureLabNet-network log notifications 
nat (LAN,INTERNET) source static HQ-network HQ-network destination static AzureLabNet-network AzureLabNet-network no-proxy-arp route-lookup

crypto ipsec ikev2 ipsec-proposal AZURE-TRANSFORM-2
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup

crypto map CRYPTO-MAP 1 match address azure-vpn-acl
crypto map CRYPTO-MAP 1 set peer 40.a.b.c 
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal AZURE-TRANSFORM-2
crypto map CRYPTO-MAP 1 set ikev2 pre-shared-key ********
crypto map CRYPTO-MAP 1 set security-association lifetime seconds 3600
crypto map CRYPTO-MAP 1 set nat-t-disable
crypto map CRYPTO-MAP interface INTERNET

crypto ca trustpool policy

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28800

crypto ikev2 enable INTERNET

group-policy AzureGroupPolicy internal
group-policy AzureGroupPolicy attributes
vpn-tunnel-protocol ikev2

dynamic-access-policy-record DfltAccessPolicy
tunnel-group 40.a.b.c type ipsec-l2l
tunnel-group 40.a.b.c general-attributes
default-group-policy AzureGroupPolicy
tunnel-group 40.a.b.c ipsec-attributes
ikev2 remote-authentication pre-shared-key ********
ikev2 local-authentication pre-shared-key ********
no tunnel-group-map enable peer-ip
tunnel-group-map default-group 40.a.b.c

sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows

The connection seems to reach the point where a IKEv2 tunnel is setup, but then the tunnel get rejected with the following error:

751022                  Local:80.x.y.w:500 Remote:40.a.b.c:500 Username:40.a.b.c IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!

In debug, I found:

IKEv2-PROTO-2: (404): Processing IKE_AUTH message
IKEv2-PLAT-2: (404): Crypto Map: No proxy match on map CRYPTO-MAP seq 1
IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404): Received Policies:
ESP: Proposal 1: AES-GCM-256 Don't use ESN

ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN

ESP: Proposal 3: 3DES SHA96 Don't use ESN

ESP: Proposal 4: AES-CBC-256 SHA256 Don't use ESN

ESP: Proposal 5: AES-CBC-128 SHA96 Don't use ESN

ESP: Proposal 6: 3DES SHA256 Don't use ESN

IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404): Expected Policies:
IKEv2-PROTO-5: (404): Failed to verify the proposed policies
IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404):

And also:

IKEv2-PROTO-5: (237): SM Trace-> SA: I_SPI=8D624530AA96162A R_SPI=4A613765BD92DF8F (I) MsgID = 00000004 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-2: (237): Deleting SA
IKEv2-PROTO-1: session is not there in tree
IKEv2-PLAT-2:
CONNECTION STATUS: DOWN... peer: 40.a.b.c:500, phase1_id: 40.a.b.c
IKEv2-PLAT-2: (237): IKEv2 session deregistered from session manager. Reason: 6
IKEv2-PLAT-2: (237): session manager killed ikev2 tunnel. Reason: IKE Delete
IKEv2-PLAT-2: (237): PSH cleanup
IKEv2-PLAT-5: Active ike sa request deleted
IKEv2-PLAT-5: Decrement count for incoming active
IKEv2-PLAT-2: (404): Encrypt success status returned via ipc 1
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xAA15ED6E error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xFBC930C6 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xDA2A46C2 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x2EDA754D error FALSE

Update

About the Azure side: The address space on the virtual network is 172.26.0.0/16, the gateway subnet is 172.26.0.0/27, and the subnets are 172.26.1.0/24, 172.26.2.0/24, 172.26.3.0/24, 172.26.4.0/24, 172.26.5.0/24, 172.26.6.0/24, 172.26.7.0/24, 172.26.8.0/24, 172.26.9.0/24, 172.26.10.0/24, 172.26.11.0/24. At the moment I have only one VM up on 172.26.1.0/24 which I am using to test the VPN (and another whole lot of VMs spread across the other subnets).

Any suggestion on how to fix this site to site connection?

Leave Your Comment

Leave a Reply