</span></h3>
<p>First we configure the object groups for the encryption domain endpoints.</p>
<pre>object-group network AZURE-NET
 description Azure Virtual Network
 network-object 172.16.0.0 255.255.255.0
object-group network ONPREM-NET
 description OnPrem Network
 network-object 192.168.1.0 255.255.255.0</pre>
<h3>Encryption Domain</h3>
<p>We then configure the encryption domain, using the previously created object groups.</p>
<pre>access-list AZURE-VPN-ACL extended permit ip object-group ONPREM-NET object-group AZURE-NET</pre>
<h3>NAT</h3>
<p>Identity NAT is configured so that traffic to and from the endpoints is not translated before it reaches the tunnel.</p>
<pre>nat (inside,outside) 1 source static ONPREM-NET ONPREM-NET destination static AZURE-NET AZURE-NET</pre>
<h3>Phase 1</h3>
<p>The Phase 1 (IKEv1) parameters are then defined.</p>
<pre>crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800</pre>
<h3>Phase 2</h3>
<p>Then the Phase 2 (IPsec) parameters.</p>
<pre>crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000</pre>
<h3>Tunnel Group</h3>
<p>The tunnel group for the Azure peer is configured with the pre-shared key.</p>
<pre>tunnel-group 13.89.48.98 type ipsec-l2l
tunnel-group 13.89.48.98 ipsec-attributes
 ikev1 pre-shared-key &lt;PSK&gt;</pre>
<h3>Crypto</h3>
<p>The encryption domain, peer and Phase 2 transform set are then tied together in a crypto map, which is applied to the outside interface; the peer address is what selects the matching tunnel group.</p>
<pre>crypto map azure-crypto-map 1 match address AZURE-VPN-ACL
crypto map azure-crypto-map 1 set peer 13.89.48.98
crypto map azure-crypto-map 1 set ikev1 transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside</pre>
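<p>The sections above only work as a tunnel when every piece references the others correctly: the crypto map must name an ACL and transform set that exist, the peer must have an <code>ipsec-l2l</code> tunnel group with a key, and every ACL pair must have a matching identity NAT or the traffic is translated before it can match the crypto ACL. The following Python script is an added example (not the author's code) that parses the page's configuration into a dictionary, cross-checks those references, and also flags the two Phase 1 choices a reviewer would question today, DH group 2 and SHA-1. The input is the page's own snippets joined into one text; the parser covers only the command forms used on this page.</p>

```python
import re
from collections import defaultdict

# Constructed input: the ASA snippets from this page joined into one config text.
SAMPLE_CONFIG = """\
object-group network AZURE-NET
 description Azure Virtual Network
 network-object 172.16.0.0 255.255.255.0
object-group network ONPREM-NET
 description OnPrem Network
 network-object 192.168.1.0 255.255.255.0
access-list AZURE-VPN-ACL extended permit ip object-group ONPREM-NET object-group AZURE-NET
nat (inside,outside) 1 source static ONPREM-NET ONPREM-NET destination static AZURE-NET AZURE-NET
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
tunnel-group 13.89.48.98 type ipsec-l2l
tunnel-group 13.89.48.98 ipsec-attributes
 ikev1 pre-shared-key <PSK>
crypto map azure-crypto-map 1 match address AZURE-VPN-ACL
crypto map azure-crypto-map 1 set peer 13.89.48.98
crypto map azure-crypto-map 1 set ikev1 transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit \S+ object-group (\S+) object-group (\S+)")
NAT_RE = re.compile(r"source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse_asa_config(text):
    """Pull the pieces of an IKEv1 L2L tunnel out of ASA config text (page command forms only)."""
    cfg = {"object_groups": {}, "acls": defaultdict(list), "nat_exempt": [], "ikev1_policies": {},
           "transform_sets": {}, "tunnel_groups": defaultdict(dict), "crypto_maps": defaultdict(dict),
           "map_interfaces": {}, "ikev1_interfaces": set()}
    ctx = None  # (kind, key) of the block that owns the indented lines that follow
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if line.startswith(" ") and ctx:  # sub-command of the current block
            kind, key = ctx
            if kind == "og" and t[0] == "network-object":
                cfg["object_groups"][key].append((t[1], t[2]))
            elif kind == "policy":
                cfg["ikev1_policies"][key][t[0]] = " ".join(t[1:])
            elif kind == "tg" and t[:2] == ["ikev1", "pre-shared-key"]:
                cfg["tunnel_groups"][key]["psk"] = t[2]
            continue
        ctx = None
        if t[:2] == ["object-group", "network"]:
            cfg["object_groups"].setdefault(t[2], [])
            ctx = ("og", t[2])
        elif t[0] == "access-list" and (m := ACL_RE.match(line)):
            cfg["acls"][m.group(1)].append((m.group(2), m.group(3)))
        elif t[0] == "nat" and (m := NAT_RE.search(line)):
            if m.group(1) == m.group(2) and m.group(3) == m.group(4):  # identity (exempt) NAT only
                cfg["nat_exempt"].append((m.group(1), m.group(3)))
        elif t[:3] == ["crypto", "ikev1", "enable"]:
            cfg["ikev1_interfaces"].add(t[3])
        elif t[:3] == ["crypto", "ikev1", "policy"]:
            cfg["ikev1_policies"][int(t[3])] = {}
            ctx = ("policy", int(t[3]))
        elif t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            cfg["transform_sets"][t[4]] = t[5:]
        elif t[0] == "tunnel-group" and t[2] == "type":
            cfg["tunnel_groups"][t[1]]["type"] = t[3]
        elif t[0] == "tunnel-group" and t[2] == "ipsec-attributes":
            ctx = ("tg", t[1])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["map_interfaces"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:
            entry = cfg["crypto_maps"][(t[2], int(t[3]))]  # one dict per map sequence number
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif t[4:7] == ["set", "ikev1", "transform-set"]:
                entry["transform_set"] = t[7]
    return cfg


def check_vpn_config(cfg):
    """Cross-reference the tunnel pieces and flag weak Phase 1 choices; returns a list of findings."""
    findings = []
    for (name, seq), e in cfg["crypto_maps"].items():
        where = f"crypto map {name} {seq}"
        acl, peer, ts = e.get("acl"), e.get("peer"), e.get("transform_set")
        if acl not in cfg["acls"]:
            findings.append(f"{where}: match address {acl} names an undefined ACL")
        if ts not in cfg["transform_sets"]:
            findings.append(f"{where}: transform-set {ts} is undefined")
        tg = cfg["tunnel_groups"].get(peer, {})
        if tg.get("type") != "ipsec-l2l":
            findings.append(f"{where}: peer {peer} has no ipsec-l2l tunnel-group")
        elif "psk" not in tg:
            findings.append(f"{where}: tunnel-group {peer} has no ikev1 pre-shared-key")
        iface = cfg["map_interfaces"].get(name)
        if iface is None or iface not in cfg["ikev1_interfaces"]:
            findings.append(f"crypto map {name} is not applied to an interface with ikev1 enabled")
        for src, dst in cfg["acls"].get(acl, []):  # every crypto ACL pair needs identity NAT
            for og in (src, dst):
                if og not in cfg["object_groups"]:
                    findings.append(f"ACL {acl}: object-group {og} is undefined")
            if (src, dst) not in cfg["nat_exempt"]:
                findings.append(f"ACL {acl}: no identity NAT for {src} -> {dst}; traffic would be translated first")
    for prio, p in sorted(cfg["ikev1_policies"].items()):
        if p.get("group") in {"1", "2"}:  # 768/1024-bit MODP
            findings.append(f"ikev1 policy {prio}: DH group {p['group']} is weak; use group 14 or higher if the peer allows")
        if p.get("hash") == "sha":  # 'sha' in an ASA IKEv1 policy is SHA-1
            findings.append(f"ikev1 policy {prio}: hash sha is SHA-1; IKEv1 policies offer nothing stronger, prefer IKEv2")
    return findings


def lint(text):
    return check_vpn_config(parse_asa_config(text))
```

<p>Run against the page's configuration the script reports only the two Phase 1 findings; remove the <code>nat</code> line or rename the transform set and it reports the broken reference, which is the kind of mistake that otherwise shows up only as a tunnel that negotiates but passes no traffic.</p>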