Solved
Hey everyone,
Trying to set up a VPN from my MX60 (14.40 firmware) to Azure & AWS, and it seems like I'm hitting every possible roadblock with Azure. Here's a topology of what I'm trying to achieve (don't mind the poor design from a networking n00b):
https://www.lucidchart.com/invitations/accept/4624f655-72b1-49b7-9a97-6ab6254be063
Since MX appliances aren't compatible with Azure Virtual Network Gateways, I basically followed the instruction set here (http://www.ifm.net.nz/cookbooks/meraki-vpn-to-azure.html), and am trying to connect to a StrongSwan instance that's in its own Azure VNet (which is paired with my main Azure VNet) policies.
Support seems to think there's a Phase 1 lifetime mismatch, so I figured I'd post my settings here to see if anyone with a better eye can point out what I might be doing wrong:
StrongSwan ipsec.conf file:
conn %default
ikelifetime=28800s
rekeymargin=3600s
keyingtries=%forever
keyexchange=ikev1
aggressive=no
authby=psk
dpdaction=restart
dpddelay=30
conn remote-site
left=%defaultroute
leftsubnet=10.1.0.0/24 (Azure's encryption domain)
leftid=**.***.***.*** (StrongSwan VM public IP)
leftfirewall=yes
right=%any
rightsubnet=192.168.1.0/24 (My network's encryption domain)
rightid=***.**.***.** (MX60 public IP)
auto=add
ike=aes256-sha1-modp1024
esp=aes256-sha1
StrongSwan ipsec.secrets file:
%any %any : PSK "presharedkey"
Azure Route table
StrongSwan syslog:
Aug 22 22:31:36 StrongSwan charon: 13[IKE] remote host is behind NAT
Aug 22 22:31:36 StrongSwan charon: 13[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 22 22:31:36 StrongSwan charon: 13[NET] sending packet: from 10.1.0.4[500] to ***.**.***.**[500] (244 bytes)
Aug 22 22:31:36 StrongSwan charon: 05[NET] received packet: from ***.**.***.**[4500] to 10.1.0.4[4500] (76 bytes)
Aug 22 22:31:36 StrongSwan charon: 05[ENC] parsed ID_PROT request 0 [ ID HASH ]
Aug 22 22:31:36 StrongSwan charon: 05[CFG] looking for pre-shared key peer configs matching 10.1.0.4...***.**.***.**[192.168.1.140]
Aug 22 22:31:36 StrongSwan charon: 05[IKE] no peer config found
Aug 22 22:31:36 StrongSwan charon: 05[ENC] generating INFORMATIONAL_V1 request 1626992101 [ HASH N(AUTH_FAILED) ]
Aug 22 22:31:36 StrongSwan charon: 05[NET] sending packet: from 10.1.0.4[4500] to ***.**.***.**[4500] (92 bytes)
Meraki Event log:
Troubleshooting steps taken:
All address spaces have internet access
Port forwarding configured for 4500 and 500
172.16 (AWS VPC), 10.0 (Azure Main VNet), and 10.1 (Azure VPN VNet) can all ping each other and pass all traffic
192.168 (Corporate Network) and 172.16 (AWS VPC) can ping each other and pass all traffic
192.168 can't reach anything in the 10.* space - no ping and not unique traffic
Double-checked ipsec.conf to match MX IPSec policies
Tried different PSKs, including super simple ones
Changed ipsec.conf 'authby' parameter to 'secret'
Rebooted MX and StrongSwan instance
Nothing seems to work. Any idea here?
The MX is at the very edge of my network (except the actual cable modem). My modem isn't doing any NAT, and I don't have any NAT or port forwarding configured on the MX.
It's odd because my WAN 1 is displaying both is public and private IPs, so I'm not sure which one to use for rightid
EDIT: I ended up using the Public IP of my MX for the rightid, and changing the destination to the private IP of my WAN1 in ipsec.secrets. It looks like it's recognizing the public-private IP pairing, but it's still a similar set of errors:
Aug 23 20:15:36 StrongSwan charon: 11[IKE] local host is behind NAT, sending keep alives
Aug 23 20:15:36 StrongSwan charon: 11[IKE] remote host is behind NAT
Aug 23 20:15:36 StrongSwan charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 23 20:15:36 StrongSwan charon: 11[NET] sending packet: from 10.1.0.4[500] to 136.49.171.24[500] (244 bytes)
Aug 23 20:15:37 StrongSwan charon: 12[NET] received packet: from 136.49.171.24[4500] to 10.1.0.4[4500] (76 bytes)
Aug 23 20:15:37 StrongSwan charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH ]
Aug 23 20:15:37 StrongSwan charon: 12[CFG] looking for pre-shared key peer configs matching 10.1.0.4...136.49.171.24[192.168.1.140]
Aug 23 20:15:37 StrongSwan charon: 12[IKE] no peer config found
Aug 23 20:15:37 StrongSwan charon: 12[ENC] generating INFORMATIONAL_V1 request 2461985670 [ HASH N(AUTH_FAILED) ]
Aug 23 20:15:37 StrongSwan charon: 12[NET] sending packet: from 10.1.0.4[4500] to 136.49.171.24[4500] (92 bytes)
Ah, gotcha.
Revised the settings on ipsec.conf to what you recommended:
conn %default
ikelifetime=28800s
rekeymargin=3600s
keyingtries=%forever
keyexchange=ikev1
aggressive=no
authby=psk
dpdaction=restart
dpddelay=30
conn remote-site
left=%defaultroute
leftsubnet=10.1.0.0/24
leftid=40.84.188.110
leftfirewall=yes
right=136.49.171.24
rightsubnet=192.168.1.0/24
rightid=192.168.1.140
auto=add
ike=aes256-sha1-md5-modp1024
esp=aes256-sha1
In addition to enabling port forwarding on my modem:
That seems to have established a preliminary connection (according to Meraki):
Meraki Packet Capture:
--- Start Of Stream ---
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wan0_sniff, link-type EN10MB (Ethernet), capture size 262144 bytes
17:31:36.670840 IP 192.168.1.140.4500 > 40.84.188.110.4500: isakmp-nat-keep-alive
17:31:36.935180 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:31:36.965831 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:31:46.971176 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:31:47.001674 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:31:56.682817 IP 192.168.1.140.4500 > 40.84.188.110.4500: isakmp-nat-keep-alive
17:31:57.007180 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:31:57.038460 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:32:07.051187 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:32:07.081895 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:32:16.694814 IP 192.168.1.140.4500 > 40.84.188.110.4500: isakmp-nat-keep-alive
17:32:17.087190 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:32:17.118141 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
--- End Of Stream ---
Problem is I still can't pass traffic across the tunnel. I can't ping anything in my 192.168 subnet from my Azure Windows VM or even my StrongSwan instance
Aug 26 17:27:36 StrongSwan charon: 12[ENC] generating INFORMATIONAL_V1 request 2091158197 [ HASH N(DPD_ACK) ]
Aug 26 17:27:36 StrongSwan charon: 12[NET] sending packet: from 10.1.0.4[4500] to 136.49.171.24[4500] (92 bytes)
Aug 26 17:27:46 StrongSwan charon: 13[NET] received packet: from 136.49.171.24[4500] to 10.1.0.4[4500] (92 bytes)
Aug 26 17:27:46 StrongSwan charon: 13[ENC] parsed INFORMATIONAL_V1 request 3753890785 [ HASH N(DPD) ]
Aug 26 17:27:46 StrongSwan charon: 13[ENC] generating INFORMATIONAL_V1 request 3777594473 [ HASH N(DPD_ACK) ]
Aug 26 17:27:46 StrongSwan charon: 13[NET] sending packet: from 10.1.0.4[4500] to 136.49.171.24[4500] (92 bytes)
Aug 26 17:27:56 StrongSwan charon: 16[NET] received packet: from 136.49.171.24[4500] to 10.1.0.4[4500] (92 bytes)
Aug 26 17:27:56 StrongSwan charon: 16[ENC] parsed INFORMATIONAL_V1 request 2834277021 [ HASH N(DPD) ]
Aug 26 17:27:56 StrongSwan charon: 16[ENC] generating INFORMATIONAL_V1 request 4104792313 [ HASH N(DPD_ACK) ]
Aug 26 17:27:56 StrongSwan charon: 16[NET] sending packet: from 10.1.0.4[4500] to 136.49.171.24[4500] (92 bytes)
