
I tried to connect from Linux to Azure VPN Gateway but it failed.

Please let me know if there are any deficiencies in my settings.

Environment information

  • Client
  • Server
    • Azure VPN Gateway (SKU = VpnGW1, SSTP)
      • NOTE: I cannot change this setting because I'm not an administrator.

Result

After making the settings described below, executing sudo pon azure-vpn gave the following result (excerpted log).

Nov 17 01:59:46 azurevpn pppd[12004]: Initializing SSL BIOs
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.0
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Client Hello
(snip)
Nov 17 01:59:46 azurevpn pppd[12004]:  <- SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Server Hello
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Certificate
(snip)
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Finished: TLS 1.2 <=== *** the connection established with TLS 1.2 ***
(snip)
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x6 TLS L-- ...]
Nov 17 01:59:46 azurevpn pppd[12004]:  <- SSL/TLS Header: TLS 1.0 <=== *** Why TLS version is downgraded??? ***
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Alert: protocol version
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x6 TLS --- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Failure id=0x6]
Nov 17 01:59:46 azurevpn pppd[12004]: EAP: peer reports authentication failure

Configuration details

  1. Changed /etc/ssl/openssl.cnf to avoid "ca md too weak"
@@ -15,6 +15,9 @@
 #oid_file              = $ENV::HOME/.oid
 oid_section            = new_oids

+# fixup connection error (1)
+openssl_conf = default_conf
+
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
 # X.509v3 extensions to use:
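Review bot: the comment `# fixup connection error (1)` above `openssl_conf = default_conf` does not say which error it works around; name it (the "ca md too weak" verify failure this step is for) and mention the `[default_conf]` section it activates, because this directive sits in the unnamed top-level section of /etc/ssl/openssl.cnf and is therefore picked up by every program that initialises libssl on the host, not only pppd. If the relaxation is meant for the VPN alone, keep it in a separate config file and point OPENSSL_CONF at that file in the environment that starts pppd, leaving the system file untouched.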
@@ -348,3 +351,19 @@
                                # (optional, default: no)
 ess_cert_id_alg                = sha1  # algorithm to compute certificate
                                # identifier (optional, default: sha1)
+
+# fixup connection error (2)
+
+[default_conf]
+
+ssl_conf = ssl_sect
+
+[ssl_sect]
+
+system_default = system_default_sect
+
+[system_default_sect]
+
+MinProtocol = TLSv1
+# MinProtocol = TLSv1.2
+CipherString = DEFAULT:@SECLEVEL=1
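Review bot: `MinProtocol = TLSv1` in `[system_default_sect]` lowers the floor to TLS 1.0 for every OpenSSL client on the host, yet the log above shows the gateway handshake completing at TLS 1.2 (`Finished: TLS 1.2`), so this line is not what the "ca md too weak" fix needed; the line that addresses it is `CipherString = DEFAULT:@SECLEVEL=1`, which drops the minimum security level to 80 bits and, on OpenSSL 1.1.x, is what lets a SHA-1-signed CA certificate (and 1024-bit keys) be accepted again. Suggest using the commented-out `MinProtocol = TLSv1.2` instead, keeping SECLEVEL=1 only as long as the SHA-1 CA in ca.pem is needed, and replacing the `# fixup connection error (2)` comment with that reasoning so the relaxation is not forgotten later.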
  2. /etc/ppp/peers/azure-vpn (NOTE: ca.pem is a combination of Generic/VpnServerRoot.cer and the self-signed CA certificate, converted to PEM format)
remotename  ********-****-****-****-************.cloudapp.net   # name of the peer, used for authentication
linkname    azure-vpn                                             # names this link (pid file, log lines)
ipparam     azure-vpn                                             # extra argument passed to /etc/ppp/ip-up and ip-down
# run sstpc as the "tty": it opens the SSTP tunnel to the gateway (verifying it against ca.pem)
# and hands the PPP stream to this pppd instead of launching its own
pty         "sstpc --log-level 4 --ipparam azure-vpn --nolaunchpppd --ca-cert /etc/ppp/certs/ca.pem azuregateway-********-****-****-****-************-************.cloudapp.net"
name        ********SelfRootCertificate     # local identity, sent in the EAP Identity response
plugin      sstp-pppd-plugin.so             # hands the MPPE keys to sstpc for the SSTP crypto binding
sstp-sock   /var/run/sstpc/sstpc-azure-vpn  # socket the plugin uses to reach sstpc
require-mppe                                # demand MPPE encryption on the link
require-eap                                 # authenticate with EAP only (EAP-TLS, given ca/cert/key below)
refuse-mschap-v2
refuse-pap
refuse-chap
refuse-mschap
nobsdcomp                                   # no BSD-Compress
nodeflate                                   # no Deflate compression
noauth                                      # do not require the gateway to authenticate itself to us
# password KEY_PASSWORD                     # set if user_priv.key is passphrase-protected
ca /etc/ppp/certs/ca.pem                    # EAP-TLS: trusted CA bundle for the gateway's certificate
cert /etc/ppp/certs/user_cert.pem           # EAP-TLS: client certificate
key /etc/ppp/certs/user_priv.key            # EAP-TLS: client private key

debug                                       # verbose pppd logging (the log below)
  3. All logs from the azure-vpn connection
Nov 17 01:59:45 azurevpn pppd[12003]: Plugin sstp-pppd-plugin.so loaded.
Nov 17 01:59:45 azurevpn pppd[12004]: pppd 2.4.7 started by vagrant, uid 0
Nov 17 01:59:45 azurevpn pppd[12004]: using channel 9
Nov 17 01:59:45 azurevpn pppd[12004]: Using interface ppp0
Nov 17 01:59:45 azurevpn pppd[12004]: Connect: ppp0 <--> /dev/pts/2
Nov 17 01:59:45 azurevpn systemd-udevd[12006]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Nov 17 01:59:45 azurevpn networkd-dispatcher[620]: WARNING:Unknown index 11 seen, reloading interface list
Nov 17 01:59:45 azurevpn sstpc[12008]: Waiting for sstp-plugin to connect on: /var/run/sstpc/sstpc-azure-vpn
Nov 17 01:59:45 azurevpn NetworkManager[614]: <info>  [1637114385.4448] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/11)
Nov 17 01:59:45 azurevpn sstpc[12008]: Resolved azuregateway-********-****-****-****-************-************.cloudapp.net to ***.***.***.***
Nov 17 01:59:45 azurevpn sstpc[12008]: Connected to azuregateway-********-****-****-****-************-************.cloudapp.net
Nov 17 01:59:45 azurevpn sstpc[12008]: Sending Connect-Request Message
Nov 17 01:59:45 azurevpn sstpc[12008]: SEND SSTP CRTL PKT(14)
Nov 17 01:59:45 azurevpn sstpc[12008]:   TYPE(1): CONNECT REQUEST, ATTR(1):
Nov 17 01:59:45 azurevpn sstpc[12008]:     ENCAP PROTO(1): 6
Nov 17 01:59:45 azurevpn sstpc[12008]: RECV SSTP CRTL PKT(48)
Nov 17 01:59:45 azurevpn sstpc[12008]:   TYPE(2): CONNECT ACK, ATTR(1):
Nov 17 01:59:45 azurevpn sstpc[12008]:     CRYPTO BIND REQ(4): 40
Nov 17 01:59:45 azurevpn sstpc[12008]: Started PPP Link Negotiation
Nov 17 01:59:46 azurevpn pppd[12004]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xcd8828e0> <pcomp> <accomp>]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [LCP ConfReq id=0x0 <mru 4091> <auth eap> <magic 0x333246e9> <pcomp> <accomp> <callback CBCP> <mrru 1614> <endpoint [local:********]>]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [LCP ConfRej id=0x0 <callback CBCP> <mrru 1614>]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x********> <pcomp> <accomp>]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [LCP ConfReq id=0x1 <mru 4091> <auth eap> <magic 0x********> <pcomp> <accomp> <endpoint [local:********]>]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [LCP ConfAck id=0x1 <mru 4091> <auth eap> <magic 0x333246e9> <pcomp> <accomp> <endpoint [local:********]>]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [LCP EchoReq id=0x0 magic=0x********]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x0 Identity <No message>]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x0 Identity <Name "***SelfRootCertificate">]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [LCP EchoRep id=0x0 magic=0x********]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x1 TLS --S]
Nov 17 01:59:46 azurevpn pppd[12004]: MTU = 1486
Nov 17 01:59:46 azurevpn pppd[12004]: calling get_eaptls_secret
Nov 17 01:59:46 azurevpn pppd[12004]: calling eaptls_init_ssl
Nov 17 01:59:46 azurevpn pppd[12004]: Initializing SSL BIOs
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.0
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Client Hello
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x1 TLS --- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x2 TLS LM- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x2 TLS Ack]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x3 TLS -M- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x3 TLS Ack]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x4 TLS --- ...]
Nov 17 01:59:46 azurevpn pppd[12004]:  <- SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Server Hello
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Certificate
Nov 17 01:59:46 azurevpn pppd[12004]: certificate verify depth: 2
Nov 17 01:59:46 azurevpn pppd[12004]: certificate verify depth: 1
Nov 17 01:59:46 azurevpn pppd[12004]: certificate verify depth: 0
Nov 17 01:59:46 azurevpn pppd[12004]: Certificate CN: ********-****-****-****-************.cloudapp.net , peer name ********-****-****-****-************.cloudapp.net
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Server Key Exchange
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Certificate Request
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Server Hello Done
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Certificate
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Client Key Exchange
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Certificate Verify
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> ChangeCipherSpec
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Finished: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x4 TLS LM- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x5 TLS Ack]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x5 TLS --- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x6 TLS L-- ...]
Nov 17 01:59:46 azurevpn pppd[12004]:  <- SSL/TLS Header: TLS 1.0
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Alert: protocol version
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x6 TLS --- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Failure id=0x6]
Nov 17 01:59:46 azurevpn pppd[12004]: EAP: peer reports authentication failure
Nov 17 01:59:46 azurevpn pppd[12004]: sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [LCP TermReq id=0x9 "32F\351\000<\315t\000\000\002\263"]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [LCP TermAck id=0x9]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [LCP TermAck id=0x2 "Failed to authenticate ourselves to peer"]
Nov 17 01:59:46 azurevpn pppd[12004]: Connection terminated.
Nov 17 01:59:46 azurevpn sstpc[12008]: RECV SSTP CRTL PKT(20)
Nov 17 01:59:46 azurevpn pppd[12004]: Waiting for 1 child processes...
Nov 17 01:59:46 azurevpn pppd[12004]:   script sstpc --log-level 4 --ipparam azure-vpn --nolaunchpppd --ca-cert /etc/ppp/certs/ca.pem azuregateway-********-****-****-****-************-************.cloudapp.net, pid 12005
Nov 17 01:59:46 azurevpn sstpc[12008]:   TYPE(6): DISCONNECT, ATTR(1):
Nov 17 01:59:46 azurevpn sstpc[12008]:     STATUS INFO(2): 12
Nov 17 01:59:46 azurevpn sstpc[12008]: Sending Disconnect Ack Message
Nov 17 01:59:46 azurevpn sstpc[12008]: SEND SSTP CRTL PKT(8)
Nov 17 01:59:46 azurevpn sstpc[12008]:   TYPE(7): DISCONNECT ACK, ATTR(0):
Nov 17 01:59:46 azurevpn sstpc[12008]: Connection was aborted, Reason was not known
Nov 17 01:59:46 azurevpn pppd[12004]: Script sstpc --log-level 4 --ipparam azure-vpn --nolaunchpppd --ca-cert /etc/ppp/certs/ca.pem azuregateway-********-****-****-****-************-************.cloudapp.net finished (pid 12005), status = 0xff
Nov 17 01:59:46 azurevpn pppd[12004]: Exit.
vmi
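An added example (my code, not code from the question or from the pppd/sstp-client projects): a small parser over the pppd EAP-TLS debug lines that records the header version of every TLS record in each direction, takes the negotiated version from the Finished message, and flags any later record whose header version differs from it, which is exactly the point in the log above where the client answers with "Alert: protocol version" and the peer follows with EAP Failure. The sample input is copied from the question's own log (trimmed to the TLS-relevant lines, including the poster's "<===" annotations, which the parser strips). One caveat the check encodes: a TLS 1.0 header on the outgoing ClientHello is normal, because OpenSSL sends the first record with the legacy record version for compatibility; only a version change after the handshake has completed is worth flagging.

```python
"""Walk the TLS records that pppd's EAP-TLS code logs and flag a post-handshake version change."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Each pppd line looks like "Nov 17 01:59:46 azurevpn pppd[12004]: <message>"; the EAP-TLS code
# logs one "SSL/TLS Header" line per TLS record, then the handshake / CCS / Alert content.
_PPPD_RE = re.compile(r"pppd\[\d+\]:\s*(?P<msg>.*)$")
_HEADER_RE = re.compile(r"^(?P<dir>->|<-)\s+SSL/TLS Header:\s+(?P<ver>TLS \d\.\d)")
_HANDSHAKE_RE = re.compile(r"^(?P<dir>->|<-)\s+Handshake:\s+(?P<msg>[^:]+?)(?::\s+(?P<ver>TLS \d\.\d))?\s*$")
_CCS_RE = re.compile(r"^(?P<dir>->|<-)\s+ChangeCipherSpec\s*$")
_ALERT_RE = re.compile(r"^(?P<dir>->|<-)\s+Alert:\s+(?P<desc>.+?)\s*$")
_EAP_FAILURE_RE = re.compile(r"^rcvd \[EAP Failure id=0x[0-9a-fA-F]+\]")


@dataclass
class TlsRecord:
    direction: str                                     # "->" sent by this client, "<-" received
    version: str                                       # version printed in the SSL/TLS Header line
    messages: List[str] = field(default_factory=list)  # handshake/CCS/alert lines of this record


@dataclass
class TlsTrace:
    records: List[TlsRecord] = field(default_factory=list)
    negotiated: Optional[str] = None                   # version printed on the Finished message
    alerts: List[Tuple[str, str]] = field(default_factory=list)
    eap_failure: bool = False

    def version_mismatches(self) -> List[TlsRecord]:
        """Records after our Finished whose header version differs from the negotiated one
        (a TLS 1.0 header on the ClientHello itself is the normal legacy record version)."""
        if self.negotiated is None:
            return []
        after_finished, out = False, []
        for rec in self.records:
            if after_finished and rec.version != self.negotiated:
                out.append(rec)
            if "Finished" in rec.messages:
                after_finished = True
        return out


def parse_pppd_tls_log(lines) -> TlsTrace:
    """Build a TlsTrace from raw syslog lines; lines from other daemons are ignored."""
    trace, current = TlsTrace(), None
    for raw in lines:
        m = _PPPD_RE.search(raw)
        if not m:
            continue
        msg = m.group("msg").split("<===")[0].strip()  # drop the poster's "<=== ***" annotations
        if (h := _HEADER_RE.match(msg)):
            current = TlsRecord(h.group("dir"), h.group("ver"))
            trace.records.append(current)
        elif (hs := _HANDSHAKE_RE.match(msg)):
            name = hs.group("msg").strip()
            if current is not None:
                current.messages.append(name)
            if name == "Finished" and hs.group("ver"):
                trace.negotiated = hs.group("ver")
        elif _CCS_RE.match(msg) and current is not None:
            current.messages.append("ChangeCipherSpec")
        elif (a := _ALERT_RE.match(msg)):
            trace.alerts.append((a.group("dir"), a.group("desc")))
            if current is not None:
                current.messages.append("Alert: " + a.group("desc"))
        elif _EAP_FAILURE_RE.match(msg):
            trace.eap_failure = True
    return trace


def record_versions(trace: TlsTrace) -> Dict[Tuple[str, str], int]:
    """Count records per (direction, header version) so a stray version stands out."""
    counts: Dict[Tuple[str, str], int] = {}
    for rec in trace.records:
        counts[(rec.direction, rec.version)] = counts.get((rec.direction, rec.version), 0) + 1
    return counts


# Lines copied from the question's log, trimmed to the TLS-relevant ones (not constructed).
SAMPLE_LOG = """\
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.0
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Client Hello
Nov 17 01:59:46 azurevpn pppd[12004]:  <- SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Server Hello
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Certificate
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Server Hello Done
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Certificate
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> ChangeCipherSpec
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Finished: TLS 1.2 <=== *** the connection established with TLS 1.2 ***
Nov 17 01:59:46 azurevpn pppd[12004]:  <- SSL/TLS Header: TLS 1.0 <=== *** Why TLS version is downgraded??? ***
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Alert: protocol version
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Failure id=0x6]
"""

if __name__ == "__main__":
    t = parse_pppd_tls_log(SAMPLE_LOG.splitlines())
    print(record_versions(t), [(r.direction, r.version) for r in t.version_mismatches()], t.alerts)
```

Feed it the full journal with `journalctl -u pppd` piped in or a saved log file instead of `SAMPLE_LOG`; the only thing it keys on is the `pppd[pid]:` prefix, so sstpc, systemd and NetworkManager lines pass through untouched.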