!
! Microsoft Corporation
! ------------------------------------------------------------------------------
! Sample VPN tunnel configuration template for Cisco IOS-based devices
!
! ##############################################################################
! !!! Search for "REPLACE" to find the values that require special
! !!! considerations
! !!!
! !!! (1) ACL/access-list rule numbers
! !!! (2) Tunnel interface number
! !!! (3) Tunnel interface IP address
! !!! (4) BGP routes to advertise (if BGP is enabled)
! !!! (5) BGP peer IP address on the device - loopback interface number
! ##############################################################################
!
! [0] Device information
!
! > Device vendor: Cisco
! > Device family: IOS-based (ASR, ISR)
! > Firmware version: IOS 15.1 or later
! > Test platform: Cisco ISR 2911, version 15.2
!
! [1] Network parameters
!
! > Connection name: VPN-HEC45-LMI-04
! > VPN Gateway name: 57080077-bd59-4bb9-9a9c-100bc6af0c67
! > Public IP addresses:
! + Public IP 1: 20.124.122.8
! > Virtual network address space:
! + CIDR: 10.10.100.0/22
! - Prefix: 10.10.100.0
! - Netmask: 255.255.252.0
! - Wildcard: 0.0.3.255
! > Local network gateway: LNG-HEC45-LMI-04
! > On-premises VPN IP: 200.113.106.156
! > On-premises address prefixes:
! + CIDR: 10.10.10.0/24
! - Prefix: 10.10.10.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.20.0/24
! - Prefix: 10.10.20.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.21.0/24
! - Prefix: 10.10.21.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.30.0/24
! - Prefix: 10.10.30.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.31.0/24
! - Prefix: 10.10.31.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.51.0/24
! - Prefix: 10.10.51.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.60.0/24
! - Prefix: 10.10.60.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.61.0/24
! - Prefix: 10.10.61.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.62.0/24
! - Prefix: 10.10.62.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.63.0/24
! - Prefix: 10.10.63.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.70.0/24
! - Prefix: 10.10.70.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.71.0/24
! - Prefix: 10.10.71.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.72.0/24
! - Prefix: 10.10.72.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.81.0/24
! - Prefix: 10.10.81.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 192.168.102.0/24
! - Prefix: 192.168.102.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
!
! [2] IPsec/IKE parameters
!
! > IKE version: IKEv2
! + Encryption algorithm: aes-cbc-256
! + Integrity algorithm: sha1
! + Diffie-Hellman group: 2
! + SA lifetime (seconds): 3600
! + Pre-shared key: cFw1HQsoqt5ptN+eMArFBHsFncsOL8fe
! + UsePolicyBasedTS: False
!
! > IPsec
! + Encryption algorithm: esp-gcm 256
! + Integrity algorithm:
! + PFS Group: none
! + SA lifetime (seconds): 3600
!
! [3] BGP parameters - Azure VPN gateway
!
! > Azure virtual network
! + Enable BGP: False
! + Azure BGP ASN: VNG_ASN
! > On-premises network / LNG
! + On premises BGP ASN: LNG_ASN
! + On premises BGP IP: LNG_BGPIP
!
! ------------------------------------------------------------------------------
! ACL rules
!
! Some VPN devices require explicit ACL rules to allow cross-premises traffic:
!
! 1. Allow traffic between on premises address ranges and VNet address ranges
! 2. Allow IKE traffic (UDP:500) between on premises VPN devices and Azure VPN gateway
! 3. Allow IPsec traffic (Proto:ESP) between on premises VPN devices and Azure VPN gateway

access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.21.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.30.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.31.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.51.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.60.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.61.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.62.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.63.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.70.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.71.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.72.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.81.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 192.168.102.0 0.0.0.255 10.10.100.0 0.0.3.255

! ==============================================================================
! Internet Key Exchange (IKE) configuration
! - IKE Phase 1 / Main mode configuration
! - Encryption/integrity algorithms, Diffie-Hellman group, pre-shared key

crypto ikev2 proposal VPN-HEC45-LMI-04-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
exit

crypto ikev2 policy VPN-HEC45-LMI-04-policy
 proposal VPN-HEC45-LMI-04-proposal
 match address local 200.113.106.156
exit

crypto ikev2 keyring VPN-HEC45-LMI-04-keyring
 peer 20.124.122.8
  address 20.124.122.8
  pre-shared-key cFw1HQsoqt5ptN+eMArFBHsFncsOL8fe
 exit
exit

crypto ikev2 profile VPN-HEC45-LMI-04-profile
 match address local 200.113.106.156
 match identity remote address 20.124.122.8 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 lifetime 3600
 keyring local VPN-HEC45-LMI-04-keyring
exit

! ------------------------------------------------------------------------------
! IPsec configuration
! - IPsec (or IKE Phase 2 / Quick Mode) configuration
! - Transform Set: IPsec encryption/integrity algorithms, IPsec ESP mode

crypto ipsec transform-set VPN-HEC45-LMI-04-TransformSet esp-gcm 256
 mode tunnel
exit

crypto ipsec profile VPN-HEC45-LMI-04-IPsecProfile
 set transform-set VPN-HEC45-LMI-04-TransformSet
 set ikev2-profile VPN-HEC45-LMI-04-profile
 set security-association lifetime seconds 3600
exit
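! The following is an added hardening example, not part of the exported Azure
! template and not Microsoft's or Cisco's own sample: the same IKEv2 proposal and
! IPsec profile with the legacy parameters from section [2] replaced (SHA-1 and
! 1024-bit DH group 2 become SHA-256 and group 14; the IPsec profile gets PFS
! with group 14 instead of none) and the pre-shared key stored encrypted (type 6)
! instead of in clear text. It assumes the Azure connection's IPsec/IKE policy is
! set to the same algorithms, since both ends must agree, and that the device
! supports type 6 key encryption; REPLACE_WITH_MASTER_KEY is a placeholder.

```cisco
! Encrypt pre-shared keys at rest (type 6) so the keyring does not keep the
! PSK in clear text in the running configuration.
key config-key password-encrypt REPLACE_WITH_MASTER_KEY
password encryption aes
!
! IKEv2 proposal: same names as the template, stronger integrity and DH group.
! On a device already running the template, remove "integrity sha1" and
! "group 2" from the proposal before adding these.
crypto ikev2 proposal VPN-HEC45-LMI-04-proposal
 encryption aes-cbc-256
 integrity sha256
 group 14
exit
!
crypto ikev2 policy VPN-HEC45-LMI-04-policy
 proposal VPN-HEC45-LMI-04-proposal
 match address local 200.113.106.156
exit
!
! IPsec: keep ESP AES-GCM-256 (AEAD, so no separate integrity algorithm)
! and add perfect forward secrecy so a leaked IKE SA key does not expose
! later IPsec SA keys.
crypto ipsec transform-set VPN-HEC45-LMI-04-TransformSet esp-gcm 256
 mode tunnel
exit
!
crypto ipsec profile VPN-HEC45-LMI-04-IPsecProfile
 set transform-set VPN-HEC45-LMI-04-TransformSet
 set ikev2-profile VPN-HEC45-LMI-04-profile
 set pfs group14
 set security-association lifetime seconds 3600
exit
```

After applying, confirm the negotiated parameters with "show crypto ikev2 sa detail" and "show crypto ipsec sa"; a mismatch with the Azure policy shows up as the tunnel failing to come up rather than silently falling back.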

! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
! other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface number and APIPA IP address below
! * In active-active configuration, there will be two tunnel interfaces below

int tunnel 11
 ip address 169.254.0.1 255.255.255.252
 tunnel mode ipsec ipv4
 ip tcp adjust-mss 1350
 tunnel source 200.113.106.156
 tunnel destination 20.124.122.8
 tunnel protection ipsec profile VPN-HEC45-LMI-04-IPsecProfile
exit

! ------------------------------------------------------------------------------
! BGP configuration
! - BGP configuration if enabled for the connection
! * REPLACE: Loopback interface number(s)
! * REPLACE: Local routes and netmasks to advertise - LOCAL_ROUTE and LOCAL_MASK

! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s)

ip route 10.10.100.0 255.255.252.0 Tunnel 11