Microsoft Azure To Cisco ISR Router Site to Site VPN

KB ID 0001220 

Problem

Last week I was having problems getting a VPN up from a client’s Cisco ASA into Azure. This was because the Azure estate was using a ‘route-based’ (‘dynamic routing’) VPN. See the following article;

Azure to Cisco VPN – ‘Failed to allocate PSH from platform’

So the firewall was a non-starter, but Cisco ISR routers are supported, because they can handle virtual tunnel interfaces (VTIs). So I used a Cisco ISR 1921 router, sat it beside the firewall, and gave it a public IP. Note: I did have to route the Azure-bound traffic via this router instead of the firewall, but that’s easy.

Now we just need to get the VPN tunnel up.

 

Solution

OK, before you get started your router needs to be able to support crypto/VPNs. That means you should be running a ‘security’ licence (show license should say you have a securityk9 licence installed and running, or K8 if you live in North Korea, or 1986). If you don’t, the router will not recognise any of the crypto commands.

To establish ‘Phase 1’ of the VPN tunnel we need an IKE proposal. Note: I’m using IKEv2, because that is a requirement for route-based (dynamic routing) VPNs from Azure.

[box]

Petes-ISR#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Petes-ISR(config)#crypto ikev2 proposal IKE-PROP-AZURE 
IKEv2 proposal should have atleast an encryption algorithm, an integrity algorithm and a dh group configured 
Petes-ISR(config-ikev2-proposal)# encryption aes-cbc-256 aes-cbc-128 3des 
Petes-ISR(config-ikev2-proposal)# integrity sha1 
Petes-ISR(config-ikev2-proposal)# group 2 
Petes-ISR(config-ikev2-proposal)# exit

[/box]

Then add the proposal we created above to an IKEv2 policy (note: a policy can have multiple proposals).

[box]

Petes-ISR(config)#crypto ikev2 policy IKE-POLICY-AZURE
IKEv2 policy should have atleast one complete proposal attached 
Petes-ISR(config-ikev2-policy)# proposal IKE-PROP-AZURE
Petes-ISR(config-ikev2-policy)# exit

[/box]

Create a keyring (in IKEv2 a keyring can hold multiple keys), and specify your VPN pre-shared key (PSK, or shared secret).

[box]

Petes-ISR(config)#crypto ikev2 keyring KEYRING-AZURE
Petes-ISR(config-ikev2-keyring)# peer 40.113.16.195
Petes-ISR(config-ikev2-keyring-peer)# address 40.113.16.195
Petes-ISR(config-ikev2-keyring-peer)# pre-shared-key 1234567890asdfg
Petes-ISR(config-ikev2-keyring-peer)# exit
Petes-ISR(config-ikev2-keyring)# exit

[/box]

Now all the ‘Phase 1‘ settings get tied together in a Phase 1 profile. (Note: GigabitEthernet0/0 is the public facing port, yours may be different).

[box]

Petes-ISR(config)#crypto ikev2 profile PROFILE-PH1-AZURE
% IKEv2 profile MUST have match identity or match certificate statements
Petes-ISR(config-ikev2-profile)# match address local interface GigabitEthernet0/0
Petes-ISR(config-ikev2-profile)# match identity remote address 40.113.16.195 255.255.255.255
Petes-ISR(config-ikev2-profile)# authentication remote pre-share
Petes-ISR(config-ikev2-profile)# authentication local pre-share
Petes-ISR(config-ikev2-profile)# keyring KEYRING-AZURE
Petes-ISR(config-ikev2-profile)# exit

[/box]

For ‘Phase 2‘ (IPSEC) you create a ‘transform set’.

[box]

Petes-ISR(config)#crypto ipsec transform-set TRANSFORM-AZURE esp-aes 256 esp-sha-hmac
Petes-ISR(cfg-crypto-trans)# mode tunnel
Petes-ISR(cfg-crypto-trans)# exit

[/box]

Then you tie all the ‘Phase 2‘ settings together with a ‘Phase 2’ profile, and link that back to the ‘Phase 1‘ profile.

[box]

Petes-ISR(config)#crypto ipsec profile PROFILE-PH2-AZURE
Petes-ISR(ipsec-profile)# set transform-set TRANSFORM-AZURE
Petes-ISR(ipsec-profile)# set ikev2-profile PROFILE-PH1-AZURE
Petes-ISR(ipsec-profile)# exit

[/box]

You then need to create a tunnel interface that uses all these settings.

Note: Yes, you can use 169.254.x.x (I know it’s an APIPA address, but it will work fine).

[box]

Petes-ISR(config)#int tunnel 1
Petes-ISR(config-if)# ip address 169.254.0.1 255.255.255.0
Petes-ISR(config-if)# ip tcp adjust-mss 1350
Petes-ISR(config-if)# tunnel source GigabitEthernet0/0
Petes-ISR(config-if)# tunnel mode ipsec ipv4
Petes-ISR(config-if)# tunnel destination 40.113.16.195
Petes-ISR(config-if)# tunnel protection ipsec profile PROFILE-PH2-AZURE
Petes-ISR(config-if)# exit

[/box]

Finally, the router needs to ‘know’ that traffic destined for Azure is sent down the VPN tunnel.

[box]

Petes-ISR(config)#ip route 10.0.0.0 255.255.255.0 tunnel 1

[/box]

Do I Need To Worry About NAT?

No (even if you are doing NAT overload). Unlike an IPsec VPN on a firewall, you do not need to exempt the VPN traffic from NAT translation. That’s because it leaves the router through the tunnel interface and not the public-facing interface.

Below are all the commands; copy and paste them and change them accordingly;

[box]

Assumptions

192.168.100.0/24 is behind the router
10.0.0.0/16 is the Azure network
40.113.16.195 is the Azure Gateway IP
1234567890asdfg is the pre-shared key
GigabitEthernet0/0 is the public-facing interface on the router

!
! access-list 101 is not referenced by anything below; a VTI tunnel using
! 'tunnel protection' needs no crypto ACL, so it can be left out.
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto ikev2 proposal IKE-PROP-AZURE
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
 exit
!
crypto ikev2 policy IKE-POLICY-AZURE
 proposal IKE-PROP-AZURE
 exit
!
crypto ikev2 keyring KEYRING-AZURE
 peer 40.113.16.195
   address 40.113.16.195
   pre-shared-key 1234567890asdfg
   exit
 exit
!
crypto ikev2 profile PROFILE-PH1-AZURE
 match address local interface GigabitEthernet0/0
 match identity remote address 40.113.16.195 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring KEYRING-AZURE
 exit
!
crypto ipsec transform-set TRANSFORM-AZURE esp-aes 256 esp-sha-hmac
 mode tunnel
 exit
!
crypto ipsec profile PROFILE-PH2-AZURE
 set transform-set TRANSFORM-AZURE
 set ikev2-profile PROFILE-PH1-AZURE
 exit
!
int tunnel 1
 ip address 169.254.0.1 255.255.255.0
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 40.113.16.195
 tunnel protection ipsec profile PROFILE-PH2-AZURE
 exit
!
! This route only covers 10.0.0.0/24; for the /16 Azure network assumed above,
! widen the mask (255.255.0.0) or add a route per Azure subnet.
ip route 10.0.0.0 255.255.255.0 tunnel 1

[/box]
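As an added check (my own example, not part of the original article or anything from Cisco), the Python below parses a config like the one above and confirms that every proposal, keyring, profile and transform set a later block refers to has actually been defined, i.e. the chain the article builds up step by step. It also flags the proposal choices (3DES, SHA-1, DH group 2) that Cisco’s next-generation encryption guidance classes as legacy. The sample config is the article’s own, trimmed to the lines the checker reads.

```python
import re
# Constructed sample: the article's VTI config, trimmed to the lines the checker reads.
SAMPLE_CONFIG = """\
crypto ikev2 proposal IKE-PROP-AZURE
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
crypto ikev2 policy IKE-POLICY-AZURE
 proposal IKE-PROP-AZURE
crypto ikev2 keyring KEYRING-AZURE
crypto ikev2 profile PROFILE-PH1-AZURE
 keyring KEYRING-AZURE
crypto ipsec transform-set TRANSFORM-AZURE esp-aes 256 esp-sha-hmac
crypto ipsec profile PROFILE-PH2-AZURE
 set transform-set TRANSFORM-AZURE
 set ikev2-profile PROFILE-PH1-AZURE
int tunnel 1
 tunnel protection ipsec profile PROFILE-PH2-AZURE
"""
DEFINITION = re.compile(r"^crypto ((?:ikev2|ipsec) \S+) (\S+)")  # -> (object type, name)
# REFERENCES: sub-command prefix -> object type its last argument must name.
REFERENCES = {"proposal": "ikev2 proposal", "keyring": "ikev2 keyring",
              "set transform-set": "ipsec transform-set",
              "set ikev2-profile": "ipsec profile" if False else "ikev2 profile",
              "tunnel protection ipsec profile": "ipsec profile"}
# LEGACY: proposal keyword -> values Cisco's NGE guidance says to avoid.
LEGACY = {"group": {"1", "2", "5"}, "encryption": {"3des"}, "integrity": {"sha1", "md5"}}

def parse_blocks(config):
    """Map each top-level IOS command to the list of its indented sub-commands."""
    blocks, current = {}, []
    for raw in config.splitlines():
        if raw.startswith(" ") and raw.strip():
            current.append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):  # skip blanks and '!' separators
            current = blocks.setdefault(raw.strip(), [])
    return blocks

def legacy_tokens(line):
    """Exact-token match, so 'group 2' is flagged but 'group 20' is not."""
    w = line.lower().split()
    return [f"{w[0]} {x}" for x in w[1:] if x in LEGACY.get(w[0], ())]

def check_config(config):
    """Return findings: dangling references and legacy algorithms, per config block."""
    blocks = parse_blocks(config)
    defined = {(m.group(1), m.group(2)) for m in map(DEFINITION.match, blocks) if m}
    findings = []
    for header, children in blocks.items():
        for line in children:
            name = line.split()[-1]
            for prefix, kind in REFERENCES.items():
                if line.startswith(prefix + " ") and (kind, name) not in defined:
                    findings.append(f"{header}: undefined {kind} '{name}'")
            findings += [f"{header}: legacy {t}" for t in legacy_tokens(line)]
    return findings
```

Run it against your own `show running-config` output: an empty list means every link in the chain resolves and nothing legacy is negotiated.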

 

Related Articles, References, Credits, or External Links

Microsoft Azure To Cisco ASA Site to Site VPN

Azure to Cisco VPN – ‘Failed to allocate PSH from platform’

KB ID 0001219

Problem

It’s been a week of strange VPN shenanigans with Cisco and Azure. I was liaising with an Azure service provider for a customer this week, trying to get a VPN up from a Cisco ASA in one of our data centres in the UK. This is what we were seeing;

And I could see the same error in the debugs;

[box]

Decrypted packet:Data: 616 bytes
IKEv2-PROTO-1: Failed to allocate PSH from platform
IKEv2-PROTO-1:
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=65EAE07164D4916D R_SPI=034FB3DBCA5E9891 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-5: Action: Action_Null
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=65EAE07164D4916D R_SPI=034FB3DBCA5E9891 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=65EAE07164D4916D R_SPI=034FB3DBCA5E9891 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=65EAE07164D4916D R_SPI=034FB3DBCA5E9891 (R) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-2: Abort exchange
IKEv2-PROTO-2: Deleting SA

[/box]

Solution

After a conversation with the service provider, it turned out that they provide a multi-tenant solution that uses many VPNs for multiple clients; because of this they HAVE TO use a security gateway that uses ‘Route Based/Dynamic Routing’.

There are two types of VPNs that you can run out of Azure;

  • Static routing VPNs – Static routing VPNs or policy-based VPNs. These encrypt and route traffic through an interface based on a customer defined policy. Static routing VPNs require a static routing VPN gateway. With this type of VPN you CAN NOT have multiple site to site VPNs.
  • Dynamic routing VPNs – Dynamic routing or route-based VPNs. These depend on a tunnel interface specifically created for forwarding traffic. Any traffic arriving on the virtual tunnel interface (VTI) will be forwarded through the correct VPN connection. 

Why is this a problem?

If you look at the currently supported VPN devices for Azure;

Route-based is not compatible; this is because VPNs based on VTIs are NOT supported on the Cisco ASA platform. If you are a Cisco firewall type, this is the same reason you can’t use an ASA for DMVPN, or to terminate a GRE tunnel on.

What can you do?

In my case I’m going to put a Cisco IOS router (Cisco ISR 1921) beside the firewall and route all the Azure traffic via that. As you can see from the table above, that IS supported.

Related Articles, References, Credits, or External Links

NA

Cisco ASA IKEv2 – ‘Failed To Allocate Memory’

KB ID 0001218 

Problem

This week I was trying to get a VPN tunnel up for a client. They wanted a tunnel from their Cisco ASA into Microsoft Azure. Normally I’d use IKEv1 (because I know how to troubleshoot it!), but the guys running the site in Azure were using policy routing, which needs IKEv2.

So I converted from IKEv1 to IKEv2. As I said, I’m used to debugging IKEv1, but not IKEv2, so I was struggling to make sense of what was going on. The ‘interesting traffic’ was spawning a LOT of Phase 1 tunnels, but Phase 2 (IPsec) refused to pass traffic.

[box]

Clients-ASA(config)# show cry isa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:151, Status:UP-IDLE, IKE count:25, CHILD count:0

Tunnel-id                 Local                Remote     Status         Role
526939783    222.222.222.222/500     123.123.123.123/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4423 sec

Tunnel-id                 Local                Remote     Status         Role
3227575251    222.222.222.222/500     123.123.123.123/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4425 sec

Tunnel-id                 Local                Remote     Status         Role
3073641799    222.222.222.222/500     123.123.123.123/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4482 sec
-----------------Further Output Removed for the Sake of Brevity------------------

[/box]

 

A debug of IKEv2 was pretty confusing but it did reveal this;

[box]

Decrypted packet:Data: 616 bytes
IKEv2-PROTO-1: Failed to allocate memory
IKEv2-PROTO-1:
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-5: Action: Action_Null
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-3: Abort exchange
IKEv2-PROTO-2: Deleting SA
IKEv2-PROTO-3: Rx [L 222.222.222.222:500/R 123.123.123.123:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:E212F1C2B09EC680 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: E212F1C2B09EC680 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 616

[/box]

Solution

The ASA was running version 8.4(6), which is not listed as being affected by this bug:

ASA IKEv2 fails to accept incoming IKEV2 connections
CSCud50997

But that’s what the problem was: after an upgrade to 9.2(4) the tunnel came straight up without error.
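Both ASA write-ups above show the same two symptoms: ‘show crypto isakmp sa’ listing many IKEv2 SAs with CHILD count:0 (Phase 1 keeps completing, Phase 2 never forms), and a debug abort that starts with IKEv2-PROTO-1: Failed to allocate. As an added example (mine, not from the article), the Python below parses those two outputs and reports both symptoms so the pattern can be spotted in a long debug; the sample text is constructed from the article’s excerpts, dummy addresses and SPIs included.

```python
import re

# Constructed sample, modelled on the article's 'show crypto isakmp sa' and
# 'debug crypto ikev2' excerpts (the addresses and SPIs are the article's dummies).
SHOW_SA = """\
IKEv2 SAs:

Session-id:151, Status:UP-IDLE, IKE count:25, CHILD count:0

Tunnel-id                 Local                Remote     Status         Role
526939783    222.222.222.222/500     123.123.123.123/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Tunnel-id                 Local                Remote     Status         Role
3227575251    222.222.222.222/500     123.123.123.123/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
"""
DEBUG = """\
Decrypted packet:Data: 616 bytes
IKEv2-PROTO-1: Failed to allocate memory
IKEv2-PROTO-1:
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-3: Abort exchange
IKEv2-PROTO-2: Deleting SA
"""
SESSION = re.compile(r"Session-id:(\d+), Status:(\S+), IKE count:(\d+), CHILD count:(\d+)")
TUNNEL = re.compile(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\w+)\s+(\w+)$", re.M)
# 'Failed to allocate ...' followed (possibly a few lines later) by that SA's SPI pair.
ALLOC_FAIL = re.compile(r"IKEv2-PROTO-\d: (Failed to allocate [^\n]*)\n(?:.*\n)*?.*I_SPI=(\w+) R_SPI=(\w+)")

def parse_sessions(show_output):
    """One record per 'Session-id' line: how many IKE SAs and child (IPsec) SAs exist."""
    return [{"id": int(i), "status": s, "ike": int(k), "child": int(c)}
            for i, s, k, c in SESSION.findall(show_output)]

def parse_tunnels(show_output):
    """Every Tunnel-id row as (tunnel id, local peer, remote peer, status, role)."""
    return TUNNEL.findall(show_output)

def parse_allocation_failures(debug_output):
    """(message, I_SPI, R_SPI) for each platform allocation failure in the debug."""
    return ALLOC_FAIL.findall(debug_output)

def triage(show_output, debug_output):
    """Report the two symptoms from the write-ups as short, actionable verdicts."""
    verdicts = []
    for s in parse_sessions(show_output):
        if s["ike"] > 1 and s["child"] == 0:   # Phase 1 keeps completing, Phase 2 never forms
            verdicts.append(f"session {s['id']}: {s['ike']} IKE SAs but no child SA")
    roles = {role for *_, role in parse_tunnels(show_output)}
    for msg, ispi, rspi in parse_allocation_failures(debug_output):
        verdicts.append(f"platform abort '{msg}' on SA I_SPI={ispi} R_SPI={rspi}"
                        + (" while acting as responder" if roles == {"RESPONDER"} else ""))
    return verdicts
```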

 

Related Articles, References, Credits, or External Links

NA

Group Policy To Throttle Network Speed via QoS

KB ID 0001217 

Problem

Why would you want to do this? Well, what if you want to test slow-link Group Policy processing, or you are testing BranchCache? Using Group Policy you can ‘throttle’ traffic to and from a particular IP address. Below I will pick a domain client on 192.168.110.120, and throttle all traffic between that client and the domain controller to 100 kbps.

Solution

As I said above, I’m throttling traffic to my domain controller, so I’ll create a GPO and link it to the Domain Controllers OU. Call it something sensible.

Edit the policy

Navigate to;

Computer Configuration > Policies > Windows Settings > Policy-based-Qos > Create new policy.

Give the policy a name and set the throttle rate > Next.

All Applications > Next.

Specify the IP you are throttling traffic to and from > Next.

TCP and UDP > Finish.

Then wait for the policy to apply, or run gpupdate /force on the DC.

Related Articles, References, Credits, or External Links

NA

PowerShell – Updating Users Email Addresses In Active Directory

KB ID 0001216 

Problem

Note: I’m referring to the Email address value that is listed on the user object in Active Directory; this will not affect any Exchange settings!

A colleague asked me today if I had any PowerShell to update ALL the users in a client’s AD, to match their UPN to their Email addresses. A quick internet search turned up loads of handy scripts to update the UPN to match the email address, but not the way round he wanted.

Solution

In most (not all) cases your UPN is your sAMAccountName plus your domain name, so you can simply run the following;

[box]

Import-Module ActiveDirectory
# Sets the mail attribute to sAMAccountName@test.net for every user under the search base.
# Add -WhatIf to Set-ADUser to preview the changes before writing anything.
Get-ADUser -Filter * -SearchBase 'DC=test,DC=net' |
    ForEach-Object { Set-ADUser -Identity $_ -EmailAddress ($_.SamAccountName + '@test.net') }

[/box]

Note: Save the above as a file with a .ps1 extension, or execute both commands separately.

Now you may (like on my test network above) have your user logon name set to something other than firstname.lastname. If so, and you would prefer to set the Email value to firstname.lastname@domain.com, then use the following instead.

[box]

Import-Module ActiveDirectory
# Builds givenName.surname@test.net. Users with an empty GivenName or Surname would get a
# malformed address (e.g. '.smith@test.net'), so they are filtered out; use -WhatIf to preview.
Get-ADUser -Filter * -SearchBase 'DC=test,DC=net' | Where-Object { $_.GivenName -and $_.Surname } |
    ForEach-Object { Set-ADUser -Identity $_ -EmailAddress ($_.GivenName + '.' + $_.Surname + '@test.net') }

[/box]

Note: Save the above as a file with a .ps1 extension, or execute both commands separately.

Related Articles, References, Credits, or External Links

PowerShell – Update All Domain Users With Email Address From UPN

Remote Desktop Web – Session Timeouts (Altering)

KB ID 0001215 

Problem

Timeouts for the RDWeb portal are defined by the choice you made when you logged in: selecting ‘private’ or ‘public’ in the PC options sets the timeout. The default is 240 minutes for private and 20 minutes for public connections.

Solution

To alter these values you need to make changes in the ‘Internet Information Services Management Console’ on the RDWeb server.

Navigate to {Server-name} > Sites > Default Web Site > RDWeb > Pages > Application Settings.

You need to alter;

PrivateModeSessionTimeoutIn… AND PublicModeSessionTimeoutIn…

Edit the values according to your requirements.

If you find that the changes don’t take effect immediately, drop to a command line and issue an ‘iisreset’ command.

Related Articles, References, Credits, or External Links

NA

Hyper-V Create and Deploy Machine Templates (Without VMM)

KB ID 0001214 

Problem

Last week, myself and a few of my colleagues had to deploy a LOT of servers into Hyper-V. The client did not have System Center Virtual Machine Manager, so the process of creating and deploying a machine from a template is a little more convoluted.

Solution

Here I’m deploying Windows Server 2012 Datacenter, but we repeated the process for Oracle Linux (Red Hat) and, with the exception of sysprep, the process was the same. To start, build an ‘image machine’ and ensure it is updated and has on it any software you may require.

Keeping the Image For Future Updates?

If you intend to re-use this master image in the future (i.e. start it up, install any outstanding updates, and then re-use it to deploy future virtual machines), then BEFORE you sysprep it, take a ‘Checkpoint’. In future you can revert to this checkpoint and rerun sysprep; this matters because there is a three-time limit on sysprep with the generalize option.

Run sysprep, which lives in;

C:\Windows\System32\Sysprep\

Tick the ‘Generalize’ option, and set it to ‘Shutdown’.

Create a folder to hold your template(s).

Export your master VM into the templates directory you have just created.

Hyper-V Deploying Machines From Template

Create a new virtual machine.

MAKE SURE you select the option ‘attach a virtual disk later’; select all other options for the new VM as you require.

 

Within your template directory, create a copy of the hard drive and rename it so it has the same name as your newly deployed VM. 

Then cut/paste this newly renamed drive into the folder for your new virtual machine.

On your new VM > Settings > SCSI Controller > Hard Drive > Add.

Navigate to the hard drive file you copied and renamed > Apply > OK.

On the ‘Firmware’ tab move the new hard drive up, so it is at the top of the boot order.

You can now power on the new VM.

Related Articles, References, Credits, or External Links

NA