! Azure Stack (as of 15.02.2018) supports only aes-gcm-256 as the ESP encryption algorithm
! Address objects for the Azure side and the on-premises side of the tunnel
object-group network Azure-Networks
network-object <external>0.0 255.255.255.0
object-group network Onprem-Networks
network-object <internal>20.0 255.255.255.0
! Allow the peer gateways to reach each other and define the interesting traffic for the crypto map
access-list outside_access_in extended permit ip host <external_gw> host <internal_gw>
access-list Azure-VMNetworks-acl extended permit ip object-group Onprem-Networks object-group Azure-Networks
! Clamp TCP MSS so encapsulated packets are not fragmented; keep existing flows when the tunnel is rebuilt
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
! IPsec (phase 2) proposal; AES-GCM is an AEAD cipher and authenticates the ESP payload itself
crypto ipsec ikev2 ipsec-proposal AES-256
protocol esp encryption aes-gcm-256
protocol esp integrity sha-1
! Crypto map: interesting traffic, PFS group, peer, proposal and IPsec SA lifetime
crypto map Azure-VMNetworks-map 1 match address Azure-VMNetworks-acl
crypto map Azure-VMNetworks-map 1 set pfs group24
! or try to use group 14
!crypto map Azure-VMNetworks-map 1 set pfs group14
crypto map Azure-VMNetworks-map 1 set peer <external_gw>
crypto map Azure-VMNetworks-map 1 set ikev2 ipsec-proposal AES-256
crypto map Azure-VMNetworks-map 1 set security-association lifetime seconds 14400
crypto map Azure-VMNetworks-map interface outside
crypto isakmp identity address
! IKEv2 (phase 1) policy
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 2
prf sha256
lifetime seconds 28800
crypto ikev2 enable outside
! Site-to-site tunnel to the Azure gateway, authenticated with a pre-shared key on both sides
tunnel-group <external_gw> type ipsec-l2l
tunnel-group <external_gw> ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2