I've downloaded the scripts from Azure for Cisco and Juniper so I can try and match their settings.
I've gotten close but I keep getting this NO_PROPOSAL_CHOSEN.
I have tried respond only and initiate.
2015:02:20-11:13:04 router pluto[1962]: | *received 616 bytes from AzureIP:500 on eth1.20
2015:02:20-11:13:05 router pluto[1962]: |
2015:02:20-11:13:05 router pluto[1962]: | *received 616 bytes from AzureIP:500 on eth1.20
2015:02:20-11:13:06 router pluto[1962]: |
2015:02:20-11:13:06 router pluto[1962]: | *received 56 bytes from AzureIP:500 on eth1.20
2015:02:20-11:13:06 router pluto[1962]: | **parse ISAKMP Message:
2015:02:20-11:13:06 router pluto[1962]: | initiator cookie:
2015:02:20-11:13:06 router pluto[1962]: | f6 e0 cf a9 de 40 43 70
2015:02:20-11:13:06 router pluto[1962]: | responder cookie:
2015:02:20-11:13:06 router pluto[1962]: | 02 e3 ba c6 58 95 95 eb
2015:02:20-11:13:06 router pluto[1962]: | next payload type: ISAKMP_NEXT_N
2015:02:20-11:13:06 router pluto[1962]: | ISAKMP version: ISAKMP Version 1.0
2015:02:20-11:13:06 router pluto[1962]: | exchange type: ISAKMP_XCHG_INFO
2015:02:20-11:13:06 router pluto[1962]: | flags: none
2015:02:20-11:13:06 router pluto[1962]: | message ID: d1 a2 3a 1f
2015:02:20-11:13:06 router pluto[1962]: | length: 56
2015:02:20-11:13:06 router pluto[1962]: | ***parse ISAKMP Notification Payload:
2015:02:20-11:13:06 router pluto[1962]: | next payload type: ISAKMP_NEXT_NONE
2015:02:20-11:13:06 router pluto[1962]: | length: 28
2015:02:20-11:13:06 router pluto[1962]: | DOI: ISAKMP_DOI_IPSEC
2015:02:20-11:13:06 router pluto[1962]: | protocol ID: 1
2015:02:20-11:13:06 router pluto[1962]: | SPI size: 16
2015:02:20-11:13:06 router pluto[1962]: | Notify Message Type: NO_PROPOSAL_CHOSEN
2015:02:20-11:13:06 router pluto[1962]: packet from AzureIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2015:02:20-11:13:06 router pluto[1962]: | info: f6 e0 cf a9 de 40 43 70 02 e3 ba c6 58 95 95 eb
2015:02:20-11:13:46 router pluto[1962]: |
2015:02:20-11:13:46 router pluto[1962]: | *received 56 bytes from AzureIP:500 on eth1.20
2015:02:20-11:13:46 router pluto[1962]: | **parse ISAKMP Message:
2015:02:20-11:13:46 router pluto[1962]: | initiator cookie:
2015:02:20-11:13:46 router pluto[1962]: | f6 e0 cf a9 de 40 43 70
2015:02:20-11:13:46 router pluto[1962]: | responder cookie:
2015:02:20-11:13:46 router pluto[1962]: | 98 57 bd 47 21 10 b6 01
2015:02:20-11:13:46 router pluto[1962]: | next payload type: ISAKMP_NEXT_N
2015:02:20-11:13:46 router pluto[1962]: | ISAKMP version: ISAKMP Version 1.0
2015:02:20-11:13:46 router pluto[1962]: | exchange type: ISAKMP_XCHG_INFO
2015:02:20-11:13:46 router pluto[1962]: | flags: none
2015:02:20-11:13:46 router pluto[1962]: | message ID: 98 34 87 c8
2015:02:20-11:13:46 router pluto[1962]: | length: 56
2015:02:20-11:13:46 router pluto[1962]: | ***parse ISAKMP Notification Payload:
2015:02:20-11:13:46 router pluto[1962]: | next payload type: ISAKMP_NEXT_NONE
2015:02:20-11:13:46 router pluto[1962]: | length: 28
2015:02:20-11:13:46 router pluto[1962]: | DOI: ISAKMP_DOI_IPSEC
2015:02:20-11:13:46 router pluto[1962]: | protocol ID: 1
2015:02:20-11:13:46 router pluto[1962]: | SPI size: 16
2015:02:20-11:13:46 router pluto[1962]: | Notify Message Type: NO_PROPOSAL_CHOSEN
2015:02:20-11:13:46 router pluto[1962]: packet from AzureIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2015:02:20-11:13:46 router pluto[1962]: | info: f6 e0 cf a9 de 40 43 70 98 57 bd 47 21 10 b6 01
2015:02:20-11:13:51 router pluto[1962]: |
2015:02:20-11:13:51 router pluto[1962]: | *received 616 bytes from AzureIP:500 on eth1.20
2015:02:20-11:13:52 router pluto[1962]: |
2015:02:20-11:13:52 router pluto[1962]: | *received 616 bytes from AzureIP:500 on eth1.20
2015:02:20-11:13:53 router pluto[1962]: |
2015:02:20-11:13:53 router pluto[1962]: | *received 616 bytes from AzureIP:500 on eth1.20
2015:02:20-11:13:57 router pluto[1962]: |
2015:02:20-11:13:57 router pluto[1962]: | *received 616 bytes from AzureIP:500 on eth1.20
2015:02:20-11:13:58 router pluto[1962]: |
2015:02:20-11:13:58 router pluto[1962]: | *received 616 bytes from AzureIP:500 on eth1.20
Here is a sample config from their script:
set security ike proposal azure-proposal authentication-method pre-shared-keys
set security ike proposal azure-proposal authentication-algorithm sha1
set security ike proposal azure-proposal encryption-algorithm aes-256-cbc
set security ike proposal azure-proposal lifetime-seconds 28800
set security ike proposal azure-proposal dh-group group2
set security ike policy azure-policy mode main
set security ike policy azure-policy proposals azure-proposal
set security ike policy azure-policy pre-shared-key ascii-text
set security ike gateway azure-gateway ike-policy azure-policy
set security ike gateway azure-gateway address
set security ike gateway azure-gateway external-interface
# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
#
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association.
set security ipsec proposal azure-ipsec-proposal protocol esp
set security ipsec proposal azure-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal azure-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal azure-ipsec-proposal lifetime-seconds 3600
set security ipsec policy azure-vpn-policy proposals azure-ipsec-proposal
set security ipsec vpn azure-ipsec-vpn ike gateway azure-gateway
set security ipsec vpn azure-ipsec-vpn ike ipsec-policy azure-vpn-policy
Here are my settings.
[Screenshots attached: Azure 1.PNG, Azure 2.PNG, Azure 3.PNG, Azure 4.PNG]
Not sure what else to set.
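Added example, not part of the original post: a small parser for the pluto debug output quoted above that pulls out each ISAKMP notification together with its cookies and the protocol ID, which says whether the notification concerns the IKE (phase 1) SA or an IPsec (phase 2) SA. The function name `notifications` is hypothetical; the protocol ID values are those of the IPsec DOI (RFC 2407).

```python
import re

# IPsec DOI protocol identifiers (RFC 2407)
PROTO = {1: "ISAKMP (phase 1 / IKE SA)", 2: "AH (phase 2)", 3: "ESP (phase 2)"}

# Excerpt copied from the pluto debug output quoted in the post.
SAMPLE = """\
2015:02:20-11:13:06 router pluto[1962]: | **parse ISAKMP Message:
2015:02:20-11:13:06 router pluto[1962]: | initiator cookie:
2015:02:20-11:13:06 router pluto[1962]: | f6 e0 cf a9 de 40 43 70
2015:02:20-11:13:06 router pluto[1962]: | responder cookie:
2015:02:20-11:13:06 router pluto[1962]: | 02 e3 ba c6 58 95 95 eb
2015:02:20-11:13:06 router pluto[1962]: | ***parse ISAKMP Notification Payload:
2015:02:20-11:13:06 router pluto[1962]: | protocol ID: 1
2015:02:20-11:13:06 router pluto[1962]: | Notify Message Type: NO_PROPOSAL_CHOSEN
"""

LINE = re.compile(r"^(\S+) \S+ pluto\[\d+\]: \| ?(.*)$")

def notifications(log):
    """Return one dict per ISAKMP notification payload found in the log."""
    out, msg, pending = [], {}, None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, body = m.group(1), m.group(2).strip()
        if body.startswith("**parse ISAKMP Message"):
            msg, pending = {"time": ts}, None        # new message: reset state
        elif body in ("initiator cookie:", "responder cookie:"):
            pending = body[:-1]                       # value is on the next line
        elif pending:
            msg[pending], pending = body.replace(" ", ""), None
        elif body.startswith("protocol ID:"):
            pid = int(body.split(":")[1])
            msg["scope"] = PROTO.get(pid, f"unknown ({pid})")
        elif body.startswith("Notify Message Type:"):
            msg["notify"] = body.split(":", 1)[1].strip()
            out.append(dict(msg))
    return out

if __name__ == "__main__":
    for n in notifications(SAMPLE):
        print(n)
```

Both notifications in the log above carry protocol ID 1, so the peer is rejecting the phase 1 (IKE) proposal; the values to compare first are the encryption, hash, DH group and lifetime of the IKE policy rather than the IPsec policy.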