Tuesday, June 8, 2021

Route based VPN (VTI) from FTD to Azure

I have set up a route based VPN to Azure and no matter what I try only phase 1 will come up (using IKEv2).

I have multiple Azure accounts in my company, so I set up another VPN with the exact same settings to a different account and the VPN comes up immediately with no issues. The Azure and FTD configs are exactly the same for both VPNs apart from different tunnel IPs and VNets etc.

For Phase1 I am using:

AES256/SHA256 PRF SHA256 DHG14 

Phase2:

AES256/SHA256/No PFS 

Below are the logs. I just keep getting "no proposal chosen" no matter what I try. It works fine on the second Azure account.

I'm debugging at max level but no details are shown:

debug crypto ikev2 protocol enabled at level 255 

Can anybody see anything I'm missing here?

IKEv2-PROTO-4: (2424): Received Packet [From 20.101.121.179:500/To 221.23.29.58:500/VRF i0:f0]

(2424): Initiator SPI : B107C8FB8BD06F8D - Responder SPI : B61763775F0F7B1F Message id: 1

(2424): IKEv2 IKE_AUTH Exchange REQUEST
IKEv2-PROTO-5: (2424): Next payload: ENCR, version: 2.0
(2424): Exchange type: IKE_AUTH, flags: INITIATOR
(2424): Message id: 1, length: 224
(2424):

Payload contents:

(2424):

(2424): Decrypted packet:(2424): Data: 224 bytes

(2424): REAL Decrypted packet:(2424): Data: 144 bytes

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_RECV_AUTH

IKEv2-PROTO-4: (2424): Stopping timer to wait for auth message

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_NAT_T

IKEv2-PROTO-4: (2424): Checking NAT discovery

IKEv2-PROTO-4: (2424): NAT not found

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID

IKEv2-PROTO-7: (2424): Received valid parameteres in process id

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID

IKEv2-PROTO-4: (2424): Searching policy based on peer's identity '20.101.121.179' of type 'IPv4 address'

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_SET_POLICY

IKEv2-PROTO-7: (2424): Setting configured policies

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_VERIFY_POLICY_BY_PEERID

IKEv2-PROTO-4: (2424): Verify peer's policy

IKEv2-PROTO-4: (2424): Peer's policy verified

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_AUTH4EAP

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_POLREQEAP

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_AUTH_TYPE

IKEv2-PROTO-4: (2424): Get peer's authentication method

IKEv2-PROTO-4: (2424): Peer's authentication method is 'PSK'

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_GET_PRESHR_KEY

IKEv2-PROTO-4: (2424): Get peer's preshared key for 20.101.121.179

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_VERIFY_AUTH

IKEv2-PROTO-4: (2424): Verify peer's authentication data

IKEv2-PROTO-4: (2424): Use preshared key for id 20.101.121.179, key len 24

IKEv2-PROTO-4: (2424): Verification of peer's authenctication data PASSED

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK4_IC

IKEv2-PROTO-4: (2424): Processing INITIAL_CONTACT

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_REDIRECT

IKEv2-PROTO-7: (2424): Redirect check is not needed, skipping it

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NOTIFY_AUTH_DONE

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_CONFIG_MODE

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_GET_CONFIG_MODE

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_PROC_SA_TS

IKEv2-PROTO-4: (2424): Processing IKE_AUTH message

IKEv2-PROTO-2: (2424): Failed to find a matching policy

IKEv2-PROTO-2: (2424): Received Policies:

IKEv2-PROTO-2: (2424): Failed to find a matching policy

IKEv2-PROTO-2: (2424): Expected Policies:

IKEv2-PROTO-7: (2424): Failed to verify the proposed policies

IKEv2-PROTO-2: (2424): Failed to find a matching policy

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NO_PROP_CHOSEN

IKEv2-PROTO-4: (2424): Sending no proposal chosen notify

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_MY_AUTH_METHOD

IKEv2-PROTO-4: (2424): Get my authentication method

IKEv2-PROTO-4: (2424): My authentication method is 'PSK'

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_GET_PRESHR_KEY

IKEv2-PROTO-4: (2424): Get peer's preshared key for 20.101.121.179

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_GEN_AUTH

IKEv2-PROTO-4: (2424): Generate my authentication data

IKEv2-PROTO-4: (2424): Use preshared key for id 221.23.29.58, key len 24

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_CHK4_SIGN

IKEv2-PROTO-4: (2424): Get my authentication method

IKEv2-PROTO-4: (2424): My authentication method is 'PSK'

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_OK_AUTH_GEN

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_SEND_AUTH

IKEv2-PROTO-4: (2424): Generating IKE_AUTH message

IKEv2-PROTO-4: (2424): Constructing IDr payload: '221.23.29.58' of type 'IPv4 address'

IKEv2-PROTO-4: (2424): Building packet for encryption.

(2424):

Payload contents:

(2424): VID(2424): Next payload: IDr, reserved: 0x0, length: 20

(2424):

(2424): b4 17 62 77 4c 38 88 58 c1 8e 27 0b 4d b2 2a b5

(2424): IDr(2424): Next payload: AUTH, reserved: 0x0, length: 12

(2424): Id type: IPv4 address, Reserved: 0x0 0x0

(2424):

(2424): c1 1d 1d 3a

(2424): AUTH(2424): Next payload: NOTIFY, reserved: 0x0, length: 40

(2424): Auth method PSK, reserved: 0x0, reserved 0x0

(2424): Auth data: 32 bytes

(2424): NOTIFY(NO_PROPOSAL_CHOSEN)(2424): Next payload: NONE, reserved: 0x0, length: 8

(2424): Security protocol id: IKE, spi size: 0, type: NO_PROPOSAL_CHOSEN

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_ENCRYPT_MSG

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_NO_EVENT

IKEv2-PROTO-7: (2900): SM Trace-> SA: I_SPI=233875B27E20D5E8 R_SPI=843CA17A05220010 (I) MsgID = 00000001 CurState: READY Event: EV_DEL_IC_RCVD

IKEv2-PROTO-7: (2900): SM Trace-> SA: I_SPI=233875B27E20D5E8 R_SPI=843CA17A05220010 (I) MsgID = 00000001 CurState: DELETE Event: EV_FREE_SA

IKEv2-PROTO-4: (2900): Deleting SA

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_OK_ENCRYPT_RESP

IKEv2-PROTO-7: (2424): Action: Action_Null

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_TRYSEND

(2424):

IKEv2-PROTO-4: (2424): Sending Packet [To 20.101.121.179:500/From 221.23.29.58:500/VRF i0:f0]

(2424): Initiator SPI : B107C8FB8BD06F8D - Responder SPI : B61763775F0F7B1F Message id: 1

(2424): IKEv2 IKE_AUTH Exchange RESPONSE
IKEv2-PROTO-5: (2424): Next payload: ENCR, version: 2.0
(2424): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
(2424): Message id: 1, length: 160
(2424):

Payload contents:

(2424): ENCR(2424): Next payload: VID, reserved: 0x0, length: 132

(2424): Encrypted data: 128 bytes

(2424):

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_CHK_AUTH_FAIL

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK

IKEv2-PROTO-7: (2424): Action: Action_Null

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE

IKEv2-PROTO-4: (2424): IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started

IKEv2-PROTO-4: (2424): Session with IKE ID PAIR (20.101.121.179, 221.23.29.58) is UP

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT

IKEv2-PROTO-4: (2424): Initializing DPD, configured for 10 seconds

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE

IKEv2-PROTO-4: (2424): Checking for duplicate IKEv2 SA

IKEv2-PROTO-4: (2424): No duplicate IKEv2 SA found

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: READY Event: EV_R_OK

IKEv2-PROTO-4: (2424): Starting timer (8 sec) to delete negotiation context

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: READY Event: EV_NO_EVENT

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: READY Event: EV_DEL_NEG_TMO

IKEv2-PROTO-7: (2424): Deleting negotiation context for peer message ID: 0x1
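As an added example (not from the original post), a small Python triage over constructed lines in the shape of this FTD debug output. It checks that PSK verification PASSED and the IKE SA was inserted into the database (so phase 1 is complete), and that "Failed to find a matching policy" occurs at the EV_PROC_SA_TS step followed by the NO_PROPOSAL_CHOSEN notify, which is the child SA (phase 2) proposal and traffic-selector check carried inside IKE_AUTH; it also reports whether the "Received Policies" and "Expected Policies" lists were empty, as they are in the trace above. The session id, message texts and state names are taken from the post; everything else is an assumption of this script.

```python
import re

# Constructed excerpt in the shape of the FTD "debug crypto ikev2 protocol"
# output in the post (not a verbatim copy of it).
SAMPLE_LOG = """\
IKEv2-PROTO-4: (2424): Received Packet [From 20.101.121.179:500/To 221.23.29.58:500/VRF i0:f0]
IKEv2-PROTO-4: (2424): Verification of peer's authenctication data PASSED
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-2: (2424): Failed to find a matching policy
IKEv2-PROTO-2: (2424): Received Policies:
IKEv2-PROTO-2: (2424): Expected Policies:
IKEv2-PROTO-7: (2424): Failed to verify the proposed policies
IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NO_PROP_CHOSEN
IKEv2-PROTO-4: (2424): Sending no proposal chosen notify
IKEv2-PROTO-4: (2424): IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started
"""
SESSION_RE = re.compile(r"\((\d+)\):\s*(.*)")           # "(2424): message"
TRACE_RE = re.compile(r"CurState: (\S+) Event: (\S+)")  # state-machine trace


def triage(text, session):
    """Classify one responder-side session from the debug text: did it fail
    while building the IKE SA (phase 1) or the child SA (phase 2) in IKE_AUTH?"""
    msgs = [m.group(2) for m in map(SESSION_RE.search, text.splitlines())
            if m and m.group(1) == session]
    r = {"auth_passed": False, "ike_sa_created": False, "no_proposal_chosen": False,
         "failure_stage": None, "received_policies": [], "expected_policies": []}
    last_trace = collecting = None
    for msg in msgs:
        t = TRACE_RE.search(msg)
        if t:                       # a new state/event ends any policy listing
            last_trace, collecting = (t.group(1), t.group(2)), None
        elif "data PASSED" in msg:
            r["auth_passed"] = True
        elif msg.startswith("IKEV2 SA created"):
            r["ike_sa_created"] = True
        elif msg.startswith("Sending no proposal chosen"):
            r["no_proposal_chosen"] = True
        elif msg.startswith("Failed"):  # first failure records the state/event it happened in
            collecting, r["failure_stage"] = None, r["failure_stage"] or last_trace
        elif msg.endswith("Policies:"):
            collecting = "received_policies" if msg.startswith("Received") else "expected_policies"
        elif collecting:            # proposal lines printed under Received/Expected
            r[collecting].append(msg)
    stage = r["failure_stage"][1] if r["failure_stage"] else None
    r["verdict"] = ("phase2" if r["no_proposal_chosen"] and stage == "EV_PROC_SA_TS"
                    else "phase1_or_incomplete" if not r["auth_passed"] else "unknown")
    return r
```

A "phase2" verdict with both policy lists empty means the responder accepted the peer and the IKE SA, but had no IPsec proposal to compare against for this peer's child SA; that points at the IPsec proposal or traffic-selector binding for this particular tunnel on the FTD rather than at the IKEv2 policy.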
