2022-10-01
IPSEC VPN Azure to ASA with BGP
Azure vnet 192.168.1.0/24 --- ASA 192.168.80.0/24
VNET Name: AzureVNET
Address Range: 192.168.1.0/24 <--- this is the VNET address range inside Azure
GatewaySubnet: 192.168.0.0/24 <--- this is the gateway subnet inside Azure
VPN Type: Route-based
Azure BGP ASN: 64513
Azure BGP Public IP: 104.43.16.252
Azure BGP peer IP: 192.168.0.254 <---- inside the gateway subnet
On Premise Public IP: 50.56.20.6
On Premise BGP ASN: 64512
On Premise BGP Peer IP: 192.168.100.2 <---- any IP, as long as it is not inside either side's networks
Log in to Azure.
Here you need to select Configure BGP.
For BGP, both the Azure side (64513) and the ASA side (64512) use private ASNs.
Note that the virtual network gateway must have a gateway subnet.
If you do not have a VNET yet, create the VNET first.
1. Create virtual network gateway.
Address Range: 192.168.1.0/24 <---- this gateway is attached to the VNET
GatewaySubnet: 192.168.0.0/24 <---- required, must be /27 or larger; this subnet is contained within the VNET
VPN Type: Route-based
BGP ASN: 64513
Azure BGP Public IP: 104.43.16.252 <-- assigned automatically
Azure BGP peer IP: 192.168.0.254 <-- this address must be inside the Gateway subnet
2. Create Local network gateway <--- On Premise or peer IP address
This Local network gateway holds the settings for the remote ASA side, such as the public IP address of the ASA.
The most important field here is the BGP peer IP address,
which is the IP address we use on the ASA's virtual tunnel interface.
The address space 192.168.100.2/32 must be the same as the BGP peer IP address.
This address must not be inside either side's address space, i.e. not inside any of the ranges below; use an address you have not used anywhere else:
Azure VNET 192.168.1.0/24 192.168.0.0/24
ASA 192.168.80.0/24
This IP address goes together with the other local network gateway values: On Premise Public IP 50.56.20.6, On Premise BGP ASN 64512, On Premise BGP Peer IP 192.168.100.2 <----- the IP address we use on the ASA's virtual tunnel interface.
3. Create new connection
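As an added example (not from the original post), a short Python check of the address-planning rules from steps 1 and 2 above: GatewaySubnet at least /27, the Azure peer IP inside it, the on-prem BGP peer outside every prefix on either side, the local network gateway address space equal to that peer as a /32, private and distinct ASNs, and whether ebgp-multihop is needed for the VTI address. The values are the post's; the function names are my own.

```python
import ipaddress

# Address plan as given in the post; the validation functions are the added part.
PLAN = {
    "vnet": ["192.168.1.0/24"],          # Azure VNET address range(s)
    "gateway_subnet": "192.168.0.0/24",  # Azure GatewaySubnet
    "azure_asn": 64513,
    "azure_bgp_peer_ip": "192.168.0.254",
    "onprem_lan": ["192.168.80.0/24"],   # ASA side network(s)
    "onprem_asn": 64512,
    "onprem_bgp_peer_ip": "192.168.100.2",
    "local_gw_address_space": "192.168.100.2/32",  # Local network gateway address space
}

PRIVATE_ASN = range(64512, 65535)  # 16-bit private ASN range 64512-65534


def check_plan(plan):
    """Return a list of problems with the address plan; an empty list means it passes."""
    problems = []
    gw_subnet = ipaddress.ip_network(plan["gateway_subnet"])
    azure_peer = ipaddress.ip_address(plan["azure_bgp_peer_ip"])
    onprem_peer = ipaddress.ip_address(plan["onprem_bgp_peer_ip"])
    local_space = ipaddress.ip_network(plan["local_gw_address_space"])
    # GatewaySubnet must be /27 or larger.
    if gw_subnet.prefixlen > 27:
        problems.append(f"GatewaySubnet {gw_subnet} is smaller than /27")
    # The Azure BGP peer IP must sit inside the GatewaySubnet.
    if azure_peer not in gw_subnet:
        problems.append(f"Azure BGP peer {azure_peer} is not in {gw_subnet}")
    # The on-prem BGP peer (the VTI address) must not fall inside any prefix on either side.
    for prefix in [gw_subnet] + [ipaddress.ip_network(p) for p in plan["vnet"] + plan["onprem_lan"]]:
        if onprem_peer in prefix:
            problems.append(f"on-prem BGP peer {onprem_peer} overlaps {prefix}")
    # Local network gateway address space must be exactly the peer IP as a /32.
    if local_space != ipaddress.ip_network(f"{onprem_peer}/32"):
        problems.append(f"address space {local_space} != {onprem_peer}/32")
    # Both ASNs must be private and different (eBGP).
    for name in ("azure_asn", "onprem_asn"):
        if plan[name] not in PRIVATE_ASN:
            problems.append(f"{name} {plan[name]} is not a private ASN")
    if plan["azure_asn"] == plan["onprem_asn"]:
        problems.append("Azure and on-prem ASNs must differ for eBGP")
    return problems


def needs_ebgp_multihop(vti_ip_with_mask, azure_peer_ip):
    """True when the Azure peer is off the VTI's subnet, so 'neighbor ... ebgp-multihop' is required."""
    return ipaddress.ip_address(azure_peer_ip) not in ipaddress.ip_interface(vti_ip_with_mask).network
```

With the post's values check_plan(PLAN) returns no problems, and needs_ebgp_multihop("192.168.100.2/24", "192.168.0.254") is True, which is why the ASA config below carries ebgp-multihop.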
ASA side.
interface Tunnel2
nameif vti-remote-vpn-gateway-104.43.16.252
ip address 192.168.100.2 255.255.255.0
tunnel source interface OUTSIDE
tunnel destination 104.43.16.252
tunnel mode ipsec ipv4
tunnel protection ipsec profile Azure-Ipsec-PROF-remote-vpn-gateway-104.43.16.252
# route to the gateway subnet
# the Azure gateway subnet must be routed via 192.168.0.254, which is the BGP IP address on the Azure side
route vti-remote-vpn-gateway-104.43.16.252 192.168.0.0 255.255.255.0 192.168.0.254
router bgp 64512
bgp log-neighbor-changes
bgp router-id 192.168.0.2
address-family ipv4 unicast
neighbor 192.168.0.254 remote-as 64513
neighbor 192.168.0.254 ebgp-multihop 255 <--- multihop must be specified
neighbor 192.168.0.254 activate
network 192.168.80.0
no auto-summary
no synchronization
exit-address-family
!!!!!!!!!!!!!!!!!!!!!!! PHASE 1 : IKEv2 POLICY
crypto ikev2 policy 20
encryption aes-256 aes-192 aes
integrity sha512 sha384 sha256 sha
group 14 2
prf sha512 sha384 sha256 sha
lifetime seconds 86400
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! PHASE 2:
crypto ipsec ikev2 ipsec-proposal Azure-Ipsec-PROP-remote-vpn-gateway-104.43.16.252
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec profile Azure-Ipsec-PROF-remote-vpn-gateway-104.43.16.252
set ikev2 ipsec-proposal Azure-Ipsec-PROP-remote-vpn-gateway-104.43.16.252
group-policy 104.43.16.252 internal
group-policy 104.43.16.252 attributes
vpn-tunnel-protocol ikev2
tunnel-group 104.43.16.252 type ipsec-l2l
tunnel-group 104.43.16.252 general-attributes
default-group-policy 104.43.16.252
tunnel-group 104.43.16.252 ipsec-attributes
ikev2 remote-authentication pre-shared-key **********
ikev2 local-authentication pre-shared-key **********
no tunnel-group-map enable peer-ip
tunnel-group-map default-group 104.43.16.252
# After both sides are configured, you can test:
# sh bgp sum
BGP router identifier 192.168.0.2, local AS number 64512
BGP table version is 8, main routing table version 8
3 network entries using 600 bytes of memory
3 path entries using 240 bytes of memory
2/2 BGP path/bestpath attribute entries using 416 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1280 total bytes of memory
BGP activity 8/5 prefixes, 8/5 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.0.254   4 64513       4       5        6    0    0 00:00:04        2
FW-990037-493100/sec/act# sh bgp
BGP table version is 8, local router ID is 192.168.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
*>   192.168.0.0/22   192.168.0.254                          0 64513 i
*>   192.168.80.0     0.0.0.0                  0         32768 i   <--- local route
# References
https://github.com/yinghli/azure-vpn-asa