You can optionally specify an exact combination of cryptographic algorithms and key strengths for a specific connection, as described in About cryptographic requirements. If you specify an exact combination of algorithms and key strengths, be sure to use the corresponding specifications on your VPN devices.

This configuration consists of a single S2S VPN tunnel between an Azure VPN gateway and an on-premises VPN device. You can optionally configure BGP across the VPN tunnel.

For step-by-step instructions to build the Azure configurations, see Single VPN tunnel setup.

Virtual network and VPN gateway information

This section lists the parameters for the sample.

The following table lists the IPsec/IKE algorithms and parameters that are used in the sample.

* On some devices, IPsec Integrity must be a null value when the IPsec Encryption algorithm is AES-GCM.

ASA device support:

- Support for IKEv2 requires ASA version 8.4 and later.
- Support for DH Group and PFS Group beyond Group 5 requires ASA version 9.x.
- Support for IPsec Encryption with AES-GCM and IPsec Integrity with SHA-256, SHA-384, or SHA-512 requires ASA version 9.x. This support requirement applies to newer ASA devices. At the time of publication, ASA models 5505, 5510, 5520, 5540, 5550, and 5580 do not support these algorithms. Consult your VPN device specifications to verify the algorithms that are supported for your VPN device models and firmware versions.

Sample script

The script provides a sample that is based on the configuration and parameters that are described in the previous sections. The S2S VPN tunnel configuration consists of the following parts:

- IKE policy and parameters (phase 1 or main mode)
- IPsec policy and parameters (phase 2 or quick mode)
- Other parameters, such as TCP MSS clamping

Complete the following steps before you use the sample script.

! Sample ASA configuration for connecting to Azure VPN gateway
!
! Replace the following placeholders (shown in angle brackets) with your actual values:
!   - Interface names - default are "outside" and "inside"
!   - <LocalNetworkGatewayName>* => LocalNetworkGateway - the Azure resource that represents the
!     on-premises network, specifies network prefixes, device public IP, BGP info, etc.
!   - <InsidePrivateIPAddress> => Replace it with a private IP address if applicable
!   - <Netmask> => Replace it with appropriate netmasks
!   - <NextHopIPAddress> => Replace it with the actual nexthop IP address
!   (*) Must be unique names in the device configuration
!
! > <OutsidePublicIPAddress> address on the outside interface or vlan
! > <InsidePrivateIPAddress> on the inside interface or vlan, e.g., 10.51.0.1/24
!
! > Most firewall devices deny all traffic by default. The access lists below
!   (1) Allow S2S VPN tunnels between the ASA and the Azure gateway public IP address
!   (2) Construct traffic selectors as part of IPsec policy or proposal
!
access-list outside_access_in extended permit ip host <AzureGatewayPublicIP> host <OnPremisesDevicePublicIP>
!
! > Object group that consists of all VNet prefixes (e.g., 10.11.0.0/16 and any further VNet prefixes)
!   (placeholder member shown; add one network-object per VNet prefix)
!
object-group network Azure-<VNetName>
 description Azure virtual network prefixes
 network-object <VNetPrefix> <Netmask>
!
! > Object group that corresponds to the <LocalNetworkGatewayName> prefixes.
!   In Azure network resource, a local network gateway defines the on-premises
!   network properties (address prefixes, VPN device IP, BGP ASN, etc.)
!   (placeholder member shown; add one network-object per on-premises prefix)
!
object-group network <LocalNetworkGatewayName>
 description On-Premises network prefixes
 network-object <OnPremisesPrefix> <Netmask>
!
! > Specify the access-list between the Azure VNet and your on-premises network.
!   This access list defines the IPsec SA traffic selectors.
!
access-list Azure-<VNetName>-acl extended permit ip object-group <LocalNetworkGatewayName> object-group Azure-<VNetName>
!
! > No NAT required between the on-premises network and Azure VNet
!
nat (inside,outside) source static <LocalNetworkGatewayName> <LocalNetworkGatewayName> destination static Azure-<VNetName> Azure-<VNetName>
!
! > General IKEv2 configuration - enable IKEv2 for VPN
!
! > Define IKEv2 Phase 1/Main Mode policy
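The ASA version and model constraints this article lists (IKEv2 from 8.4, DH/PFS groups beyond Group 5 and AES-GCM or SHA-2 integrity from 9.x, the legacy models that lack them, null integrity with AES-GCM) turned into a pre-flight check to run before pushing a custom IPsec/IKE policy to both sides. This is an added example, not code from the article or from Microsoft; the policies it checks are constructed, not the article's parameter table.

```python
"""Pre-flight check of an IKEv2/IPsec proposal against the ASA support limits
stated in this article. Added example, not part of the Microsoft documentation;
the policies in the demo at the bottom are constructed, not the article's table."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASA models the article lists as not supporting AES-GCM / SHA-2 integrity
LEGACY_MODELS = {"5505", "5510", "5520", "5540", "5550", "5580"}
GCM_CIPHERS = {"AES-GCM-128", "AES-GCM-192", "AES-GCM-256"}
SHA2_INTEGRITY = {"SHA256", "SHA384", "SHA512"}


@dataclass
class Policy:
    ike_version: int
    dh_group: int                   # IKE Diffie-Hellman group number
    pfs_group: int                  # 0 = PFS disabled
    ipsec_encryption: str           # e.g. "AES256" or "AES-GCM-256"
    ipsec_integrity: Optional[str]  # None = "null" integrity (AEAD ciphers)


def parse_asa_version(version: str) -> Tuple[int, int]:
    """'9.2(4)' -> (9, 2); '8.4(7)' -> (8, 4). The build number in parentheses is ignored."""
    major, minor = version.split("(")[0].split(".")[:2]
    return int(major), int(minor)


def check_policy(policy: Policy, asa_version: str, asa_model: str) -> List[str]:
    """Return the constraints the proposal violates for this device (empty = OK to deploy)."""
    major, minor = parse_asa_version(asa_version)
    issues = []
    if policy.ike_version == 2 and (major, minor) < (8, 4):
        issues.append("IKEv2 requires ASA 8.4 or later")
    if (policy.dh_group > 5 or policy.pfs_group > 5) and major < 9:
        issues.append("DH/PFS group beyond Group 5 requires ASA 9.x")
    uses_gcm = policy.ipsec_encryption in GCM_CIPHERS
    uses_sha2 = policy.ipsec_integrity in SHA2_INTEGRITY
    if uses_gcm or uses_sha2:
        if major < 9:
            issues.append("AES-GCM or SHA-256/384/512 integrity requires ASA 9.x")
        if asa_model in LEGACY_MODELS:
            issues.append(f"ASA {asa_model} does not support AES-GCM / SHA-2 integrity")
    if uses_gcm and policy.ipsec_integrity is not None:
        # AES-GCM is an AEAD cipher; the ASA expects a null integrity setting with it
        issues.append("set IPsec integrity to null when using AES-GCM")
    return issues


if __name__ == "__main__":
    strong = Policy(2, 14, 14, "AES-GCM-256", None)  # constructed proposal
    for model, ver in (("5515-X", "9.2(4)"), ("5505", "9.2(4)")):
        print(model, ver, check_policy(strong, ver, model) or "OK")
```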