Azure VPN Connection issues


Hi All,

 

Appreciate any help with an Azure VPN connection. I have a couple that work but this one is problematic.

 

I have configured to match the Azure configuration so my end:

 

IKE: AES-256-CBC, SHA256, Group 14 and Key 8Hrs

IPsec: AES-256-CBC, SHA256, No-PFS and key 27000 secs.

 

Gateway: Their Peer IP, My Peer IP, PSK, IKEv2 mode, Passive Mode enabled and Liveness unticked. IKE config selected.

IPsec Tunnels: Tunnel interface assigned, IKE Gateway and IPsec Profile selected. Proxy IDs assigned.

 

Policy:  Peer IPs permitted on outside interface as bi-directional rule.

 

Issue: Phase 1 and Phase 2 not coming up.

 

I look at cli for sessions from peer IP and this is what I see:

show session all filter source "peer"

--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
1593311 ike ACTIVE FLOW "remote_peer"[500]/Firewall_Untrust_Internet/17 ("remote_peer"[500])
vsys2 "local_peer"[500]/Firewall_Untrust_Internet ("local_peer"[500])

 

I look at the state of the IKE gateway:

show vpn ike-sa gateway IKEGW-0001

There is no IKEv1 phase-1 SA found.

There is no IKEv1 phase-2 SA found.


IKEv2 SAs
Gateway ID Peer-Address Gateway Name Role SN Algorithm Established Expiration Xt Child ST
---------- ------------ ------------ ---- -- --------- ----------- ---------- -- ----- --
19 "Remote_Peer" IKEGW-0001 Resp 43895 PSK/DH14/A256/SHA256 0 0 INIT sent
19 "Remote_Peer" IKEGW-0001 Resp 43896 PSK/DH14/A256/SHA256 0 0 INIT sent
19 "Remote_Peer" IKEGW-0001 Resp 43897 PSK/DH14/A256/SHA256 0 0 INIT sent
19 "Remote_Peer" IKEGW-0001 Resp 43898 PSK/DH14/A256/SHA256 0 0 INIT sent
19 "Remote_Peer" IKEGW-0001 Resp 43899 PSK/DH14/A256/SHA256 0 0 INIT sent
Show IKEv2 SA: Total 17 gateways found. 5 ike sa found.

 

I am tailing the IKE Manager log to see what is going on:

 

2024-08-20 15:27:02.283 +0100 [INFO]: { 19: }: passive mode is specified for IKE gateway IKEGW-0001
2024-08-20 15:27:02.418 +0100 [INFO]: { 19: }: received IKE request "Remote_Peer"[500] to "Local_Peer"[500], found IKE gateway IKEGW-0001
2024-08-20 15:27:02.418 +0100 [PNTF]: { 19: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway IKEGW-LINC-0001-Cirdan <====
====> Initiated SA: 5.255.48.251[500]-"Remote_Peer"[500] SPI:371ac746e7d5a8b0:e49716e42da7a08c SN:43900 <====
2024-08-20 15:27:02.418 +0100 [DEBG]: { 19: }: received Notify type NAT_DETECTION_SOURCE_IP
2024-08-20 15:27:02.418 +0100 [PWRN]: { 19: }: "Local_Peer"[500] - "Remote_Peer"[500]:0x56510c70bdf0 ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
2024-08-20 15:27:02.418 +0100 [DEBG]: { 19: }: received Notify type NAT_DETECTION_DESTINATION_IP
2024-08-20 15:27:02.418 +0100 [PWRN]: { 19: }: "Local_Peer"[500] - "Remote_Peer"[500]:0x56510c70bdf0 ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)
2024-08-20 15:27:02.418 +0100 [PWRN]: { 19: }: "Local_Peer"[500] - "Remote_Peer"[500]:0x56510c70bdf0 vendor id payload ignored
2024-08-20 15:27:02.418 +0100 [PWRN]: { 19: }: "Local_Peer"[500] - "Remote_Peer"[500]:0x56510c70bdf0 vendor id payload ignored
2024-08-20 15:27:02.418 +0100 [PWRN]: { 19: }: "Local_Peer"[500] - "Remote_Peer"[500]:0x56510c70bdf0 vendor id payload ignored
2024-08-20 15:27:02.419 +0100 [PWRN]: { 19: }: "Local_Peer"[500] - "Remote_Peer"[500]:0x56510c70bdf0 vendor id payload ignored
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: see whether there's matching transform
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: found same ID(12,12). compare attributes
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: OK; advance to next of my transform type
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: see whether there's matching transform
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: found same ID(5,5). compare attributes
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: OK; advance to next of my transform type
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: see whether there's matching transform
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: found same ID(12,12). compare attributes
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: OK; advance to next of my transform type
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: see whether there's matching transform
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: found same ID(14,14). compare attributes
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: OK; advance to next of my transform type
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: success
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: update request message_id 0x0
2024-08-20 15:27:07.889 +0100 [INFO]: { 19: }: passive mode is specified for IKE gateway IKEGW-0001

 

 

I am asking the remote end to check they are receiving return traffic and arranging another session to resolve the issue, but any help/advice would be gratefully received.

 

Can anyone see anything incorrect? Across my infrastructure I have around 200 VPNs configured, around 10 of which are Azure, with no issue. I've just never seen one this painful to establish before.

 

Regards

 

Adrian
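The SA table and ikemgr excerpt above carry enough structure to triage automatically: every SA is role Resp with Established 0 and state "INIT sent", each with a new SN, the phase-1 transforms matched, and the last logged Message ID is 0x0 (IKE_SA_INIT; an IKE_AUTH exchange would be Message ID 1 per RFC 7296). The following is an added example, not part of the original post and not PAN-OS code: it parses rows shaped like the `show vpn ike-sa` output and the ikemgr.log lines quoted above (both samples are constructed here from that shape) and reports how far the exchange got. It assumes the row layout and log wording shown in the post, and that ikemgr prints the matched transform IDs in ENCR, PRF, INTEG, D-H order, as the four "found same ID" lines do; proposals without a separate INTEG transform (AES-GCM) would need the mapping adjusted.

```python
"""Triage helper for a PAN-OS IKEv2 gateway stuck at 'INIT sent' as responder.

Parses `show vpn ike-sa` rows and ikemgr.log lines (samples constructed below in the
shape of the thread's output) and reports how far the IKE exchange progressed.
"""
import re
from dataclasses import dataclass

# Constructed sample, shaped like the thread's `show vpn ike-sa gateway` rows.
SA_TABLE = """\
19 "Remote_Peer" IKEGW-0001 Resp 43895 PSK/DH14/A256/SHA256 0 0 INIT sent
19 "Remote_Peer" IKEGW-0001 Resp 43896 PSK/DH14/A256/SHA256 0 0 INIT sent
19 "Remote_Peer" IKEGW-0001 Resp 43897 PSK/DH14/A256/SHA256 0 0 INIT sent
19 "Remote_Peer" IKEGW-0001 Resp 43898 PSK/DH14/A256/SHA256 0 0 INIT sent
19 "Remote_Peer" IKEGW-0001 Resp 43899 PSK/DH14/A256/SHA256 0 0 INIT sent
"""

# Constructed sample ikemgr.log excerpt, abridged to the lines the triage keys on.
IKEMGR_LOG = """\
2024-08-20 15:27:02.283 +0100 [INFO]: { 19: }: passive mode is specified for IKE gateway IKEGW-0001
2024-08-20 15:27:02.418 +0100 [PNTF]: { 19: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway IKEGW-0001 <====
2024-08-20 15:27:02.418 +0100 [DEBG]: { 19: }: received Notify type NAT_DETECTION_SOURCE_IP
2024-08-20 15:27:02.418 +0100 [DEBG]: { 19: }: received Notify type NAT_DETECTION_DESTINATION_IP
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: found same ID(12,12). compare attributes
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: found same ID(5,5). compare attributes
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: found same ID(12,12). compare attributes
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: found same ID(14,14). compare attributes
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: success
2024-08-20 15:27:02.419 +0100 [DEBG]: { 19: }: update request message_id 0x0
"""

# Columns: GatewayID Peer GatewayName Role SN Algorithm Established Expiration ... ST.
# In the captured rows the Xt/Child columns are blank, so everything after the two
# counters is taken as the state text ("INIT sent").
SA_ROW = re.compile(
    r'^(?P<gwid>\d+)\s+(?P<peer>"[^"]*"|\S+)\s+(?P<gw>\S+)\s+(?P<role>Init|Resp)\s+'
    r'(?P<sn>\d+)\s+(?P<algo>\S+)\s+(?P<est>\d+)\s+(?P<exp>\d+)\s+(?P<state>.*?)\s*$'
)
MATCH_ID = re.compile(r"found same ID\((\d+),(\d+)\)")
MSG_ID = re.compile(r"update request message_id 0x([0-9a-fA-F]+)")

# IKEv2 transform IDs from the IANA registry (RFC 7296). Assumption: ikemgr logs the
# matched IDs in transform-type order ENCR, PRF, INTEG, D-H, as the post's four lines do.
TRANSFORM_TABLES = (
    ("ENCR", {3: "ENCR_3DES", 12: "ENCR_AES_CBC", 20: "ENCR_AES_GCM_16"}),
    ("PRF", {2: "PRF_HMAC_SHA1", 5: "PRF_HMAC_SHA2_256", 7: "PRF_HMAC_SHA2_512"}),
    ("INTEG", {2: "AUTH_HMAC_SHA1_96", 12: "AUTH_HMAC_SHA2_256_128", 14: "AUTH_HMAC_SHA2_512_256"}),
    ("D-H", {2: "MODP_1024 (group 2)", 14: "MODP_2048 (group 14)", 19: "ECP_256 (group 19)"}),
)


@dataclass
class IkeSa:
    gateway: str
    peer: str
    role: str
    sn: int
    established: int
    state: str


def parse_sa_table(text):
    rows = (SA_ROW.match(line.strip()) for line in text.splitlines())
    return [IkeSa(m["gw"], m["peer"].strip('"'), m["role"], int(m["sn"]),
                  int(m["est"]), m["state"]) for m in rows if m]


def parse_ikemgr(text):
    ev = {"passive": 0, "responder_start": 0, "nat_notify": 0, "proposal_ok": False,
          "matched_ids": [], "max_msgid": None}
    for line in text.splitlines():
        if "passive mode is specified" in line:
            ev["passive"] += 1
        elif "NEGOTIATION STARTED AS RESPONDER" in line:
            ev["responder_start"] += 1
        elif "received Notify type NAT_DETECTION_" in line:
            ev["nat_notify"] += 1
        elif (m := MATCH_ID.search(line)):
            ev["matched_ids"].append(int(m.group(1)))
        elif line.rstrip().endswith("}: success"):
            ev["proposal_ok"] = True
        elif (m := MSG_ID.search(line)):
            # IKE_SA_INIT is Message ID 0; an IKE_AUTH exchange would be 1 (RFC 7296 2.2).
            mid = int(m.group(1), 16)
            ev["max_msgid"] = mid if ev["max_msgid"] is None else max(ev["max_msgid"], mid)
    return ev


def decode_transforms(ids):
    """Map matched transform IDs to names, assuming ENCR/PRF/INTEG/D-H order."""
    return [table.get(i, f"{kind} id {i}") for (kind, table), i in zip(TRANSFORM_TABLES, ids)]


def triage(sas, ev):
    stuck = [s for s in sas if s.role == "Resp" and s.established == 0
             and s.state.startswith("INIT")]
    r = {"sa_count": len(sas), "stuck_responder_sas": len(stuck),
         "distinct_sn": len({s.sn for s in stuck}), "highest_message_id": ev["max_msgid"],
         "phase1_proposal": decode_transforms(ev["matched_ids"]) if ev["proposal_ok"] else None,
         "verdict": "no_ike_sa" if not sas else "ok", "hints": []}
    if sas and len(stuck) == len(sas):
        r["verdict"] = "stuck_after_ike_sa_init"
        r["hints"].append(f"{r['distinct_sn']} responder SAs with distinct SNs and no IKE_AUTH: "
                          "the peer keeps re-sending IKE_SA_INIT, so confirm our reply "
                          "(UDP/500, and UDP/4500 if NAT-T engages) actually reaches it.")
        if r["phase1_proposal"]:
            r["hints"].append("Phase-1 proposal matched: " + ", ".join(r["phase1_proposal"]))
        if ev["passive"] and not any(s.role == "Init" for s in sas):
            r["hints"].append("Passive mode: this side never initiates; only the peer's retries can complete it.")
        if ev["nat_notify"]:
            r["hints"].append("Peer sent NAT_DETECTION_* notifies: NAT-T detection is in play.")
    return r


def analyze(sa_text=SA_TABLE, log_text=IKEMGR_LOG):
    return triage(parse_sa_table(sa_text), parse_ikemgr(log_text))


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

Run against the constructed samples the verdict is `stuck_after_ike_sa_init` with the proposal decoded as AES-CBC / PRF-HMAC-SHA2-256 / HMAC-SHA2-256-128 / group 14, which matches the IKE crypto profile in the post and rules out a phase-1 proposal mismatch; the open question is why the peer never follows up with IKE_AUTH, which the hints point at the return path and the peer's own view of the exchange.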
