[strongSwan] Azure dynamic routing VPN and Strongswan

Kimmo K koippa at gmail.com
Thu Sep 26 18:37:30 CEST 2013


Hello,

I have tried to get this up and running with 5.1.0, but I am having some problems:

# strongswan up to-azure
initiating IKE_SA to-azure[1] to azure-public-ip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from ss-public-ip[500] to azure-public-ip[500] (648 bytes)
received packet: from azure-public-ip[500] to ss-public-ip[500] (845 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V CERTREQ ]
received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
received 24 cert requests for an unknown ca
authentication of 'ss-public-ip' (myself) with pre-shared key
establishing CHILD_SA to-azure
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from ss-public-ip[500] to azure-public-ip[500] (316 bytes)
received packet: from azure-public-ip[500] to ss-public-ip[500] (68 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'to-azure' failed

conn to-azure
        closeaction=clear
        dpdaction=clear
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        reauth=no
        keyexchange=ikev2
        mobike=no
        ikelifetime=28800s
        keylife=3600s
        keyingtries=%forever
        authby=secret
        left=ss-public-ip
        leftid=ss-public-ip
        leftfirewall=no
        leftsubnet=10.96.96.0/24
        right=azure-public-ip
        rightid=azure-public-ip
        rightsubnet=10.96.97.0/24
        auto=add


I have made ipsec.conf based on the configuration examples provided by
MS (for Juniper Dynamic routing ipsec). The local network behind SS is
10.96.96.0/24 and the remote network in Azure is 10.96.97.0/24. Strangely,
the Azure-generated example configs have 10.96.96.1/24. I tried with
10.96.96.1/24 as the traffic selector too, but it made no difference.

Any help is appreciated.

Regards,
Kimmo



2013/9/20 Martin Willi <martin at strongswan.org>:
> Kimmo,
>
>> With that option, site-to-site connection is made with IKEv2 and PSK.
>
> Interesting.
>
>> Is there any way to connect Azure with Strongswan, using IKEv2 and this
>> "dynamic routing VPN" option?
>
> According to the documentation, this looks like standard IKEv2 with PSK
> authentication. I wouldn't expect any interoperability problems with
> strongSwan.
>
> Regards
> Martin
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vpn.log.gz
Type: application/x-gzip
Size: 8221 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130926/2359c185/attachment.bin>

