I have changed my configuration to test if it is possible to make a connection with MS Azure using the policy based configuration as I had problems configuring the Router based solutions.
I can happily say that I have accomplished this task.
First you have to set up Azure with a policy-based VPN config. You then get the IP address space and the IP address of the Azure gateway.
Then comes the fun part:
Create an Access list to guide the traffic:
acl advanced 3102
rule 0 permit ip source <YOUR INTERNAL SUBNET> 0.0.0.255 destination <AZURE SUBNET> 0.0.1.255
Create your key-chain:
ike keychain Azure1
pre-shared-key address <MSAZURE IP ADDRESS> 255.255.255.255 key simple <add your key>
Create an IKE proposal:
ike proposal 20
encryption-algorithm aes-cbc-256
dh group2
sa duration 28800
description Azure IKE proposal
Next create your IKE profile:
ike profile Azure-Profile
keychain Azure1
local-identity address <YOUR IP ADDRESS>
match remote identity address <MS AZURE IP ADDRESS> 255.255.255.255
proposal 20
Next, construct your IPsec transform-set:
ipsec transform-set azure-trans
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha1
Next, create your IPsec policy:
ipsec policy AzurePolicy 10 isakmp
transform-set azure-trans
security acl 3102
remote-address <MS AZURE IP ADDRESS>
ike-profile Azure-Profile
sa duration time-based 3600
sa duration traffic-based 102400000
Now let's tie it all together by applying it to the interface:
interface GigabitEthernet0/0
port link-mode route
mtu 1400
ip address <YOUR INTERNET IP ADDRESS> 255.255.255.248
nat outbound
ipsec apply policy AzurePolicy
So far so good.
The connection works and you can see it with:
dis ipsec sa
dis ike sa
But if you try to ping the subnet within MS Azure, your traffic will not route.
You need to add in a static route. Now my question:
I have tried every thing and all possible options and nothing seems to work.
The most logical is to add
ip route-static 10.0.0.0 0.0.1.255 <MS AZURE IP ADDRESS>
but this doesn't seem to work. No traffic is flowing. So what am I missing? Can anybody help me get the traffic to flow?
#ipsec #MSR954 #Ike #Comwarev7 #Azure
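An added example (not part of the original post) that checks one convention the config above mixes: Comware `acl` rules take wildcard masks (`0.0.1.255`), while `ip route-static` takes a subnet mask or prefix length. It parses a constructed config shaped like the posted one, with made-up addresses in place of the placeholders, derives the Azure network from the ACL wildcard and reports any route line whose mask field is actually a wildcard, alongside the prefix-length form; the next hop is left as whatever the route line carried, and which next hop is right for the tunnel is not something this check decides.

```python
import ipaddress
import re

# Constructed sample shaped like the posted config, with the placeholders
# replaced by made-up values (192.168.1.0/24 inside, 203.0.113.1 as next hop).
SAMPLE_CONFIG = """\
acl advanced 3102
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.1.255
ip route-static 10.0.0.0 0.0.1.255 203.0.113.1
"""

RULE_RE = re.compile(r"^\s*rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)"
                     r"\s+destination\s+(\S+)\s+(\S+)")
ROUTE_RE = re.compile(r"^\s*ip\s+route-static\s+(\S+)\s+(\S+)\s+(\S+)")

def wildcard_to_prefixlen(wildcard: str) -> int:
    """ACL rules use wildcard masks: 0 bits must match, 1 bits are don't-care."""
    bits = int(ipaddress.IPv4Address(wildcard))
    host_bits = bits.bit_length()
    if bits != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return 32 - host_bits

def is_netmask(mask: str) -> bool:
    """A netmask is contiguous 1 bits from the left (255.255.254.0); a wildcard is not."""
    bits = int(ipaddress.IPv4Address(mask))
    inverted = ~bits & 0xFFFFFFFF
    return inverted == (1 << inverted.bit_length()) - 1

def acl_destinations(config: str) -> list:
    """Networks the ACL selects as the remote (Azure) side of the tunnel."""
    nets = []
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if m:
            plen = wildcard_to_prefixlen(m.group(4))
            nets.append(ipaddress.ip_network(f"{m.group(3)}/{plen}", strict=False))
    return nets

def check_static_routes(config: str) -> list:
    """Pair each route line whose mask field is a wildcard with its prefix-length form."""
    findings = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if m and not (m.group(2).isdigit() or is_netmask(m.group(2))):
            plen = wildcard_to_prefixlen(m.group(2))  # the field re-read as a wildcard
            fix = f"ip route-static {m.group(1)} {plen} {m.group(3)}"
            findings.append((line.strip(), fix))
    return findings
```

Running `check_static_routes(SAMPLE_CONFIG)` on the sample yields the original route line paired with `ip route-static 10.0.0.0 23 203.0.113.1`, the same /23 that `acl_destinations` derives from the ACL wildcard.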