[strongSwan] Fwd: Azure dynamic routing VPN and Strongswan
koippa at gmail.com
Thu Sep 26 19:30:08 CEST 2013
I think it just sends cert request but still wants to do PSK. There is
no option to use certificates, as far as I have understood the azure
admin portal. I can only set and reset PSK.
I can also download configuration script for different VPN servers,
such as MS RRAS (Windows Server 2008 and 2012), which has line:
#Add-VpnS2SInterface -Protocol IKEv2 -AuthenticationMethod PSKOnly -NumberOfTries 3 -ResponderAuthenticationMethod PSKOnly -Name azure-public-ip -Destination azure-public-ip -IPv4Subnet @("10.96.97.0/24:100") -SharedSecret azure-psk
and if I download configuration script for Juniper, it has:
#set security ike proposal azure-proposal authentication-method pre-shared-keys
#set security ike policy azure-policy pre-shared-key ascii-text azure-psk
Maybe the problem is in IDr payloads, because PSK seems to be correct.
I was expecting problems in traffic selectors, but I guess that would
cause "No proposal chosen" or something similar.
2013/9/26 Noel Kuntze <noel at familie-kuntze.de>:
> Hello Kimmo,
> The responder wants to get a certificate. It therefore sends you 24 certificate requests.
> I think, that Azure wants you to authenticate using a signed certificate.
> Look for that line:
>> Sep 26 15:04:21 11[IKE] received 24 cert requests for an unknown ca
> Noel Kuntze
> On 26.09.2013 18:37, Kimmo K wrote:
>> I have tried to get this up and running with 5.1.0, having some problems:
>> # strongswan up to-azure
>> initiating IKE_SA to-azure to azure-public-ip
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> sending packet: from ss-public-ip to azure-public-ip (648 bytes)
>> received packet: from azure-public-ip to ss-public-ip (845 bytes)
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V CERTREQ ]
>> received unknown vendor ID:
>> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
>> received 24 cert requests for an unknown ca
>> authentication of 'ss-public-ip' (myself) with pre-shared key
>> establishing CHILD_SA to-azure
>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>> sending packet: from ss-public-ip to azure-public-ip (316 bytes)
>> received packet: from azure-public-ip to ss-public-ip (68 bytes)
>> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> received AUTHENTICATION_FAILED notify error
>> establishing connection 'to-azure' failed
>> conn to-azure
>> I have made ipsec.conf based on the configuration examples provided by
>> MS (for Juniper Dynamic routing ipsec). Local network behind SS is
>> 10.96.96.0/24 and remote network in azure is 10.96.97.0/24. Strangely,
>> azure generated example configs have 10.96.96.1/24. I tried with
>> 10.96.96.1/24 as traffic selector too, but no difference.
>> Any help is appreciated.
>> 2013/9/20 Martin Willi <martin at strongswan.org>:
>>>> With that option, site-to-site connection is made with IKEv2 and PSK.
>>>> Is there any way to connect Azure with Strongswan, using IKEv2 and this
>>>> "dynamic routing VPN" option?
>>> According to the documentation, this looks like standard IKEv2 with PSK
>>> authentication. I wouldn't expect any interoperability problems with
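As an added example (not part of the thread or of strongSwan), a small Python triage helper that reads `strongswan up` output like the one quoted above and maps the error notify to the negotiation stage that failed, following Kimmo's reasoning that a traffic-selector problem would surface differently from AUTH_FAILED. The sample logs are constructed from the thread; the notify short names (NO_PROP, INVAL_KE, AUTH_FAILED, TS_UNACCEPT) are the ones strongSwan prints in its payload summaries.

```python
import re

# Constructed sample: the `strongswan up to-azure` output quoted in the thread.
# IKE_SA_INIT completes, then the responder rejects IKE_AUTH with AUTH_FAILED.
SAMPLE_AUTH_FAILED = """\
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V CERTREQ ]
received 24 cert requests for an unknown ca
authentication of 'ss-public-ip' (myself) with pre-shared key
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
"""

# Constructed variant: authentication succeeds, only the CHILD_SA is refused.
SAMPLE_TS_UNACCEPT = """\
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
authentication of 'ss-public-ip' (myself) with pre-shared key
parsed IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
"""

# Notify short names as strongSwan prints them in payload summaries, mapped to
# the stage that failed and what the operator should compare with the peer.
HINTS = {
    "NO_PROP": ("IKE_SA_INIT", "no IKE proposal accepted; compare ike= with the peer's algorithms"),
    "INVAL_KE": ("IKE_SA_INIT", "DH group mismatch; the notify carries the group the peer wants"),
    "AUTH_FAILED": ("IKE_AUTH", "AUTH rejected; verify the PSK and the IDi/IDr identities. A CERTREQ "
                                "in IKE_SA_INIT does not by itself mean certificates are required"),
    "TS_UNACCEPT": ("CHILD_SA", "IKE_SA authenticated; leftsubnet/rightsubnet disagree with the peer"),
}

RESPONSE = re.compile(r"parsed (IKE_SA_INIT|IKE_AUTH) response \d+ \[ (.*?) \]")
CERTREQS = re.compile(r"received (\d+) cert requests")

def triage(log):
    """Classify a failed initiator exchange by the last error notify received."""
    result = {"stage": "OK", "notify": None, "cert_requests": 0, "local_auth": None, "hint": None}
    for line in log.splitlines():
        if m := CERTREQS.search(line):
            result["cert_requests"] = int(m.group(1))
        if "(myself) with pre-shared key" in line:
            result["local_auth"] = "psk"
        elif "(myself) with" in line:
            result["local_auth"] = "other"
        if m := RESPONSE.search(line):
            # NATD_*_IP and similar informational notifies are not in HINTS and are skipped.
            for notify in re.findall(r"N\((\w+)\)", m.group(2)):
                if notify in HINTS:
                    result["stage"], result["hint"] = HINTS[notify]
                    result["notify"] = notify
    return result
```

Run `triage(SAMPLE_AUTH_FAILED)` on the thread's output and it reports the IKE_AUTH stage with 24 cert requests seen while we authenticated with a PSK; the TS_UNACCEPT variant reports a CHILD_SA (traffic selector) problem instead.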