
Issue #3561

Azure P2S VPN Linux connection error

Added by Scott D 3 months ago. Updated 3 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: configuration
Affected version: 5.8.2
Resolution:
Description

Have an Azure P2S running on windows 10 and tried setting up on Linux Ubuntu 20.04. Followed instructions on the two pages

https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-configuration-azure-cert#installlinux

https://serverfault.com/questions/840920/how-connect-a-linux-box-to-an-azure-point-to-site-gateway

Starting up IPsec Azure and get the following messages.
Have tried on a 2nd machine with the same results.

Please let me know what other information is needed to get this connection receiving.

sudo ipsec up azure
initiating IKE_SA azure[1] to xx.xx.xx.xx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.110.0.254[500] to xx.xx.xx.xx[500] (796 bytes)
received packet: from xx.xx.xx.xx[500] to 10.110.0.254[500] (36 bytes)
parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify error

Syslog tail

Sep 12 21:38:56 virtualpps-SERVER charon: 05[CFG] added configuration 'azure'
Sep 12 21:39:01 virtualpps-SERVER CRON[296840]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Sep 12 21:39:04 virtualpps-SERVER charon: 07[CFG] received stroke: initiate 'azure'
Sep 12 21:39:04 virtualpps-SERVER charon: 10[IKE] initiating IKE_SA azure[1] to xx.xx.xx.xx
Sep 12 21:39:04 virtualpps-SERVER charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 12 21:39:04 virtualpps-SERVER charon: 10[NET] sending packet: from 10.110.0.254[500] to xx.xx.xx.xx[500] (796 bytes)
Sep 12 21:39:04 virtualpps-SERVER charon: 11[NET] received packet: from xx.xx.xx.xx[500] to 10.110.0.254[500] (36 bytes)
Sep 12 21:39:04 virtualpps-SERVER charon: 11[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Sep 12 21:39:04 virtualpps-SERVER charon: 11[IKE] received NO_PROPOSAL_CHOSEN notify error

IPSec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

conn azure
  keyexchange=ikev2
  type=tunnel
  leftfirewall=yes
  left=%any
  leftauth=eap-tls
  leftid=%client # use the DNS alternative name prefixed with the %
  right=azuregateway-Xxx.vpn.azure.com
  rightid=%azuregateway-Xxx.vpn.azure.com
  rightsubnet=0.0.0.0/0
  leftsourceip=%config
  auto=add

History

#1 Updated by Tobias Brunner 3 months ago

  • Description updated (diff)
  • Category set to configuration
  • Status changed from New to Feedback

Presumably the Windows machine still uses the weak modp1024 DH group, which strongSwan hasn't included in its default proposal for years. So either try to change the server so it uses a stronger group (see WindowsClients for some pointers, although, that's the client side, maybe Windows responders have similar knobs), or configure the IKE proposal(s) explicitly so modp1024 is included (not recommended due to the weak key exchange, but ike=aes128-sha1-modp1024 might work).

#2 Updated by Scott D 3 months ago

Tobias, Thanks for your quick response. My machine explanation wasn’t interpreted correctly.

What I meant was the Azure P2S was working successfully on a windows 10 machine and subsequently configured on Ubuntu 20.04 which is where the connection was not successful. All the configuration and outputs provided are from the Ubuntu machine attempting to connect to the Azure VPN gateway.

#3 Updated by Tobias Brunner 3 months ago

Changes nothing really about what I wrote above (either change the server's or the client's config).

#4 Updated by Scott D 3 months ago

Tobias,
Made some progress taking your option of adding the IKE proposal to the config file shown below. Syslog follows.

Is the problem with certificates now?

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

conn azure
  keyexchange=ikev2
  ike=aes128-sha1-modp1024
  type=tunnel
  leftfirewall=yes
  left=%any
  leftauth=eap-tls
  leftid=%client # use the DNS alternative name prefixed with the %
  right=azuregateway-b2340063-d493-459d-a6b0-cc73e5af2e1d-de780e1e55b7.vpn.azure.com
  rightid=%azuregateway-b2340063-d493-459d-a6b0-cc73e5af2e1d-de780e1e55b7.vpn.azure.com
  rightsubnet=0.0.0.0/0
  leftsourceip=%config
  auto=add

SYSLOG

Sep 15 21:44:39 virtualpps-SERVER charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-7642-generic, x86_64)
Sep 15 21:44:39 virtualpps-SERVER charon: 00[CFG] PKCS11 module '<name>' lacks library path
Sep 15 21:44:39 virtualpps-SERVER charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 15 21:44:39 virtualpps-SERVER charon: 00[CFG] loaded ca certificate "C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root" from '/etc/ipsec.d/cacerts/VpnServerRoot.cer'
Sep 15 21:44:39 virtualpps-SERVER charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 15 21:44:39 virtualpps-SERVER charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 15 21:44:39 virtualpps-SERVER charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 15 21:44:39 virtualpps-SERVER charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 15 21:44:39 virtualpps-SERVER charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 15 21:44:39 virtualpps-SERVER charon: 00[ASN] 3DES_CBC encryption algorithm not available
Sep 15 21:44:39 virtualpps-SERVER charon: 00[CFG] loaded ca certificate "CN=VPN CA" from '/etc/ipsec.d/private/client.p12'
Sep 15 21:44:39 virtualpps-SERVER charon: 00[CFG] loaded certificate "CN=client" from '/etc/ipsec.d/private/client.p12'
Sep 15 21:44:39 virtualpps-SERVER charon: 00[CFG] loaded 0 RADIUS server configurations
Sep 15 21:44:39 virtualpps-SERVER charon: 00[CFG] HA config misses local/remote address
Sep 15 21:44:39 virtualpps-SERVER charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Sep 15 21:44:39 virtualpps-SERVER charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep 15 21:44:39 virtualpps-SERVER charon: 00[JOB] spawning 16 worker threads
Sep 15 21:44:39 virtualpps-SERVER charon: 06[CFG] received stroke: add connection 'azure'
Sep 15 21:44:39 virtualpps-SERVER charon: 06[CFG] added configuration 'azure'
Sep 15 21:44:44 virtualpps-SERVER charon: 09[CFG] received stroke: initiate 'azure'
Sep 15 21:44:44 virtualpps-SERVER charon: 10[IKE] initiating IKE_SA azure[1] to xx.xx.xx.xx
Sep 15 21:44:44 virtualpps-SERVER charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 15 21:44:44 virtualpps-SERVER charon: 10[NET] sending packet: from 10.110.0.254[500] to xx.xx.xx.xx[500] (936 bytes)
Sep 15 21:44:44 virtualpps-SERVER charon: 11[NET] received packet: from xx.xx.xx.xx[500] to 10.110.0.254[500] (364 bytes)
Sep 15 21:44:44 virtualpps-SERVER charon: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V ]
Sep 15 21:44:44 virtualpps-SERVER charon: 11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Sep 15 21:44:44 virtualpps-SERVER charon: 11[IKE] received MS-Negotiation Discovery Capable vendor ID
Sep 15 21:44:44 virtualpps-SERVER charon: 11[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 15 21:44:44 virtualpps-SERVER charon: 11[IKE] local host is behind NAT, sending keep alives
Sep 15 21:44:44 virtualpps-SERVER charon: 11[IKE] sending cert request for "CN=VPN CA"
Sep 15 21:44:44 virtualpps-SERVER charon: 11[IKE] sending cert request for "C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"
Sep 15 21:44:44 virtualpps-SERVER charon: 11[IKE] establishing CHILD_SA azure{1}
Sep 15 21:44:44 virtualpps-SERVER charon: 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 15 21:44:44 virtualpps-SERVER charon: 11[NET] sending packet: from 10.110.0.254[4500] to xx.xx.xx.xx[4500] (332 bytes)
Sep 15 21:44:44 virtualpps-SERVER charon: 12[NET] received packet: from xx.xx.xx.xx[4500] to 10.110.0.254[4500] (76 bytes)
Sep 15 21:44:44 virtualpps-SERVER charon: 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 15 21:44:44 virtualpps-SERVER charon: 12[IKE] received AUTHENTICATION_FAILED notify error

#5 Updated by Tobias Brunner 3 months ago

The server rejects the client's IKE_AUTH request. Maybe it doesn't expect an EAP authentication, or the identities are no good. Have a look at the server logs for details.
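The two failures in this thread (NO_PROPOSAL_CHOSEN in IKE_SA_INIT in the first attempt, AUTHENTICATION_FAILED in IKE_AUTH after modp1024 was added) are the two places an IKEv2 client most often gets stuck against a gateway it does not control. The script below is an added example, not code from strongSwan or from this issue: it parses the charon output quoted above (either the console output of `ipsec up` or the syslog copy), attributes the notify error to the exchange whose response carried it, extracts the selected IKE proposal and flags a weak DH group such as MODP_1024. The log lines embedded at the bottom are constructed after the ones in the issue; the set of groups treated as weak and the advice strings are this example's own assumptions.

```python
"""Triage of strongSwan charon IKEv2 client logs.

Added example; not code from the strongSwan project or from this issue.
Reads 'ipsec up' / syslog output of the kind quoted in the thread and
reports which exchange the peer rejected, which notify error it returned,
and whether the IKE proposal that was finally selected uses a weak DH group.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# DH groups treated as weak here (assumption for this example; strongSwan
# dropped modp1024 from its default proposal, the other two are weaker still).
WEAK_DH_GROUPS = {"MODP_768", "MODP_1024", "MODP_1536"}

# Optional syslog prefix ("... charon: ") and thread/subsystem tag ("11[IKE] "),
# so both the console output of 'ipsec up' and the syslog lines parse.
_PREFIX = r"^(?:.*?charon: )?(?:\d+\[[A-Z]+\] )?"
RE_INIT = re.compile(_PREFIX + r"initiating IKE_SA (?P<conn>[^\[\s]+)\[\d+\]")
RE_PARSED = re.compile(_PREFIX + r"parsed (?P<exch>IKE_SA_INIT|IKE_AUTH) response \d+")
RE_NOTIFY = re.compile(_PREFIX + r"received (?P<notify>[A-Z_]+) notify error")
RE_PROPOSAL = re.compile(_PREFIX + r"selected proposal: IKE:(?P<prop>\S+)")

# Advice keyed by (exchange, notify); wording is this example's assumption.
ADVICE = {
    ("IKE_SA_INIT", "NO_PROPOSAL_CHOSEN"):
        "peer accepted none of the offered IKE proposals; compare ike= "
        "(cipher, integrity, DH group) with the gateway's IKEv2 policy",
    ("IKE_AUTH", "AUTHENTICATION_FAILED"):
        "peer rejected IKE_AUTH; check the authentication method "
        "(EAP vs. certificate), leftid/rightid and the server-side logs",
}


@dataclass
class Triage:
    conn: Optional[str] = None
    proposal: Optional[str] = None          # e.g. AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    dh_group: Optional[str] = None
    failed_exchange: Optional[str] = None   # IKE_SA_INIT or IKE_AUTH
    notify: Optional[str] = None            # notify error the peer returned
    advice: str = ""

    @property
    def weak_dh(self) -> bool:
        return self.dh_group in WEAK_DH_GROUPS


def dh_group_of(proposal: str) -> Optional[str]:
    """The last transform of a charon IKE proposal string is the DH group."""
    last = proposal.split("/")[-1]
    return last if last.startswith(("MODP_", "ECP_", "CURVE_")) else None


def triage(lines: Iterable[str]) -> Triage:
    """Walk the log once, remembering the last parsed exchange so a notify
    error can be attributed to the exchange whose response carried it."""
    t = Triage()
    last_exchange = None
    for line in lines:
        if m := RE_INIT.match(line):
            t.conn = m["conn"]
        elif m := RE_PROPOSAL.match(line):
            t.proposal = m["prop"]
            t.dh_group = dh_group_of(t.proposal)
        elif m := RE_PARSED.match(line):
            last_exchange = m["exch"]
        elif m := RE_NOTIFY.match(line):
            t.failed_exchange = last_exchange
            t.notify = m["notify"]
    t.advice = ADVICE.get(
        (t.failed_exchange, t.notify),
        "no notify error seen" if t.notify is None
        else f"{t.notify} during {t.failed_exchange}")
    if t.weak_dh:
        t.advice += (f"; selected DH group {t.dh_group} is weak, "
                     "move the gateway to a stronger group")
    return t


# Constructed sample logs modelled on the two attempts in the issue
# (gateway address redacted as xx.xx.xx.xx, hostname shortened).
FIRST_ATTEMPT = """\
initiating IKE_SA azure[1] to xx.xx.xx.xx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.110.0.254[500] to xx.xx.xx.xx[500] (796 bytes)
received packet: from xx.xx.xx.xx[500] to 10.110.0.254[500] (36 bytes)
parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify error
""".splitlines()

SECOND_ATTEMPT = """\
Sep 15 21:44:44 host charon: 10[IKE] initiating IKE_SA azure[1] to xx.xx.xx.xx
Sep 15 21:44:44 host charon: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V ]
Sep 15 21:44:44 host charon: 11[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 15 21:44:44 host charon: 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ SA TSi TSr N(EAP_ONLY) ]
Sep 15 21:44:44 host charon: 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 15 21:44:44 host charon: 12[IKE] received AUTHENTICATION_FAILED notify error
""".splitlines()

if __name__ == "__main__":
    for name, log in (("first attempt", FIRST_ATTEMPT), ("second attempt", SECOND_ATTEMPT)):
        r = triage(log)
        print(f"{name}: conn={r.conn} failed={r.failed_exchange} notify={r.notify} "
              f"dh={r.dh_group} weak={r.weak_dh}\n  -> {r.advice}")
```

Run it against a real capture with `sudo ipsec up azure 2>&1 | python3 triage.py` after replacing the constructed lists with `sys.stdin`; the weak-group warning is the practical reason to prefer fixing the gateway's IKE policy over adding modp1024 on the client, as the comment above recommends.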
