We have been running a VPN from an ASA 5510 running ASA 8.2 successfully, between our on-prem network and a VNET in Azure. I now wanted to set up a VNET1 to VNET2 VPN scenario, as well as on-prem to VNET1 and VNET2 (like a big VPN mesh). I built this via the XML config, uploaded it to Azure and got the VNET to VNET working by changing the preshared key. I’m now having difficulty getting the VNET to on-prem VPNs up and running. I have configured our ASA and run some debugging and am getting these errors:
Jun 18 14:53:48 [IKEv1]: IP = 23.100.xx.xx, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Jun 18 14:53:48 [IKEv1]: IP = 23.100.xx.xx, Information Exchange processing failed
It looks like a Phase 1/ISAKMP issue; however, the config on our end is all still the same (i.e. the same as when I had it working fine on-prem to one VNET). I don’t know why changing the config on the Azure end has broken this but I am a bit stumped. One pertinent change during this is changing from static routing to dynamic routing – it needs to be dynamic for this scenario to work though.
Technically only ASA 8.3 is supported; however, it was working fine before, so I don’t think this is the issue.
My question is this: what does changing the routing from dynamic to static actually do as far as third party VPN devices are concerned? Is there a requirement to then change the ISAKMP properties?
–Update– Turns out dynamic routing uses IKEv2, which is supported from ASA 8.4 onwards. Even though this is the case, Azure lists the ASA (even on the newest code) as an unsupported device. ASRs are supported, however.
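Added example, not part of the original post: a small Python triage script that groups IKE debug lines of the shape quoted above by peer and flags peers that keep answering with an un-encrypted NO_PROPOSAL_CHOSEN, the symptom that here turned out to be an IKE version mismatch. The function names, the threshold and every sample line after the first two are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Line shape from the post: "Jun 18 14:53:48 [IKEv1]: IP = <peer>, <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<proto>IKEv\d)\]: IP = (?P<peer>[^,\s]+), (?P<msg>.+)$"
)
# An un-encrypted notify was sent before an ISAKMP SA was established,
# so the remote side refused the phase 1 offer itself.
NOTIFY_RE = re.compile(r"Received an un-encrypted (?P<name>[A-Z_]+) notify message")


def triage(lines):
    """Return {peer: {"proto": set, "notifies": Counter, "first": ts, "last": ts}}."""
    peers = defaultdict(lambda: {"proto": set(), "notifies": Counter(),
                                 "first": None, "last": None})
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an IKE debug line; skip rather than guess
        entry = peers[m["peer"]]
        entry["proto"].add(m["proto"])
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        n = NOTIFY_RE.search(m["msg"])
        if n:
            entry["notifies"][n["name"]] += 1
    return dict(peers)


def rejected_peers(summary, threshold=2):
    """Peers that sent NO_PROPOSAL_CHOSEN at least `threshold` times (assumed cut-off)."""
    return sorted(p for p, e in summary.items()
                  if e["notifies"]["NO_PROPOSAL_CHOSEN"] >= threshold)


# First two lines are the ones quoted in the post; the other two are constructed.
SAMPLE = """\
Jun 18 14:53:48 [IKEv1]: IP = 23.100.xx.xx, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Jun 18 14:53:48 [IKEv1]: IP = 23.100.xx.xx, Information Exchange processing failed
Jun 18 14:53:56 [IKEv1]: IP = 23.100.xx.xx, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Jun 18 14:54:02 [IKEv1]: IP = 203.0.113.7, Information Exchange processing failed
""".splitlines()

if __name__ == "__main__":
    summary = triage(SAMPLE)
    for peer in rejected_peers(summary):
        print(peer, dict(summary[peer]["notifies"]), summary[peer]["first"], summary[peer]["last"])
```

A peer listed by `rejected_peers` is rejecting the offer before any SA exists, so the IKE version and ISAKMP policy on both ends are the first things to compare.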