RRAS to pfSense on Azure VM. no virtual IP found for %any
Hello everyone,
I'm new to setting up VPNs. I have pfSense installed on an Azure VM and I'm trying to set up a site-to-site VPN connection between pfSense (Azure VM) and my local server (RRAS). I have configured site-to-site IPsec IKEv2. RRAS receives "Invalid payload received" and the pfSense logs say:
. . . .
Feb 24 21:07:43 charon 15[IKE] <2> remote host is behind NAT
Feb 24 21:07:43 charon 15[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 24 21:07:43 charon 15[NET] <2> sending packet: from 10.1.1.19[500] to 64.xx.xx.xx[500] (312 bytes)
Feb 24 21:07:43 charon 15[NET] <2> received packet: from 64.xx.xx.xx[4500] to 10.1.1.19[4500] (352 bytes)
Feb 24 21:07:43 charon 15[ENC] <2> parsed IKE_AUTH request 1 [ IDi AUTH CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Feb 24 21:07:43 charon 15[CFG] <2> looking for peer configs matching 10.1.1.19[%any]...64.xx.xx.xx[192.168.1.35]
Feb 24 21:07:43 charon 15[CFG] <2> candidate "con1000", match: 1/20/3100 (me/other/ike)
Feb 24 21:07:43 charon 15[CFG] <con1000|2> selected peer config 'con1000'
Feb 24 21:07:43 charon 15[IKE] <con1000|2> authentication of '192.168.1.35' with pre-shared key successful
Feb 24 21:07:43 charon 15[IKE] <con1000|2> processing INTERNAL_IP4_ADDRESS attribute
Feb 24 21:07:43 charon 15[IKE] <con1000|2> processing INTERNAL_IP4_DNS attribute
Feb 24 21:07:43 charon 15[IKE] <con1000|2> processing INTERNAL_IP4_NBNS attribute
Feb 24 21:07:43 charon 15[IKE] <con1000|2> processing INTERNAL_IP4_SERVER attribute
Feb 24 21:07:43 charon 15[IKE] <con1000|2> authentication of '10.1.1.19' (myself) with pre-shared key
Feb 24 21:07:43 charon 15[IKE] <con1000|2> successfully created shared key MAC
Feb 24 21:07:43 charon 15[IKE] <con1000|2> IKE_SA con1000[2] established between 10.1.1.19[10.1.1.19]...64.xx.xx.xx[192.168.1.35]
Feb 24 21:07:43 charon 15[IKE] <con1000|2> IKE_SA con1000[2] state change: CONNECTING => ESTABLISHED
Feb 24 21:07:43 charon 15[IKE] <con1000|2> scheduling reauthentication in 28051s
Feb 24 21:07:43 charon 15[IKE] <con1000|2> maximum IKE_SA lifetime 28591s
Feb 24 21:07:43 charon 15[IKE] <con1000|2> peer requested virtual IP %any
Feb 24 21:07:43 charon 15[IKE] <con1000|2> no virtual IP found for %any requested by '192.168.1.35'
Feb 24 21:07:43 charon 15[IKE] <con1000|2> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Feb 24 21:07:43 charon 15[CFG] <con1000|2> looking for a child config for 0.0.0.0/0|/0 ::/0|/0 === 0.0.0.0/0|/0 ::/0|/0
Feb 24 21:07:43 charon 15[CFG] <con1000|2> proposing traffic selectors for us:
Feb 24 21:07:43 charon 15[CFG] <con1000|2> 10.0.0.0/8|/0
Feb 24 21:07:43 charon 15[CFG] <con1000|2> proposing traffic selectors for other:
Feb 24 21:07:43 charon 15[CFG] <con1000|2> 192.168.1.0/24|/0
Feb 24 21:07:43 charon 15[CFG] <con1000|2> candidate "con1000" with prio 2+2
Feb 24 21:07:43 charon 15[CFG] <con1000|2> found matching child config "con1000" with prio 4
Feb 24 21:07:43 charon 15[IKE] <con1000|2> configuration payload negotiation failed, no CHILD_SA built
Feb 24 21:07:43 charon 15[IKE] <con1000|2> failed to establish CHILD_SA, keeping IKE_SA
Feb 24 21:07:43 charon 15[ENC] <con1000|2> generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(INT_ADDR_FAIL) ]
Feb 24 21:07:43 charon 15[NET] <con1000|2> sending packet: from 10.1.1.19[4500] to 64.xx.xx.xx[4500] (144 bytes)
Feb 24 21:07:43 charon 15[NET] <con1000|2> received packet: from 64.xx.xx.xx[4500] to 10.1.1.19[4500] (80 bytes)
Feb 24 21:07:43 charon 15[ENC] <con1000|2> parsed INFORMATIONAL request 2 [ D ]
Feb 24 21:07:43 charon 15[IKE] <con1000|2> received DELETE for IKE_SA con1000[2]
Feb 24 21:07:43 charon 15[IKE] <con1000|2> deleting IKE_SA con1000[2] between 10.1.1.19[10.1.1.19]...64.xx.xx.xx[192.168.1.35]
Feb 24 21:07:43 charon 15[IKE] <con1000|2> IKE_SA con1000[2] state change: ESTABLISHED => DELETING
Feb 24 21:07:43 charon 15[IKE] <con1000|2> IKE_SA deleted
Feb 24 21:07:43 charon 15[ENC] <con1000|2> generating INFORMATIONAL response 2 [ ]
Feb 24 21:07:43 charon 15[NET] <con1000|2> sending packet: from 10.1.1.19[4500] to 64.xx.xx.xx[4500] (80 bytes)
Feb 24 21:07:43 charon 15[IKE] <con1000|2> IKE_SA con1000[2] state change: DELETING => DESTROYING
Any ideas why I'm not able to connect?
- no virtual IP found, sending INTERNAL_ADDRESS_FAILURE. From reading around this seems related to mobile configs but I'm not trying to connect mobile devices.
- Could it be related to ESP protocol, for which I have opened up port 50 on Azure NSG, but Azure doesn't have something to specifically allow the protocol?
I greatly appreciate any help. Have tried a lot of things and still no luck.
Thank you
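
Added example, not part of the original post: a small triage script that reads charon lines like the ones quoted above and reports, per IKE_SA, how far the negotiation got and which step ended it. The names `triage`, `diagnose` and `CHECKS` are assumptions made for this example; the sample lines are copied from the post.

```python
import re

# Log lines copied from the post above (addresses redacted as in the original).
SAMPLE_LOG = """\
Feb 24 21:07:43 charon 15[ENC] <2> parsed IKE_AUTH request 1 [ IDi AUTH CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Feb 24 21:07:43 charon 15[IKE] <con1000|2> IKE_SA con1000[2] established between 10.1.1.19[10.1.1.19]...64.xx.xx.xx[192.168.1.35]
Feb 24 21:07:43 charon 15[IKE] <con1000|2> peer requested virtual IP %any
Feb 24 21:07:43 charon 15[IKE] <con1000|2> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Feb 24 21:07:43 charon 15[IKE] <con1000|2> configuration payload negotiation failed, no CHILD_SA built
Feb 24 21:07:43 charon 15[ENC] <con1000|2> generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(INT_ADDR_FAIL) ]
Feb 24 21:07:43 charon 15[IKE] <con1000|2> received DELETE for IKE_SA con1000[2]
"""

# "charon <thread>[<subsystem>] <conn|sa-id> message"; conn is absent until a peer config is selected.
LINE = re.compile(r"charon \d+\[[A-Z]+\] <(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)")

# Flag name -> message pattern, taken from the wording of the log lines in the post.
CHECKS = [
    ("cp_request", re.compile(r"parsed IKE_AUTH request .*\bCPRQ\(")),  # peer sent a config payload request
    ("ike_sa_established", re.compile(r"IKE_SA \S+ established between")),
    ("virtual_ip_requested", re.compile(r"peer requested virtual IP")),
    ("no_virtual_ip", re.compile(r"no virtual IP found")),
    ("child_sa_failed", re.compile(r"no CHILD_SA built|failed to establish CHILD_SA")),
    ("int_addr_fail_sent", re.compile(r"N\(INT_ADDR_FAIL\)")),
    ("peer_deleted", re.compile(r"received DELETE for IKE_SA")),
]

def triage(log_text):
    """Group charon lines by IKE_SA id and record which events were seen."""
    sas = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        sa = sas.setdefault(m["sa"], {"conn": None, "flags": set()})
        sa["conn"] = m["conn"] or sa["conn"]
        sa["flags"].update(name for name, pat in CHECKS if pat.search(m["msg"]))
    return sas

def diagnose(sa):
    """Turn the recorded events into a one-line summary of where it stopped."""
    f = sa["flags"]
    if {"ike_sa_established", "cp_request", "no_virtual_ip", "child_sa_failed"} <= f:
        return "IKE_SA established; CHILD_SA refused: peer asked for a virtual IP (CPRQ) and the responder had none to assign"
    if "child_sa_failed" in f:
        return "IKE_SA established; CHILD_SA failed for a reason other than the config payload"
    return "no CHILD_SA failure seen"

for sa_id, sa in triage(SAMPLE_LOG).items():
    print(sa_id, sa["conn"], diagnose(sa))
```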