S2S VPN connection between on-prem landing server and Azure VM not working

I am trying to establish an S2S VPN connection between a server on-prem and another on Azure cloud. I have configured the parameters below for IKE Phase 1:

  • Key Exchange Encryption Method—AES-256
  • Data Integrity Method —SHA-1
  • Diffie-Hellman Groups for IKE(phase-1) SA—Group 2
  • Renegotiate IKE (phase-1) SA (minutes)—3600
  • Support Aggressive Mode—Main Mode

For IKE Phase 2 I configured the parameters below:

  • Encapsulation—ESP
  • Encryption Algorithm—AES-256
  • Data Integrity—SHA-1
  • Compression Method—None
  • Perfect Forward Secrecy (PFS)—PFS2
  • Use Diffie Hellmen Group—Group 2
  • Renegotiate IPSec (IKE phase-2) SA (seconds)—3600 sec
  • Renegotiate IPSec (IKE phase-2) SA (kbytes)—4.608.000

Phase 1 is up, but I cannot figure out why phase 2 does not come up. Azure support tells me that phase 2 is not coming up because my FW has stopped responding, but I don't know why my FW is not responding. However, I see that my FW is sending multiple QM packets, and I suggested to Azure support that maybe it is because I am receiving a wrong response. But the Azure support guy dismissed this, and I couldn't argue because honestly I don't know how the call flow should be. Below is the log that the Azure support guy sent me; I need help figuring out which side might have the problem.

11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [RECEIVED][SA_INIT] Received SA INIT iCookie 0x34CDB6368EED5132 rCookie 0x0
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [LOCAL_MSG][SA_INIT] Received SA INIT iCookie 0x34CDB6368EED5132 and Generated new rCookie 0x59B663115D2DC7BD
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [RECEIVED] Receiving MM Packet for tunnel Id 0x0 iCookie 0x34CDB6368EED5132 and rCookie 0x59B663115D2DC7BD: Policy1:Cipher=AES-CBC-128 Integrity=SHA256 DhGroup=DhGroup2 LifeTimeSeconds=3600 Policy2:Cipher=AES-CBC-256 Integrity=SHA256 DhGroup=DhGroup2 LifeTimeSeconds=3600 Policy3:Cipher=AES-CBC-128 Integrity=SHA1 DhGroup=DhGroup2 LifeTimeSeconds=3600 Policy4:Cipher=AES-CBC-256 Integrity=SHA1 DhGroup=DhGroup2 LifeTimeSeconds=3600
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [SEND] Sending MM Packet for tunnel Id 0x0 iCookie 0x34CDB6368EED5132 and rCookie 0x59B663115D2DC7BD: PolicyCipher=AES-CBC-256 Integrity=SHA1 DhGroup=DhGroup2 LifeTime 3600
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [RECEIVED] Receiving MM Packet for tunnel Id 0x0 iCookie 0x34CDB6368EED5132 and rCookie 0x59B663115D2DC7BD: Receiving MM Nonce
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [SEND] Sending MM Packet for tunnel Id 0x0 iCookie 0x34CDB6368EED5132 and rCookie 0x59B663115D2DC7BD: Sending MM Nonce
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [RECEIVED] Receiving MM Packet for tunnel Id 0x0 iCookie 0x34CDB6368EED5132 and rCookie 0x59B663115D2DC7BD: Receiving MM Hash
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [LOCAL_MSG] IKE Tunnel created for tunnelId 0x4
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [SEND] Sending MM Packet for tunnel Id 0x4 iCookie 0x34CDB6368EED5132 and rCookie 0x59B663115D2DC7BD: Sending Final MM message
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [RECEIVED] Receiving QM Packet for tunnel Id 0x0 and tsId 0x0: SA lifetime 3600 Cipher=AES-CBC-256 Integrity=Md5 Integrity=SHA1 PfsGroup=PfsGroup2
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [SEND] Sending QM Packet for tunnel Id 0x4 and tsId 0xDD4: Integrity=SHA1 Cipher=AES-CBC-256 PfsGroup=PfsGroup2 LifeTimeSeconds=3600 LifeTimeKB=0
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [RECEIVED] Receiving QM Packet for tunnel Id 0x0 and tsId 0x0: SA lifetime 3600 Cipher=AES-CBC-256 Integrity=Md5 Integrity=SHA1 PfsGroup=PfsGroup2
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [SEND] Sending QM Packet for tunnel Id 0x4 and tsId 0xDD5: Integrity=SHA1 Cipher=AES-CBC-256 PfsGroup=PfsGroup2 LifeTimeSeconds=3600 LifeTimeKB=0
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [RECEIVED] Receiving QM Packet for tunnel Id 0x0 and tsId 0x0: SA lifetime 3600 Cipher=AES-CBC-256 Integrity=Md5 Integrity=SHA1 PfsGroup=PfsGroup2
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [SEND] Sending QM Packet for tunnel Id 0x4 and tsId 0xDD6: Integrity=SHA1 Cipher=AES-CBC-256 PfsGroup=PfsGroup2 LifeTimeSeconds=3600 LifeTimeKB=0
11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [SEND] (Final Negotiated) IKEv1 Traffic Selector payload will be- Number of TSIs 1: StartAddress 10.1.0.128 EndAddress 10.1.0.143 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 1: StartAddress :: EndAddress :: PortStart 0 PortEnd 0 Protocol 0
11-20-2023 18:15:59 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [RECEIVED] Receiving QM Packet for tunnel Id 0x0 and tsId 0x0: SA lifetime 3600 Cipher=AES-CBC-256 Integrity=Md5 Integrity=SHA1 PfsGroup=PfsGroup2
11-20-2023 18:15:59 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [SEND] Sending QM Packet for tunnel Id 0x4 and tsId 0xDD7: Integrity=SHA1 Cipher=AES-CBC-256 PfsGroup=PfsGroup2 LifeTimeSeconds=3600 LifeTimeKB=0
11-20-2023 18:15:59 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [SEND] (Final Negotiated) IKEv1 Traffic Selector payload will be- Number of TSIs 1: StartAddress 10.1.0.128 EndAddress 10.1.0.143 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 1: StartAddress :: EndAddress :: PortStart 0 PortEnd 0 Protocol 0
11-20-2023 18:16:00 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [RECEIVED] Receiving QM Packet for tunnel Id 0x0 and tsId 0x0: SA lifetime 3600 Cipher=AES-CBC-256 Integrity=Md5 Integrity=SHA1 PfsGroup=PfsGroup2
11-20-2023 18:16:00 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [SEND] Sending QM Packet for tunnel Id 0x4 and tsId 0xDD8: Integrity=SHA1 Cipher=AES-CBC-256 PfsGroup=PfsGroup2 LifeTimeSeconds=3600 LifeTimeKB=0
11-20-2023 18:16:00 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [SEND] (Final Negotiated) IKEv1 Traffic Selector payload will be- Number of TSIs 1: StartAddress 10.1.0.128 EndAddress 10.1.0.143 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 1: StartAddress :: EndAddress :: PortStart 0 PortEnd 0 Protocol 0
11-20-2023 18:18:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [SEND][SA_DELETE] Sending IKE SA delete for icookie 0x34CDB6368EED5132 and rCookie 0x59B663115D2DC7BD

Hello @fortunemyambo,

This is something you might want to check:

It shows multiple policy proposals for phase 2. You might want to get rid of those that you don't intend to use, such as the ones with AES-CBC-128 and SHA256.

You also might want to consider using something other than SHA-1 and DH group 2, since those are considered insecure. Here is a good document:

https://sec.cloudapps.cisco.com/security/center/resources/next_generation_cryptography

Rene
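As an added example (not code from either poster, the firewall vendor or Azure), the script below parses gateway log lines of the kind shown in the question and pulls out the facts both parties were arguing about: how many phase 1 proposals the firewall offered and which one the gateway selected, what each side proposed in every Quick Mode packet and how many times that exchange repeated, the final traffic selectors, and whether the IKE SA was torn down afterwards. It also lists the algorithms Rene's reply calls out (SHA-1, DH group 2, with MD5 added because it is visible in the QM proposals). The regexes are written against the exact spacing quirks in the posted log (`3600Cipher=`, `Md5Integrity=SHA1`, `TSRs 1:StartAddress`); the sample input is a constructed, trimmed copy of that log, and the field names in the returned dictionary are this example's own.

```python
"""Summarise an IKEv1 Main Mode / Quick Mode negotiation from Azure VPN gateway
IKE diagnostic lines (added example; field names below are this script's own)."""
import re

PREFIX = "11-20-2023 17:21:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: "

# Constructed sample: a trimmed copy of the gateway log from the post above.
# The three identical QM exchanges are generated instead of pasted three times.
QM_RECV = (PREFIX + "[RECEIVED] Receiving QM Packet for tunnel Id 0x0 and tsId 0x0: "
           "SA lifetime 3600Cipher=AES-CBC-256 Integrity=Md5Integrity=SHA1 PfsGroup=PfsGroup2")
QM_SEND = (PREFIX + "[SEND] Sending QM Packet for tunnel Id 0x4 and tsId 0xDD4: "
           "Integrity=SHA1 Cipher=AES-CBC-256 PfsGroup=PfsGroup2 LifeTimeSeconds=3600 LifeTimeKB=0")
SAMPLE_LOG = "\n".join([
    PREFIX + "[RECEIVED] Receiving MM Packet for tunnel Id 0x0 iCookie 0x34CDB6368EED5132 and "
    "rCookie 0x59B663115D2DC7BD: Policy1:Cipher=AES-CBC-128 Integrity=SHA256 DhGroup=DhGroup2 "
    "LifeTimeSeconds=3600 Policy2:Cipher=AES-CBC-256 Integrity=SHA256 DhGroup=DhGroup2 "
    "LifeTimeSeconds=3600 Policy3:Cipher=AES-CBC-128 Integrity=SHA1 DhGroup=DhGroup2 "
    "LifeTimeSeconds=3600 Policy4:Cipher=AES-CBC-256 Integrity=SHA1 DhGroup=DhGroup2 LifeTimeSeconds=3600",
    PREFIX + "[SEND] Sending MM Packet for tunnel Id 0x0 iCookie 0x34CDB6368EED5132 and "
    "rCookie 0x59B663115D2DC7BD: PolicyCipher=AES-CBC-256 Integrity=SHA1 DhGroup=DhGroup2 LifeTime 3600",
    PREFIX + "[LOCAL_MSG] IKE Tunnel created for tunnelId 0x4",
    PREFIX + "[SEND] Sending MM Packet for tunnel Id 0x4 iCookie 0x34CDB6368EED5132 and "
    "rCookie 0x59B663115D2DC7BD: Sending Final MM message",
    *([QM_RECV, QM_SEND] * 3),
    PREFIX + "[SEND] (Final Negotiated) IKEv1 Traffic Selector payload will be- Number of TSIs 1: "
    "StartAddress 10.1.0.128 EndAddress 10.1.0.143 PortStart 0 PortEnd 65535 Protocol 0 "
    "Number of TSRs 1:StartAddress :: EndAddress :: PortStart 0 PortEnd 0 Protocol 0",
    "11-20-2023 18:18:01 Remote xxx.xxx.xxx.xxx:500: Local yyy.yyy.yyy.yyy:500: [SEND][SA_DELETE] "
    "Sending IKE SA delete for icookie 0x34CDB6368EED5132 and rCookie 0x59B663115D2DC7BD",
])

POLICY_RE = re.compile(r"Policy\d+:Cipher=(\S+) Integrity=(\S+) DhGroup=(\S+) LifeTimeSeconds=(\d+)")
SELECTED_RE = re.compile(r"PolicyCipher=(\S+) Integrity=(\S+) DhGroup=(\S+)")
INTEGRITY_RE = re.compile(r"Integrity=([A-Za-z]+\d*)")  # copes with "Md5Integrity=SHA1" (no space)
CIPHER_RE = re.compile(r"Cipher=(\S+)")                  # copes with "3600Cipher=AES-CBC-256"
PFS_RE = re.compile(r"PfsGroup=(\S+)")
TS_RE = re.compile(r"Number of TSIs \d+:\s*StartAddress (\S+) EndAddress (\S+) .*?"
                   r"Number of TSRs \d+:\s*StartAddress (\S+) EndAddress (\S+)")

# Algorithms the reply above calls out (SHA-1, DH group 2); MD5 added as an older MAC.
LEGACY = {"SHA1", "Md5", "DhGroup2", "PfsGroup2"}


def parse_log(text):
    """Walk the log once and collect the phase 1 / phase 2 facts it states."""
    s = {"mm_offered": [], "mm_selected": None, "qm_received": [], "qm_sent": [],
         "final_ts": None, "ike_sa_deleted": False}
    for line in text.splitlines():
        if "Receiving MM Packet" in line and "Policy1:" in line:
            s["mm_offered"] = [dict(zip(("cipher", "integrity", "dh", "lifetime"), m))
                               for m in POLICY_RE.findall(line)]
        elif "Sending MM Packet" in line and (m := SELECTED_RE.search(line)):
            s["mm_selected"] = dict(zip(("cipher", "integrity", "dh"), m.groups()))
        elif "QM Packet" in line:
            proposal = {"cipher": CIPHER_RE.search(line).group(1),
                        "integrity": INTEGRITY_RE.findall(line),
                        "pfs": PFS_RE.search(line).group(1)}
            s["qm_received" if "[RECEIVED]" in line else "qm_sent"].append(proposal)
        elif (m := TS_RE.search(line)):
            s["final_ts"] = {"tsi": (m.group(1), m.group(2)), "tsr": (m.group(3), m.group(4))}
        elif "[SA_DELETE]" in line:
            s["ike_sa_deleted"] = True
    return s


def findings(s):
    """Neutral observations from the parsed log; which side is at fault is left to the reader."""
    out = []
    if s["mm_selected"]:
        sel = s["mm_selected"]
        out.append("phase 1: %d proposals offered, gateway selected %s/%s/%s"
                   % (len(s["mm_offered"]), sel["cipher"], sel["integrity"], sel["dh"]))
    legacy = set()
    for p in s["mm_offered"]:
        legacy |= {p["integrity"], p["dh"]} & LEGACY
    for p in s["qm_received"] + s["qm_sent"]:
        legacy |= (set(p["integrity"]) | {p["pfs"]}) & LEGACY
    if legacy:
        out.append("legacy algorithms in the negotiation: " + ", ".join(sorted(legacy)))
    if s["qm_received"]:
        recv = sorted({i for p in s["qm_received"] for i in p["integrity"]})
        sent = sorted({i for p in s["qm_sent"] for i in p["integrity"]})
        out.append("phase 2: %d QM packets received (integrity %s), %d replies sent (integrity %s)"
                   % (len(s["qm_received"]), "+".join(recv), len(s["qm_sent"]), "+".join(sent)))
    if s["final_ts"]:
        out.append("traffic selectors: initiator %s-%s, responder %s-%s"
                   % (s["final_ts"]["tsi"] + s["final_ts"]["tsr"]))
    if s["ike_sa_deleted"]:
        out.append("IKE SA deleted by the gateway after the QM packets above")
    return out


if __name__ == "__main__":
    for line in findings(parse_log(SAMPLE_LOG)):
        print("-", line)
```

Run it as-is on the embedded sample, or replace `SAMPLE_LOG` with the full log from the ticket; the phase 2 line is where to look when comparing what each side proposed, and the legacy-algorithm line gives the concrete list to replace if you follow Rene's advice.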