RRAS to pfSense on Azure VM. no virtual IP found for %any



  • Hello everyone,

    I'm new to setting up VPNs. I have pfSense installed on an Azure VM and I'm trying to set up a site-to-site VPN connection between pfSense (Azure VM) and my local server (RRAS). I have configured site-to-site IPsec IKEv2. RRAS receives "Invalid payload received" and the pfSense logs say:

    .
    .
    .
    .
    Feb 24 21:07:43  charon   15[IKE] <2> remote host is behind NAT  
    Feb 24 21:07:43  charon   15[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]  
    Feb 24 21:07:43  charon   15[NET] <2> sending packet: from 10.1.1.19[500] to 64.xx.xx.xx[500] (312 bytes)  
    Feb 24 21:07:43  charon   15[NET] <2> received packet: from 64.xx.xx.xx[4500] to 10.1.1.19[4500] (352 bytes)  
    Feb 24 21:07:43  charon   15[ENC] <2> parsed IKE_AUTH request 1 [ IDi AUTH CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]  
    Feb 24 21:07:43  charon   15[CFG] <2> looking for peer configs matching 10.1.1.19[%any]...64.xx.xx.xx[192.168.1.35]  
    Feb 24 21:07:43  charon   15[CFG] <2> candidate "con1000", match: 1/20/3100 (me/other/ike)  
    Feb 24 21:07:43  charon   15[CFG] <con1000|2> selected peer config 'con1000'  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> authentication of '192.168.1.35' with pre-shared key successful  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> processing INTERNAL_IP4_ADDRESS attribute  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> processing INTERNAL_IP4_DNS attribute  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> processing INTERNAL_IP4_NBNS attribute  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> processing INTERNAL_IP4_SERVER attribute  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> authentication of '10.1.1.19' (myself) with pre-shared key  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> successfully created shared key MAC  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA con1000[2] established between 10.1.1.19[10.1.1.19]...64.xx.xx.xx[192.168.1.35]  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA con1000[2] state change: CONNECTING => ESTABLISHED  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> scheduling reauthentication in 28051s  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> maximum IKE_SA lifetime 28591s  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> peer requested virtual IP %any  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> no virtual IP found for %any requested by '192.168.1.35'  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE  
    Feb 24 21:07:43  charon   15[CFG] <con1000|2> looking for a child config for 0.0.0.0/0|/0 ::/0|/0 === 0.0.0.0/0|/0 ::/0|/0  
    Feb 24 21:07:43  charon   15[CFG] <con1000|2> proposing traffic selectors for us:  
    Feb 24 21:07:43  charon   15[CFG] <con1000|2> 10.0.0.0/8|/0  
    Feb 24 21:07:43  charon   15[CFG] <con1000|2> proposing traffic selectors for other:  
    Feb 24 21:07:43  charon   15[CFG] <con1000|2> 192.168.1.0/24|/0  
    Feb 24 21:07:43  charon   15[CFG] <con1000|2> candidate "con1000" with prio 2+2  
    Feb 24 21:07:43  charon   15[CFG] <con1000|2> found matching child config "con1000" with prio 4  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> configuration payload negotiation failed, no CHILD_SA built  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> failed to establish CHILD_SA, keeping IKE_SA  
    Feb 24 21:07:43  charon   15[ENC] <con1000|2> generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(INT_ADDR_FAIL) ]  
    Feb 24 21:07:43  charon   15[NET] <con1000|2> sending packet: from 10.1.1.19[4500] to 64.xx.xx.xx[4500] (144 bytes)  
    Feb 24 21:07:43  charon   15[NET] <con1000|2> received packet: from 64.xx.xx.xx[4500] to 10.1.1.19[4500] (80 bytes)  
    Feb 24 21:07:43  charon   15[ENC] <con1000|2> parsed INFORMATIONAL request 2 [ D ]  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> received DELETE for IKE_SA con1000[2]  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> deleting IKE_SA con1000[2] between 10.1.1.19[10.1.1.19]...64.xx.xx.xx[192.168.1.35]  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA con1000[2] state change: ESTABLISHED => DELETING  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA deleted  
    Feb 24 21:07:43  charon   15[ENC] <con1000|2> generating INFORMATIONAL response 2 [ ]  
    Feb 24 21:07:43  charon   15[NET] <con1000|2> sending packet: from 10.1.1.19[4500] to 64.xx.xx.xx[4500] (80 bytes)  
    Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA con1000[2] state change: DELETING => DESTROYING
    

    Any ideas why I'm not able to connect?

    1. no virtual IP found, sending INTERNAL_ADDRESS_FAILURE. From reading around this seems related to mobile configs but I'm not trying to connect mobile devices.
    2. Could it be related to the ESP protocol, for which I have opened up port 50 on the Azure NSG, but Azure doesn't have something to specifically allow the protocol?

    I greatly appreciate any help. Have tried a lot of things and still no luck.

    Thank you
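The charon log above records a complete IKEv2 negotiation, and the point of failure is easier to see when the lines are reduced to a timeline. The following parser is an added example, not code from the post or from pfSense or strongSwan: it walks the posted lines (a subset is embedded below as sample input), extracts the peer identity, the configuration-payload (CP) attributes the peer requested, the IKE_SA state transitions and the error messages, and reports whether a CHILD_SA was ever built. The line format and message wording are taken from the post; the `CHILD_SA ... established` success message it also looks for is assumed from strongSwan's usual logging and does not appear in the posted log.

```python
import re
from typing import Iterable, Optional

# Line format as it appears in the pfSense IPsec log in the post:
#   "Feb 24 21:07:43  charon   15[IKE] <con1000|2> message ..."
CHARON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+charon\s+"
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+<(?P<sa>[^>]*)>\s+(?P<msg>.*)$"
)

# Sample input: lines copied from the posted log (trailing spaces stripped).
SAMPLE_LOG = [
    "Feb 24 21:07:43  charon   15[IKE] <2> remote host is behind NAT",
    "Feb 24 21:07:43  charon   15[ENC] <2> parsed IKE_AUTH request 1 [ IDi AUTH CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> authentication of '192.168.1.35' with pre-shared key successful",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> processing INTERNAL_IP4_ADDRESS attribute",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> processing INTERNAL_IP4_DNS attribute",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> processing INTERNAL_IP4_NBNS attribute",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> processing INTERNAL_IP4_SERVER attribute",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> authentication of '10.1.1.19' (myself) with pre-shared key",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA con1000[2] state change: CONNECTING => ESTABLISHED",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> peer requested virtual IP %any",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> no virtual IP found for %any requested by '192.168.1.35'",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> configuration payload negotiation failed, no CHILD_SA built",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> failed to establish CHILD_SA, keeping IKE_SA",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA con1000[2] state change: ESTABLISHED => DELETING",
    "Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA con1000[2] state change: DELETING => DESTROYING",
]


def parse_charon_line(line: str) -> Optional[dict]:
    """Split one charon line into timestamp, thread, log group, SA tag and message."""
    m = CHARON_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["thread"] = int(entry["thread"])
    return entry


def analyze_ike_log(lines: Iterable[str]) -> dict:
    """Summarise one IKEv2 negotiation from charon log lines.

    Collects the authenticated peer identity, the CP attributes the peer
    requested, every IKE_SA state transition, the error messages, and whether
    a CHILD_SA was built; then derives a one-line diagnosis from those facts.
    """
    result = {
        "peer_id": None,
        "ike_sa_established": False,
        "child_sa_built": False,
        "cp_attributes": [],
        "states": [],
        "errors": [],
        "diagnosis": "",
    }
    for raw in lines:
        entry = parse_charon_line(raw)
        if entry is None:
            continue  # not a charon line (e.g. the "." placeholders in the post)
        msg = entry["msg"]
        m = re.match(r"authentication of '([^']+)' with pre-shared key successful", msg)
        if m:
            result["peer_id"] = m.group(1)
        m = re.match(r"processing (INTERNAL_\w+) attribute", msg)
        if m:
            result["cp_attributes"].append(m.group(1))
        m = re.search(r"state change: (\w+ => \w+)", msg)
        if m:
            result["states"].append(m.group(1))
            if m.group(1).endswith("=> ESTABLISHED"):
                result["ike_sa_established"] = True
        # Assumed strongSwan success wording: "CHILD_SA con1000{1} established with SPIs ..."
        if msg.startswith("CHILD_SA ") and " established" in msg:
            result["child_sa_built"] = True
        if ("no virtual IP found" in msg or "negotiation failed" in msg
                or "failed to establish CHILD_SA" in msg):
            result["errors"].append(msg)

    if result["ike_sa_established"] and not result["child_sa_built"]:
        if ("INTERNAL_IP4_ADDRESS" in result["cp_attributes"]
                and any("no virtual IP" in e for e in result["errors"])):
            result["diagnosis"] = (
                "IKE_SA authenticated with the PSK, but the peer's IKE_AUTH request carried a "
                "CP request for INTERNAL_IP4_ADDRESS and this gateway has no virtual IP pool "
                "to answer it, so it replied INTERNAL_ADDRESS_FAILURE and no CHILD_SA was "
                "built. The failure is at configuration-payload negotiation, before any "
                "ESP traffic would be exchanged."
            )
        else:
            result["diagnosis"] = "IKE_SA established but no CHILD_SA built; see errors."
    elif result["child_sa_built"]:
        result["diagnosis"] = "IKE_SA and CHILD_SA established."
    else:
        result["diagnosis"] = "IKE_SA never reached ESTABLISHED; see errors."
    return result


if __name__ == "__main__":
    summary = analyze_ike_log(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it on the full log from the post (or from the pfSense IPsec log page) by passing the lines to `analyze_ike_log`; the `states` list shows the SA going CONNECTING, ESTABLISHED, DELETING, DESTROYING with nothing in between, and `cp_attributes` shows what the RRAS side asked for in the `CPRQ(ADDR DNS NBNS SRV)` payload.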

