My setup:
EdgeRouter LAN: 10.0.0.0/24
Outside interface: eth0
Azure network: 172.16.0.0/27
The connection is attempting to establish, but I cannot get it to connect properly. The error logs are at the end of this post. Can anyone help? Thanks!
My configuration:
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec esp-group esp-azure lifetime 3600
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure ikev2-reauth no
set vpn ipsec ike-group ike-azure key-exchange ikev2
set vpn ipsec ike-group ike-azure lifetime 28800
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP authentication mode pre-shared-secret
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP authentication pre-shared-secret SUPERSECRETSTUFF
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP connection-type respond
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP default-esp-group esp-azure
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP description Azure
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP ike-group ike-azure
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP ikev2-reauth inherit
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP local-address PUBLIC_IP_ADDRESS_OF_EDGEROUTER
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP tunnel 1 local prefix 10.0.0.0/24
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP tunnel 1 protocol all
set vpn ipsec site-to-site peer AZURE_PUBLIC_IP tunnel 1 remote prefix 172.16.0.0/27
Results from "show vpn ipsec sa":
remote-access: #36, ESTABLISHED, IKEv1, XXXXXXXXX:XXXXXXXXXX
  local  'PUBLIC_IP_ADDRESS_OF_EDGEROUTER' @ PUBLIC_IP_ADDRESS_OF_EDGEROUTER
  remote 'AZURE_PUBLIC_IP' @ AZURE_PUBLIC_IP
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  established 52s ago
Results from "show vpn ipsec status"
IPSec Process Running PID: 17676

0 Active IPsec Tunnels

IPsec Interfaces :
    eth0    (PUBLIC_IP_ADDRESS_OF_EDGEROUTER)
Results from "sudo swanctl --log"
14[NET] received packet: from AZURE_PUBLIC_IP[500] to PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] (396 bytes)
14[IKE] received retransmit of request with ID 1, but no response to retransmit
04[NET] received packet: from AZURE_PUBLIC_IP[500] to PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] (108 bytes)
04[ENC] parsed INFORMATIONAL_V1 request 2349965102 [ HASH D ]
04[IKE] received DELETE for IKE_SA remote-access[38]
04[IKE] deleting IKE_SA remote-access[38] between PUBLIC_IP_ADDRESS_OF_EDGEROUTER[PUBLIC_IP_ADDRESS_OF_EDGEROUTER]...AZURE_PUBLIC_IP[AZURE_PUBLIC_IP]
07[NET] received packet: from AZURE_PUBLIC_IP[500] to PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] (372 bytes)
07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
07[ENC] received unknown vendor ID: XX:XX:XXXXXXXXXXXXX
07[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
07[IKE] received NAT-T (RFC 3947) vendor ID
07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
07[IKE] received FRAGMENTATION vendor ID
07[ENC] received unknown vendor ID: XX:XX:XXXXXXXXXXXXX
07[ENC] received unknown vendor ID: XX:XX:XXXXXXXXXXXXX
07[ENC] received unknown vendor ID: XX:XX:XXXXXXXXXXXXX
07[IKE] AZURE_PUBLIC_IP is initiating a Main Mode IKE_SA
07[ENC] generating ID_PROT response 0 [ SA V V V ]
07[NET] sending packet: from PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] to AZURE_PUBLIC_IP[500] (136 bytes)
05[NET] received packet: from AZURE_PUBLIC_IP[500] to PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] (284 bytes)
05[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
05[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
05[NET] sending packet: from PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] to AZURE_PUBLIC_IP[500] (268 bytes)
08[NET] received packet: from AZURE_PUBLIC_IP[500] to PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] (92 bytes)
08[ENC] parsed ID_PROT request 0 [ ID HASH ]
08[CFG] looking for pre-shared key peer configs matching PUBLIC_IP_ADDRESS_OF_EDGEROUTER...AZURE_PUBLIC_IP[AZURE_PUBLIC_IP]
08[CFG] selected peer config "remote-access"
08[IKE] IKE_SA remote-access[39] established between PUBLIC_IP_ADDRESS_OF_EDGEROUTER[PUBLIC_IP_ADDRESS_OF_EDGEROUTER]...AZURE_PUBLIC_IP[AZURE_PUBLIC_IP]
08[IKE] DPD not supported by peer, disabled
08[ENC] generating ID_PROT response 0 [ ID HASH ]
08[NET] sending packet: from PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] to AZURE_PUBLIC_IP[500] (92 bytes)
11[NET] received packet: from AZURE_PUBLIC_IP[500] to PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] (396 bytes)
11[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID ]
11[IKE] no matching CHILD_SA config found
11[ENC] generating INFORMATIONAL_V1 request 4035635853 [ HASH N(INVAL_ID) ]
11[NET] sending packet: from PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] to AZURE_PUBLIC_IP[500] (92 bytes)
05[NET] received packet: from AZURE_PUBLIC_IP[500] to PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] (396 bytes)
05[IKE] received retransmit of request with ID 1, but no response to retransmit
04[NET] received packet: from AZURE_PUBLIC_IP[500] to PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] (396 bytes)
04[IKE] received retransmit of request with ID 1, but no response to retransmit
12[NET] received packet: from AZURE_PUBLIC_IP[500] to PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] (396 bytes)
12[IKE] received retransmit of request with ID 1, but no response to retransmit
11[NET] received packet: from AZURE_PUBLIC_IP[500] to PUBLIC_IP_ADDRESS_OF_EDGEROUTER[500] (396 bytes)
11[IKE] received retransmit of request with ID 1, but no response to retransmit
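As an added example for this thread (not the poster's configuration and not part of EdgeOS or strongSwan), here is a small Python triage helper that walks `swanctl --log` lines like the ones above and pulls out the facts behind a "phase 1 up, no tunnel" symptom: which IKE version the peer actually negotiated, which strongSwan peer config charon matched, and the notify sent when Quick Mode found no CHILD_SA. The expected config name passed to `findings()` is a placeholder; the real name of the site-to-site connection comes from `swanctl --list-conns` on the router.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample, abbreviated from the swanctl --log output quoted in the post.
SAMPLE_LOG = """\
07[IKE] AZURE_PUBLIC_IP is initiating a Main Mode IKE_SA
08[CFG] selected peer config "remote-access"
08[IKE] IKE_SA remote-access[39] established between PUBLIC_IP_ADDRESS_OF_EDGEROUTER[PUBLIC_IP_ADDRESS_OF_EDGEROUTER]...AZURE_PUBLIC_IP[AZURE_PUBLIC_IP]
11[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID ]
11[IKE] no matching CHILD_SA config found
11[ENC] generating INFORMATIONAL_V1 request 4035635853 [ HASH N(INVAL_ID) ]
"""

@dataclass
class Triage:
    ike_version: str | None = None  # IKE version actually seen on the wire
    peer_config: str | None = None  # strongSwan peer config charon matched
    ike_sa_established: bool = False
    child_sa_errors: list[str] = field(default_factory=list)
    notifies_sent: list[str] = field(default_factory=list)  # e.g. INVAL_ID
# (pattern, handler): each handler records one fact from a matching log line.
RULES = [
    (re.compile(r"initiating an? (Main|Aggressive) Mode IKE_SA"), lambda t, m: setattr(t, "ike_version", "IKEv1")),
    (re.compile(r"parsed IKE_SA_INIT request"), lambda t, m: setattr(t, "ike_version", "IKEv2")),
    (re.compile(r'selected peer config "([^"]+)"'), lambda t, m: setattr(t, "peer_config", m.group(1))),
    (re.compile(r"IKE_SA \S+ established between"), lambda t, m: setattr(t, "ike_sa_established", True)),
    (re.compile(r"no matching CHILD_SA config found"), lambda t, m: t.child_sa_errors.append(m.group(0))),
    (re.compile(r"generating INFORMATIONAL\S* request \d+ \[ HASH N\((\w+)\) \]"), lambda t, m: t.notifies_sent.append(m.group(1))),
]

def triage(log: str) -> Triage:
    t = Triage()
    for line in log.splitlines():
        for pat, handler in RULES:
            m = pat.search(line)
            if m:
                handler(t, m)
    return t

def findings(t: Triage, expected_config: str, expected_version: str) -> list[str]:
    """Compare what charon observed with what the admin configured (config name is caller-supplied)."""
    out = []
    if t.ike_version and t.ike_version != expected_version:
        out.append(f"peer negotiated {t.ike_version}; ike-group is configured for {expected_version}")
    if t.peer_config and t.peer_config != expected_config:
        out.append(f"IKE_SA matched config '{t.peer_config}', not the site-to-site config '{expected_config}'")
    if t.ike_sa_established and t.child_sa_errors:
        out.append(f"phase 1 up, but Quick Mode found no CHILD_SA; notify sent: {', '.join(t.notifies_sent) or 'none'}")
    return out
```

Run against the sample it reports the three things visible in the logs above: the peer came in with IKEv1 Main Mode although the ike-group says ikev2, charon matched the "remote-access" config rather than the site-to-site one, and Quick Mode was answered with INVAL_ID because no CHILD_SA matched.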