LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
07-14-2016, 02:46 PM   #1
horizn (Member; registered Jan 2015; location: UK and Poland; distribution: Slackware + Debian + Ubuntu; posts: 170)
OpenSWAN to Azure INVALID_PAYLOAD_TYPE problem


Hi,
I am trying to set up an OpenSWAN link between a Linux host located behind NAT and MS Azure. However, it won't work and I don't know why.

My config:
/etc/ipsec.conf
Code:
config setup
    # obsolete keyword in Libreswan (NAT-T is always enabled); harmless here
    nat_traversal=yes
    virtual_private=%v4:10.171.0.0/16,%v4:10.172.0.0/16
    protostack=netkey
    # interfaces= is only used by the KLIPS stack; ignored with netkey
    interfaces="ipsec0=eth0"
    oe=off

conn azure
    # PSK comes from /etc/ipsec.secrets
    authby=secret
    auto=start
    type=tunnel
    # local end is the private address 10.171.0.4 behind NAT
    left=%defaultroute
    # two local subnets, so pluto creates two child conns: azure/1x0 and azure/2x0
    leftsubnets=10.171.0.0/16,10.172.0.0/16
    leftnexthop=%defaultroute
    # Azure gateway public IP
    right=2.2.2.2
    rightsubnet=10.5.0.0/24
    # Phase 1: only AES-256 with SHA1 and DH group 2 (modp1024) is accepted
    ike=aes256-sha1;modp1024
    # Phase 2
    esp=aes256-sha1
    ikelifetime=8h
    keylife=1h
    pfs=no
    dpdaction=restart_by_peer
    dpdtimeout=10
    dpddelay=10
/etc/ipsec.secrets
Code:
10.171.0.4 2.2.2.2: PSK "password"
Log:

Code:
Pluto initialized
Jul 14 17:25:19: NSS DB directory: sql:/etc/ipsec.d
Jul 14 17:25:19: NSS initialized
Jul 14 17:25:19: libcap-ng support [enabled]
Jul 14 17:25:19: FIPS HMAC integrity verification test passed
Jul 14 17:25:19: FIPS: pluto daemon NOT running in FIPS mode
Jul 14 17:25:19: Linux audit support [enabled]
Jul 14 17:25:19: Linux audit activated
Jul 14 17:25:19: Starting Pluto (Libreswan Version 3.15 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:22036
Jul 14 17:25:19: core dump dir: /var/run/pluto
Jul 14 17:25:19: secrets file: /etc/ipsec.secrets
Jul 14 17:25:19: leak-detective disabled
Jul 14 17:25:19: NSS crypto [enabled]
Jul 14 17:25:19: XAUTH PAM support [enabled]
Jul 14 17:25:19:    NAT-Traversal support  [enabled]
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
Jul 14 17:25:19: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
Jul 14 17:25:19: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
Jul 14 17:25:19: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
Jul 14 17:25:19: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
Jul 14 17:25:19: starting up 3 crypto helpers
Jul 14 17:25:19: started thread for crypto helper 0 (master fd 9)
Jul 14 17:25:19: started thread for crypto helper 1 (master fd 11)
Jul 14 17:25:19: started thread for crypto helper 2 (master fd 14)
Jul 14 17:25:19: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-327.22.2.el7.x86_64
Jul 14 17:25:19: ike_alg_register_enc(): Activating aes_ccm_8: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating aes_ccm_12: Ok
Jul 14 17:25:19: ike_alg_register_enc(): Activating aes_ccm_16: Ok
Jul 14 17:25:19: | selinux support is NOT enabled.
Jul 14 17:25:20: | certificate not loaded for this end
Jul 14 17:25:20: | certificate not loaded for this end
Jul 14 17:25:20: added connection description "azure/1x0"
Jul 14 17:25:20: | certificate not loaded for this end
Jul 14 17:25:20: | certificate not loaded for this end
Jul 14 17:25:20: added connection description "azure/2x0"
Jul 14 17:25:20: listening for IKE messages
Jul 14 17:25:20: adding interface eth0/eth0 10.171.0.4:500
Jul 14 17:25:20: adding interface eth0/eth0 10.171.0.4:4500
Jul 14 17:25:20: adding interface lo/lo 127.0.0.1:500
Jul 14 17:25:20: adding interface lo/lo 127.0.0.1:4500
Jul 14 17:25:20: adding interface lo/lo ::1:500
Jul 14 17:25:20: | setup callback for interface lo:500 fd 25
Jul 14 17:25:20: | setup callback for interface lo:4500 fd 24
Jul 14 17:25:20: | setup callback for interface lo:500 fd 23
Jul 14 17:25:20: | setup callback for interface eth0:4500 fd 22
Jul 14 17:25:20: | setup callback for interface eth0:500 fd 21
Jul 14 17:25:20: loading secrets from "/etc/ipsec.secrets"
Jul 14 17:25:20: no secrets filename matched "/etc/ipsec.d/*.secrets"
Jul 14 17:25:20: initiating all conns with alias='azure'
Jul 14 17:25:20: "azure/2x0" #1: initiating Main Mode
Jul 14 17:25:20: "azure/2x0" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:25:20: "azure/2x0" #1: received Vendor ID payload [RFC 3947]
Jul 14 17:25:20: "azure/2x0" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:25:20: "azure/2x0" #1: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:25:20: "azure/2x0" #1: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:25:20: "azure/2x0" #1: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:25:20: "azure/2x0" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:25:20: "azure/2x0" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 14 17:25:20: "azure/2x0" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 14 17:25:21: "azure/2x0" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT
Jul 14 17:25:21: "azure/2x0" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 14 17:25:21: "azure/2x0" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 14 17:25:21: "azure/2x0" #1: Main mode peer ID is ID_IPV4_ADDR: '2.2.2.2'
Jul 14 17:25:21: "azure/2x0" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 14 17:25:21: "azure/2x0" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
Jul 14 17:25:21: "azure/2x0" #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Jul 14 17:25:21: "azure/1x0" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:cb9a6cb3 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=no-pfs}
Jul 14 17:25:21: "azure/2x0" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:3c5cb7f9 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=no-pfs}
Jul 14 17:25:21: "azure/1x0" #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Jul 14 17:25:21: "azure/1x0" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 14 17:25:21: "azure/1x0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x3197c6b2 <0x86d75c73 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=2.2.2.2:4500 DPD=active}
Jul 14 17:25:21: "azure/2x0" #3: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Jul 14 17:25:21: "azure/2x0" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 14 17:25:21: "azure/2x0" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xd55d7802 <0x9e81bfca xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=2.2.2.2:4500 DPD=active}
Jul 14 17:25:21: "azure/1x0" #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
Jul 14 17:25:21: "azure/1x0" #2: sending encrypted notification INVALID_PAYLOAD_TYPE to 2.2.2.2:4500
Jul 14 17:25:21: "azure/2x0" #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
Jul 14 17:25:21: "azure/2x0" #3: sending encrypted notification INVALID_PAYLOAD_TYPE to 2.2.2.2:4500
Jul 14 17:25:54: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:25:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:25:54: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:25:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:25:54: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:25:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:25:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:25:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:25:54: "azure/1x0" #4: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:25:54: "azure/1x0" #4: responding to Main Mode
Jul 14 17:25:54: "azure/1x0" #4: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:25:54: "azure/1x0" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:25:54: "azure/1x0" #4: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:25:55: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:25:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:25:55: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:25:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:25:55: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:25:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:25:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:25:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:25:55: "azure/1x0" #5: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:25:55: "azure/1x0" #5: responding to Main Mode
Jul 14 17:25:55: "azure/1x0" #5: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:25:55: "azure/1x0" #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:25:55: "azure/1x0" #5: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:25:56: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:25:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:25:56: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:25:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:25:56: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:25:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:25:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:25:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:25:56: "azure/1x0" #6: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:25:56: "azure/1x0" #6: responding to Main Mode
Jul 14 17:25:56: "azure/1x0" #6: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:25:56: "azure/1x0" #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:25:56: "azure/1x0" #6: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:25:59: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:25:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:25:59: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:25:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:25:59: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:25:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:25:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:25:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:25:59: "azure/1x0" #7: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:25:59: "azure/1x0" #7: responding to Main Mode
Jul 14 17:25:59: "azure/1x0" #7: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:25:59: "azure/1x0" #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:25:59: "azure/1x0" #7: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:26:58: "azure/1x0" #4: max number of retransmissions (8) reached STATE_MAIN_R1
Jul 14 17:26:58: "azure/1x0" #4: deleting state #4 (STATE_MAIN_R1)
Jul 14 17:26:59: "azure/1x0" #5: max number of retransmissions (8) reached STATE_MAIN_R1
Jul 14 17:26:59: "azure/1x0" #5: deleting state #5 (STATE_MAIN_R1)
Jul 14 17:27:00: "azure/1x0" #6: max number of retransmissions (8) reached STATE_MAIN_R1
Jul 14 17:27:00: "azure/1x0" #6: deleting state #6 (STATE_MAIN_R1)
Jul 14 17:27:03: "azure/1x0" #7: max number of retransmissions (8) reached STATE_MAIN_R1
Jul 14 17:27:03: "azure/1x0" #7: deleting state #7 (STATE_MAIN_R1)
Jul 14 17:27:54: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:27:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:27:54: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:27:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:27:54: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:27:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:27:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:27:54: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:27:54: "azure/1x0" #8: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:27:54: "azure/1x0" #8: responding to Main Mode
Jul 14 17:27:54: "azure/1x0" #8: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:27:54: "azure/1x0" #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:27:54: "azure/1x0" #8: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:27:55: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:27:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:27:55: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:27:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:27:55: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:27:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:27:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:27:55: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:27:55: "azure/1x0" #9: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:27:55: "azure/1x0" #9: responding to Main Mode
Jul 14 17:27:55: "azure/1x0" #9: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:27:55: "azure/1x0" #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:27:55: "azure/1x0" #9: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:27:56: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:27:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:27:56: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:27:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:27:56: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:27:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:27:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:27:56: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:27:56: "azure/1x0" #10: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:27:56: "azure/1x0" #10: responding to Main Mode
Jul 14 17:27:56: "azure/1x0" #10: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:27:56: "azure/1x0" #10: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:27:56: "azure/1x0" #10: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:27:59: packet from 2.2.2.2:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jul 14 17:27:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jul 14 17:27:59: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947]
Jul 14 17:27:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 14 17:27:59: packet from 2.2.2.2:500: received Vendor ID payload [FRAGMENTATION]
Jul 14 17:27:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 14 17:27:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 17:27:59: packet from 2.2.2.2:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 14 17:27:59: "azure/1x0" #11: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 14 17:27:59: "azure/1x0" #11: responding to Main Mode
Jul 14 17:27:59: "azure/1x0" #11: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:27:59: "azure/1x0" #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:27:59: "azure/1x0" #11: STATE_MAIN_R1: sent MR1, expecting MI2
2.2.2.2 is an Azure IP. Unfortunately I don't have access to the Azure side configuration, and currently a third-party company has configured a Watchguard router to test the connection. All I've got from them are some screenshots, with the following options enabled:

NAT Traversal
Dead peer detection
Phase 1 Transform: SHA1-AES(256-bit)
Key Group: Diffie-Hellman Group2
+ IP addresses

On my gateway the following iptables rules are applied:

Code:
ACCEPT     udp  --  2.2.2.2        10.171.0.4           udp dpt:500
ACCEPT     udp  --  2.2.2.2        10.171.0.4           udp dpt:4500
ACCEPT     esp  --  2.2.2.2        10.171.0.4          
ACCEPT     esp  --  10.171.0.4           2.2.2.2       
ACCEPT     ah   --  2.2.2.2        10.171.0.4          
ACCEPT     ah   --  10.171.0.4           2.2.2.2
They claim that this Watchguard router works fine with their Azure. Does anyone know what the problem could be?

Last edited by horizn; 07-14-2016 at 02:49 PM.
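To make a pluto log like the one above quicker to read, here is an added example (my own code, not from the original post and not part of Libreswan) that parses the ike= line from ipsec.conf together with the pluto log and reports what happened. The sample input is constructed from the poster's config and a handful of lines lifted from the log in the thread. Two things the log records and the script surfaces: both child SAs reached "IPsec SA established" before the INVALID_PAYLOAD_TYPE notifications were sent in response to an unexpected ISAKMP_NEXT_HASH payload, and the later "Oakley Transform [...] refused" lines are logged while pluto is responding to Main Mode initiated from 2.2.2.2, i.e. the peer proposes AES-256 with SHA2-256 and MODP1024 while the local ike= line only allows sha1. The mapping from pluto's OAKLEY_* names to ike= keywords (aes256, sha2_256, modp1024) follows libreswan's algorithm naming and is an assumption on my part; check it against the ipsec.conf man page for your version.

```python
"""Added example (not from the original post): triage a Libreswan/Openswan pluto
log against the ipsec.conf 'ike=' line.  Reports whether Phase 1 / Phase 2 came
up, counts INVALID_PAYLOAD_TYPE notifications, lists Main Mode proposals the local
policy refused, and suggests an ike= line that would also accept them."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the poster's ike= line plus a few lines lifted from
# the pluto log in the thread (timestamps and IPs as posted).
SAMPLE_CONF = """\
conn azure
    ike=aes256-sha1;modp1024
    esp=aes256-sha1
"""
SAMPLE_LOG = """\
Jul 14 17:25:21: "azure/2x0" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
Jul 14 17:25:21: "azure/1x0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x3197c6b2 <0x86d75c73 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=2.2.2.2:4500 DPD=active}
Jul 14 17:25:21: "azure/1x0" #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
Jul 14 17:25:21: "azure/1x0" #2: sending encrypted notification INVALID_PAYLOAD_TYPE to 2.2.2.2:4500
Jul 14 17:25:54: "azure/1x0" #4: responding to Main Mode
Jul 14 17:25:54: "azure/1x0" #4: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:25:55: "azure/1x0" #5: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused
Jul 14 17:26:58: "azure/1x0" #4: max number of retransmissions (8) reached STATE_MAIN_R1
"""

REFUSED_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: Oakley Transform \[(?P<xf>[^\]]+)\] refused')
# "ESP=>" when the peer is reached directly, "ESP/NAT=>" when NAT-T (UDP 4500) is in use
CHILD_SA_RE = re.compile(r"IPsec SA established tunnel mode \{ESP(?:/NAT)?=>(0x[0-9a-f]+)")
INVALID_RE = re.compile(r"sending encrypted notification INVALID_PAYLOAD_TYPE")


def oakley_to_token(name: str) -> str:
    """Map a pluto OAKLEY_* transform name to the ike= keyword (assumed libreswan naming)."""
    name = name.strip()
    m = re.fullmatch(r"OAKLEY_(\w+?)_CBC(?: \((\d+)\))?", name)  # OAKLEY_AES_CBC (256) -> aes256
    if m:
        return m.group(1).lower() + (m.group(2) or "")
    m = re.fullmatch(r"OAKLEY_GROUP_(\w+)", name)  # OAKLEY_GROUP_MODP1024 -> modp1024
    if m:
        return m.group(1).lower()
    m = re.fullmatch(r"OAKLEY_(SHA2_\d+|SHA1|MD5)", name)  # OAKLEY_SHA2_256 -> sha2_256
    if m:
        return m.group(1).lower()
    raise ValueError(f"unrecognised Oakley transform: {name!r}")


def parse_ike_proposals(conf_text: str) -> list[tuple[str, str, str | None]]:
    """(cipher, integ, group) triples from the first ike= line; group is None if omitted."""
    m = re.search(r"^\s*ike=(\S+)", conf_text, re.MULTILINE)
    if not m:
        return []
    out = []
    for proposal in m.group(1).split(","):
        cipher_integ, _, group = proposal.partition(";")
        cipher, _, integ = cipher_integ.partition("-")
        out.append((cipher, integ, group or None))
    return out


def parse_refused_transforms(log_text: str) -> list[tuple[str, str, str]]:
    """Distinct (cipher, integ, group) triples the responder refused, in log order."""
    seen: list[tuple[str, str, str]] = []
    for m in REFUSED_RE.finditer(log_text):
        triple = tuple(oakley_to_token(p) for p in m.group("xf").split(", "))
        if len(triple) == 3 and triple not in seen:
            seen.append(triple)
    return seen


def suggest_ike(proposals, refused) -> str:
    """Current ike= proposals plus every refused peer proposal not already listed."""
    merged = list(proposals) + [r for r in refused if r not in proposals]
    return ",".join(f"{c}-{i}" + (f";{g}" if g else "") for c, i, g in merged)


@dataclass
class Triage:
    isakmp_established: bool
    ipsec_spis: list[str]  # outbound SPIs of child SAs that came up
    invalid_payload_events: int
    refused: list[tuple[str, str, str]]
    suggested_ike: str


def triage(conf_text: str, log_text: str) -> Triage:
    proposals = parse_ike_proposals(conf_text)
    refused = parse_refused_transforms(log_text)
    return Triage(
        isakmp_established="ISAKMP SA established" in log_text,
        ipsec_spis=CHILD_SA_RE.findall(log_text),
        invalid_payload_events=len(INVALID_RE.findall(log_text)),
        refused=refused,
        suggested_ike=suggest_ike(proposals, refused),
    )


if __name__ == "__main__":
    t = triage(SAMPLE_CONF, SAMPLE_LOG)
    print("Phase 1 up:", t.isakmp_established, "| child SA SPIs:", t.ipsec_spis)
    print("INVALID_PAYLOAD_TYPE notifications sent:", t.invalid_payload_events)
    for r in t.refused:
        print("peer proposal refused by local ike= policy:", "-".join(r))
    print("ike= line that would also accept them:", t.suggested_ike)
```

Run it as-is for the sample, or pass your own ipsec.conf and pluto log text to triage(). Widening ike= so the responder accepts the peer's proposal is a negotiation fix, not hardening: modp1024 is 1024-bit Diffie-Hellman and SHA1 is a legacy integrity algorithm, so prefer sha2_256 with modp2048 or larger where the peer's policy allows it, and only add proposals the peer actually offers.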
 
07-15-2016, 06:02 AM   #2
horizn (Original Poster)
It started auto-magically overnight, so I suspect the third-party company has changed something on their side.
 
  

