I played a bit with an IKEv2 connection to Azure. It wouldn't connect until I changed the childsa to aes-256-gcm. Here is an iked.conf config that will connect. It didn't pass traffic and I stopped playing with it, so this may not be that useful.
ikev2 passive esp \
        from 10.0.0.0/24 to 192.168.1.0/24 \
        peer 1.2.3.4 local 5.6.7.8 \
        ikesa enc aes-256 auth hmac-sha1 group modp1024 \
        childsa enc aes-256-gcm \
        srcid 5.6.7.8 \
        dstid 1.2.3.4 \
        psk "terriblepassword"

On Thu, Feb 16, 2017 at 5:59 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2017-02-16, oBSD Nub <obsd...@gmail.com> wrote:
> > I am struggling to set up an ipsec vpn to azure.
> > Following the azure IPSec parameters in the doc below:
> > https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
> >
> > Getting the below errors in isakmpd, and am stumped where to look next:
> > Default exchange_run: exchange_validate failed
> > Default dropped message from 2.2.2.2 port 500 due to notification type PAYLOAD_MALFORMED
> >
> > Can anyone point me in the right direction, as my google-fu isn't feeling strong.
>
> Adding -D7=90 -D2=70 to your isakmpd command line might give a better clue.
>
> > Thanks!
> >
> > OpenBSD6.0/AMD64 MP vm on esxi 6.5
> >
> > # cat /etc/ipsec.conf
> > WAN1 = "carp901001" #Interface address 1.1.1.1
> > localNets = "{10.10.0.0/24}"
> > remoteGW = "2.2.2.2" #AzureGateway
> > remoteNets = "{10.20.2.0/24}" #remote azure networks
> >
> > ike esp from $localNets to $remoteNets \
> >         peer $remoteGW \
> >         main auth hmac-sha1 enc aes-256 group modp1024 lifetime 28800 \
> >         quick auth hmac-sha1 enc aes-256 group none lifetime 3600 \
> >         psk somekey
> >
> > # isakmpd -dvvvK
> > 073538.301968 Default isakmpd: starting [priv]
> > 073548.958802 Default isakmpd: phase 1 done: initiator id 1.1.1.1, responder id 2.2.2.2, src: 1.1.1.1 dst: 2.2.2.2
> > 073548.993564 Default isakmpd: quick mode done: src: 1.1.1.1 dst: 2.2.2.2
> > 073549.027410 Default exchange_run: exchange_validate failed
> > 073549.027425 Default dropped message from 2.2.2.2 port 500 due to notification type PAYLOAD_MALFORMED
> > ^C073612.581088 Default isakmpd: shutting down...
> > # 073612.581509 Default isakmpd: exit
> >
> > # ipsecctl -s all
> > FLOWS:
> > flow esp in from 10.20.2.0/24 to 10.10.0.0/24 peer 2.2.2.2 srcid 1.1.1.1/32 dstid 2.2.2.2/32 type use
> > flow esp out from 10.10.0.0/24 to 10.20.2.0/24 peer 2.2.2.2 srcid 1.1.1.1/32 dstid 2.2.2.2/32 type require
> >
> > SAD:
> > esp tunnel from 2.2.2.2 to 1.1.1.1 spi 0x44461664 auth hmac-sha1 enc aes-256
> > esp tunnel from 1.1.1.1 to 2.2.2.2 spi 0x55f07894 auth hmac-sha1 enc aes-256
> >
> > 07:29:44.949102 0.0.0.0.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
> >     cookie: e3ee87821c134d03->0000000000000000 msgid: 00000000 len: 184
> >     payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> >         payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
> >             payload: TRANSFORM len: 36
> >                 transform: 0 ID: ISAKMP
> >                     attribute ENCRYPTION_ALGORITHM = AES_CBC
> >                     attribute HASH_ALGORITHM = SHA
> >                     attribute AUTHENTICATION_METHOD = PRE_SHARED
> >                     attribute GROUP_DESCRIPTION = MODP_1024
> >                     attribute LIFE_TYPE = SECONDS
> >                     attribute LIFE_DURATION = 28800
> >                     attribute KEY_LENGTH = 256
> >     payload: VENDOR len: 20
> >     payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
> >     payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
> >     payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
> >     payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
> > 07:29:44.992169 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
> >     cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 00000000 len: 212
> >     payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> >         payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
> >             payload: TRANSFORM len: 40
> >                 transform: 0 ID: ISAKMP
> >                     attribute ENCRYPTION_ALGORITHM = AES_CBC
> >                     attribute KEY_LENGTH = 256
> >                     attribute HASH_ALGORITHM = SHA
> >                     attribute GROUP_DESCRIPTION = MODP_1024
> >                     attribute AUTHENTICATION_METHOD = PRE_SHARED
> >                     attribute LIFE_TYPE = SECONDS
> >                     attribute LIFE_DURATION = 00007080
> >     payload: VENDOR len: 24
> >     payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
> >     payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
> >     payload: VENDOR len: 20
> >     payload: VENDOR len: 20
> >     payload: VENDOR len: 20 [ttl 0] (id 1, len 240)
> > 07:29:44.993067 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
> >     cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 00000000 len: 228
> >     payload: KEY_EXCH len: 132
> >     payload: NONCE len: 20
> >     payload: NAT-D len: 24
> >     payload: NAT-D len: 24 [ttl 0] (id 1, len 256)
> > 07:29:45.036032 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
> >     cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 00000000 len: 260
> >     payload: KEY_EXCH len: 132
> >     payload: NONCE len: 52
> >     payload: NAT-D len: 24
> >     payload: NAT-D len: 24 [ttl 0] (id 1, len 288)
> > 07:29:45.036815 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
> >     cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 00000000 len: 92
> >     payload: ID len: 12 type: IPV4_ADDR = 1.1.1.1
> >     payload: HASH len: 24
> >     payload: NOTIFICATION len: 28
> >         notification: INITIAL CONTACT (e3ee87821c134d03->5e09a5d35142c2d9) [ttl 0] (id 1, len 120)
> > 07:29:45.096249 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
> >     cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 00000000 len: 76
> >     payload: ID len: 12 type: IPV4_ADDR = 2.2.2.2
> >     payload: HASH len: 24 [ttl 0] (id 1, len 104)
> > 07:29:45.096471 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
> >     cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 74d44758 len: 156
> >     payload: HASH len: 24
> >     payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> >         payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x9444a03c
> >             payload: TRANSFORM len: 28
> >                 transform: 1 ID: AES
> >                     attribute LIFE_TYPE = SECONDS
> >                     attribute LIFE_DURATION = 3600
> >                     attribute ENCAPSULATION_MODE = TUNNEL
> >                     attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> >                     attribute KEY_LENGTH = 256
> >     payload: NONCE len: 20
> >     payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.10.0.0/255.255.255.0
> >     payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.20.2.0/255.255.255.0 [ttl 0] (id 1, len 184)
> > 07:29:45.130791 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE commit
> >     cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 74d44758 len: 204
> >     payload: HASH len: 24
> >     payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> >         payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x86ec6b36
> >             payload: TRANSFORM len: 32
> >                 transform: 1 ID: AES
> >                     attribute ENCAPSULATION_MODE = TUNNEL
> >                     attribute KEY_LENGTH = 256
> >                     attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> >                     attribute LIFE_TYPE = SECONDS
> >                     attribute LIFE_DURATION = 00000e10
> >     payload: NONCE len: 52
> >     payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.10.0.0/255.255.255.0
> >     payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.20.2.0/255.255.255.0 [ttl 0] (id 1, len 232)
> > 07:29:45.130835 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
> >     cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 74d44758 len: 52
> >     payload: HASH len: 24 [ttl 0] (id 1, len 80)
> > 07:29:45.164471 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE commit
> >     cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 74d44758 len: 76
> >     payload: HASH len: 24
> >     payload: NOTIFICATION len: 16
> >         notification: 16384 (unknown) [ttl 0] (id 1, len 104)
> > 07:29:45.164524 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
> >     cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: a260b82d len: 64
> >     payload: HASH len: 24
> >     payload: NOTIFICATION len: 12
> >         notification: PAYLOAD MALFORMED [ttl 0] (id 1, len 92)
> > 07:29:49.885574 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
> >     cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 044e1bd6 len: 68
> >     payload: HASH len: 24
> >     payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1
> >         SPI: 0x9444a03c [ttl 0] (id 1, len 96)
> > 07:29:49.885752 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
> >     cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: 2079b3c2 len: 80
> >     payload: HASH len: 24
> >     payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
> >         cookie: e3ee87821c134d03->5e09a5d35142c2d9 [ttl 0] (id 1, len 108)
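An added example, not part of this thread: a small Python decoder for the ISAKMP Notification payload format (RFC 2408, section 3.14), run over constructed payloads with the same lengths as the three notifications in the trace above (28, 16 and 12 bytes). The type table follows RFC 2408 section 3.14.1 and RFC 2407 section 4.6.3, where 16384 is the ISAKMP status type CONNECTED and 24578 is INITIAL-CONTACT; the SPI bytes in the samples are constructed from the cookies and ESP SPI shown in the trace, not captured from the wire.

```python
import struct

# Notify Message Type numbers from RFC 2408 s.3.14.1 (ISAKMP) and RFC 2407 s.4.6.3 (IPsec DOI).
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED", 24: "AUTHENTICATION-FAILED",
                16384: "CONNECTED", 24576: "RESPONDER-LIFETIME", 24577: "REPLAY-STATUS",
                24578: "INITIAL-CONTACT"}
PROTO_IDS = {1: "ISAKMP", 2: "IPSEC_AH", 3: "IPSEC_ESP", 4: "IPCOMP"}

def classify(ntype):
    """Return the RFC 2408 range a Notify Message Type number falls in."""
    if 1 <= ntype <= 30:
        return "error"
    if 8192 <= ntype <= 16383 or 32768 <= ntype <= 40959:
        return "private"
    if ntype == 16384 or 24576 <= ntype <= 32767:
        return "status"
    return "reserved"

def parse_notification(payload):
    """Decode one Notification payload, generic header (next, reserved, length) included."""
    if len(payload) < 12:
        raise ValueError("shorter than the fixed Notification header")
    _next, _reserved, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("length field %d != %d bytes present" % (length, len(payload)))
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", payload[4:12])
    if 12 + spi_size > length:
        raise ValueError("SPI size %d overruns the payload" % spi_size)
    return {"length": length, "doi": doi, "proto": PROTO_IDS.get(proto, str(proto)),
            "type": ntype, "name": NOTIFY_TYPES.get(ntype, "unknown"),
            "class": classify(ntype), "spi": payload[12:12 + spi_size].hex(),
            "data": payload[12 + spi_size:]}

def build_notification(doi, proto, ntype, spi=b""):
    """Encode a Notification payload; used here only to construct sample input."""
    body = struct.pack("!IBBH", doi, proto, len(spi), ntype) + spi
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

# Constructed samples matching the trace's notification lengths (28, 16, 12); SPIs are constructed.
SAMPLES = [
    build_notification(1, 1, 24578, bytes.fromhex("e3ee87821c134d035e09a5d35142c2d9")),
    build_notification(1, 3, 16384, bytes.fromhex("86ec6b36")),
    build_notification(1, 1, 16),
]

if __name__ == "__main__":
    for p in SAMPLES:
        n = parse_notification(p)
        print("len %2d %-9s type %5d %-18s (%s)" % (n["length"], n["proto"], n["type"], n["name"], n["class"]))
```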