I am struggling to set up an IPsec VPN to Azure, following the Azure IPsec parameters in the doc below:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

Getting the below errors in isakmpd, and am stumped where to look next:

Default exchange_run: exchange_validate failed
Default dropped message from 2.2.2.2 port 500 due to notification type PAYLOAD_MALFORMED

Can anyone point me in the right direction, as my google-fu isn't feeling strong. Thanks!

OpenBSD 6.0/AMD64 MP VM on ESXi 6.5

# cat /etc/ipsec.conf
WAN1 = "carp901001"             #Interface address 1.1.1.1
localNets = "{10.10.0.0/24}"
remoteGW = "2.2.2.2"            #AzureGateway
remoteNets = "{10.20.2.0/24}"   #remote azure networks

ike esp from $localNets to $remoteNets \
        peer $remoteGW \
        main auth hmac-sha1 enc aes-256 group modp1024 lifetime 28800 \
        quick auth hmac-sha1 enc aes-256 group none lifetime 3600 \
        psk somekey

# isakmpd -dvvvK
073538.301968 Default isakmpd: starting [priv]
073548.958802 Default isakmpd: phase 1 done: initiator id 1.1.1.1, responder id 2.2.2.2, src: 1.1.1.1 dst: 2.2.2.2
073548.993564 Default isakmpd: quick mode done: src: 1.1.1.1 dst: 2.2.2.2
073549.027410 Default exchange_run: exchange_validate failed
073549.027425 Default dropped message from 2.2.2.2 port 500 due to notification type PAYLOAD_MALFORMED
^C073612.581088 Default isakmpd: shutting down...
# 073612.581509 Default isakmpd: exit

# ipsecctl -s all
FLOWS:
flow esp in from 10.20.2.0/24 to 10.10.0.0/24 peer 2.2.2.2 srcid 1.1.1.1/32 dstid 2.2.2.2/32 type use
flow esp out from 10.10.0.0/24 to 10.20.2.0/24 peer 2.2.2.2 srcid 1.1.1.1/32 dstid 2.2.2.2/32 type require

SAD:
esp tunnel from 2.2.2.2 to 1.1.1.1 spi 0x44461664 auth hmac-sha1 enc aes-256
esp tunnel from 1.1.1.1 to 2.2.2.2 spi 0x55f07894 auth hmac-sha1 enc aes-256

07:29:44.949102 0.0.0.0.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: e3ee87821c134d03->0000000000000000 msgid: 00000000 len: 184
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 36 transform: 0 ID: ISAKMP
                    attribute ENCRYPTION_ALGORITHM = AES_CBC
                    attribute HASH_ALGORITHM = SHA
                    attribute AUTHENTICATION_METHOD = PRE_SHARED
                    attribute GROUP_DESCRIPTION = MODP_1024
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 28800
                    attribute KEY_LENGTH = 256
        payload: VENDOR len: 20
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
07:29:44.992169 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 00000000 len: 212
        payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 40 transform: 0 ID: ISAKMP
                    attribute ENCRYPTION_ALGORITHM = AES_CBC
                    attribute KEY_LENGTH = 256
                    attribute HASH_ALGORITHM = SHA
                    attribute GROUP_DESCRIPTION = MODP_1024
                    attribute AUTHENTICATION_METHOD = PRE_SHARED
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 00007080
        payload: VENDOR len: 24
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20
        payload: VENDOR len: 20
        payload: VENDOR len: 20 [ttl 0] (id 1, len 240)
07:29:44.993067 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 00000000 len: 228
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20
        payload: NAT-D len: 24
        payload: NAT-D len: 24 [ttl 0] (id 1, len 256)
07:29:45.036032 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 00000000 len: 260
        payload: KEY_EXCH len: 132
        payload: NONCE len: 52
        payload: NAT-D len: 24
        payload: NAT-D len: 24 [ttl 0] (id 1, len 288)
07:29:45.036815 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 00000000 len: 92
        payload: ID len: 12 type: IPV4_ADDR = 1.1.1.1
        payload: HASH len: 24
        payload: NOTIFICATION len: 28 notification: INITIAL CONTACT (e3ee87821c134d03->5e09a5d35142c2d9) [ttl 0] (id 1, len 120)
07:29:45.096249 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 00000000 len: 76
        payload: ID len: 12 type: IPV4_ADDR = 2.2.2.2
        payload: HASH len: 24 [ttl 0] (id 1, len 104)
07:29:45.096471 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 74d44758 len: 156
        payload: HASH len: 24
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x9444a03c
                payload: TRANSFORM len: 28 transform: 1 ID: AES
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 3600
                    attribute ENCAPSULATION_MODE = TUNNEL
                    attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                    attribute KEY_LENGTH = 256
        payload: NONCE len: 20
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.10.0.0/255.255.255.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.20.2.0/255.255.255.0 [ttl 0] (id 1, len 184)
07:29:45.130791 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE commit
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 74d44758 len: 204
        payload: HASH len: 24
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x86ec6b36
                payload: TRANSFORM len: 32 transform: 1 ID: AES
                    attribute ENCAPSULATION_MODE = TUNNEL
                    attribute KEY_LENGTH = 256
                    attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 00000e10
        payload: NONCE len: 52
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.10.0.0/255.255.255.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.20.2.0/255.255.255.0 [ttl 0] (id 1, len 232)
07:29:45.130835 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 74d44758 len: 52
        payload: HASH len: 24 [ttl 0] (id 1, len 80)
07:29:45.164471 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE commit
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 74d44758 len: 76
        payload: HASH len: 24
        payload: NOTIFICATION len: 16 notification: 16384 (unknown) [ttl 0] (id 1, len 104)
07:29:45.164524 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: a260b82d len: 64
        payload: HASH len: 24
        payload: NOTIFICATION len: 12 notification: PAYLOAD MALFORMED [ttl 0] (id 1, len 92)
07:29:49.885574 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 044e1bd6 len: 68
        payload: HASH len: 24
        payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1 SPI: 0x9444a03c [ttl 0] (id 1, len 96)
07:29:49.885752 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 2079b3c2 len: 80
        payload: HASH len: 24
        payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1 cookie: e3ee87821c134d03->5e09a5d35142c2d9 [ttl 0] (id 1, len 108)
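An added diagnostic helper, not part of the original post or of isakmpd: it splits the flattened tcpdump isakmp trace above into packets, decodes the LIFE_DURATION values each peer proposed, records which side set the ISAKMP commit bit on Quick Mode, and names the notify type 16384 that tcpdump printed as unknown (the CONNECTED status type in RFC 2408). It assumes tcpdump's convention of printing 4-byte TLV attributes as zero-padded hex, and the sample input is constructed from the post's own trace.

```python
import re
# RFC 2408 sect. 3.14.1 defines notify type 16384 as the status type CONNECTED (tcpdump printed "unknown").
NOTIFY_TYPES = {16384: "CONNECTED"}
# Constructed sample: the last three Quick Mode packets from the trace in the post, flattened as tcpdump printed them.
SAMPLE_TRACE = (
    "07:29:45.130791 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE commit "
    "cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 74d44758 len: 204 payload: HASH len: 24 payload: TRANSFORM "
    "len: 32 transform: 1 ID: AES attribute ENCAPSULATION_MODE = TUNNEL attribute KEY_LENGTH = 256 "
    "attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 payload: NONCE len: 52 "
    "07:29:45.164471 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE commit "
    "cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 74d44758 len: 76 payload: HASH len: 24 "
    "payload: NOTIFICATION len: 16 notification: 16384 (unknown) "
    "07:29:45.164524 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange INFO "
    "cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: a260b82d len: 64 payload: HASH len: 24 "
    "payload: NOTIFICATION len: 12 notification: PAYLOAD MALFORMED"
)
HDR_RE = re.compile(r"(\d{2}:\d{2}:\d{2}\.\d+) (\S+)\.isakmp > (\S+)\.isakmp: .*?exchange (\S+)( commit)?")
ATTR_RE = re.compile(r"attribute (\w+) = (\S+)")
NOTIFY_RE = re.compile(r"notification: (\d+|[A-Z][A-Z_ ]*[A-Z])")

def lifetime_seconds(value):
    # Assumption from the trace: a 2-byte TV attribute prints in decimal (28800), a 4-byte TLV one as 8 hex digits (00007080).
    return int(value, 16) if len(value) == 8 else int(value)

def parse_trace(text):
    """Split a flattened tcpdump isakmp trace into one record per packet."""
    packets = []
    for chunk in re.split(r"(?=\d{2}:\d{2}:\d{2}\.\d+ \S+\.isakmp > )", text):
        m = HDR_RE.match(chunk)
        if not m:
            continue
        n = NOTIFY_RE.search(chunk)
        notify = n.group(1) if n else None
        if notify and notify.isdigit():  # numeric type tcpdump could not name
            notify = NOTIFY_TYPES.get(int(notify), notify)
        packets.append({"time": m.group(1), "src": m.group(2), "dst": m.group(3),
                        "exchange": m.group(4), "commit": m.group(5) is not None,
                        "attrs": dict(ATTR_RE.findall(chunk)), "notify": notify})
    return packets

def summarize(packets):
    """One line per thing worth a second look: commit bit, proposed lifetimes, notifications."""
    out = []
    for p in packets:
        if p["commit"]:
            out.append(f"{p['src']} set the ISAKMP commit bit on {p['exchange']} (RFC 2408 sect. 3.1)")
        if "LIFE_DURATION" in p["attrs"]:
            out.append(f"{p['src']} proposes lifetime {lifetime_seconds(p['attrs']['LIFE_DURATION'])}s")
        if p["notify"]:
            out.append(f"{p['src']} -> {p['dst']} {p['exchange']} notification: {p['notify']}")
    return out
```

Run against the full trace from the post, the same parser shows that both peers' Phase 1 and Phase 2 lifetimes agree (0x7080 = 28800, 0xe10 = 3600) and that the failure is confined to the tail of the Quick Mode exchange.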