I have set up a route-based VPN to Azure and no matter what I try, only phase 1 will come up (using IKEv2).
I have multiple Azure accounts in my company, so I set up another VPN with the exact same settings to a different account and the VPN comes up immediately with no issues. The Azure and FTD configs are exactly the same for both VPNs apart from different tunnel IPs and vnets etc.
For Phase1 I am using:
AES256/SHA256 PRF SHA256 DHG14
Phase2:
AES256/SHA256/No PFS
Below are the logs. I just keep getting no proposals chosen no matter what I try. It works fine on the second Azure account.
I'm debugging at max level but no details are shown:
debug crypto ikev2 protocol enabled at level 255
Can anybody see anything I'm missing here?
IKEv2-PROTO-4: (2424): Received Packet [From 20.101.121.179:500/To 221.23.29.58:500/VRF i0:f0]
(2424): Initiator SPI : B107C8FB8BD06F8D - Responder SPI : B61763775F0F7B1F Message id: 1
(2424): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (2424): Next payload: ENCR, version: 2.0 (2424): Exchange type: IKE_AUTH, flags: INITIATOR (2424): Message id: 1, length: 224(2424):
Payload contents:
(2424):
(2424): Decrypted packet:(2424): Data: 224 bytes
(2424): REAL Decrypted packet:(2424): Data: 144 bytes
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-4: (2424): Stopping timer to wait for auth message
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (2424): Checking NAT discovery
IKEv2-PROTO-4: (2424): NAT not found
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID
IKEv2-PROTO-7: (2424): Received valid parameteres in process id
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (2424): Searching policy based on peer's identity '20.101.121.179' of type 'IPv4 address'
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_SET_POLICY
IKEv2-PROTO-7: (2424): Setting configured policies
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-4: (2424): Verify peer's policy
IKEv2-PROTO-4: (2424): Peer's policy verified
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_AUTH4EAP
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_POLREQEAP
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (2424): Get peer's authentication method
IKEv2-PROTO-4: (2424): Peer's authentication method is 'PSK'
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-4: (2424): Get peer's preshared key for 20.101.121.179
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-4: (2424): Verify peer's authentication data
IKEv2-PROTO-4: (2424): Use preshared key for id 20.101.121.179, key len 24
IKEv2-PROTO-4: (2424): Verification of peer's authenctication data PASSED
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK4_IC
IKEv2-PROTO-4: (2424): Processing INITIAL_CONTACT
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_REDIRECT
IKEv2-PROTO-7: (2424): Redirect check is not needed, skipping it
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NOTIFY_AUTH_DONE
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-4: (2424): Processing IKE_AUTH message
IKEv2-PROTO-2: (2424): Failed to find a matching policy
IKEv2-PROTO-2: (2424): Received Policies:
IKEv2-PROTO-2: (2424): Failed to find a matching policy
IKEv2-PROTO-2: (2424): Expected Policies:
IKEv2-PROTO-7: (2424): Failed to verify the proposed policies
IKEv2-PROTO-2: (2424): Failed to find a matching policy
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NO_PROP_CHOSEN
IKEv2-PROTO-4: (2424): Sending no proposal chosen notify
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_MY_AUTH_METHOD
IKEv2-PROTO-4: (2424): Get my authentication method
IKEv2-PROTO-4: (2424): My authentication method is 'PSK'
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-4: (2424): Get peer's preshared key for 20.101.121.179
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-4: (2424): Generate my authentication data
IKEv2-PROTO-4: (2424): Use preshared key for id 221.23.29.58, key len 24
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_CHK4_SIGN
IKEv2-PROTO-4: (2424): Get my authentication method
IKEv2-PROTO-4: (2424): My authentication method is 'PSK'
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-4: (2424): Generating IKE_AUTH message
IKEv2-PROTO-4: (2424): Constructing IDr payload: '221.23.29.58' of type 'IPv4 address'
IKEv2-PROTO-4: (2424): Building packet for encryption.
(2424):
Payload contents:
(2424): VID(2424): Next payload: IDr, reserved: 0x0, length: 20
(2424):
(2424): b4 17 62 77 4c 38 88 58 c1 8e 27 0b 4d b2 2a b5
(2424): IDr(2424): Next payload: AUTH, reserved: 0x0, length: 12
(2424): Id type: IPv4 address, Reserved: 0x0 0x0
(2424):
(2424): c1 1d 1d 3a
(2424): AUTH(2424): Next payload: NOTIFY, reserved: 0x0, length: 40
(2424): Auth method PSK, reserved: 0x0, reserved 0x0
(2424): Auth data: 32 bytes
(2424): NOTIFY(NO_PROPOSAL_CHOSEN)(2424): Next payload: NONE, reserved: 0x0, length: 8
(2424): Security protocol id: IKE, spi size: 0, type: NO_PROPOSAL_CHOSEN
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (2900): SM Trace-> SA: I_SPI=233875B27E20D5E8 R_SPI=843CA17A05220010 (I) MsgID = 00000001 CurState: READY Event: EV_DEL_IC_RCVD
IKEv2-PROTO-7: (2900): SM Trace-> SA: I_SPI=233875B27E20D5E8 R_SPI=843CA17A05220010 (I) MsgID = 00000001 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-4: (2900): Deleting SA
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (2424): Action: Action_Null
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_TRYSEND
(2424):
IKEv2-PROTO-4: (2424): Sending Packet [To 20.101.121.179:500/From 221.23.29.58:500/VRF i0:f0]
(2424): Initiator SPI : B107C8FB8BD06F8D - Responder SPI : B61763775F0F7B1F Message id: 1
(2424): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (2424): Next payload: ENCR, version: 2.0 (2424): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (2424): Message id: 1, length: 160(2424):
Payload contents:
(2424): ENCR(2424): Next payload: VID, reserved: 0x0, length: 132
(2424): Encrypted data: 128 bytes
(2424):
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_CHK_AUTH_FAIL
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-7: (2424): Action: Action_Null
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-4: (2424): IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started
IKEv2-PROTO-4: (2424): Session with IKE ID PAIR (20.101.121.179, 221.23.29.58) is UP
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-4: (2424): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-4: (2424): Checking for duplicate IKEv2 SA
IKEv2-PROTO-4: (2424): No duplicate IKEv2 SA found
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: READY Event: EV_R_OK
IKEv2-PROTO-4: (2424): Starting timer (8 sec) to delete negotiation context
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: READY Event: EV_NO_EVENT
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: READY Event: EV_DEL_NEG_TMO
IKEv2-PROTO-7: (2424): Deleting negotiation context for peer message ID: 0x1
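
An added example, not part of the original post: a small Python parser that groups `debug crypto ikev2 protocol` output like the trace above by connection id and reports whether the IKE SA came up while the Child SA proposal was rejected with NO_PROPOSAL_CHOSEN. The function names are hypothetical and the sample lines are a constructed abridgement of the log above.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines abridged from the debug output in the post.
SAMPLE = """\
IKEv2-PROTO-4: (2424): Verification of peer's authenctication data PASSED
IKEv2-PROTO-2: (2424): Received Policies:
IKEv2-PROTO-2: (2424): Expected Policies:
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NO_PROP_CHOSEN
IKEv2-PROTO-7: (2900): SM Trace-> SA: I_SPI=233875B27E20D5E8 R_SPI=843CA17A05220010 (I) MsgID = 00000001 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-4: (2424): Session with IKE ID PAIR (20.101.121.179, 221.23.29.58) is UP
"""

LINE = re.compile(r"^IKEv2-PROTO-\d+: \((\d+)\): (.*)$")
TRACE = re.compile(r"\((R|I)\) MsgID = \w+ CurState: (\S+) Event: (\S+)")

def summarize(log_text):
    """Group debug lines by connection id (the number in parentheses)."""
    sas = defaultdict(lambda: {"role": None, "auth_ok": False, "ike_up": False,
                               "no_proposal_state": None, "empty_dumps": 0})
    lines = [l.strip() for l in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = LINE.match(line)
        if not m:
            continue
        sa, msg = sas[m.group(1)], m.group(2)
        t = TRACE.search(msg)
        if t:
            sa["role"] = t.group(1)
            if t.group(3) == "EV_NO_PROP_CHOSEN":
                sa["no_proposal_state"] = t.group(2)
        elif msg.endswith("data PASSED"):
            sa["auth_ok"] = True
        elif msg.endswith("is UP"):
            sa["ike_up"] = True
        elif msg.endswith("Policies:"):
            # Header followed directly by another debug line: no proposal text was logged.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            sa["empty_dumps"] += nxt == "" or bool(LINE.match(nxt))
    return dict(sas)

def verdict(sa):
    if sa["auth_ok"] and sa["ike_up"] and sa["no_proposal_state"]:
        return "IKE SA up; Child SA rejected with NO_PROPOSAL_CHOSEN"
    return "IKE SA up" if sa["ike_up"] else "incomplete"

if __name__ == "__main__":
    for conn, sa in summarize(SAMPLE).items():
        print(conn, sa["role"], verdict(sa), "empty policy dumps:", sa["empty_dumps"])
```

Keying on the connection id keeps the interleaved `(2900)` lines from being attributed to the `(2424)` negotiation.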