[Swan] Azure + LibreSwan

Madden, Joe Joe.Madden at mottmac.com
Wed Sep 26 10:47:24 UTC 2018


Hi List,

I have an azure VPN gateway running (vpnGW1) with a custom ipsec policy with the following settings:

[
  {
    "dhGroup": "DHGroup14",
    "ikeEncryption": "AES256",
    "ikeIntegrity": "SHA256",
    "ipsecEncryption": "AES256",
    "ipsecIntegrity": "SHA256",
    "pfsGroup": "PFS2048",
    "saDataSizeKilobytes": 1048576,
    "saLifeTimeSeconds": 28800
  }
]

The libreswan configuration looks like this:

conn Azure
        authby=         secret
        auto=           start
        type=           tunnel
        left=           ###
        leftsubnet=    ###
        leftnexthop=    %defaultroute
        right=          ###
        rightid=        ###
        rightsubnet=    10.101.0.0/24
        ikev2=          insist
        ike=            aes256-sha2_256;modp2048
        #sha2_truncbug= yes
        phase2=         esp
        phase2alg=      aes256-sha2_256;modp2048
        salifetime=     28800s
        nat-keepalive=  yes
        forceencaps=    no
        pfs=            yes

When I restart the libreswan process, the VPN connection works without an issue.

When I restart the Azure side of the VPN connection I get the following in the log:

Sep 26 10:19:04 gw pluto[788]: "Azure" #1: initiating v2 parent SA
Sep 26 10:19:04 gw pluto[788]: "Azure" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Sep 26 10:19:05 gw pluto[788]: "Azure" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=OAKLEY_SHA2_256 group=MODP2048}
Sep 26 10:19:05 gw pluto[788]: "Azure" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '#####'
Sep 26 10:19:05 gw pluto[788]: "Azure" #2: negotiated tunnel [192.168.1.0,192.168.1.255:0-65535 0] -> [10.101.0.0,10.101.0.255:0-65535 0]
Sep 26 10:19:05 gw pluto[788]: "Azure" #2: STATE_PARENT_I3: PARENT SA established tunnel mode {ESP=>0xb5731188 <0xd7f5b357 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=none DPD=passive}
Sep 26 10:33:22 gw pluto[788]: "Azure" #1: received Delete SA payload: replace IPSEC State #2 now
Sep 26 10:33:22 gw pluto[788]: "Azure" #3: initiating v2 parent SA to replace #2
Sep 26 10:33:22 gw pluto[788]: "Azure" #2: deleting state #2 (STATE_PARENT_I3)
Sep 26 10:33:22 gw pluto[788]: "Azure" #2: ESP traffic information: in=0B out=0B
Sep 26 10:33:22 gw pluto[788]: "Azure" #1: deleting state #1 (STATE_IKESA_DEL)
Sep 26 10:33:22 gw pluto[788]: "Azure" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
Sep 26 10:33:22 gw pluto[788]: "Azure" #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=OAKLEY_SHA2_256 group=MODP2048}
Sep 26 10:33:24 gw pluto[788]: packet from #####:500: initial parent SA message received on 87.85.199.82:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
Sep 26 10:33:24 gw pluto[788]: "Azure" #5: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=OAKLEY_SHA2_256 group=MODP2048}
Sep 26 10:33:24 gw pluto[788]: "Azure" #5: IKEv2 mode peer ID is ID_IPV4_ADDR: '#####'
Sep 26 10:33:24 gw pluto[788]: | ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN
Sep 26 10:33:24 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to #####:500
Sep 26 10:33:25 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:33:26 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:33:29 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:33:36 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:33:50 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:34:18 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:34:19 gw pluto[788]: "Azure" #3: missing payload(s) (ISAKMP_NEXT_v2SK). Message dropped.
Sep 26 10:34:19 gw pluto[788]: "Azure" #3: sending unencrypted notification v2N_INVALID_SYNTAX to #####:500
Sep 26 10:34:19 gw pluto[788]: packet from #####:500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:34:20 gw pluto[788]: "Azure" #3: missing payload(s) (ISAKMP_NEXT_v2SK). Message dropped.
Sep 26 10:34:20 gw pluto[788]: "Azure" #3: sending unencrypted notification v2N_INVALID_SYNTAX to #####:500
Sep 26 10:34:20 gw pluto[788]: packet from #####:500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:34:21 gw pluto[788]: "Azure" #3: missing payload(s) (ISAKMP_NEXT_v2SK). Message dropped.
Sep 26 10:34:21 gw pluto[788]: "Azure" #3: sending unencrypted notification v2N_INVALID_SYNTAX to #####:500
Sep 26 10:34:21 gw pluto[788]: packet from #####:500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500

Sep 26 10:33:24 gw pluto[788]: packet from #####:500: initial parent SA message received on 87.85.199.82:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW

The above line I suspect is the issue (because we are not using RSA to authenticate).

Has anyone else had an issue like this?

Thanks

Joe.
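As an added example (not part of the original post, and not libreswan's own tooling), the following Python script parses pluto log lines of the shape shown above, tallies the IKEv2 notifications each side sent, and records rekey, establishment and "no connection has been authorized" events so a mismatch between two peers' IKE/ESP policies stands out. The sample log embedded in the script is constructed from the lines in the post, with the peer and local addresses replaced by documentation addresses (203.0.113.10 and 192.0.2.1); the meanings attached to the notify codes are the RFC 7296 definitions, not a diagnosis of this particular gateway.

```python
import re
from collections import Counter

# Pluto log format as seen in the post, either with a connection prefix:
#   <syslog ts> <host> pluto[<pid>]: "<conn>" #<state>: <message>
# or without one (e.g. "packet from <ip>:<port>: ..." lines).
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$'
)
NOTIFY_RE = re.compile(r'notification (v2N_[A-Z_]+)')
UNAUTHORIZED_RE = re.compile(r'no connection has been authorized with policy (\S+)')

# RFC 7296 meanings of the notify types that appear in the post.
NOTIFY_MEANING = {
    "v2N_NO_PROPOSAL_CHOSEN": "none of the peer's IKE/ESP proposals was acceptable "
                              "(compare ike=/phase2alg= with the peer's policy)",
    "v2N_INVALID_SYNTAX": "a received message was malformed or unexpected "
                          "for the current exchange",
    "v2N_INVALID_MESSAGE_ID": "the message ID did not match the expected "
                              "window for this IKE SA",
}

# Constructed sample, taken from the post with addresses replaced (hypothetical).
SAMPLE_LOG = """\
Sep 26 10:19:04 gw pluto[788]: "Azure" #1: initiating v2 parent SA
Sep 26 10:19:05 gw pluto[788]: "Azure" #2: STATE_PARENT_I3: PARENT SA established tunnel mode {ESP=>0xb5731188 <0xd7f5b357 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=none DPD=passive}
Sep 26 10:33:22 gw pluto[788]: "Azure" #1: received Delete SA payload: replace IPSEC State #2 now
Sep 26 10:33:22 gw pluto[788]: "Azure" #3: initiating v2 parent SA to replace #2
Sep 26 10:33:24 gw pluto[788]: packet from 203.0.113.10:500: initial parent SA message received on 192.0.2.1:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
Sep 26 10:33:24 gw pluto[788]: "Azure" #5: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=OAKLEY_SHA2_256 group=MODP2048}
Sep 26 10:33:24 gw pluto[788]: | ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN
Sep 26 10:33:24 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 203.0.113.10:500
Sep 26 10:33:25 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 203.0.113.10:500
Sep 26 10:34:19 gw pluto[788]: "Azure" #3: missing payload(s) (ISAKMP_NEXT_v2SK). Message dropped.
Sep 26 10:34:19 gw pluto[788]: "Azure" #3: sending unencrypted notification v2N_INVALID_SYNTAX to 203.0.113.10:500
""".splitlines()


def parse_pluto_line(line):
    """Return a dict (ts, host, pid, conn, state, msg) or None if not a pluto line."""
    m = PLUTO_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["state"] = int(rec["state"]) if rec["state"] else None
    return rec


def summarize(lines):
    """Tally notifications and key SA events across a list of log lines."""
    summary = {
        "notifications": Counter(),   # notify type -> count of times we sent it
        "unauthorized_policies": [],  # policies pluto wanted for unmatched inbound inits
        "established": [],            # state numbers that reached an established SA
        "rekeys": [],                  # state numbers started to replace an older SA
        "unparsed": 0,
    }
    for line in lines:
        rec = parse_pluto_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        msg = rec["msg"]
        n = NOTIFY_RE.search(msg)
        if n:
            summary["notifications"][n.group(1)] += 1
        u = UNAUTHORIZED_RE.search(msg)
        if u:
            summary["unauthorized_policies"].append(u.group(1))
        if "PARENT SA established" in msg:
            summary["established"].append(rec["state"])
        if "to replace #" in msg:
            summary["rekeys"].append(rec["state"])
    return summary


def findings(summary):
    """Turn the summary into (code, explanation) pairs a reviewer can act on."""
    out = []
    for code in sorted(summary["notifications"]):
        out.append((code, NOTIFY_MEANING.get(code, "unlisted notify type")))
    for policy in summary["unauthorized_policies"]:
        out.append(("UNAUTHORIZED_INIT",
                    f"inbound IKE_SA_INIT matched no loaded conn; pluto looked "
                    f"for a conn allowing policy {policy}"))
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for code, why in findings(s):
        print(f"{code}: {why}")
```

Run it against a real journal with `journalctl -u ipsec --no-pager | python3 pluto_summary.py`-style piping by replacing `SAMPLE_LOG` with `sys.stdin`; the one-line `findings` output per notify type is what to compare against the other peer's configured proposals.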
