
I am trying to get a local Linux VM to connect to our existing Azure point-to-site VPN.

Windows machines are able to easily connect using the executable provided in the zip. The P2S configuration Tunnel type is set to IKEv2 and SSL VPN (SSTP) and the authentication type is Azure certificate.

I started by following the official guide, generating all the certificates on the Linux machine and adding the base64 to the point-to-site configuration's root certificates.

I then moved on to this guide to set up the VPN connection, but I am getting an error:

initiating IKE_SA azure[1] to [IP ADDRESS]
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.0.0.4[500] to [IP ADDRESS][500] (894 bytes)
retransmit 1 of request with message ID 0
sending packet: from 10.0.0.4[500] to [IP ADDRESS][500] (894 bytes)
...
retransmit 5 of request with message ID 0
sending packet: from 10.0.0.4[500] to [IP ADDRESS][500] (894 bytes)
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
establishing connection 'azure' failed

My /etc/ipsec.conf file content is:

conn azure
        keyexchange=ikev2
        type=tunnel
        leftfirewall=yes
        left=%any
        leftauth=eap-tls
        leftid=%client
        right=azuregateway-[GUID].cloudapp.net
        rightid=%azuregateway-[GUID].cloudapp.net
        rightsubnet=0.0.0.0/0
        leftsourceip=%config
        auto=add

The commands I have used to get to this point, in order:

apt-get install strongswan-ikev2 strongswan-plugin-eap-tls -- Failed to find
apt-get install strongswan-swanctl libcharon-extra-plugins strongswan libstrongswan-standard-plugins strongswan-pki
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem
openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo
(copy / pasted the output of this to the Azure portal as a P2S root certificate)
export USERNAME="client"
export PASSWORD="Password1"
ipsec pki --gen --outform pem > "${USERNAME}Key.pem"
ipsec pki --pub --in "${USERNAME}Key.pem" | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem > "${USERNAME}Cert.pem"
openssl pkcs12 -in "${USERNAME}Cert.pem" -inkey "${USERNAME}Key.pem" -certfile caCert.pem -export -out "${USERNAME}.p12" -password "pass:${PASSWORD}"
cp VPN/VpnServerRoot.cer /etc/ipsec.d/cacerts/
cp client.p12 /etc/ipsec.d/private/
Modified the ipsec.conf (see above)
Added the line
: P12 client.p12 'Password1'
to the /etc/ipsec.secrets file
ipsec restart
ipsec up azure
Jake
  • This setup uses IKEv2. Did you enable IKEv2 in the [Azure portal](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#tunneltype)? – Michael Hampton Dec 04 '18 at 03:34
  • Updated the OP, but Yes, in the portal the Tunnel type is `IKEv2 and SSL VPN (SSTP)` – Jake Dec 04 '18 at 03:38
  • Well, no response is coming back from your outgoing packets. That usually indicates a firewall issue. (Or not having enabled IKEv2 in the portal.) Check for firewalls between you and Azure. You must allow UDP ports 500 and 4500 and protocol 51. – Michael Hampton Dec 04 '18 at 03:42

0 Answers
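The certificate steps from the question, as an added example that is not code from the post or from the Azure or strongSwan guides: the same CA, client certificate and PKCS#12 pipeline done with plain openssl in place of `ipsec pki`, followed by the checks worth running before the first `ipsec up` (the client cert chains to the CA that was pasted into the portal, the clientAuth EKU is present, the p12 opens with the password that goes into ipsec.secrets, and the portal string round-trips to a parseable DER certificate). The CA name "VPN CA", the username, the throwaway password and the scratch directory are assumptions. It does not cover the symptom in the log itself: five retransmits with no reply to IKE_SA_INIT means nothing is coming back on UDP 500, which no local certificate check can diagnose.

```shell
#!/bin/sh
# Added example, not code from the post: the CA / client certificate / PKCS#12
# steps done with plain openssl instead of `ipsec pki`, plus sanity checks.
# Assumptions: CA name "VPN CA", username "client", a throwaway password and
# a scratch directory; nothing here touches /etc/ipsec.d.
set -eu

WORK="${WORK:-$(mktemp -d)}"
USERNAME="${USERNAME:-client}"
PASSWORD="${PASSWORD:-Password1}"   # throwaway value, as in the post

make_certs() {
    # Root CA. Extensions come from an extfile so the self-signed cert is a
    # real CA (basicConstraints, keyCertSign) regardless of the default openssl.cnf.
    openssl genrsa -out "$WORK/caKey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/caKey.pem" -subj "/CN=VPN CA" -out "$WORK/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$WORK/ca.cnf"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/caKey.pem" -days 3650 \
        -extfile "$WORK/ca.cnf" -out "$WORK/caCert.pem" 2>/dev/null

    # Client certificate. The clientAuth EKU is the --flag clientAuth from the
    # post; the DNS SAN is what strongSwan matches against leftid=%client.
    openssl genrsa -out "$WORK/${USERNAME}Key.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/${USERNAME}Key.pem" -subj "/CN=${USERNAME}" \
        -out "$WORK/${USERNAME}.csr"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\nsubjectAltName=DNS:%s\n' \
        "$USERNAME" > "$WORK/client.cnf"
    openssl x509 -req -in "$WORK/${USERNAME}.csr" -CA "$WORK/caCert.pem" \
        -CAkey "$WORK/caKey.pem" -CAcreateserial -days 365 \
        -extfile "$WORK/client.cnf" -out "$WORK/${USERNAME}Cert.pem" 2>/dev/null

    # PKCS#12 bundle for /etc/ipsec.d/private, referenced from ipsec.secrets as
    #   : P12 client.p12 'Password1'
    openssl pkcs12 -export -in "$WORK/${USERNAME}Cert.pem" \
        -inkey "$WORK/${USERNAME}Key.pem" -certfile "$WORK/caCert.pem" \
        -out "$WORK/${USERNAME}.p12" -password "pass:${PASSWORD}"
}

# The string the Azure portal wants as a P2S root certificate: DER, base64, one line.
portal_root_b64() {
    openssl x509 -in "$WORK/caCert.pem" -outform der | base64 | tr -d '\n'
}

# Checks worth running before the first `ipsec up`. Returns non-zero on the
# first failure so it can be used from a script.
check_certs() {
    # 1. the client cert actually chains to the CA that was given to the portal
    openssl verify -CAfile "$WORK/caCert.pem" "$WORK/${USERNAME}Cert.pem" >/dev/null || return 1
    # 2. the EKU that EAP-TLS client authentication needs is present
    openssl x509 -in "$WORK/${USERNAME}Cert.pem" -noout -text \
        | grep -q 'TLS Web Client Authentication' || return 1
    # 3. the p12 opens (MAC verifies) with the password that will go into ipsec.secrets
    openssl pkcs12 -in "$WORK/${USERNAME}.p12" -password "pass:${PASSWORD}" -noout 2>/dev/null || return 1
    # 4. the portal string decodes back to a DER certificate carrying the CA subject
    portal_root_b64 | base64 -d | openssl x509 -inform der -noout -subject \
        | grep -q 'VPN CA' || return 1
}

make_certs
check_certs && echo "certificates OK in $WORK"
```

Run it as root only if you then copy the p12 into /etc/ipsec.d/private yourself; the script deliberately writes to a scratch directory. If check 4 passes but the portal rejects the string, the usual cause is a stray newline or a PEM header being pasted instead of the bare base64 body.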