Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2106
Views
0
Helpful
2
Replies

Cisco ASA VPN Tunnel to Azure VPN Gateway IKEV2 with VTI

Nathan Brock
Level 1
Level 1

‎06-05-2017 12:46 PM

With the latest release of the Cisco ASA iOS, they have added support for Virtual Tunnel Interfaces over IKEV2. 

I have been able to successfully great a tunnel and pass traffic between my ASA Inside Network and my Azure Hosted Virtual network. 

But after so long my tunnel drops and I have to change the static IP on the VTI to get the tunnel to start back up. 

Does anyone have an example ASA config that has been working consistently for several days? 

Once I resolve this issue, I will be posting the powershell instructions for setting up a VPN Gateway on Azure for Cisco ASA and the Cisco ASA Config once my deployment is perfected. 

Thanks,

Nate

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Nathan Brock
Level 1
Level 1

‎06-07-2017 04:48 AM

I just noticed this but Azure has new VPN SKUs

Gateway SKUs

When you create a virtual network gateway, you need to specify the gateway SKU that you want to use. Select the SKUs that satisfy your requirements based on the types of workloads, throughputs, features, and SLAs. Azure offers the following VPN gateway SKUs:

SKU S2S/VNet-to-VNet
Tunnels		 P2S
Connections		 Aggregate
Throughput
VpnGw1 Max. 30 Max. 128 500 Mbps
VpnGw2 Max. 30 Max. 128 1 Gbps
VpnGw3 Max. 30 Max. 128 1.25 Gbps
Basic Max. 10 Max. 128 100 Mbps
0 Helpful

NetworkResponsible
Level 1
Level 1

‎10-13-2017 03:46 AM

Hi Nathan,

 

Can you pls help me out to establish the s2s VTI VPN connection between ASA on prem and Azure site. I don't have any idea how Azure configuring the solution. My concern here is

1)Would I use any pvt range IP adds for configuring Tunnel interfaec or it should be mutually decide from both end.Let's say I use 172.16.1.1/24 then will Azure use 172.16.1.2/24 at their virtual interface ?

2)Should I create any ACL for identifying the interesting traffic or no need as it is route based VPN ?

3)After establishing the tunnel ,our demand is force-tunneling.It means Azure side machines sould be redirected to on prem/our side to access internet,so how we reserve the bandwidth and controll the traffic on our ASA?

 

Thnak you very very much in advance.Waiting for your reply.

 

Regards,

 

Jagat

0 Helpful
Customers Also Viewed These Support Documents