1 Reply Latest reply on Mar 17, 2016 8:01 AM by lnurmi

    Route based VPN with Azure (NGFW)

    ibonardo

      Hello,


      We are trying to configure a route-based VPN with Azure and we are having some problems even negotiating phase 1 in the IPsec tunnel. I have created a tunnel mode route-based VPN and this is what I'm getting from vpninfo:


      11:59:50|ERROR|ERROR|Tue Mar 01 2016 11:59:50 +0100: ERROR: 0: : xxxxxxx: xxxxxxxxxxxxxx: : : : : : : : 12103: IKEv2 SA responder failed, Remote 13.y.y.y(ipv4), Local auth method: Reserved, Remote auth method: Pre-shared key: xxxxxxx xxxxxxx xxxxxxx xxxxx: Dst 212.x.x.x: Src 13.y.y.y: Dst port 500: Src port 500


      My endpoint: 212.x.x.x

      Azure's endpoint: 13.y.y.y


      What makes me crazy is the "Local auth method: Reserved" parameter passed by the Azure endpoint; it looks like they have another authentication method on the other side, but Azure's side has told me that they've configured it with PSK. Do you have any experience in doing route-based VPN with Azure (it should be standard but you never know with Microsoft)?


      I have been reading Microsoft's notes and the Stonesoft firewall doesn't appear as a supported brand for Azure; here you can see:


      https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/


      Thank you!


      Regards,

      Ibon

        • 1. Re: Route based VPN with Azure (NGFW)
          lnurmi

          Hi,


          Maybe you already got this working, but for the benefit of anyone else reading, VPN with Azure is feasible. The local auth method, I think, is always logged as "reserved" and it refers to the method configured on the NGFW; your log tells you that Azure is using PSK.


          If there are no other messages related to the negotiation failure, enable IPsec diagnostics for the firewall (right-click fw, options, diagnostics) and then try initiating the tunnel again or wait for the other end to initiate it. The other IPsec log messages surrounding the "initiator/responder failed" error would then tell you in more detail why it failed. If there is some kind of error code logged, you can find the explanations here (not changed since v5.0): http://help.stonesoft.com/onlinehelp/StoneGate/SMC/5.3.7/SGAG/SG_FWIPS_LogFieldValues/VPN_Error_Codes.htm


          BR,

          Lauri
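As an added example (not part of this thread, nor Stonesoft's or Microsoft's code), the following Python script does the triage the reply describes on the vpninfo line format quoted in the question: it pulls the error code, negotiation role, peer address, and both auth methods out of each "IKEv2 SA ... failed" line, counts failures per peer, and flags lines where the peer's auth method is not the one we expect (PSK here). It treats "Reserved" in Local auth method as the NGFW's own placeholder, as the reply suggests, and only compares the Remote auth method. The sample log is constructed: the first line is the masked line from the question, the second is a constructed variant of the same shape (the "RSA signature" wording is a stand-in, not the product's actual string), and the third is an unrelated line that should be ignored. The expected peer method string and the field names are assumptions for this example.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample input (see lead-in): line 1 is the masked line from the
# question, line 2 a constructed variant, line 3 noise that must not match.
SAMPLE_LOG = """\
11:59:50|ERROR|ERROR|Tue Mar 01 2016 11:59:50 +0100: ERROR: 0: : xxxxxxx: xxxxxxxxxxxxxx: : : : : : : : 12103: IKEv2 SA responder failed, Remote 13.y.y.y(ipv4), Local auth method: Reserved, Remote auth method: Pre-shared key: xxxxxxx xxxxxxx xxxxxxx xxxxx: Dst 212.x.x.x: Src 13.y.y.y: Dst port 500: Src port 500
12:01:12|ERROR|ERROR|Tue Mar 01 2016 12:01:12 +0100: ERROR: 0: : xxxxxxx: xxxxxxxxxxxxxx: : : : : : : : 12103: IKEv2 SA initiator failed, Remote 13.y.y.y(ipv4), Local auth method: Reserved, Remote auth method: RSA signature: xxxxxxx: Dst 212.x.x.x: Src 13.y.y.y: Dst port 500: Src port 500
12:02:00|INFO|INFO|Tue Mar 01 2016 12:02:00 +0100: INFO: unrelated message
"""

# Field layout inferred from the quoted line: time|severity|severity|timestamp:
# ...: <5-digit code>: IKEv2 SA <role> failed, Remote <ip>(ipv4), Local auth
# method: <x>, Remote auth method: <y>: ...: Dst <ip>: Src <ip>: Dst port <n>: Src port <n>
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\|(?P<sev>\w+)\|\w+\|"
    r"(?P<stamp>[^:]+(?::\d\d){2} [+-]\d{4}): "
    r".*?(?P<code>\d{5}): IKEv2 SA (?P<role>initiator|responder) failed, "
    r"Remote (?P<remote>[^(]+)\(ipv4\), "
    r"Local auth method: (?P<local_auth>[^,]+), "
    r"Remote auth method: (?P<remote_auth>[^:]+):"
    r".*Dst (?P<dst>[\w.]+): Src (?P<src>[\w.]+): "
    r"Dst port (?P<dport>\d+): Src port (?P<sport>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of an IKEv2 SA failure line, or None if the
    line is not such a failure (any other vpninfo output is skipped)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    for key in ("code", "dport", "sport"):
        event[key] = int(event[key])
    return event


def triage(log_text: str, expected_peer_auth: str = "Pre-shared key") -> dict:
    """Summarise IKEv2 negotiation failures: how many, per which peer, with
    which error codes, and which ones show a peer auth method other than the
    one we expect. 'Reserved' on the local side is deliberately not treated as
    a mismatch; per the reply it is how the NGFW logs its own configured method."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_peer = Counter(e["remote"] for e in events)
    mismatched = [
        (e["time"], e["remote"], e["remote_auth"])
        for e in events
        if e["remote_auth"] != expected_peer_auth
    ]
    return {
        "failures": len(events),
        "by_peer": dict(by_peer),
        "codes": sorted({e["code"] for e in events}),
        "mismatched_auth": mismatched,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['failures']} IKEv2 failures, codes {summary['codes']}")
    for peer, n in summary["by_peer"].items():
        print(f"  peer {peer}: {n} failure(s)")
    for when, peer, method in summary["mismatched_auth"]:
        print(f"  {when}: peer {peer} offered '{method}', expected PSK")
    print("Look up each code in the VPN error code reference linked in the reply.")
```

The codes returned by `triage` are the ones to look up in the error-code reference Lauri links; in the quoted case (12103 with the peer offering "Pre-shared key") the auth methods agree, so the cause has to come from the surrounding diagnostic messages rather than from this line alone.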