I am struggling to set up an IPsec VPN to Azure.
Following the Azure IPsec parameters in the doc below:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
Getting the below errors in isakmpd, and am stumped where to look next:
Default exchange_run: exchange_validate failed
Default dropped message from 2.2.2.2 port 500 due to notification type
PAYLOAD_MALFORMED
Can anyone point me in the right direction, as my Google-fu isn't feeling strong.
Thanks!
OpenBSD 6.0/amd64 MP VM on ESXi 6.5
# cat /etc/ipsec.conf
WAN1= "carp901001" #Interface address 1.1.1.1
localNets = "{10.10.0.0/24}"
remoteGW= "2.2.2.2" #AzureGateway
remoteNets = "{10.20.2.0/24}" #remote azure networks
ike esp from $localNets to $remoteNets \
peer $remoteGW \
main auth hmac-sha1 enc aes-256 group modp1024 lifetime 28800 \
quick auth hmac-sha1 enc aes-256 group none lifetime 3600 \
psk somekey
# isakmpd -dvvvK
073538.301968 Default isakmpd: starting [priv]
073548.958802 Default isakmpd: phase 1 done: initiator id 1.1.1.1, responder id 2.2.2.2, src: 1.1.1.1 dst: 2.2.2.2
073548.993564 Default isakmpd: quick mode done: src: 1.1.1.1 dst: 2.2.2.2
073549.027410 Default exchange_run: exchange_validate failed
073549.027425 Default dropped message from 2.2.2.2 port 500 due to notification type PAYLOAD_MALFORMED
^C073612.581088 Default isakmpd: shutting down...
# 073612.581509 Default isakmpd: exit
# ipsecctl -s all
FLOWS:
flow esp in from 10.20.2.0/24 to 10.10.0.0/24 peer 2.2.2.2 srcid 1.1.1.1/32 dstid 2.2.2.2/32 type use
flow esp out from 10.10.0.0/24 to 10.20.2.0/24 peer 2.2.2.2 srcid 1.1.1.1/32 dstid 2.2.2.2/32 type require
SAD:
esp tunnel from 2.2.2.2 to 1.1.1.1 spi 0x44461664 auth hmac-sha1 enc aes-256
esp tunnel from 1.1.1.1 to 2.2.2.2 spi 0x55f07894 auth hmac-sha1 enc aes-256
07:29:44.949102 0.0.0.0.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: e3ee87821c134d03-> msgid: len: 184
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 28800
attribute KEY_LENGTH = 256
payload: VENDOR len: 20
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
07:29:44.992169 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: len: 212
payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
payload: TRANSFORM len: 40
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 256
attribute HASH_ALGORITHM = SHA
attribute GROUP_DESCRIPTION = MODP_1024
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 7080
payload: VENDOR len: 24
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20
payload: VENDOR len: 20
payload: VENDOR len: 20 [ttl 0] (id 1, len 240)
07:29:44.993067 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: len: 228
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D len: 24
payload: NAT-D len: 24 [ttl 0] (id 1, len 256)
07:29:45.036032 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: len: 260
payload: KEY_EXCH len: 132
payload: NONCE len: 52
payload: NAT-D len: 24
payload: NAT-D len: 24 [ttl 0] (id 1, len 288)
07:29:45.036815 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: len: 92
payload: ID len: 12 type: IPV4_ADDR = 1.1.1.1
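An added helper (not part of the post above) that groups tcpdump's isakmp output into packets and reports where the peer's returned phase-1 transform differs from the proposal we sent; the SAMPLE text is a constructed subset of the dump above (headers plus attribute lines only), and the peer address is the post's placeholder 2.2.2.2. On this sample it flags only LIFE_DURATION (28800 proposed, 7080 returned), so the remaining attributes match and the PAYLOAD_MALFORMED drop has to be looked for in a later message rather than in the phase-1 proposal.

```python
import re

# Constructed sample (assumption): the phase-1 attribute lines from the post's
# tcpdump, one packet per direction; the other payload lines were omitted.
SAMPLE = """\
07:29:44.949102 0.0.0.0.isakmp > 2.2.2.2.isakmp: isakmp v1.0 exchange ID_PROT
    attribute ENCRYPTION_ALGORITHM = AES_CBC
    attribute HASH_ALGORITHM = SHA
    attribute AUTHENTICATION_METHOD = PRE_SHARED
    attribute GROUP_DESCRIPTION = MODP_1024
    attribute LIFE_TYPE = SECONDS
    attribute LIFE_DURATION = 28800
    attribute KEY_LENGTH = 256
07:29:44.992169 2.2.2.2.isakmp > 1.1.1.1.isakmp: isakmp v1.0 exchange ID_PROT
    attribute ENCRYPTION_ALGORITHM = AES_CBC
    attribute KEY_LENGTH = 256
    attribute HASH_ALGORITHM = SHA
    attribute GROUP_DESCRIPTION = MODP_1024
    attribute AUTHENTICATION_METHOD = PRE_SHARED
    attribute LIFE_TYPE = SECONDS
    attribute LIFE_DURATION = 7080
"""

PKT_RE = re.compile(r"^\S+ (\S+)\.isakmp > (\S+)\.isakmp: .*exchange (\S+)")
ATTR_RE = re.compile(r"^\s*attribute (\w+) = (\S+)")


def parse_isakmp_dump(text):
    """Group tcpdump lines into packets: {src, dst, exchange, attrs}."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:  # a new packet header line
            packets.append({"src": m.group(1), "dst": m.group(2),
                            "exchange": m.group(3), "attrs": {}})
        elif packets:  # an attribute line belongs to the current packet
            a = ATTR_RE.match(line)
            if a:
                packets[-1]["attrs"][a.group(1)] = a.group(2)
    return packets


def phase1_mismatches(packets, peer):
    """Return {attribute: (proposed, returned)} for every phase-1 attribute
    where the peer's ID_PROT reply differs from the proposal sent to it."""
    idp = [p for p in packets if p["exchange"] == "ID_PROT" and p["attrs"]]
    sent = next(p["attrs"] for p in idp if p["dst"] == peer)
    recv = next(p["attrs"] for p in idp if p["src"] == peer)
    return {k: (sent.get(k), recv.get(k)) for k in set(sent) | set(recv)
            if sent.get(k) != recv.get(k)}
```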