Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 12 replies
  • Subscribers 5 subscribers
  • Views 30989 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos with azure

marlonrivera
hi everybody, am trying to configure my sophos utm 9.2 with azure, trying to connect with the vpn, somebody have an script, or an step-by-step to do it?

thanks alot community


This thread was automatically locked due to age.
Parents
  • 0
    Hi, Marlon, and welcome to the User BB!

    I don't remember if anyone gave a step-by-step, but there are some tricks.  Try a google on site:astaro.org azure and you will find previous discussions here.

    Cheers - Bob
  • 0 in reply to BAlfson
    thanks bob i hope find something [:)]
  • 0 in reply to marlonrivera
    1. Configure AZURE S2S network as static gatway (dynamic will not work, as UTM does not support IKEv2) and get public IP of AZURE GW (you will need your static IP to configure the Azure side)
    2. Create a Remote GW in UTM: S2S VPN -> IPSEC -> Remote GW
    3. Create a new IPSecConnection in S2S VPN -> IPSEC -> Connections (Chose your created GW in 2. and AES-256 as Policy, maybe you have to adjust the parameters of AES-256 Policy). Check Automatic FW Rules and Tunnel, makes live easier. uncheck strict routing 
    4. Also create NAT rule if reauired (Azure to internal)
    5. and Firewall rules (if not set automatic)
    6. have fun ;-) and send screenshots of your config it it does not work...

    M.
  • 0 in reply to t14u

    Sorry for warming this up.

    I created a s2s to Azure. Connection is established.

    Ping to a Server in the Azure network is working. 

    Also from the Azure Site to my local network.

    But RDP or SMB (\\server-ip\share) doesn work.

    Any Ideas what it can be?

    Thanks

    Thomas

    here is the log from the Azure side:

    Comments

    Details

     

    QM-LIFETIME-TYPE: 1

     

    QM-LIFETIME-SEC: 3600

     

    QM-ESP-INTEGRITY: HMAC-SHA1-96 (2)

     

    QM-KEY-LENGTH: 256

    On-prem device sent invalid payload.

    IkeProcessQMSA failed with HRESULT 0x80073613(ERROR_IPSEC_IKE_INVALID_PAYLOAD)

    On-prem device sent invalid payload.

    IkeHandlePayloadQMSA failed with HRESULT 0x80073613(ERROR_IPSEC_IKE_INVALID_PAYLOAD)

    On-prem device sent invalid payload.

    IkeProcessPayloadQM failed with HRESULT 0x80073613(ERROR_IPSEC_IKE_INVALID_PAYLOAD)

    On-prem device sent invalid payload.

    IkeProcessPayloadGroup failed with HRESULT 0x80073613(ERROR_IPSEC_IKE_INVALID_PAYLOAD)

    On-prem device sent invalid payload.

    IkeProcessPayloadsInPacket failed with HRESULT 0x80073613(ERROR_IPSEC_IKE_INVALID_PAYLOAD)

    On-prem device sent invalid payload.

    IkeHandleOakQMPacket failed with HRESULT 0x80073613(ERROR_IPSEC_IKE_INVALID_PAYLOAD)

    On-prem device sent invalid payload.

    IkeHandleOakQMPacketDispatch failed with HRESULT 0x80073613(ERROR_IPSEC_IKE_INVALID_PAYLOAD)

    On-prem device sent invalid payload.

    QM done. Cleaning up qmSa 0000001AEF43BC00.  Error 13843(ERROR_IPSEC_IKE_INVALID_PAYLOAD)

    On-prem is the QM initiator.

    IKE diagnostic event:, Failure type: IKE/Authip Quick Mode Failure, Failure error code:0x00003613, Invalid payload received, , Failure point: Local, Keying module type: Ike, QM State: State corresponding to first roundtrip, QM SA role: Responder, Mode: Transport Mode
  • 0 in reply to ThomasLichtenstern1

    Thomas, you might ask about that Azure report on the appropriate Microsoft site, too.

    First, confirm that you're not using Azure "Dynamic" as the UTM's IPsec won't work with that.  If you're not, then try #1 in Rulz to eliminate the simple things.  If you have no luck with that, be sure debug is not active and show us 50-to-100 lines from the IPsec Live Log when you attempt this.

    Cheers - Bob

  • 0 in reply to BAlfson

    Hi, attached in my first post was the report from the Azure site.

    And here is the IPSEC log. (xx by me)

     

    I figured out the http from azure site to local network is working....

     

    Fullscreen sophos_log.txt Download 
    2016:10:26-00:03:33 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
2016:10:26-00:03:43 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #2 {using isakmp#1}
2016:10:26-00:03:43 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #3: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2016:10:26-00:03:43 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #3: sent QI2, IPsec SA established {ESP=>0x14c963ba <0x2066751a}
2016:10:26-00:03:43 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #3: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2016:10:26-00:03:43 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2016:10:26-00:03:43 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #3: sending encrypted notification INVALID_PAYLOAD_TYPE to 52.166.xx.xx:500
2016:10:26-00:08:44 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #1: received Delete SA payload: replace IPSEC State #3 in 10 seconds
2016:10:26-00:08:54 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #3 {using isakmp#1}
2016:10:26-00:08:54 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #4: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2016:10:26-00:08:54 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #4: sent QI2, IPsec SA established {ESP=>0x3b9fdc08 <0xf8db0475}
2016:10:26-00:08:54 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #4: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2016:10:26-00:08:54 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #4: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2016:10:26-00:08:54 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #4: sending encrypted notification INVALID_PAYLOAD_TYPE to 52.166.xx.xx:500
2016:10:26-00:13:55 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #1: received Delete SA payload: replace IPSEC State #4 in 10 seconds
2016:10:26-00:14:01 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #5: responding to Quick Mode
2016:10:26-00:14:01 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #5: IPsec SA established {ESP=>0x98704d16 <0x1d63bb01}
2016:10:26-00:15:18 astaro pluto[25138]: forgetting secrets
2016:10:26-00:15:18 astaro pluto[25138]: loading secrets from "/etc/ipsec.secrets"
2016:10:26-00:15:18 astaro pluto[25138]:   loaded PSK secret for 178.26.xx.xx 52.166.xx.xx 
2016:10:26-00:15:18 astaro pluto[25138]: listening for IKE messages
2016:10:26-00:15:18 astaro pluto[25138]: forgetting secrets
2016:10:26-00:15:18 astaro pluto[25138]: loading secrets from "/etc/ipsec.secrets"
2016:10:26-00:15:18 astaro pluto[25138]:   loaded PSK secret for 178.26.xx.xx 52.166.xx.xx 
2016:10:26-00:15:18 astaro pluto[25138]: loading ca certificates from '/etc/ipsec.d/cacerts'
2016:10:26-00:15:18 astaro pluto[25138]:   loaded ca certificate from '/etc/ipsec.d/cacerts/REF_CaSigVpnSigniCa.pem'
2016:10:26-00:15:18 astaro pluto[25138]: loading aa certificates from '/etc/ipsec.d/aacerts'
2016:10:26-00:15:18 astaro pluto[25138]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2016:10:26-00:15:18 astaro pluto[25138]: loading attribute certificates from '/etc/ipsec.d/acerts'
2016:10:26-00:15:18 astaro pluto[25138]: Changing to directory '/etc/ipsec.d/crls'
2016:10:26-00:15:18 astaro ipsec_starter[25132]: no default route - cannot cope with %defaultroute!!!
2016:10:26-00:15:18 astaro pluto[25138]: "S_REF_IpsSitAzure_0": deleting connection
2016:10:26-00:15:18 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #5: deleting state (STATE_QUICK_R2)
2016:10:26-00:15:18 astaro pluto[25138]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="REF_IpsSitAzure" address="178.26.xx.xx" local_net="10.0.0.0/8" remote_net="172.17.0.0/16"
2016:10:26-00:15:18 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #1: deleting state (STATE_MAIN_I4)
2016:10:26-00:15:19 astaro pluto[25138]: added connection description "S_REF_IpsSitAzure_0"
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #6: initiating Main Mode
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #6: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #6: ignoring Vendor ID payload [RFC 3947]
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #6: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #6: ignoring Vendor ID payload [FRAGMENTATION]
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #6: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #6: ignoring Vendor ID payload [IKE CGA version 1]
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #6: Peer ID is ID_IPV4_ADDR: '52.166.xx.xx'
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #6: ISAKMP SA established
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#6}
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #7: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2016:10:26-00:15:19 astaro pluto[25138]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="REF_IpsSitAzure" address="178.26.xx.xx" local_net="10.0.0.0/8" remote_net="172.17.0.0/16"
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #7: sent QI2, IPsec SA established {ESP=>0xa5634952 <0x31fb70be}
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #7: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #7: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2016:10:26-00:15:19 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #7: sending encrypted notification INVALID_PAYLOAD_TYPE to 52.166.xx.xx:500
2016:10:26-00:32:26 astaro pluto[25138]: shutting down
2016:10:26-00:32:26 astaro pluto[25138]: forgetting secrets
2016:10:26-00:32:26 astaro pluto[25138]: "S_REF_IpsSitAzure_0": deleting connection
2016:10:26-00:32:26 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #7: deleting state (STATE_QUICK_I2)
2016:10:26-00:32:26 astaro pluto[25138]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="REF_IpsSitAzure" address="178.26.xx.xx" local_net="10.0.0.0/8" remote_net="172.17.0.0/16"
2016:10:26-00:32:26 astaro pluto[25138]: "S_REF_IpsSitAzure_0" #6: deleting state (STATE_MAIN_I4)
2016:10:26-00:32:26 astaro pluto[25138]: shutting down interface lo/lo ::1
2016:10:26-00:32:26 astaro pluto[25138]: shutting down interface lo/lo 127.0.0.1
2016:10:26-00:32:26 astaro pluto[25138]: shutting down interface eth0/eth0 10.1.1.1
2016:10:26-00:32:26 astaro pluto[25138]: shutting down interface eth1/eth1 192.168.179.29
2016:10:26-00:32:26 astaro pluto[25138]: shutting down interface eth2/eth2 192.168.0.13
2016:10:26-00:32:26 astaro pluto[25138]: shutting down interface eth3/eth3 178.26.xx.xx
2016:10:26-00:32:26 astaro pluto[25138]: shutting down interface wlan0/wlan0 172.16.28.1
2016:10:26-00:32:26 astaro ipsec_starter[25132]: pluto stopped after 60 ms
2016:10:26-00:32:26 astaro ipsec_starter[25132]: ipsec starter stopped
2016:10:26-00:45:08 astaro ipsec_starter[32161]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
2016:10:26-00:45:08 astaro ipsec_starter[32161]: no default route - cannot cope with %defaultroute!!!
2016:10:26-00:45:08 astaro pluto[32173]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
2016:10:26-00:45:08 astaro pluto[32173]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve 
2016:10:26-00:45:08 astaro pluto[32173]:   including NAT-Traversal patch (Version 0.6c) [disabled]
2016:10:26-00:45:08 astaro pluto[32173]: Using Linux 2.6 IPsec interface code
2016:10:26-00:45:08 astaro ipsec_starter[32167]: pluto (32173) started after 20 ms
2016:10:26-00:45:08 astaro pluto[32173]: loading ca certificates from '/etc/ipsec.d/cacerts'
2016:10:26-00:45:08 astaro pluto[32173]:   loaded ca certificate from '/etc/ipsec.d/cacerts/REF_CaSigVpnSigniCa.pem'
2016:10:26-00:45:08 astaro pluto[32173]: loading aa certificates from '/etc/ipsec.d/aacerts'
2016:10:26-00:45:08 astaro pluto[32173]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2016:10:26-00:45:08 astaro pluto[32173]: Changing to directory '/etc/ipsec.d/crls'
2016:10:26-00:45:08 astaro pluto[32173]: loading attribute certificates from '/etc/ipsec.d/acerts'
2016:10:26-00:45:08 astaro pluto[32173]: adding interface wlan0/wlan0 172.16.28.1:500
2016:10:26-00:45:08 astaro pluto[32173]: adding interface eth3/eth3 178.26.xx.xx:500
2016:10:26-00:45:08 astaro pluto[32173]: adding interface eth2/eth2 192.168.0.13:500
2016:10:26-00:45:08 astaro pluto[32173]: adding interface eth1/eth1 192.168.179.29:500
2016:10:26-00:45:08 astaro pluto[32173]: adding interface eth0/eth0 10.1.1.1:500
2016:10:26-00:45:08 astaro pluto[32173]: adding interface lo/lo 127.0.0.1:500
2016:10:26-00:45:08 astaro pluto[32173]: adding interface lo/lo ::1:500
2016:10:26-00:45:08 astaro pluto[32173]: loading secrets from "/etc/ipsec.secrets"
2016:10:26-00:45:08 astaro pluto[32173]:   loaded PSK secret for 178.26.xx.xx 52.166.xx.xx 
2016:10:26-00:45:08 astaro pluto[32173]: listening for IKE messages
2016:10:26-00:45:08 astaro pluto[32173]: added connection description "S_REF_IpsSitAzure_0"
2016:10:26-00:45:08 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #1: initiating Main Mode
2016:10:26-00:45:08 astaro pluto[32173]: ERROR: "S_REF_IpsSitAzure_0" #1: sendto on eth3 to 52.166.xx.xx:500 failed in main_outI1. Errno 1: Operation not permitted
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #1: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #1: ignoring Vendor ID payload [RFC 3947]
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #1: ignoring Vendor ID payload [FRAGMENTATION]
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #1: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #1: ignoring Vendor ID payload [IKE CGA version 1]
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #1: Peer ID is ID_IPV4_ADDR: '52.166.xx.xx'
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #1: ISAKMP SA established
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #2: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2016:10:26-00:45:19 astaro pluto[32173]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="REF_IpsSitAzure" address="178.26.xx.xx" local_net="10.0.0.0/8" remote_net="172.17.0.0/16"
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #2: sent QI2, IPsec SA established {ESP=>0xcc70125e <0x3465681b}
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #2: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2016:10:26-00:45:19 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #2: sending encrypted notification INVALID_PAYLOAD_TYPE to 52.166.xx.xx:500
2016:10:26-00:50:36 astaro pluto[32173]: forgetting secrets
2016:10:26-00:50:36 astaro pluto[32173]: loading secrets from "/etc/ipsec.secrets"
2016:10:26-00:50:36 astaro pluto[32173]:   loaded PSK secret for 178.26.xx.xx 52.166.xx.xx 
2016:10:26-00:50:36 astaro pluto[32173]: listening for IKE messages
2016:10:26-00:50:36 astaro pluto[32173]: forgetting secrets
2016:10:26-00:50:36 astaro pluto[32173]: loading secrets from "/etc/ipsec.secrets"
2016:10:26-00:50:36 astaro pluto[32173]:   loaded PSK secret for 178.26.xx.xx 52.166.xx.xx 
2016:10:26-00:50:36 astaro pluto[32173]: loading ca certificates from '/etc/ipsec.d/cacerts'
2016:10:26-00:50:36 astaro pluto[32173]:   loaded ca certificate from '/etc/ipsec.d/cacerts/REF_CaSigVpnSigniCa.pem'
2016:10:26-00:50:36 astaro pluto[32173]: loading aa certificates from '/etc/ipsec.d/aacerts'
2016:10:26-00:50:36 astaro pluto[32173]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2016:10:26-00:50:36 astaro pluto[32173]: loading attribute certificates from '/etc/ipsec.d/acerts'
2016:10:26-00:50:36 astaro pluto[32173]: Changing to directory '/etc/ipsec.d/crls'
2016:10:26-00:50:36 astaro ipsec_starter[32167]: no default route - cannot cope with %defaultroute!!!
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0": deleting connection
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #2: deleting state (STATE_QUICK_I2)
2016:10:26-00:50:36 astaro pluto[32173]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="REF_IpsSitAzure" address="178.26.xx.xx" local_net="10.0.0.0/8" remote_net="172.17.0.0/16"
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #1: deleting state (STATE_MAIN_I4)
2016:10:26-00:50:36 astaro pluto[32173]: added connection description "S_REF_IpsSitAzure_0"
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #3: initiating Main Mode
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #3: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #3: ignoring Vendor ID payload [RFC 3947]
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #3: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #3: ignoring Vendor ID payload [FRAGMENTATION]
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #3: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #3: ignoring Vendor ID payload [IKE CGA version 1]
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #3: Peer ID is ID_IPV4_ADDR: '52.166.xx.xx'
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #3: ISAKMP SA established
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#3}
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #4: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2016:10:26-00:50:36 astaro pluto[32173]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="REF_IpsSitAzure" address="178.26.xx.xx" local_net="10.0.0.0/8" remote_net="172.17.0.0/16"
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #4: sent QI2, IPsec SA established {ESP=>0x3408ba06 <0xe1b403a6}
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #4: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #4: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2016:10:26-00:50:36 astaro pluto[32173]: "S_REF_IpsSitAzure_0" #4: sending encrypted notification INVALID_PAYLOAD_TYPE to 52.166.xx.xx:500
0Tracker

  • 0 in reply to ThomasLichtenstern1

    Please reread my post above, Thomas, as it anticipated this exact result in the IPsec log.

    Cheers - Bob

  • 0 in reply to BAlfson

    Hi Bob,

    so I checked

    I am not using Azure "Dynamic" Gateway

    f you're not, then try #1 in Rulz to eliminate the simple things. Done (already disables IPS and so on)

     and debug is not active 

     I see this in Firewall log when I try to RDP a machine in Azure:

      Default DROP TCP  
    10.1.1.2 : 61717
    172.17.0.4 : 3389
    		 
    [SYN] len=52 ttl=127 tos=0x00 srcmac=f0:de:f1:f9:45:fc dstmac=00:60:e0:63:45:36

    So no Idea what to do next

    Thomas

  • 0 in reply to ThomasLichtenstern1

    Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post the line corresponding to the one above.

    Cheers - Bob

  • 0 in reply to BAlfson

    Sorry to bring a post back from the dead but we too have this same issue.  Any idea's where this went with getting the IPSEC tunnel to work correctly from Sophos UTM to Azure?

  • 0 in reply to Dave1

    Dave, please post a relevant line from the full Firewall log file.

    Cheers - Bob

  • 0 in reply to BAlfson

    Bob,  Glad to see you are still around here.  It's been nice over the years to read your comments and suggestions on fixes!  Actually, after I wrote this it appeared to start working.. I believe it's because we have two subnets setup for the site-to-site vpn with Azure and one of the subnets wasn't configure on-prem yet which ended up throwing the decrypted error in the logs.  Thanks for responding!

Reply
  • 0 in reply to BAlfson

    Bob,  Glad to see you are still around here.  It's been nice over the years to read your comments and suggestions on fixes!  Actually, after I wrote this it appeared to start working.. I believe it's because we have two subnets setup for the site-to-site vpn with Azure and one of the subnets wasn't configure on-prem yet which ended up throwing the decrypted error in the logs.  Thanks for responding!

Children
No Data