[strongSwan] Microsoft Azure Virtual Network?
John Connett
jrc at skylon.demon.co.uk
Wed Aug 1 18:47:23 CEST 2012
On Mon, 30 Jul 2012 13:37:02 +0100, John Connett <jrc at skylon.demon.co.uk>
wrote:
> On Thu, 26 Jul 2012 10:15:19 +0100, John Connett
> <jrc at skylon.demon.co.uk> wrote:
>> I am attempting to use strongSwan 4.5.3-5.4.1 on openSUSE 12.1
>> (x86_64) to provide an endpoint to a Microsoft Azure Virtual Network
>> using the 90-day free trial preview (https://www.windowsazure.com).
I think I may be getting closer to a working connection. Traffic is
moving in both directions using ISAKMP (UDP 500) and IPSEC-NAT-T (UDP
4500). The output of "ipsec statusall" looks promising a couple of
minutes after starting. However, the connection attempts cycle
through CREATED => CONNECTING => DESTROYING ...
I have turned up logger output and the following looks suspicious:
10[CFG] <2> looking for pre-shared key peer configs matching 192.168.199.10...168.63.60.212[10.4.1.4]
10[IKE] <2> no peer config found
192.168.199.10: private IP address of strongSwan host system (left)
168.63.60.212: public IP address of the Azure gateway (right)
10.4.1.4: private IP address within the tunnel?
Any suggestions as to my next move?
--
John Connett
==== ipsec statusall =================================================
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.1.10-1.16-desktop, x86_64):
  uptime: 2 minutes, since Aug 01 17:18:55 2012
  malloc: sbrk 262144, mmap 0, used 146336, free 115808
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.199.10
Connections:
  Azure: 192.168.199.10...168.63.60.212 IKEv2
  Azure: local: [86.30.202.35] uses pre-shared key authentication
  Azure: remote: [168.63.60.212] uses pre-shared key authentication
  Azure: child: 192.168.199.0/24 === 10.4.2.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
  Azure[1]: CONNECTING, 192.168.199.10[%any]...168.63.60.212[%any]
  Azure[1]: IKEv2 SPIs: 764ace2759d73bb6_i* 0000000000000000_r
  Azure[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
#
======================================================================
==== /usr/local/etc/ipsec.conf ========================================
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
        charonstart=yes
        plutostart=no

# VPN connections
conn Azure
        left=192.168.199.10
        leftid=86.30.202.35
        leftsourceip=%config
        leftsubnet=192.168.199.0/24
        leftauth=psk
        lefthostaccess=yes
        right=168.63.60.212
        rightsubnet=10.4.2.0/24
        rightauth=psk
        forceencaps=yes
        keyexchange=ikev2
        ike=aes128-sha1-modp1024!
        ikelifetime=8h
        esp=aes128-sha1!
        lifetime=1h
        lifebytes=104857600000
        auto=start
======================================================================
==== /usr/local/etc/ipsec.secrets ====================================
86.30.202.35 168.63.60.212 : PSK "<secret>"
======================================================================
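
An added example, not part of the original post or of strongSwan: a small Python check that pairs each "no peer config found" log entry with the connections listed by "ipsec statusall" and reports where the configured remote identity differs from the one in the lookup. It assumes the bracketed value in the log line is the identity the peer presented; the function names are hypothetical and the sample input is constructed from the lines quoted above.

```python
import re

# Constructed sample input: lines taken from the log excerpt and the
# "ipsec statusall" output in the post, with the wrapped log line rejoined.
LOG = """\
10[CFG] <2> looking for pre-shared key peer configs matching 192.168.199.10...168.63.60.212[10.4.1.4]
10[IKE] <2> no peer config found
"""
STATUS = """\
Azure: 192.168.199.10...168.63.60.212 IKEv2
Azure: local: [86.30.202.35] uses pre-shared key authentication
Azure: remote: [168.63.60.212] uses pre-shared key authentication
"""

# Assumption: the value in [...] is the identity the peer presented.
LOOKUP = re.compile(r"(<\d+>) looking for .*?peer configs matching "
                    r"(\S+?)\.\.\.([^\[\s]+)\[([^\]]+)\]")
NO_MATCH = re.compile(r"(<\d+>) no peer config found")
CONN = re.compile(r"^[ \t]*(\S+):[ \t]+(\S+?)\.\.\.(\S+)[ \t]+IKEv\d", re.M)
REMOTE_ID = re.compile(r"^[ \t]*(\S+):[ \t]+remote:[ \t]+\[([^\]]+)\]", re.M)


def failed_lookups(log):
    """Return (local, remote, peer_id) for each lookup that found no config."""
    pending, failed = {}, []
    for line in log.splitlines():
        if m := LOOKUP.search(line):
            pending[m.group(1)] = m.groups()[1:]   # keyed by the <n> SA tag
        elif (m := NO_MATCH.search(line)) and m.group(1) in pending:
            failed.append(pending.pop(m.group(1)))
    return failed


def id_mismatches(log, status):
    """Pair each failed lookup with connections on the same addresses whose
    configured remote identity differs from the one the peer presented."""
    addrs = {name: (loc, rem) for name, loc, rem in CONN.findall(status)}
    ids = dict(REMOTE_ID.findall(status))
    out = []
    for local, remote, peer_id in failed_lookups(log):
        for name, pair in addrs.items():
            if pair == (local, remote) and ids.get(name) not in (None, peer_id):
                out.append((name, ids[name], peer_id))
    return out


if __name__ == "__main__":
    for name, configured, presented in id_mismatches(LOG, STATUS):
        print(f"conn {name}: remote ID configured as {configured}, "
              f"peer presented {presented}")
```
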