Azure/Point-to-Site VPN
Connect to Azure p2s VPN from Linux using Strongswan
Install
- Install U16
apt-get install strongswan-ikev2 strongswan-plugin-eap-tls # in Ubuntu 16.04 install libstrongswan-standard-plugins for p12 keypair container support apt-get install libstrongswan-standard-plugins
- Install U18 - details
sudo apt install strongswan strongswan-pki libstrongswan-extra-plugins
- Logging
sudo ipsec stroke loglevel any 4 #verbose from -1|-q (quiet) to 4 sudo journalctl -xef or sudo tail -f /var/log/{daemon,syslog,messages}
Create Root and Client certificates
This procedure produces certificates fitting into Azure requirements for p2s VPN connection. In official docs there a few tools approved to create certificates, it includes OpenSSL and only Strongswan as a VPNClient for Linux is officially supported.
Docs makes this guidance for OpenSSL:
- When exporting certificates, be sure to convert the root certificate to Base64.
- For the client certificate:
- When creating the private key, specify the length as 4096.
- When creating the certificate, for the -extensions parameter, specify usr_cert.
Note: Starting July 1, 2018, VPN Gateway will support only TLS 1.2
Export PKI variables
cat << 'EOF' > 0_config.sh #!/bin/env bash export PKIROOTCN="p2s-vpn-root-g1" #CommonName export PKIROOTCER="${PKIROOTCN}-cer.pem" #in PEM format export PKIROOTKEY="${PKIROOTCN}-key.pem" #in PEM format export PKIUSERCN="p2s-vpn-client-g1" #CommonName export PKIUSERKEY="${PKIUSERCN}-key.pem" export PKIUSERCER="${PKIUSERCN}-cer.pem" export PKIUSERPASS="userpass123" #.p12 or a key password EOF
OpenSSL
## Client certificate # Generate a private key openssl genrsa -out ${PKIUSERCN}-key.pem 4096 #4k required by Azure ## Create CSR (public part to be signed, it contains metadata like CN= etc..) - in format PKCS#10 # Simple openssl req -new -sha256 -out ${PKIUSERCN}.csr -key ${PKIUSERKEY} -subj /CN="${PKIUSERCN}" # With SANs (this command has not been verified) openssl req -new -sha256 -out ${PKIUSERCN}.csr -key ${PKIUSERKEY} \ -subj "/C=UK/ST=Northants/O=Acme, Inc./CN=${PKIUSERCN}" \ -reqexts SAN \ -extensions SAN \ -x509_extensions = usr_cert \ -config <(cat /etc/ssl/openssl.cnf \ <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) ## Get it signed by rootCA openssl x509 -req -sha256 -in ${PKIUSERCN}.csr -out ${PKIUSERCER} \ -CAkey ${PKIROOTKEY} -CA ${PKIROOTCER} -days 1800 \ -CAcreateserial -CAserial serial
IPsec - Strongswan
# Generate rootCA ipsec pki --gen --type rsa --size 4096 --outform pem > ${PKIROOTKEY} #caKey.pem; Azure potencially requires 4096 keys ipsec pki --self --in ${PKIROOTKEY} --dn "CN=${PKIROOTCN}" --ca --outform pem > ${PKIROOTCER} #caCert.pem #rootCa with SAN ipsec pki --self --in ${PKIROOTKEY} --dn "CN=${PKIROOTCN}" --san "${PKIROOTCN}" --ca --outform pem > ${PKIROOTCER} #caCert.pem # Print rootCA certificate in base64 format, supported by Azure portal openssl x509 -in ${PKIROOTCER} -outform der | base64 -w0 ; echo # Generate client(user) certificate signed by rootCA ipsec pki --gen --type rsa --size 4096 --outform pem > "${PKIUSERKEY}" ipsec pki --pub --in "${PKIUSERKEY}" \ | ipsec pki --issue --cacert ${PKIROOTCER} --cakey ${PKIROOTKEY} --dn "CN=${PKIUSERCN}" --san "${PKIUSERCN}" --flag clientAuth --outform pem \ > "${PKIUSERCER}" # Create .p12 (pkcs12) bundle openssl pkcs12 -in "${PKIUSERCER}" -inkey "${PKIUSERKEY}" -certfile ${PKIROOTCER} -export -out "${PKIUSERCN}.p12" -password "pass:${PKIUSERPASS}" #Verify .p12 openssl pkcs12 -in ${PKIUSERCN}.p12 -info ######### Configure Strongswan client VPN # Downloas ClientVPN package from Azure portal, eg. downloadedClientVPN.zip # Install AzureGw Server Certificate sudo unzip -j downloadedClientVPN.zip Generic/VpnServerRoot.cer -d /etc/ipsec.d/cacerts # Verify server certificate openssl x509 -inform der -in /etc/ipsec.d/cacerts/VpnServerRoot.cer -text -noout # Then extract VPN server DNS: unzip -p downloadedClientVPN.zip Generic/VpnSettings.xml | grep VpnServer # Create configuration sudo -i cat << 'EOF' >> /etc/ipsec.conf conn azure keyexchange=ikev2 type=tunnel leftfirewall=yes left=%any leftauth=eap-tls leftid=%client # use the DNS alternative name prefixed with the % right=azuregateway-00112233-4455-6677-8899-aabbccddeeff-aabbccddeeff.cloudapp.net # Azure VPN gateway address rightid=%azuregateway-00112233-4455-6677-8899-aabbccddeeff-aabbccddeeff.cloudapp.net # Azure VPN gateway address, prefixed with % rightsubnet=0.0.0.0/0 leftsourceip=%config auto=add EOF exit # Copy .p12 client certificate to ipsec private secrets folder sudo cp ${PKIUSERCN}.p12 /etc/ipsec.d/private/ # Add entry to /etc/ipsec.secrets # Manually : P12 client.p12 'password' # key filename inside /etc/ipsec.d/private directory : P12 client.p12 '' # no password #Redirect sudo -E bash -c 'echo ": P12 ${PKIUSERCN}.p12 \"${PKIUSERPASS}\"" >> /etc/ipsec.secrets'
Usful commands
# ipsec service management sudo service ipsec status|restart sudo systemctl status|restart strongswan.service sudo systemctl status|restart ipsec.service sudo ipsec setup --start sudo ipsec statusall # status, who's connected, etc. sudo iptables -L -v # how much traffic has been forwarded, dropped, etc.? ip xfrm state # states of IPsec tunnel ip xfrm policy # policies # List loaded private keys ipsec listcerts # shows has private key for that certificate vagrant@u16gui-2:~/az-cert1$ sudo ipsec listcerts List of X.509 End Entity Certificates: altNames: p2s-vpn-client-g6 subject: "CN=p2s-vpn-client-g6" issuer: "CN=p2s-vpn-root-g6" serial: 2a:e6:ec:63:f2:f4:99:6a validity: not before Dec 29 16:16:44 2018, ok not after Dec 28 16:16:44 2021, ok pubkey: RSA 4096 bits, has private key keyid: cb:6b:b0:3d:66:e8:8c:a6:7f:fa:01:e0:4a:a6:55:bd:fc:21:e3:a8 subjkey: 05:20:39:1f:33:dd:62:fe:05:4f:6b:6f:fc:26:88:aa:dc:08:a8:7d authkey: 76:71:98:d9:d9:cb:1b:0c:c0:bb:45:78:3b:91:72:a7:9f:18:d4:1c # Show certificate pki --print --in p2s-vpn-client-generic-g3-cer.pem --type x509 pki -p -i p2s-vpn-client-generic-g3-cer.pem -t x509 openssl x509 -text -in p2s-vpn-client-generic-g3-cer.pem -text
Windows
netsh interface ip show addresses {"if0"|Idx} netsh interface ip show route
Established connections
Status - connected to US - strongSwan U5.3.5, Ubuntu 16.04
Established connections examples to US from Vbox bridged 192.168.1.2 interface - Linux strongSwan U5.3.5/K4.4.0-141-generic
vagrant@u16gui-2:~/az-cert1$ sudo ipsec statusall Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-141-generic, x86_64): uptime: 20 minutes, since Dec 29 16:33:35 2018 malloc: sbrk 2715648, mmap 0, used 632912, free 2082736 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3 loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity Listening IP addresses: 192.168.1.2 Connections: sandbox_infra_use1: %any...azuregateway-AAAAAAA-0029-4917-ac46-191c666ea2b9-BBBBBBBBBBBB.vpn.azure.com IKEv2 sandbox_infra_use1: local: [p2s-vpn-client-g6] uses EAP_TLS authentication sandbox_infra_use1: remote: [azuregateway-AAAAAAA-0029-4917-ac46-191c666ea2b9-BBBBBBBBBBBB.vpn.azure.com] uses public key authentication sandbox_infra_use1: child: dynamic === 0.0.0.0/0 TUNNEL Security Associations (1 up, 0 connecting): sandbox_infra_use1[1]: ESTABLISHED 19 minutes ago, 192.168.1.2[p2s-vpn-client-g6]...13.66.111.222[C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-0029-4917-ac46-191c666ea2b9.vpn.azure.com] sandbox_infra_use1[1]: IKEv2 SPIs: f720bd11c9ffb44d_i* 521003ca12200da5_r, EAP reauthentication in 2 hours sandbox_infra_use1[1]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_384/MODP_2048_256 sandbox_infra_use1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8a2fd93_i f8c8954a_o sandbox_infra_use1{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 29 minutes sandbox_infra_use1{1}: 10.155.233.2/32 === 10.155.4.0/23 10.155.233.0/25 # Note of Azure Gw DNS: # azuregateway-AAAAAAA-0029-4917-ac46-191c666ea2b9-BBBBBBBBBBBB.vpn.azure.com A 13.66.111.222 vagrant@u16gui-2:~/az-cert1$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 02:f2:ad:b6:19:8d brd ff:ff:ff:ff:ff:ff inet 192.168.1.2/24 brd 192.168.1.255 scope global enp0s3 valid_lft forever preferred_lft forever inet 10.155.233.2/32 scope global enp0s3 valid_lft forever preferred_lft forever inet6 fe80::f2:adff:feb6:198d/64 scope link valid_lft forever preferred_lft forever vagrant@u16gui-2:~/az-cert1$ sudo ip xfrm state src 192.168.1.2 dst 13.66.111.222 proto esp spi 0xf8c8954a reqid 1 mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(sha1) 0x6412b92b167102c1820d4db23e7f31d49735e395 96 enc cbc(aes) 0x492e22e3e556fdd96f05930da22012578e7d3b7a9ee5efd43e8e89e61c833a59 encap type espinudp sport 4500 dport 4500 addr 0.0.0.0 anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 src 13.66.111.222 dst 192.168.1.2 proto esp spi 0xc8a2fd93 reqid 1 mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(sha1) 0x98f2f3962f9afbd2f3a40d934fdf40b24cbb101f 96 enc cbc(aes) 0x77985d65304e566cb03a18dc0967c7fe21240f7d2d173a19a02b0fb6ba27adac encap type espinudp sport 4500 dport 4500 addr 0.0.0.0 anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 vagrant@u16gui-2:~/az-cert1$ sudo ip xfrm policy src 10.155.233.0/25 dst 10.155.233.2/32 dir fwd priority 2847 tmpl src 13.66.111.222 dst 192.168.1.2 proto esp reqid 1 mode tunnel src 10.155.233.0/25 dst 10.155.233.2/32 dir in priority 2847 tmpl src 13.66.111.222 dst 192.168.1.2 proto esp reqid 1 mode tunnel src 10.155.233.2/32 dst 10.155.233.0/25 dir out priority 2847 tmpl src 192.168.1.2 dst 13.66.111.222 proto esp reqid 1 mode tunnel src 10.155.4.0/23 dst 10.155.233.2/32 dir fwd priority 2855 tmpl src 13.66.111.222 dst 192.168.1.2 proto esp reqid 1 mode tunnel src 10.155.4.0/23 dst 10.155.233.2/32 dir in priority 2855 tmpl src 13.66.111.222 dst 192.168.1.2 proto esp reqid 1 mode tunnel src 10.155.233.2/32 dst 10.155.4.0/23 dir out priority 2855 tmpl src 192.168.1.2 dst 13.66.111.222 proto esp reqid 1 mode tunnel src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0
Full connection to Europe - strongSwan U5.6.2, Ubuntu 18.04
Full connection to Europe from Vbox with NAT 10.0.2.15 interface - Linux strongSwan U5.6.2/K4.15.0-43-generic
vagrant@u18gui-1:~/az-cert$ sudo ipsec up sandbox_infra_euw1 initiating IKE_SA sandbox_infra_euw1[1] to 23.99.111.222 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] sending packet: from 10.0.2.15[500] to 23.99.111.222[500] (1116 bytes) received packet: from 23.99.111.222[500] to 10.0.2.15[500] (38 bytes) parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ] peer didn't accept DH group ECP_256, it requested ECP_384 initiating IKE_SA sandbox_infra_euw1[1] to 23.99.111.222 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] sending packet: from 10.0.2.15[500] to 23.99.111.222[500] (1148 bytes) received packet: from 23.99.111.222[500] to 10.0.2.15[500] (417 bytes) parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V CERTREQ ] received MS NT5 ISAKMPOAKLEY v9 vendor ID received MS-Negotiation Discovery Capable vendor ID local host is behind NAT, sending keep alives received cert request for "CN=p2s-vpn-root-g1" received 3 cert requests for an unknown ca sending cert request for "CN=p2s-vpn-root-g1" sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA" establishing CHILD_SA sandbox_infra_euw1{1} generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] sending packet: from 10.0.2.15[4500] to 23.99.111.222[4500] (360 bytes) received packet: from 23.99.111.222[4500] to 10.0.2.15[4500] (3544 bytes) parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ] received end entity cert "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-e0a2-4201-bf22-CCCCCCCCCCCC.vpn.azure.com" received issuer cert "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA" using certificate "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-e0a2-4201-bf22-CCCCCCCCCCCC.vpn.azure.com" using untrusted intermediate certificate "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA" checking certificate status of "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-e0a2-4201-bf22-CCCCCCCCCCCC.vpn.azure.com" requesting ocsp status from 'http://ocsp.digicert.com' ... ocsp response correctly signed by "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA" ocsp response is valid: until Jan 05 10:26:55 2019 certificate status is good using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA" checking certificate status of "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA" ocsp response verification failed, no signer certificate '0f:80:61:1c:82:31:61:d5:2f:28:e7:8d:46:38:b4:2c:e1:c6:d9:e2' found requesting ocsp status from 'http://ocsp.digicert.com' ... ocsp response correctly signed by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA" ocsp response is valid: until Jan 04 18:11:40 2019 certificate status is good certificate policy 2.16.840.1.114412.1.1 for 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-e0a2-4201-bf22-CCCCCCCCCCCC.vpn.azure.com' not allowed by trustchain, ignored certificate policy 2.23.140.1.2.2 for 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-e0a2-4201-bf22-CCCCCCCCCCCC.vpn.azure.com' not allowed by trustchain, ignored reached self-signed root ca with a path length of 1 authentication of 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-e0a2-4201-bf22-CCCCCCCCCCCC.vpn.azure.com' with RSA signature successful server requested EAP_IDENTITY (id 0x00), sending 'p2s-vpn-client-generic-g2' generating IKE_AUTH request 2 [ EAP/RES/ID ] sending packet: from 10.0.2.15[4500] to 23.99.111.222[4500] (120 bytes) received packet: from 23.99.111.222[4500] to 10.0.2.15[4500] (88 bytes) parsed IKE_AUTH response 2 [ EAP/REQ/TLS ] server requested EAP_TLS authentication (id 0x01) generating IKE_AUTH request 3 [ EAP/RES/TLS ] sending packet: from 10.0.2.15[4500] to 23.99.111.222[4500] (280 bytes) received packet: from 23.99.111.222[4500] to 10.0.2.15[4500] (1384 bytes) parsed IKE_AUTH response 3 [ EAP/REQ/TLS ] generating IKE_AUTH request 4 [ EAP/RES/TLS ] sending packet: from 10.0.2.15[4500] to 23.99.111.222[4500] (88 bytes) received packet: from 23.99.111.222[4500] to 10.0.2.15[4500] (1384 bytes) parsed IKE_AUTH response 4 [ EAP/REQ/TLS ] generating IKE_AUTH request 5 [ EAP/RES/TLS ] sending packet: from 10.0.2.15[4500] to 23.99.111.222[4500] (88 bytes) received packet: from 23.99.111.222[4500] to 10.0.2.15[4500] (1000 bytes) parsed IKE_AUTH response 5 [ EAP/REQ/TLS ] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 received TLS server certificate 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-e0a2-4201-bf22-CCCCCCCCCCCC.vpn.azure.com' received TLS intermediate certificate 'C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA' using certificate "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-e0a2-4201-bf22-CCCCCCCCCCCC.vpn.azure.com" using untrusted intermediate certificate "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA" checking certificate status of "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-e0a2-4201-bf22-CCCCCCCCCCCC.vpn.azure.com" ocsp response correctly signed by "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA" ocsp response is valid: until Jan 05 10:26:55 2019 using cached ocsp response certificate status is good using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA" checking certificate status of "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA" ocsp response verification failed, no signer certificate '0f:80:61:1c:82:31:61:d5:2f:28:e7:8d:46:38:b4:2c:e1:c6:d9:e2' found ocsp response correctly signed by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA" ocsp response is valid: until Jan 04 18:11:40 2019 using cached ocsp response certificate status is good certificate policy 2.16.840.1.114412.1.1 for 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-e0a2-4201-bf22-CCCCCCCCCCCC.vpn.azure.com' not allowed by trustchain, ignored certificate policy 2.23.140.1.2.2 for 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-e0a2-4201-bf22-CCCCCCCCCCCC.vpn.azure.com' not allowed by trustchain, ignored reached self-signed root ca with a path length of 1 sending TLS peer certificate 'CN=p2s-vpn-client-generic-g2' generating IKE_AUTH request 6 [ EAP/RES/TLS ] sending packet: from 10.0.2.15[4500] to 23.99.111.222[4500] (1112 bytes) received packet: from 23.99.111.222[4500] to 10.0.2.15[4500] (88 bytes) parsed IKE_AUTH response 6 [ EAP/REQ/TLS ] generating IKE_AUTH request 7 [ EAP/RES/TLS ] sending packet: from 10.0.2.15[4500] to 23.99.111.222[4500] (1080 bytes) received packet: from 23.99.111.222[4500] to 10.0.2.15[4500] (184 bytes) parsed IKE_AUTH response 7 [ EAP/REQ/TLS ] generating IKE_AUTH request 8 [ EAP/RES/TLS ] sending packet: from 10.0.2.15[4500] to 23.99.111.222[4500] (88 bytes) received packet: from 23.99.111.222[4500] to 10.0.2.15[4500] (88 bytes) parsed IKE_AUTH response 8 [ EAP/SUCC ] EAP method EAP_TLS succeeded, MSK established authentication of 'p2s-vpn-client-generic-g2' (myself) with EAP generating IKE_AUTH request 9 [ AUTH ] sending packet: from 10.0.2.15[4500] to 23.99.111.222[4500] (136 bytes) received packet: from 23.99.111.222[4500] to 10.0.2.15[4500] (312 bytes) parsed IKE_AUTH response 9 [ AUTH CPRP(ADDR) SA TSi TSr ] authentication of 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-e0a2-4201-bf22-CCCCCCCCCCCC.vpn.azure.com' with EAP successful IKE_SA sandbox_infra_euw1[1] established between 10.0.2.15[p2s-vpn-client-generic-g2]...23.99.111.222[C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=AAAAAAA-e0a2-4201-bf22-CCCCCCCCCCCC.vpn.azure.com] scheduling reauthentication in 10074s maximum IKE_SA lifetime 10614s installing new virtual IP 10.155.232.1 CHILD_SA sandbox_infra_euw1{1} established with SPIs cce53e95_i 47ad6640_o and TS 10.155.232.1/32 === 10.155.2.0/23 10.155.24.0/22 10.155.232.0/25 connection 'sandbox_infra_euw1' established successfully
Errors
unexpected KEYWORD, expecting $end [type]
When service ipsec restart
failed to start openswan IKE daemon - the following error occured:
can not load config '/etc/ipsec.conf': /etc/ipsec.conf:25: syntax error, unexpected KEYWORD, expecting $end [type]
Solution: Make sure that all the parameters inside ipsec.conf except 'conn', 'version' and 'config' are started after a TAB, eg
conn azure
type=tunnel left=10.10.10.134
no TLS peer certificate found
no TLS peer certificate found for 'p2s-vpn-client-g5', skipping client authentication ... parsed IKE_AUTH response 6 [ N(MS_STATUS(1244)) ] <- this response from a AzGwServer indicates ~wrong authentication received MS_NOTIFY_STATUS notify error <- this stops the process establishing connection 'azure' failed
Solution: This means client authentication has been skipped because the certificate was not found. One of a reasons is wrong password to .p12 file, also ipsec.secure should contan full file name eg client.p12, if the .p12 has no password double quotes "" should be used.
Resources
- ipsec.conf Man page ipsec.conf.5.gz
- [https://serverfault.com/questions/840920/how-connect-a-linux-box-to-an-azure-point-to-site-gateway How connect a linux box to an azure point-to-site gateway?
] Stackoverflow
Official Microsoft Documentation