This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM Azure Site to Site VPN not working, connection is made but no data passes through

I am hoping somebody can help with this issue. I have an Azure Site to Site VPN that has connected fine. However when I try to ping or use RDP on the remote network. It doesn't work. I am behind a firewall at my college that allows no ports through. Does UDP/500 need to be open. I am getting errors like "sending encrypted notification INVALID_PAYLOAD_TYPE to xx:500" and "message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)". I have attached my configuration and a snippet of a log file from my UTM.

Fullscreen LogFile.txt Download

{\rtf1\ansi\ansicpg1252\cocoartf1671\cocoasubrtf100
{\fonttbl\f0\fmodern\fcharset0 Courier;}
{\colortbl;\red255\green255\blue255;\red0\green0\blue0;\red224\green223\blue220;}
{\*\expandedcolortbl;;\cssrgb\c0\c0\c0;\cssrgb\c90196\c89804\c89020;}
\margl1440\margr1440\vieww28600\viewh15460\viewkind0
\deftab720
\pard\pardeftab720\sl280\partightenfactor0

\f0\fs24 \cf2 \cb3 \expnd0\expndtw0\kerning0
\outl0\strokewidth0 \strokec2 2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag\
2018:12:12-23:10:47 krohtofw pluto[26798]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Dorm-to-Azure" address=\'93xx\'94 local_net="10.80.1.0/24" remote_net="10.20.1.0/24"\
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: sent QI2, IPsec SA established \{ESP=>0x8f86e1c8 <0x1faa1fb4\}\
2018:12:12-23:10:47 krohtofw pluto[26798]: packet from xx:500: Informational Exchange is for an unknown (expired?) SA\
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag\
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)\
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: sending encrypted notification INVALID_PAYLOAD_TYPE to xx:500\
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag\
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)\
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: sending encrypted notification INVALID_PAYLOAD_TYPE to xx:500\
}

This thread was automatically locked due to age.

Parents

0 DKKDG over 5 years ago

Hi Alec,

my first guess by VPN problems like this are the policies.
Are the policies on both vpn gateways the same, especially phase 2 (IPSec)?

Best Regards
DKKDG
Cancel
Vote Up 0 Vote Down

Cancel
0 Alec Krohto1 over 5 years ago in reply to DKKDG

Yes they are. I followed the directions on setting up the policies with Azure correctly.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 5 years ago in reply to Alec Krohto1

Alec, it's tricky setting up a IPsec tunnel between a UTM and Azure. Let's try the following:

1. Confirm that Debug is not enabled.
2. Disable the IPsec Connection.
3. Start the IPsec Live Log and wait for it to begin to populate.
4. Enable the IPsec Connection.
5. Show us about 60 lines from enabling through the error.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 5 years ago in reply to Alec Krohto1

Alec, it's tricky setting up a IPsec tunnel between a UTM and Azure. Let's try the following:

1. Confirm that Debug is not enabled.
2. Disable the IPsec Connection.
3. Start the IPsec Live Log and wait for it to begin to populate.
4. Enable the IPsec Connection.
5. Show us about 60 lines from enabling through the error.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Alec Krohto1 over 5 years ago in reply to BAlfson

Here you go. Does this suffice?

4024.LiveLogIPsecS2S.rtf
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 5 years ago in reply to Alec Krohto1

If there's any failure in the IPsec log, Alec, it would be after that, but I guess there won't be.

If you don't get an idea to resolve this issue from The Azure problem, it's time to watch what's going on inside the tunnel.

First, we need the REF_ of the tunnel:

cc get_object_by_name ipsec_connection site_to_site 'Dorm-to-Azure'|grep \'ref

Say that returns REF_IpsSitDormToAzure. To watch the traffic in the tunnel:

espdump -n --conn REF_IpsSitDormToAzure -vv

Any new info from that?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Alec Krohto1 over 5 years ago in reply to BAlfson

I am getting this error when running the espdump.

krohtofw:/home/login # cc get_object_by_name ipsec_connection site_to_site 'Dorm-to-Azure'|grep \'ref

'ref' => 'REF_IpsSitDormtoazur',

krohtofw:/home/login #

krohtofw:/home/login # espdump -n --conn REF_IpsSitDormtoazur -vv

ERROR: no tunnel found for 'REF_IpsSitDormtoazur'

krohtofw:/home/login # espdump -n --conn REF_IpsSitDormtoazur

ERROR: no tunnel found for 'REF_IpsSitDormtoazur'

krohtofw:/home/login #
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 5 years ago in reply to Alec Krohto1

This indicates that there might be an error further on in the log. Does the 'Site-to-site VPN Tunnel Status' show all IPsec SAs green when you're running the espdump?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Alec Krohto1 over 5 years ago in reply to BAlfson

Nevermind, I got the espdump to work. The log file is attached below

espdump_dorm_to_azure.rtf
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 5 years ago in reply to Alec Krohto1

Which side is x.y.z.26?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Alec Krohto1 over 5 years ago in reply to BAlfson

Dorm
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 5 years ago in reply to Alec Krohto1

There's no response from Azure. How is the tunnel defined on Azure? UTM doesn't support IKEv2 (Dynamic).

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Alec Krohto1 over 5 years ago in reply to BAlfson

Well this is weird. The Azure site to site VPN works fine on my home network with no issue. I am able to RDP into the Azure VM fine. However, it doesn't work on the college network. Do you know why? Is it because UDP/500 needs to be open and at college the port is not open?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 5 years ago in reply to Alec Krohto1

If you know for a fact that UDP 500 is blocked, Alec, then there's no way to establish an IPsec connection with Azure. You could do it with an XG instance in Azure though.

But, your logs don't indicate that UDP 500 is blocked, more likely that ESP or UDP 4500 is blocked. What do the network people at your university say?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel