[strongSwan] Fwd: Azure dynamic routing VPN and Strongswan

Kimmo K koippa at gmail.com
Thu Sep 26 19:30:08 CEST 2013


Hello Noel

I think it just sends a cert request but still wants to do PSK. There is
no option to use certificates, as far as I have understood the azure
admin portal. I can only set and reset PSK.

I can also download configuration script for different VPN servers,
such as MS RRAS (Windows Server 2008 and 2012), which has line:

#Add-VpnS2SInterface -Protocol IKEv2 -AuthenticationMethod PSKOnly `
#    -NumberOfTries 3 -ResponderAuthenticationMethod PSKOnly -Name azure-public-ip `
#    -Destination azure-public-ip -IPv4Subnet @("10.96.97.0/24:100") -SharedSecret azure-psk

and if I download configuration script for Juniper, it has:

#set security ike proposal azure-proposal authentication-method pre-shared-keys
#set security ike policy azure-policy pre-shared-key ascii-text azure-psk

Maybe the problem is in IDr payloads, because PSK seems to be correct.
I was expecting problems in traffic selectors, but I guess that would
cause "No proposal chosen" or something similar.

Regards,
Kimmo
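
Kimmo's guess above that the IDr payload rather than the PSK is at fault can be read against how IKEv2 derives the PSK AUTH value (RFC 7296 section 2.15). The following is an added example, not code from this thread or from strongSwan: it computes the initiator's AUTH with PRF_HMAC_SHA1 and shows that the shared secret, the IKE_SA_INIT request, the responder nonce and the initiator's own ID payload all feed into it, so a responder that resolves a different secret for the presented identity recomputes a different value and answers AUTHENTICATION_FAILED. The message, nonce, SK_pi, PSK and identity values are constructed stand-ins.

```python
# Added example (not from the thread or from strongSwan): IKEv2 PSK AUTH per RFC 7296 section 2.15.
import hmac
import hashlib

KEY_PAD = b"Key Pad for IKEv2"   # fixed pad string, no NUL terminator
ID_IPV4_ADDR = 1                 # ID payload types, RFC 7296 section 3.5
ID_FQDN = 2

def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1, the prf implied by ike=aes256-sha1-modp1024."""
    return hmac.new(key, data, hashlib.sha1).digest()

def id_body(id_type: int, id_data: bytes) -> bytes:
    """RestOfInitIDPayload: ID type, three reserved bytes, ID data (generic header excluded)."""
    return bytes([id_type, 0, 0, 0]) + id_data

def ipv4_id(dotted: str) -> bytes:
    """ID_IPV4_ADDR body for a leftid/rightid written as a dotted address."""
    return id_body(ID_IPV4_ADDR, bytes(int(o) for o in dotted.split(".")))

def psk_auth(psk: bytes, sk_p: bytes, real_message: bytes, peer_nonce: bytes, ident: bytes) -> bytes:
    """AUTH = prf(prf(PSK, KEY_PAD), RealMessage | PeerNonce | prf(SK_p, IDbody))."""
    signed_octets = real_message + peer_nonce + prf(sk_p, ident)
    return prf(prf(psk, KEY_PAD), signed_octets)

def verify_psk_auth(received: bytes, psk: bytes, sk_p: bytes,
                    real_message: bytes, peer_nonce: bytes, ident: bytes) -> bool:
    """Responder-side check: recompute AUTH from its own copy of the inputs, compare in constant time."""
    return hmac.compare_digest(received, psk_auth(psk, sk_p, real_message, peer_nonce, ident))

# Constructed stand-ins for the IKE_SA_INIT request, responder nonce and SK_pi (really derived from the DH exchange).
MESSAGE1 = b"\x00" * 28 + b"constructed IKE_SA_INIT request"
NONCE_R = bytes(range(32))
SK_PI = hashlib.sha1(b"constructed SK_pi").digest()
PSK = b"azure-psk"
INITIATOR_ID = ipv4_id("192.0.2.10")

def demo() -> dict:
    """Initiator computes AUTH once; three responder views show which inputs must agree."""
    auth = psk_auth(PSK, SK_PI, MESSAGE1, NONCE_R, INITIATOR_ID)
    return {
        "same_psk_same_id": verify_psk_auth(auth, PSK, SK_PI, MESSAGE1, NONCE_R, INITIATOR_ID),
        "wrong_psk": verify_psk_auth(auth, b"other-psk", SK_PI, MESSAGE1, NONCE_R, INITIATOR_ID),
        "different_id": verify_psk_auth(auth, PSK, SK_PI, MESSAGE1, NONCE_R,
                                        id_body(ID_FQDN, b"vpn.example.com")),
    }
```

The initiator's AUTH binds IDi, not IDr; the responder's use of IDr is to pick its own identity and policy, which in turn decides which secret it verifies against.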



2013/9/26 Noel Kuntze <noel at familie-kuntze.de>:
>
> Hello Kimmo,
>
> The responder wants to get a certificate. It therefore sends you 24 certificate requests.
> I think that Azure wants you to authenticate using a signed certificate.
> Look for that line:
>> Sep 26 15:04:21 11[IKE] received 24 cert requests for an unknown ca
>
> Regards
> Noel Kuntze
>
> On 26.09.2013 18:37, Kimmo K wrote:
>> Hello
>>
>> I have tried to get this up and running with 5.1.0, having some problems:
>>
>> # strongswan up to-azure
>> initiating IKE_SA to-azure[1] to azure-public-ip
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> sending packet: from ss-public-ip[500] to azure-public-ip[500] (648 bytes)
>> received packet: from azure-public-ip[500] to ss-public-ip[500] (845 bytes)
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V CERTREQ ]
>> received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
>> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
>> received 24 cert requests for an unknown ca
>> authentication of 'ss-public-ip' (myself) with pre-shared key
>> establishing CHILD_SA to-azure
>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>> sending packet: from ss-public-ip[500] to azure-public-ip[500] (316 bytes)
>> received packet: from azure-public-ip[500] to ss-public-ip[500] (68 bytes)
>> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> received AUTHENTICATION_FAILED notify error
>> establishing connection 'to-azure' failed
>>
>> conn to-azure
>>         closeaction=clear
>>         dpdaction=clear
>>         ike=aes256-sha1-modp1024
>>         esp=aes256-sha1
>>         reauth=no
>>         keyexchange=ikev2
>>         mobike=no
>>         ikelifetime=28800s
>>         keylife=3600s
>>         keyingtries=%forever
>>         authby=secret
>>         left=ss-public-ip
>>         leftid=ss-public-ip
>>         leftfirewall=no
>>         leftsubnet=10.96.96.0/24
>>         right=azure-public-ip
>>         rightid=azure-public-ip
>>         rightsubnet=10.96.97.0/24
>>         auto=add
>>
>>
>> I have made ipsec.conf based on the configuration examples provided by
>> MS (for Juniper Dynamic routing ipsec). Local network behind SS is
>> 10.96.96.0/24 and remote network in azure is 10.96.97.0/24. Strangely,
>> azure generated example configs have 10.96.96.1/24. I tried with
>> 10.96.96.1/24 as traffic selector too, but no difference.
>>
>> Any help is appreciated.
>>
>> Regards,
>> Kimmo
>>
>>
>>
>> 2013/9/20 Martin Willi <martin at strongswan.org>:
>>> Kimmo,
>>>
>>>> With that option, site-to-site connection is made with IKEv2 and PSK.
>>>
>>> Interesting.
>>>
>>>> Is there any way to connect Azure with Strongswan, using IKEv2 and this
>>>> "dynamic routing VPN" option?
>>>
>>> According to the documentation, this looks like standard IKEv2 with PSK
>>> authentication. I wouldn't expect any interoperability problems with
>>> strongSwan.
>>>
>>> Regards
>>> Martin
>>>
>