
UTM Azure Site to Site VPN not working, connection is made but no data passes through

I am hoping somebody can help with this issue. I have an Azure Site to Site VPN that has connected fine. However, when I try to ping or use RDP on the remote network, it doesn't work. I am behind a firewall at my college that allows no ports through. Does UDP/500 need to be open? I am getting errors like "sending encrypted notification INVALID_PAYLOAD_TYPE to xx:500" and "message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)". I have attached my configuration and a snippet of a log file from my UTM.

2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2018:12:12-23:10:47 krohtofw pluto[26798]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Dorm-to-Azure" address="xx" local_net="10.80.1.0/24" remote_net="10.20.1.0/24"
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: sent QI2, IPsec SA established {ESP=>0x8f86e1c8 <0x1faa1fb4}
2018:12:12-23:10:47 krohtofw pluto[26798]: packet from xx:500: Informational Exchange is for an unknown (expired?) SA
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: sending encrypted notification INVALID_PAYLOAD_TYPE to xx:500
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: sending encrypted notification INVALID_PAYLOAD_TYPE to xx:500



  • If there's any failure in the IPsec log, Alec, it would be after that, but I guess there won't be.

    If you don't get an idea to resolve this issue from The Azure problem, it's time to watch what's going on inside the tunnel.

    First, we need the REF_ of the tunnel:

    cc get_object_by_name ipsec_connection site_to_site 'Dorm-to-Azure'|grep \'ref

    Say that returns REF_IpsSitDormToAzure.  To watch the traffic in the tunnel:

    espdump -n --conn REF_IpsSitDormToAzure -vv

    Any new info from that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I am getting this error when running the espdump.

    krohtofw:/home/login # cc get_object_by_name ipsec_connection site_to_site 'Dorm-to-Azure'|grep \'ref
              'ref' => 'REF_IpsSitDormtoazur',
    krohtofw:/home/login #
    krohtofw:/home/login # espdump -n --conn REF_IpsSitDormtoazur -vv
    ERROR: no tunnel found for 'REF_IpsSitDormtoazur'
    krohtofw:/home/login # espdump -n --conn REF_IpsSitDormtoazur
    ERROR: no tunnel found for 'REF_IpsSitDormtoazur'
    krohtofw:/home/login #

  • This indicates that there might be an error further on in the log.  Does the 'Site-to-site VPN Tunnel Status' show all IPsec SAs green when you're running the espdump?

    Cheers - Bob

  • Never mind, I got the espdump to work. The log file is attached below.

    espdump_dorm_to_azure.rtf

  • Which side is x.y.z.26?

    Cheers - Bob

  • There's no response from Azure.  How is the tunnel defined on Azure?  UTM doesn't support IKEv2 (Dynamic).

    Cheers - Bob

  • Well, this is weird. The Azure site to site VPN works fine on my home network with no issue. I am able to RDP into the Azure VM fine. However, it doesn't work on the college network. Do you know why? Is it because UDP/500 needs to be open and at college the port is not open?

  • If you know for a fact that UDP 500 is blocked, Alec, then there's no way to establish an IPsec connection with Azure.  You could do it with an XG instance in Azure though.

    But, your logs don't indicate that UDP 500 is blocked, more likely that ESP or UDP 4500 is blocked.  What do the network people at your university say?

    Cheers - Bob

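A small triage script for pluto (IKEv1) logs like the one in this thread, added here as an example and not part of the thread or of Sophos UTM: it parses the log lines, counts the notable IKE events, and maps them to the same distinction Bob draws (IKE on UDP/500 completed, so a no-traffic symptom points at ESP or UDP/4500 rather than UDP/500). The sample lines are constructed from the post's log, and the event names and verdict wording are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log quoted in the original post ("xx" is the redacted peer).
SAMPLE_LOG = """\
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: sent QI2, IPsec SA established {ESP=>0x8f86e1c8 <0x1faa1fb4}
2018:12:12-23:10:47 krohtofw pluto[26798]: packet from xx:500: Informational Exchange is for an unknown (expired?) SA
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: sending encrypted notification INVALID_PAYLOAD_TYPE to xx:500
"""

# timestamp host pluto[pid]: ["conn" #sa:] message   (the conn/#sa prefix is absent on "packet from" lines)
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$')

# Substring -> event name; first match wins.
RULES = [
    ("IPsec SA established", "sa_established"),
    ("INVALID_PAYLOAD_TYPE", "invalid_payload_sent"),
    ("unexpected payload type", "unexpected_payload"),
    ("unknown (expired?) SA", "unknown_sa"),
    ("Commit Flag set", "commit_flag"),
]

def parse_pluto_log(text):
    """Return one dict per recognised pluto line: ts, host, conn, sa, msg, event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto line (other daemons, blank lines)
        rec = m.groupdict()
        rec["event"] = next((name for key, name in RULES if key in rec["msg"]), "other")
        events.append(rec)
    return events

def triage(events):
    """Count events and return (counts, verdict) describing where to look next."""
    counts = Counter(e["event"] for e in events)
    if counts["sa_established"] == 0:
        verdict = "no IPsec SA established: IKE (UDP/500) never completed; check reachability and proposals"
    elif counts["invalid_payload_sent"] or counts["unexpected_payload"]:
        verdict = ("IPsec SA established (so UDP/500 works) but the peer's follow-up IKE messages are "
                   "being rejected; check that ESP (IP proto 50) or UDP/4500 passes both ways and that "
                   "the peer is configured for IKEv1")
    else:
        verdict = "IKE looks healthy; inspect ESP traffic (espdump) rather than the IKE log"
    return counts, verdict
```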