[Swan] Azure + LibreSwan
Madden, Joe
Joe.Madden at mottmac.com
Wed Sep 26 10:47:24 UTC 2018
Hi List,
I have an Azure VPN gateway running (vpnGW1) with a custom IPsec policy with the following settings:
[
{
"dhGroup": "DHGroup14",
"ikeEncryption": "AES256",
"ikeIntegrity": "SHA256",
"ipsecEncryption": "AES256",
"ipsecIntegrity": "SHA256",
"pfsGroup": "PFS2048",
"saDataSizeKilobytes": 1048576,
"saLifeTimeSeconds": 28800
}
]
The libreswan configuration looks like this:
conn Azure
    authby=secret
    auto=start
    type=tunnel
    left=###
    leftsubnet=###
    leftnexthop=%defaultroute
    right=###
    rightid=###
    rightsubnet=10.101.0.0/24
    ikev2=insist
    ike=aes256-sha2_256;modp2048
    #sha2_truncbug=yes
    phase2=esp
    phase2alg=aes256-sha2_256;modp2048
    salifetime=28800s
    nat-keepalive=yes
    forceencaps=no
    pfs=yes
When I restart the libreswan process, the VPN connection works without an issue.
When I restart the Azure side of the VPN connection, I get the following in the log:
Sep 26 10:19:04 gw pluto[788]: "Azure" #1: initiating v2 parent SA
Sep 26 10:19:04 gw pluto[788]: "Azure" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Sep 26 10:19:05 gw pluto[788]: "Azure" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=OAKLEY_SHA2_256 group=MODP2048}
Sep 26 10:19:05 gw pluto[788]: "Azure" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '#####'
Sep 26 10:19:05 gw pluto[788]: "Azure" #2: negotiated tunnel [192.168.1.0,192.168.1.255:0-65535 0] -> [10.101.0.0,10.101.0.255:0-65535 0]
Sep 26 10:19:05 gw pluto[788]: "Azure" #2: STATE_PARENT_I3: PARENT SA established tunnel mode {ESP=>0xb5731188 <0xd7f5b357 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=none DPD=passive}
Sep 26 10:33:22 gw pluto[788]: "Azure" #1: received Delete SA payload: replace IPSEC State #2 now
Sep 26 10:33:22 gw pluto[788]: "Azure" #3: initiating v2 parent SA to replace #2
Sep 26 10:33:22 gw pluto[788]: "Azure" #2: deleting state #2 (STATE_PARENT_I3)
Sep 26 10:33:22 gw pluto[788]: "Azure" #2: ESP traffic information: in=0B out=0B
Sep 26 10:33:22 gw pluto[788]: "Azure" #1: deleting state #1 (STATE_IKESA_DEL)
Sep 26 10:33:22 gw pluto[788]: "Azure" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
Sep 26 10:33:22 gw pluto[788]: "Azure" #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=OAKLEY_SHA2_256 group=MODP2048}
Sep 26 10:33:24 gw pluto[788]: packet from #####:500: initial parent SA message received on 87.85.199.82:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
Sep 26 10:33:24 gw pluto[788]: "Azure" #5: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=OAKLEY_SHA2_256 group=MODP2048}
Sep 26 10:33:24 gw pluto[788]: "Azure" #5: IKEv2 mode peer ID is ID_IPV4_ADDR: '#####'
Sep 26 10:33:24 gw pluto[788]: | ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN
Sep 26 10:33:24 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to #####:500
Sep 26 10:33:25 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:33:26 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:33:29 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:33:36 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:33:50 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:34:18 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:34:19 gw pluto[788]: "Azure" #3: missing payload(s) (ISAKMP_NEXT_v2SK). Message dropped.
Sep 26 10:34:19 gw pluto[788]: "Azure" #3: sending unencrypted notification v2N_INVALID_SYNTAX to #####:500
Sep 26 10:34:19 gw pluto[788]: packet from #####:500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:34:20 gw pluto[788]: "Azure" #3: missing payload(s) (ISAKMP_NEXT_v2SK). Message dropped.
Sep 26 10:34:20 gw pluto[788]: "Azure" #3: sending unencrypted notification v2N_INVALID_SYNTAX to #####:500
Sep 26 10:34:20 gw pluto[788]: packet from #####:500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:34:21 gw pluto[788]: "Azure" #3: missing payload(s) (ISAKMP_NEXT_v2SK). Message dropped.
Sep 26 10:34:21 gw pluto[788]: "Azure" #3: sending unencrypted notification v2N_INVALID_SYNTAX to #####:500
Sep 26 10:34:21 gw pluto[788]: packet from #####:500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to #####:500
Sep 26 10:33:24 gw pluto[788]: packet from #####:500: initial parent SA message received on 87.85.199.82:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
The above line, I suspect, is the issue (because we are not using RSA to authenticate).
Has anyone else had an issue like this?
Thanks
Joe.
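As an added example (not part of the post, and not libreswan code), a small Python triage script that walks pluto log lines like the ones above and pulls out the Delete SA, the replacement initiation and the "no connection has been authorized" rejection, so the failing rekey sequence can be spotted in bulk rather than by eye. The sample log and its addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample modelled on the pluto lines quoted above; addresses are RFC 5737 placeholders.
SAMPLE_LOG = """\
Sep 26 10:33:22 gw pluto[788]: "Azure" #1: received Delete SA payload: replace IPSEC State #2 now
Sep 26 10:33:22 gw pluto[788]: "Azure" #3: initiating v2 parent SA to replace #2
Sep 26 10:33:24 gw pluto[788]: packet from 203.0.113.10:500: initial parent SA message received on 198.51.100.5:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
Sep 26 10:33:24 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 203.0.113.10:500
Sep 26 10:33:25 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 203.0.113.10:500
Sep 26 10:33:26 gw pluto[788]: "Azure" #5: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 203.0.113.10:500
"""

LINE_RE = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: (?P<rest>.*)$')
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
PKT_RE = re.compile(r'^packet from (?P<peer>\S+): (?P<msg>.*)$')
UNAUTH_RE = re.compile(r'initial parent SA message received on (?P<local>\S+) but no connection has been authorized with policy (?P<policy>\S+)')
NOTIFY_RE = re.compile(r'sending unencrypted notification (?P<name>v2N_\w+) to \S+')


def analyze(log_text):
    """Collect the events that matter for a peer-initiated rekey from pluto log lines."""
    ev = {"deletes": [], "replacements": [], "unauthorized": [], "notifications": Counter()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto line
        rest = m.group("rest")
        c, p = CONN_RE.match(rest), PKT_RE.match(rest)
        msg = (c or p).group("msg") if (c or p) else rest
        if c and "received Delete SA payload" in msg:
            ev["deletes"].append((c.group("conn"), int(c.group("state"))))
        elif c and msg.startswith("initiating v2 parent SA to replace"):
            ev["replacements"].append((c.group("conn"), int(c.group("state"))))
        if p and (u := UNAUTH_RE.search(msg)):  # responder found no conn for the peer's IKE_SA_INIT
            ev["unauthorized"].append({"peer": p.group("peer"), "local": u.group("local"), "policy": u.group("policy")})
        if n := NOTIFY_RE.search(msg):
            ev["notifications"][n.group("name")] += 1
    return ev


def verdict(ev):
    """One-line summary for the on-call engineer, or None when nothing looks wrong."""
    if ev["deletes"] and ev["unauthorized"]:
        u = ev["unauthorized"][0]
        return (f"peer {u['peer']} deleted the SA and re-initiated, but no conn was authorised on "
                f"{u['local']} for policy {u['policy']}; compare authby= and the ids on both sides")
    if ev["notifications"]["v2N_NO_PROPOSAL_CHOSEN"]:
        return "proposal mismatch: compare ike=/phase2alg= with the peer's IPsec policy"
    return None
```

Feed it `journalctl -u ipsec` or `/var/log/secure` output instead of SAMPLE_LOG to triage a real gateway.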