
Site-to-Site VPN to Windows Azure

Hi all

Wondering if anyone successfully created a site-to-site VPN to Azure's new Virtual Network. 

Tried several options based on the Cisco and Juniper configs provided by MSFT, but to no avail. Usually stuck with a "no connection has been authorized with policy=PSK" message.

Running 8.3 on a UTM-120. 

Cheers,
Dan


  • Digging around a bit, I found About VPN Devices for Virtual Network.  What are your policy settings on the Astaro?
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Hello, I have the same problem.

    These are my policy settings:

    2012:07:03-11:03:38 asg-2 pluto[8702]: packet from 168.63.13.46:1024: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
    2012:07:03-11:03:38 asg-2 pluto[8702]: packet from 168.63.13.46:1024: received Vendor ID payload [RFC 3947]
    2012:07:03-11:03:38 asg-2 pluto[8702]: packet from 168.63.13.46:1024: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2012:07:03-11:03:38 asg-2 pluto[8702]: packet from 168.63.13.46:1024: ignoring Vendor ID payload [FRAGMENTATION]
    2012:07:03-11:03:38 asg-2 pluto[8702]: packet from 168.63.13.46:1024: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
    2012:07:03-11:03:38 asg-2 pluto[8702]: packet from 168.63.13.46:1024: ignoring Vendor ID payload [Vid-Initial-Contact]
    2012:07:03-11:03:38 asg-2 pluto[8702]: packet from 168.63.13.46:1024: ignoring Vendor ID payload [IKE CGA version 1]
    2012:07:03-11:03:38 asg-2 pluto[8702]: packet from 168.63.13.46:1024: initial Main Mode message received on 194.208.34.253:500 but no connection has been authorized with policy=PSK 


    policy settings:

    Policy_Azure
    Compression off, not using strict policy.
    IKE Settings: AES 128 / SHA1 / Group 2: MODP 1024   Lifetime: 28800 seconds
    IPSec Settings: AES 128 / SHA1 / Null (None)   Lifetime: 3600 seconds

    Any ideas?
  • Has anyone had any success with this?  I am attempting to set this up without any luck.
  • Hi, Dan and corehealth, and welcome to the User BB!

    Sebastian, try with:

    IKE Settings: AES 128 / SHA1 / Group 2: MODP 1024 Lifetime: 28800 seconds
    IPSec Settings: AES 128 / SHA1 / Group 2: MODP 1024 Lifetime: 3600 seconds



    Did that work?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I believe I have everything set up as described.  This is the message that seems relevant in the log:

    2012:07:10-09:39:32 astaro-1 pluto[7667]: "S_for VPN Users"[360] [AzureGatewayIP]:1024 #1133: next payload type of ISAKMP Identification Payload has an unknown value: 73
     
    2012:07:10-09:39:32 astaro-1 pluto[7667]: "S_for VPN Users"[360] [AzureGatewayIP]:1024 #1133: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
     
    2012:07:10-09:39:32 astaro-1 pluto[7667]: "S_for VPN Users"[360] [AzureGatewayIP]:1024 #1133: sending encrypted notification PAYLOAD_MALFORMED to [AzureGatewayIP]:1024
  • That looks like a different problem - your Pre-Shared Key doesn't match.

    Cheers - Bob
     
  • I've double-checked my pre-shared key and it's the same one that is provided.  Is there anything else that I should be looking at?
  • Try again with a very simple PSK.  You can make a complex one when the simple one works.  If it doesn't, then please post all of the log lines for a single connection attempt.

    Cheers - Bob
     
  • Unfortunately we don't have control over the format of the key as it's generated by Azure.  The key looks something like this: 3gciwsoC1Ww9UxOQK9iFfLdFJZrq3riKPmncaE6NJaN0Nffd5P.

    The only option available is to regenerate it.
  • What about that space at the end?  You might check to be certain you have the exact number of characters.

    Cheers - Bob
     
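
Added example, not part of any post in this thread: a small Python triage of pluto log lines like those quoted above. It separates the two failures discussed (no connection matched for PSK, and a probable PSK mismatch) and checks a pasted key for stray whitespace. The sample lines are constructed with documentation addresses, and `triage`, `psk_issues` and the finding codes are names chosen here.

```python
import re

# Constructed sample shaped like the log lines quoted in the thread;
# addresses are RFC 5737 documentation ranges, not the thread's.
SAMPLE = """\
2012:07:03-11:03:38 asg-2 pluto[8702]: packet from 203.0.113.46:1024: received Vendor ID payload [RFC 3947]
2012:07:03-11:03:38 asg-2 pluto[8702]: packet from 203.0.113.46:1024: initial Main Mode message received on 198.51.100.253:500 but no connection has been authorized with policy=PSK
2012:07:10-09:39:32 astaro-1 pluto[7667]: "S_for VPN Users"[360] 203.0.113.46:1024 #1133: next payload type of ISAKMP Identification Payload has an unknown value: 73
2012:07:10-09:39:32 astaro-1 pluto[7667]: "S_for VPN Users"[360] 203.0.113.46:1024 #1133: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
"""

# Two line shapes: before a connection is matched ("packet from ...") and after.
LINE = re.compile(
    r'pluto\[\d+\]: (?:packet from (?P<p1>[\d.]+):(?P<s1>\d+)'
    r'|"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<p2>[\d.]+):(?P<s2>\d+) #\d+): (?P<msg>.*)$')

# Message fragment -> (finding code, what to check on the local gateway)
RULES = {
    "no connection has been authorized with policy=PSK":
        ("NO_PSK_CONN", "no connection definition accepts this peer with PSK"),
    "mismatch of preshared secrets":
        ("PSK_MISMATCH", "compare both PSKs character by character"),
}

def triage(text):
    """Return one finding dict per failure line, in log order."""
    out = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        for needle, (code, hint) in RULES.items():
            if needle in m["msg"]:
                out.append({
                    "peer": m["p1"] or m["p2"],
                    "conn": m["conn"],  # None until pluto matches a connection
                    "src_port_500": (m["s1"] or m["s2"]) == "500",
                    "finding": code, "hint": hint})
    return out

def psk_issues(psk):
    """Flag copy/paste damage of the kind asked about at the end of the thread."""
    issues = []
    if psk != psk.strip():
        issues.append("leading or trailing whitespace")
    if any(not 33 <= ord(c) <= 126 for c in psk.strip()):
        issues.append("embedded space or non-ASCII character")
    return issues
```

The `conn` field shows which connection definition pluto matched, so it can be compared with the tunnel that was meant to handle the peer.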