Azure VPN Connection issues

a.jones — Tue, 20 Aug 2024 14:34:34 GMT

Hi All,

Appreciate any help with an Azure VPN connection. I have a couple that works but this one is problematic.

I have configured to match the Azure configuration so my end:

IKE: AES-256-CBC, SHA256, Group 14 and Key 8Hrs

IPSEC: AES-256-CBC, SHA256, No-PFS and key 27000secs.

Gateway: Their Peer IP, My Peer IP, PSK, IKEv2 mode, Passive Mode enabled and Liveness unticked. IKE config selected.

IPSec Tunnels: Tunnel interface assigned, IKE Gateway and IPSec Profile selected.Proxy ID's assigned.

Policy: Peer IPs permitted on outside interface as bi-directional rule.

Issue: Phase 1 and Phase 2 not coming up.

I look at cli for sessions from peer IP and this is what I see:

show session all filter source "peer"

--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
1593311 ike ACTIVE FLOW "remote_peer"[500]/Firewall_Untrust_Internet/17 ("remote_peer"[500])
vsys2 "local_peer"[500]/Firewall_Untrust_Internet ("local_peer"[500])

I look at the state of the IKE gateway:

show vpn ike-sa gateway IKEGW-0001

There is no IKEv1 phase-1 SA found.

There is no IKEv1 phase-2 SA found.

IKEv2 SAs
Gateway ID Peer-Address Gateway Name Role SN Algorithm Established Expiration Xt Child ST
---------- ------------ ------------ ---- -- --------- ----------- ---------- -- ----- --
19 "Remote_Peer" IKEGW-0001 Resp 43895 PSK/DH14/A256/SHA256 0 0 INIT sent
19 "Remote_Peer" IKEGW-0001 Resp 43896 PSK/DH14/A256/SHA256 0 0 INIT sent
19 "Remote_Peer" IKEGW-0001 Resp 43897 PSK/DH14/A256/SHA256 0 0 INIT sent
19 "Remote_Peer" IKEGW-0001 Resp 43898 PSK/DH14/A256/SHA256 0 0 INIT sent
19 "Remote_Peer" IKEGW-0001 Resp 43899 PSK/DH14/A256/SHA256 0 0 INIT sent
Show IKEv2 SA: Total 17 gateways found. 5 ike sa found.

I am tailing the IKE Manager log to see what is going on:

2024-08-20 15:27:02.283 +0100 [INFO]: { 19: }: passive mode is specified for IKE gateway IKEGW-0001
2024-08-20 15:27:02.418 +0100 [INFO]: { 19: }: received IKE request "Remote_Peer"[500] to "Local_Peer"[500], found IKE gateway IKEGW-0001
2024-08-20 15:27:02.418 +0100 [PNTF]: { 19: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway IKEGW-LINC-0001-Cirdan <====
====> Initiated SA: 5.255.48.251[500]-"Remote_Peer"[500] SPI:371ac746e7d5a8b0:e49716e42da7a08c SN:43900 <====
2024-08-20 15:27:02.418 +0100 [DEBG]: { 19: }: received Notify type NAT_DETECTION_SOURCE_IP
2024-08-20 15:27:02.418 +0100 [PWRN]: { 19: }: "Local_Peer"[500] - "Remote_Peer"[500]:0x56510c70bdf0 ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
2024-08-20 15:27:02.418 +0100 [DEBG]: { 19: }: received Notify type NAT_DETECTION_DESTINATION_IP
2024-08-20 15:27:02.418 +0100 [PWRN]: { 19: }: "Local_Peer"[500] - "Remote_Peer"[500]:0x56510c70bdf0 ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)
2024-08-20 15:27:02.418 +0100 [PWRN]: { 19: }: "Local_Peer"[500] - "Remote_Peer"[500]:0x56510c70bdf0 vendor id payload ignored
2024-08-20 15:27:02.418 +0100 [PWRN]: { 19: }: "Local_Peer"[500] - "Remote_Peer"[500]:0x56510c70bdf0 vendor id payload ignored
2024-08-20 15:27:02.418 +0100 [PWRN]: { 19: }: "Local_Peer"[500] - "Remote_Peer"[500]:0x56510c70bdf0 vendor id payload ignored
2024-08-20 15:27:02.419 +0100 [PWRN]: { 19: }: "Local_Peer"[500] - "Remote_Peer"[500]:0x56510c70bdf0 vendor id payload ignored
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: see whether there's matching transform
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: found same ID(12,12). compare attributes
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: OK; advance to next of my transform type
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: see whether there's matching transform
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: found same ID(5,5). compare attributes
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: OK; advance to next of my transform type
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: see whether there's matching transform
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: found same ID(12,12). compare attributes
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: OK; advance to next of my transform type
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: see whether there's matching transform
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: found same ID(14,14). compare attributes
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: OK; advance to next of my transform type
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: success
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: update request message_id 0x0
2024-08-20 15:27:07.889 +0100 [INFO]: { 19: }: passive mode is specified for IKE gateway IKEGW-0001

I am asking remote end to check they are receiving return traffic and arranging another session to resolve the issue but any help/advice will be grateful.

Can anyone see anything incorrect? Across my infrastructure I have around 200 VPNs configured with around 10 that are Azure with no issue - just never seen one this painful to establish before.

Regards

Adrian

topic Azure VPN Connection issues in VM-Series in the Public Cloud

Azure VPN Connection issues