Looks like it just took time for the SA to form. I can ping private IPs on the Azure side in the 10.1 subnet. Now to figure out how to ping private IPs in the 10.0 subnet. Thanks! ... View more

Tried to ping both private IPs of my Azure VMs and the public IP of the StrongSwan instance from the MX appliance and got a 100% loss rate.   I checked the ACLs and Security Groups in Azure, and I explicitly allowed traffic from my network, so that shouldn't be the issue. ... View more

Ah, gotcha.   Revised the settings on ipsec.conf to what you recommended: conn %default ikelifetime=28800s rekeymargin=3600s keyingtries=%forever keyexchange=ikev1 aggressive=no authby=psk dpdaction=restart dpddelay=30 conn remote-site left=%defaultroute leftsubnet=10.1.0.0/24 leftid=40.84.188.110 leftfirewall=yes right=136.49.171.24 rightsubnet=192.168.1.0/24 rightid=192.168.1.140 auto=add ike=aes256-sha1-md5-modp1024 esp=aes256-sha1   In addition to enabling port forwarding on my modem:   That seems to have established a preliminary connection (according to Meraki):   Meraki Packet Capture: --- Start Of Stream --- tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on wan0_sniff, link-type EN10MB (Ethernet), capture size 262144 bytes 17:31:36.670840 IP 192.168.1.140.4500 > 40.84.188.110.4500: isakmp-nat-keep-alive 17:31:36.935180 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] 17:31:36.965831 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] 17:31:46.971176 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] 17:31:47.001674 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] 17:31:56.682817 IP 192.168.1.140.4500 > 40.84.188.110.4500: isakmp-nat-keep-alive 17:31:57.007180 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] 17:31:57.038460 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] 17:32:07.051187 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] 17:32:07.081895 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] 17:32:16.694814 IP 192.168.1.140.4500 > 40.84.188.110.4500: isakmp-nat-keep-alive 17:32:17.087190 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] 17:32:17.118141 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] --- End Of Stream ---     Problem is I still can't pass traffic across the tunnel. I can't ping anything in my 192.168 subnet from my Azure Windows VM or even my StrongSwan instance   Aug 26 17:27:36 StrongSwan charon: 12[ENC] generating INFORMATIONAL_V1 request 2091158197 [ HASH N(DPD_ACK) ] Aug 26 17:27:36 StrongSwan charon: 12[NET] sending packet: from 10.1.0.4[4500] to 136.49.171.24[4500] (92 bytes) Aug 26 17:27:46 StrongSwan charon: 13[NET] received packet: from 136.49.171.24[4500] to 10.1.0.4[4500] (92 bytes) Aug 26 17:27:46 StrongSwan charon: 13[ENC] parsed INFORMATIONAL_V1 request 3753890785 [ HASH N(DPD) ] Aug 26 17:27:46 StrongSwan charon: 13[ENC] generating INFORMATIONAL_V1 request 3777594473 [ HASH N(DPD_ACK) ] Aug 26 17:27:46 StrongSwan charon: 13[NET] sending packet: from 10.1.0.4[4500] to 136.49.171.24[4500] (92 bytes) Aug 26 17:27:56 StrongSwan charon: 16[NET] received packet: from 136.49.171.24[4500] to 10.1.0.4[4500] (92 bytes) Aug 26 17:27:56 StrongSwan charon: 16[ENC] parsed INFORMATIONAL_V1 request 2834277021 [ HASH N(DPD) ] Aug 26 17:27:56 StrongSwan charon: 16[ENC] generating INFORMATIONAL_V1 request 4104792313 [ HASH N(DPD_ACK) ] Aug 26 17:27:56 StrongSwan charon: 16[NET] sending packet: from 10.1.0.4[4500] to 136.49.171.24[4500] (92 bytes) ... View more

I think I know what you mean, though I'm a bit confused on how StrongSwan will know to hit my network across the internet without a public IP (even with NAT). ... View more

The MX is at the very edge of my network (except the actual cable modem). My modem isn't doing any NAT, and I don't have any NAT or port forwarding configured on the MX.   It's odd because my WAN 1 is displaying both is public and private IPs, so I'm not sure which one to use for rightid   EDIT: I ended up using the Public IP of my MX for the rightid, and changing the destination to the private IP of my WAN1 in ipsec.secrets. It looks like it's recognizing the public-private IP pairing, but it's still a similar set of errors: Aug 23 20:15:36 StrongSwan charon: 11[IKE] local host is behind NAT, sending keep alives Aug 23 20:15:36 StrongSwan charon: 11[IKE] remote host is behind NAT Aug 23 20:15:36 StrongSwan charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ] Aug 23 20:15:36 StrongSwan charon: 11[NET] sending packet: from 10.1.0.4[500] to 136.49.171.24[500] (244 bytes) Aug 23 20:15:37 StrongSwan charon: 12[NET] received packet: from 136.49.171.24[4500] to 10.1.0.4[4500] (76 bytes) Aug 23 20:15:37 StrongSwan charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH ] Aug 23 20:15:37 StrongSwan charon: 12[CFG] looking for pre-shared key peer configs matching 10.1.0.4...136.49.171.24[192.168.1.140] Aug 23 20:15:37 StrongSwan charon: 12[IKE] no peer config found Aug 23 20:15:37 StrongSwan charon: 12[ENC] generating INFORMATIONAL_V1 request 2461985670 [ HASH N(AUTH_FAILED) ] Aug 23 20:15:37 StrongSwan charon: 12[NET] sending packet: from 10.1.0.4[4500] to 136.49.171.24[4500] (92 bytes) ... View more