Cisco ASA Route-based Site-to-Site VPN to Azure

prerequirements: ASA software 9.8.1 (I have tested 9.8.2)

Azure configuration:
add a Virtual network gateway to you azure subnet, I use basic, then adding a connection to the gateway like this:

ASA configuration

Configure VPN interface:

crypto ikev2 policy 3
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 10800

crypto ipsec ikev2 ipsec-proposal Proposal-Azure
  protocol esp encryption aes-256
  protocol esp integrity sha-1

crypto ipsec profile Profile-Azure
  set ikev2 ipsec-proposal Proposal-Azure
  set pfs group2
  set security-association lifetime kilobytes 102400000
  set security-association lifetime seconds 10800

interface Tunnel1
  nameif VPN-AZURE
  ip address standby
  tunnel source interface outside
  tunnel destination [Azure vpngateway public ip]
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile Profile-Azure

tunnel-group [Azure vpngateway public ip] type ipsec-l2l
tunnel-group [Azure vpngateway public ip] ipsec-attributes
ikev2 remote-authentication pre-shared-key [PreesharedKey]
ikev2 local-authentication pre-shared-key [PreesharedKey]

Configure static route to azure networks:

route VPN-AZURE [local azure subnet scope] [Azure vpngateway public ip] 1



Leave a Reply