Connect to Azure IPSec

WynneM
Posts: 14
Joined: Wed Sep 11, 2013 11:18 pm

Connect to Azure IPSec

Post by WynneM »

Hi, I'm trying to connect a newly purchased 7800DX to the Azure Virtual Network Gateway. No Billion devices are on the approved list but I figured it was worth a try; however, even though they are talking, they don't seem to be speaking the same language. If we can get this to work I will post it on a blog and this could mean potential further purchases for this product.

If anyone could spot what I am doing wrong that would be a HUGE help.

I'm following the Azure settings published on this page

http://www.windowsazure.com/en-us/manag ... l-network/

and IPSec ones on this page (it's a dynamic gateway)

http://msdn.microsoft.com/en-us/library ... ingGateway

The devices are talking to each other, but clearly not the same language as they aren't connecting.

My settings on my router are

Image

The logs at the office end are

Sep 12 07:54:04 authpriv debug pluto[16096]: | found connection: AzureSg
Sep 12 07:54:04 authpriv warn pluto[16096]: "AzureSg" #263: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Sep 12 07:54:04 authpriv warn pluto[16096]: "AzureSg" #263: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=oakley_sha group=modp1024}
Sep 12 07:54:05 authpriv warn pluto[16096]: "AzureSg" #263: IKEv2 mode peer ID is ID_IPV4_ADDR: '<removed>'
Sep 12 07:54:05 authpriv debug pluto[16096]: | CHILD SA proposals received
Sep 12 07:54:05 authpriv warn pluto[16096]: "AzureSg" #263: PAUL: this is where we have to check the TSi/TSr
Sep 12 07:54:05 authpriv warn pluto[16096]: "AzureSg" #263: transition from state STATE_PARENT_R1 to state STATE_PARENT_R2
Sep 12 07:54:05 authpriv warn pluto[16096]: "AzureSg" #263: STATE_PARENT_R2: received v2I2, PARENT SA established
Sep 12 07:54:06 authpriv debug pluto[16096]: | found connection: AzureSg
Sep 12 07:54:06 authpriv warn pluto[16096]: "AzureSg" #264: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Sep 12 07:54:06 authpriv warn pluto[16096]: "AzureSg" #264: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=oakley_sha group=modp1024}
Sep 12 07:54:06 authpriv warn pluto[16096]: "AzureSg" #264: IKEv2 mode peer ID is ID_IPV4_ADDR: '<removed>'
Sep 12 07:54:06 authpriv debug pluto[16096]: | CHILD SA proposals received
Sep 12 07:54:06 authpriv warn pluto[16096]: "AzureSg" #264: PAUL: this is where we have to check the TSi/TSr
Sep 12 07:54:06 authpriv warn pluto[16096]: "AzureSg" #264: transition from state STATE_PARENT_R1 to state STATE_PARENT_R2
Sep 12 07:54:06 authpriv warn pluto[16096]: "AzureSg" #264: STATE_PARENT_R2: received v2I2, PARENT SA established
Sep 12 07:54:07 authpriv debug pluto[16096]: | found connection: AzureSg
Sep 12 07:54:07 authpriv warn pluto[16096]: "AzureSg" #265: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Sep 12 07:54:07 authpriv warn pluto[16096]: "AzureSg" #265: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=oakley_sha group=modp1024}
Sep 12 07:54:07 authpriv warn pluto[16096]: "AzureSg" #265: IKEv2 mode peer ID is ID_IPV4_ADDR: '<removed>'
Sep 12 07:54:07 authpriv debug pluto[16096]: | CHILD SA proposals received
Sep 12 07:54:07 authpriv warn pluto[16096]: "AzureSg" #265: PAUL: this is where we have to check the TSi/TSr
Sep 12 07:54:07 authpriv warn pluto[16096]: "AzureSg" #265: transition from state STATE_PARENT_R1 to state STATE_PARENT_R2
Sep 12 07:54:07 authpriv warn pluto[16096]: "AzureSg" #265: STATE_PARENT_R2: received v2I2, PARENT SA established
Sep 12 07:54:19 authpriv warn pluto[16096]: "AzureSg" #262: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Sep 12 07:54:19 authpriv warn pluto[16096]: "AzureSg" #262: received and ignored informational message
Sep 12 07:54:59 authpriv warn pluto[16096]: "AzureSg" #262: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Sep 12 07:54:59 authpriv warn pluto[16096]: "AzureSg" #262: received and ignored informational message
Sep 12 07:55:39 authpriv warn pluto[16096]: "AzureSg" #262: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Sep 12 07:55:39 authpriv warn pluto[16096]: "AzureSg" #262: received and ignored informational message
Sep 12 07:56:19 authpriv warn pluto[16096]: "AzureSg" #262: max number of retransmissions (5) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Sep 12 07:56:19 authpriv warn pluto[16096]: "AzureSg" #266: initiating Main Mode to replace #262
Sep 12 07:56:20 authpriv warn pluto[16096]: "AzureSg" #266: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Sep 12 07:56:20 authpriv warn pluto[16096]: "AzureSg" #266: received and ignored informational message

And the settings at Azure

Image
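
Added example, not part of the original thread or any poster's code: a small Python parser run over a subset of the pluto lines quoted above. It groups lines by SA serial and shows that the exchanges arriving from Azure are IKEv2, while the router's own outbound attempts are IKEv1 Main Mode and are refused with NO_PROPOSAL_CHOSEN. The function names are hypothetical and the classification uses only strings visible in this log.

```python
import re
from collections import defaultdict

# Subset of the pluto lines quoted in the post above, copied verbatim.
SAMPLE = '''\
Sep 12 07:54:04 authpriv debug pluto[16096]: | found connection: AzureSg
Sep 12 07:54:04 authpriv warn pluto[16096]: "AzureSg" #263: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=oakley_sha group=modp1024}
Sep 12 07:54:05 authpriv warn pluto[16096]: "AzureSg" #263: STATE_PARENT_R2: received v2I2, PARENT SA established
Sep 12 07:54:19 authpriv warn pluto[16096]: "AzureSg" #262: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Sep 12 07:56:19 authpriv warn pluto[16096]: "AzureSg" #262: max number of retransmissions (5) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Sep 12 07:56:19 authpriv warn pluto[16096]: "AzureSg" #266: initiating Main Mode to replace #262
Sep 12 07:56:20 authpriv warn pluto[16096]: "AzureSg" #266: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
'''

LINE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')

def summarize(log_text):
    """Group pluto lines by SA serial (#NNN); record IKE version, role, outcome."""
    sas = defaultdict(lambda: {"ike": None, "role": None,
                               "parent_sa": False, "no_proposal": 0})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # debug lines ("| found connection") carry no SA serial
        sa, msg = sas[int(m["sa"])], m["msg"]
        if "STATE_PARENT_" in msg or "STATE_IKEv2_" in msg:
            sa["ike"] = "IKEv2"
        elif "STATE_MAIN_" in msg or "Main Mode" in msg:
            sa["ike"] = "IKEv1"
        state = re.search(r"STATE_(?:PARENT|MAIN)_([RI])\d", msg)
        if state:  # R-states: we answered the peer; I-states: we initiated
            sa["role"] = "responder" if state[1] == "R" else "initiator"
        elif "initiating" in msg:
            sa["role"] = "initiator"
        sa["parent_sa"] |= "PARENT SA established" in msg
        sa["no_proposal"] += "NO_PROPOSAL_CHOSEN" in msg
    return dict(sas)

def version_mismatch(sas):
    """True when the peer negotiates IKEv2 inbound while our IKEv1 offers are refused."""
    peer_v2 = any(s["ike"] == "IKEv2" and s["role"] == "responder" for s in sas.values())
    ours_v1_refused = any(s["ike"] == "IKEv1" and s["role"] == "initiator"
                          and s["no_proposal"] for s in sas.values())
    return peer_v2 and ours_v1_refused

if __name__ == "__main__":
    for serial, info in sorted(summarize(SAMPLE).items()):
        print(serial, info)
    print("IKE version mismatch:", version_mismatch(summarize(SAMPLE)))
```

Azure's dynamic-routing gateways negotiate IKEv2 and its static-routing gateways IKEv1, so a mismatch flagged here is consistent with the fix reported later in the thread.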
jbravovich
Posts: 1
Joined: Fri Sep 13, 2013 2:47 am

Re: Connect to Azure IPSec

Post by jbravovich »

My understanding is that Azure connects through TCP, HTTP and HTTPS so the router would need to support IPSec over TCP.
Maybe try and enable the NAT Traversal option in the IPSec settings.
Most routers use IKE, UDP and ESP though.
Have you asked Microsoft what protocol/s their implementation uses and what the router needs to support?
WynneM
Posts: 14
Joined: Wed Sep 11, 2013 11:18 pm

Re: Connect to Azure IPSec

Post by WynneM »

Someone at Microsoft posted this on my question I posted on their Azure Forum

"Azure connects through TCP, HTTP and HTTPS so the router would need to support IPSec over TCP.

Please check this article:

About VPN Devices for Virtual Network

http://msdn.microsoft.com/en-us/library ... 56075.aspx"


So, yes, it seems that Azure may connect through TCP, HTTP and HTTPS as you alluded to. Does the Billion 7800DX support this?

Enabling the NAT Traversal hasn't made any difference, but without knowing that my settings are correct anyhow I can't say that for sure.

I'm thinking I may have to return the device as it's looking increasingly like I won't be able to get it to work.
WynneM
Posts: 14
Joined: Wed Sep 11, 2013 11:18 pm

Re: Connect to Azure IPSec

Post by WynneM »

Ok, it took days of trial and error, but I got there. Basically the big problem was setting up a dynamic gateway, which gets set as default when you have a Site-to-Site and Point-to-Site configuration. So I had to ditch the Point-to-Site and set up a static gateway.

Maybe this means the Billion can't handle a Route based VPN Configuration.

Other settings I got wrong were having to set NAT Traversal on and setting the Local & Remote IDs.

Image
bignick8t3
Posts: 6
Joined: Fri Sep 02, 2011 11:15 am

Re: Connect to Azure IPSec

Post by bignick8t3 »

Sorry to revive an old thread but I don't suppose you've got more details on how you got your VPN with Azure working?

Cheers

Nick