Hi,
I am trying to set up an OpenSWAN link between a Linux host located behind NAT and MS Azure. However, it won't work and I don't know why.
My config:
/etc/ipsec.conf
Code:
config setup
    nat_traversal=yes
    virtual_private=%v4:10.171.0.0/16,%v4:10.172.0.0/16
    protostack=netkey
    interfaces="ipsec0=eth0"
    oe=off

conn azure
    authby=secret
    auto=start
    type=tunnel
    left=%defaultroute
    leftsubnets=10.171.0.0/16,10.172.0.0/16
    leftnexthop=%defaultroute
    right=2.2.2.2
    rightsubnet=10.5.0.0/24
    ike=aes256-sha1;modp1024
    esp=aes256-sha1
    ikelifetime=8h
    keylife=1h
    pfs=no
    dpdaction=restart_by_peer
    dpdtimeout=10
    dpddelay=10
/etc/ipsec.secrets
Code:
10.171.0.4 2.2.2.2: PSK "password"
Log:
Code:
Pluto initialized
Jul 14 17:25:19: NSS DB directory: sql:/etc/ipsec.d
Jul 14 17:25:19: NSS initialized
Jul 14 17:25:19: libcap-ng support [enabled]
Jul 14 17:25:19: FIPS HMAC integrity verification test passed
Jul 14 17:25:19: FIPS: pluto daemon NOT running in FIPS mode
Jul 14 17:25:19: Linux audit support [enabled]
Jul 14 17:25:19: Linux audit activated
Jul 14 17:25:19: Starting Pluto (Libreswan Version 3.15 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:22036
Jul 14 17:25:19: core dump dir: /var/run/pluto
Jul 14 17:25:19: secrets file: /etc/ipsec.secrets
Jul 14 17:25:19: leak-detective disabled
Jul 14 17:25:19: NSS crypto [enabled]
Jul 14 17:25:19: XAUTH PAM support [enabled]
Jul 14 17:25:19: NAT-Traversal support [enabled]
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
Jul 14 17:25:19: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
Jul 14 17:25:19: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
Jul 14 17:25:19: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
Jul 14 17:25:19: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
Jul 14 17:25:19: starting up 3 crypto helpers
Jul 14 17:25:19: started thread for crypto helper 0 (master fd 9)
Jul 14 17:25:19: started thread for crypto helper 1 (master fd 11)
Jul 14 17:25:19: started thread for crypto helper 2 (master fd 14)
Jul 14 17:25:19: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-327.22.2.el7.x86_64
Jul 14 17:25:19: ike_alg_register_enc(): Activating aes_ccm_8: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating aes_ccm_12: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating aes_ccm_16: Ok
Jul 14 17:25:19: | selinux support is NOT enabled.
Jul 14 17:25:20: | certificate not loaded for this end
Jul 14 17:25:20: | certificate not loaded for this end
Jul 14 17:25:20: added connection description "azure/1x0"
Jul 14 17:25:20: | certificate not loaded for this end
Jul 14 17:25:20: | certificate not loaded for this end
Jul 14 17:25:20: added connection description "azure/2x0"
Jul 14 17:25:20: listening for IKE messages
Jul 14 17:25:20: adding interface eth0/eth0 10.171.0.4:500
Jul 14 17:25:20: adding interface eth0/eth0 10.171.0.4:4500
Jul 14 17:25:20: adding interface lo/lo 127.0.0.1:500
Jul 14 17:25:20: adding interface lo/lo 127.0.0.1:4500
Jul 14 17:25:20: adding interface lo/lo ::1:500
Jul 14 17:25:20: | setup callback for interface lo:500 fd 25
Jul 14 17:25:20: | setup callback for interface lo:4500 fd 24
Jul 14 17:25:20: | setup callback for interface lo:500 fd 23
Jul 14 17:25:20: | setup callback for interface eth0:4500 fd 22
Jul 14 17:25:20: | setup callback for interface eth0:500 fd 21
Jul 14 17:25:20: loading secrets from "/etc/ipsec.secrets"
Jul 14 17:25:20: no secrets filename matched "/etc/ipsec.d/*.secrets"
Jul 14 17:25:20: initiating all conns with alias='azure'
Jul 14 17:25:20: "azure/2x0" #1: initiating Main Mode
Jul 14 17:25:20: "azure/2x0" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:25:20: "azure/2x0" #1: received Vendor ID payload [RFC 3947]
Jul 14 17:25:20: "azure/2x0" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:25:20: "azure/2x0" #1: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:25:20: "azure/2x0" #1: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:25:20: "azure/2x0" #1: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:25:20: "azure/2x0" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:25:20: "azure/2x0" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 14 17:25:20: "azure/2x0" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 14 17:25:21: "azure/2x0" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT
Jul 14 17:25:21: "azure/2x0" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 14 17:25:21: "azure/2x0" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 14 17:25:21: "azure/2x0" #1: Main mode peer ID is ID_IPV4_ADDR: '2.2.2.2'
Jul 14 17:25:21: "azure/2x0" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 14 17:25:21: "azure/2x0" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
Jul 14 17:25:21: "azure/2x0" #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Jul 14 17:25:21: "azure/1x0" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:cb9a6cb3 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=no-pfs}
Jul 14 17:25:21: "azure/2x0" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:3c5cb7f9 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=no-pfs}
Jul 14 17:25:21: "azure/1x0" #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Jul 14 17:25:21: "azure/1x0" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 14 17:25:21: "azure/1x0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x3197c6b2 <0x86d75c73 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=2.2.2.2:4500 DPD=active}
Jul 14 17:25:21: "azure/2x0" #3: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Jul 14 17:25:21: "azure/2x0" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 14 17:25:21: "azure/2x0" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xd55d7802 <0x9e81bfca xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=2.2.2.2:4500 DPD=active}
Jul 14 17:25:21: "azure/1x0" #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
Jul 14 17:25:21: "azure/1x0" #2: sending encrypted notification INVALID_PAYLOAD_TYPE to 2.2.2.2:4500
Jul 14 17:25:21: "azure/2x0" #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
Jul 14 17:25:21: "azure/2x0" #3: sending encrypted notification INVALID_PAYLOAD_TYPE to 2.2.2.2:4500
Jul 14 17:25:54: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:25:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:25:54: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:25:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:25:54: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:25:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:25:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:25:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:25:54: "azure/1x0" #4: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:25:54: "azure/1x0" #4: responding to Main Mode
Jul 14 17:25:54: "azure/1x0" #4: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:25:54: "azure/1x0" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:25:54: "azure/1x0" #4: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:25:55: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:25:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:25:55: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:25:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:25:55: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:25:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:25:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:25:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:25:55: "azure/1x0" #5: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:25:55: "azure/1x0" #5: responding to Main Mode
Jul 14 17:25:55: "azure/1x0" #5: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:25:55: "azure/1x0" #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:25:55: "azure/1x0" #5: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:25:56: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:25:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:25:56: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:25:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:25:56: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:25:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:25:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:25:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:25:56: "azure/1x0" #6: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:25:56: "azure/1x0" #6: responding to Main Mode
Jul 14 17:25:56: "azure/1x0" #6: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:25:56: "azure/1x0" #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:25:56: "azure/1x0" #6: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:25:59: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:25:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:25:59: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:25:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:25:59: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:25:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:25:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:25:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:25:59: "azure/1x0" #7: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:25:59: "azure/1x0" #7: responding to Main Mode
Jul 14 17:25:59: "azure/1x0" #7: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:25:59: "azure/1x0" #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:25:59: "azure/1x0" #7: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:26:58: "azure/1x0" #4: max number of retransmissions (8) reached STATE_MAIN_R1
Jul 14 17:26:58: "azure/1x0" #4: deleting state #4 (STATE_MAIN_R1)
Jul 14 17:26:59: "azure/1x0" #5: max number of retransmissions (8) reached STATE_MAIN_R1
Jul 14 17:26:59: "azure/1x0" #5: deleting state #5 (STATE_MAIN_R1)
Jul 14 17:27:00: "azure/1x0" #6: max number of retransmissions (8) reached STATE_MAIN_R1
Jul 14 17:27:00: "azure/1x0" #6: deleting state #6 (STATE_MAIN_R1)
Jul 14 17:27:03: "azure/1x0" #7: max number of retransmissions (8) reached STATE_MAIN_R1
Jul 14 17:27:03: "azure/1x0" #7: deleting state #7 (STATE_MAIN_R1)
Jul 14 17:27:54: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:27:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:27:54: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:27:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:27:54: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:27:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:27:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:27:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:27:54: "azure/1x0" #8: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:27:54: "azure/1x0" #8: responding to Main Mode
Jul 14 17:27:54: "azure/1x0" #8: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:27:54: "azure/1x0" #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:27:54: "azure/1x0" #8: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:27:55: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:27:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:27:55: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:27:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:27:55: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:27:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:27:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:27:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:27:55: "azure/1x0" #9: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:27:55: "azure/1x0" #9: responding to Main Mode
Jul 14 17:27:55: "azure/1x0" #9: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:27:55: "azure/1x0" #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:27:55: "azure/1x0" #9: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:27:56: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:27:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:27:56: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:27:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:27:56: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:27:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:27:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:27:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:27:56: "azure/1x0" #10: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:27:56: "azure/1x0" #10: responding to Main Mode
Jul 14 17:27:56: "azure/1x0" #10: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:27:56: "azure/1x0" #10: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:27:56: "azure/1x0" #10: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:27:59: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:27:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:27:59: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:27:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:27:59: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:27:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:27:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:27:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:27:59: "azure/1x0" #11: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:27:59: "azure/1x0" #11: responding to Main Mode
Jul 14 17:27:59: "azure/1x0" #11: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:27:59: "azure/1x0" #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:27:59: "azure/1x0" #11: STATE_MAIN_R1: sent MR1, expecting MI2
2.2.2.2 is an Azure IP. Unfortunately I don't have access to the Azure side configuration, and currently a third party company has configured a Watchguard router to test the connection. All I've got from them are some screen shots, with the following options enabled:
NAT Traversal
Dead peer detection
Phase 1 Transform: SHA1-AES(256-bit)
Key Group: Diffie-Hellman Group2
+ IP addresses
On my gateway the following iptables rules are applied:
Code:
ACCEPT udp -- 2.2.2.2 10.171.0.4 udp dpt:500
ACCEPT udp -- 2.2.2.2 10.171.0.4 udp dpt:4500
ACCEPT esp -- 2.2.2.2 10.171.0.4
ACCEPT esp -- 10.171.0.4 2.2.2.2
ACCEPT ah -- 2.2.2.2 10.171.0.4
ACCEPT ah -- 10.171.0.4 2.2.2.2
They claim that this Watchguard router works fine with their Azure. Does anyone know what the problem could be?
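As an added diagnostic, not part of the original post: the pluto log above contains repeated "Oakley Transform [...] refused" lines for the peer-initiated Main Mode, and the script below parses such lines and compares each refused transform against the proposals in the ipsec.conf ike= line, so the reader can see which component of the peer's offer (cipher, hash or DH group) no local proposal covers. The sample log lines are constructed in the format shown above, and the alias table mapping ike= spellings (sha256, dh2, ...) to pluto's names is this example's assumption about libreswan's accepted aliases.

```python
import re

# Constructed sample in the pluto log format shown in the post: the locally
# initiated Main Mode that succeeded, plus two peer-initiated attempts refused.
SAMPLE_LOG = """\
Jul 14 17:25:21: "azure/2x0" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
Jul 14 17:25:54: "azure/1x0" #4: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:25:55: "azure/1x0" #5: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
"""

# Matches pluto's "Oakley Transform [...] refused" line for CBC ciphers.
REFUSED_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): Oakley Transform \['
    r'OAKLEY_(?P<enc>[A-Z0-9]+)_CBC \((?P<bits>\d+)\), '
    r'OAKLEY_(?P<hash>[A-Z0-9_]+), OAKLEY_GROUP_(?P<group>[A-Z0-9]+)\] refused'
)

# Assumed ike= aliases, normalised to the spelling pluto logs (lower-cased).
ALIASES = {"sha": "sha1", "sha256": "sha2_256", "sha384": "sha2_384",
           "sha512": "sha2_512", "dh2": "modp1024", "dh14": "modp2048"}

def norm(token):
    t = token.strip().lower()
    return ALIASES.get(t, t)

def parse_ike_proposals(ike_value):
    """'aes256-sha1;modp1024,aes256-sha2_256;modp1024' -> [(enc, hash, group), ...]."""
    props = []
    for prop in ike_value.split(","):
        enc_hash, _, group = prop.partition(";")
        enc, _, hsh = enc_hash.partition("-")
        props.append((norm(enc), norm(hsh), norm(group) or None))
    return props

def parse_refused(log_text):
    """One (conn, state, enc, hash, group) tuple per refused-transform log line."""
    out = []
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            # "AES_CBC (256)" becomes the ike= token "aes256"; 3DES has no key-size suffix.
            enc = "3des" if m["enc"] == "3DES" else f"{m['enc'].lower()}{m['bits']}"
            out.append((m["conn"], int(m["state"]), enc, m["hash"].lower(), m["group"].lower()))
    return out

def diagnose(ike_value, log_text):
    """Map each distinct refused transform to the components no local proposal offers."""
    props = parse_ike_proposals(ike_value)
    encs, hashes = {p[0] for p in props}, {p[1] for p in props}
    groups = {p[2] for p in props if p[2]}   # empty set: ike= left the group to defaults
    findings = {}
    for _conn, _state, enc, hsh, grp in parse_refused(log_text):
        missing = []
        if enc not in encs: missing.append(f"cipher {enc}")
        if hsh not in hashes: missing.append(f"hash {hsh}")
        if groups and grp not in groups: missing.append(f"group {grp}")
        findings[(enc, hsh, grp)] = missing
    return findings

if __name__ == "__main__":
    for transform, missing in diagnose("aes256-sha1;modp1024", SAMPLE_LOG).items():
        print(transform, "refused; not offered locally:", missing or "nothing (other cause)")
```

Run against the real log with `diagnose(open("/etc/ipsec.conf").read().split("ike=")[1].split()[0], open("/var/log/pluto.log").read())` or similar; an empty "missing" list for a refused transform points away from the ike= line and toward another cause.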