Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2291
Views
0
Helpful
8
Replies

Site-to-Site VPN - FTD (6.2) x Azure

Go to solution
caiobomani
Level 1
Level 1

‎11-28-2018 04:58 AM

Has anyone successfully created a VPN with Azure from within FTD devices?

 

I'm attempting to establish the tunnel (which can only be IKEv2) and the Phase 2 flow is not establishing.

 

Attaching the debug logs from the connection.

 

Any suggestions?

 

Obs.: I've masked my end of the tunnel IP with an *.*.*.*

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
caiobomani
Level 1
Level 1

‎01-14-2019 09:51 AM

Azure side was indeed not specifying the encryption domain on both ends. That needed to be done via shellscript.

 

After that got fixed, the tunnel came up and the communication started to flow.

 

Thanks everyone for the assistance.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Rob Ingram
VIP
VIP

‎11-28-2018 05:23 AM

Hi, you don't appeared to have uploaded the debug logs.
0 Helpful

Go to solution
caiobomani
Level 1
Level 1
In response to Rob Ingram

‎11-28-2018 05:25 AM

My apologies.

 

Here you go.

Preview file
62 KB
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to caiobomani

‎11-28-2018 06:01 AM

Hi,

The following errors are repeated a few times:-

 

IKEv2-PLAT-2: (582): Crypto map CSM_inet_map seq 1 is incomplete
IKEv2-PLAT-2: (582): Crypto map CSM_inet_map seq 2 is incomplete
IKEv2-PLAT-2: (582): Crypto map CSM_inet_map seq 3 is incomplete
IKEv2-PLAT-2: (582): Crypto map CSM_inet_map seq 5 is incomplete
IKEv2-PLAT-2: (582): Crypto Map: No proxy match on map CSM_inet_map seq 6
IKEv2-PROTO-1: (582): Failed to find a matching policy
IKEv2-PROTO-1: (582): Received Policies:
IKEv2-PROTO-1: (582): Failed to find a matching policy
IKEv2-PROTO-1: (582): Expected Policies:
IKEv2-PROTO-5: (582): Failed to verify the proposed policies
IKEv2-PROTO-1: (582): Failed to find a matching policy

I'd check your protected networks on both ends and make sure you've defined exactly the same networks/subnet mask etc. Also I'd check the IKEv2 Policy on both ends to ensure the same algorithms are defined.

 

HTH

 

0 Helpful

Go to solution
caiobomani
Level 1
Level 1
In response to Rob Ingram

‎12-03-2018 04:49 AM

Indeed with a more detailed capture (attached) it confirmed that Azure side is attempting to send all networks.

 

Payload IKEV2 TSi PAYLOAD
Next Payload: IKEV2 TSr PAYLOAD
Critical Bit: OFF
Reserved: 00
Payload Length: 24
Num TSs: 1
Reserved: 000000
Protocol ID: 0
Selector Length: 16
Port Range: 0 - 65535
Type: TS_IPV4_ADDR_RANGE
0.0.0.0 -> 255.255.255.255
Payload IKEV2 TSr PAYLOAD
Next Payload: None
Critical Bit: OFF
Reserved: 00
Payload Length: 24
Num TSs: 1
Reserved: 000000
Protocol ID: 0
Selector Length: 16
Port Range: 0 - 65535
Type: TS_IPV4_ADDR_RANGE
0.0.0.0 -> 255.255.255.255

 

 

 

As soon as I get it fixed in the partner side, I'll let you guys know how it goes.

Preview file
91 KB
0 Helpful

Go to solution
caiobomani
Level 1
Level 1

‎01-14-2019 09:51 AM

Azure side was indeed not specifying the encryption domain on both ends. That needed to be done via shellscript.

 

After that got fixed, the tunnel came up and the communication started to flow.

 

Thanks everyone for the assistance.

0 Helpful

Go to solution
sanmi
Level 1
Level 1
In response to caiobomani

‎02-10-2019 01:36 AM

Any chance that you explain here how to specify the encryption domain on the Azure endpoint (shellscript)?

 

Best,

0 Helpful

Go to solution
caiobomani
Level 1
Level 1
In response to sanmi

‎02-11-2019 08:46 AM

I've requested that script from my partner and he gave me this:

 

1) Create (via web interface) the ResourceGroup, Virtual Network and VPN Gateway.

 

2) Script

Login-AzureRmAccount

 

Select-AzureRmSubscription -SubscriptionID *ID*

 

$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name *Virtual Network Azure* -ResourceGroupName *Resource Group Name*

 

$lng6 = Get-AzureRmLocalNetworkGateway -Name *NAME* -ResourceGroupName *Resource Group Name*

 

$ipsecpolicy6 = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup None -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000

 

New-AzureRmVirtualNetworkGatewayConnection -Name *NAME* -ResourceGroupName *Resource Group Name* -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location *where the resource will be hosted* -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy6 -SharedKey ‘*PSK*’

0 Helpful

Go to solution
sanmi
Level 1
Level 1
In response to caiobomani

‎02-12-2019 04:19 AM

Hi caiobomani

Please check that what the script is doing is create a policy based traffic Gateway, thus parting ways with route based configuration. This way you won't be able to use the Azure Basic Gateway SKU, instead you will be forced to use a more expensive SKU.

-UsePolicyBasedTrafficSelectors $True 

 

I just opened a case with Azure support. I will let you know if they can fix the offered acl.

 

Best,

sanmi

 

0 Helpful
Customers Also Viewed These Support Documents