dcvr1#sh crypto ipsec sa interface: Tunnel1 Crypto map tag: Tunnel1-head-0, local addr [CSR1kv IP] protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer [Azure VPN IP] port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 240, #pkts encrypt: 240, #pkts digest: 240 #pkts decaps: 2055, #pkts decrypt: 2055, #pkts verify: 2055 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: [CSR1kv IP], remote crypto endpt.: [Azure VPN IP] plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x72373376(1916220278) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x331D3369(857551721) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 2374, flow_id: CSR:374, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0 sa timing: remaining key lifetime (k/sec): (4607999/2867) IV size: 16 bytes replay detection support: Y ecn bit support: N status: off Status: ACTIVE(ACTIVE) inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x72373376(1916220278) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 2373, flow_id: CSR:373, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0 sa timing: remaining key lifetime (k/sec): (4607999/2867) IV size: 16 bytes replay detection support: Y ecn bit support: N status: off Status: ACTIVE(ACTIVE) outbound ah sas: outbound pcp sas: dcvr1#sh crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id status IPv6 Crypto ISAKMP SA dcvr1#sh run Building configuration... Current configuration : 2733 bytes ! ! Last configuration change at 15:54:46 UTC Mon Nov 7 2016 by oe0745 ! version 15.4 service timestamps debug datetime msec service timestamps log datetime msec no platform punt-keepalive disable-kernel-core platform console virtual ! hostname dcvr1 ! boot-start-marker boot-end-marker ! ! enable secret 5 blah ! no aaa new-model ! ! ! ! ! ! ! ip domain name blah ! ! ! ! ! ! ! ! ! ! subscriber templating ! multilink bundle-name authenticated ! ! license udi pid CSR1000V sn 9Z4BECZ8E0W license accept end user agreement license boot level premium spanning-tree extend system-id ! ! redundancy mode none ! crypto ikev2 proposal azure-proposal encryption aes-cbc-256 aes-cbc-128 3des integrity sha1 group 2 ! crypto ikev2 policy azure-policy proposal azure-proposal ! crypto ikev2 keyring azure-keyring peer 51.140.186.0 address 51.140.186.0 255.255.255.0 pre-shared-key [Azure Key] ! ! ! crypto ikev2 profile azure-profile match address local interface GigabitEthernet1 match identity remote address [Azure VPN IP] 255.255.255.255 authentication remote pre-share authentication local pre-share keyring local azure-keyring ! ! ! ! ip ssh version 2 ! ! ! ! ! ! ! crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac mode tunnel ! crypto ipsec profile azure-vti set transform-set azure-ipsec-proposal-set set ikev2-profile azure-profile ! ! ! ! ! ! ! ! interface Tunnel1 ip address 169.254.0.1 255.255.255.0 ip tcp adjust-mss 1350 tunnel source GigabitEthernet1 tunnel mode ipsec ipv4 tunnel destination [Azure VPN IP] tunnel protection ipsec profile azure-vti ! interface GigabitEthernet1 ip address [CSR1kv IP] 255.255.255.0 negotiation auto ! ! virtual-service csr_mgmt activate ! ip forward-protocol nd ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 [CSR1kv subnet gateway] ip route 10.240.0.0 255.255.0.0 Tunnel1 ! access-list 101 permit ip 137.222.0.0 0.0.255.255 10.240.0.0 0.0.255.255 access-list 102 permit udp host [Azure VPN IP] eq isakmp host [CSR1kv IP] access-list 102 permit esp host [Azure VPN IP] host [CSR1kv IP] ! ! ! control-plane ! ! line con 0 stopbits 1 line aux 0 stopbits 1 line vty 0 4 session-timeout 180 access-class 99 in logging synchronous login local transport preferred none transport input ssh escape-character 3 line vty 5 97 access-class 98 in login ! ! end