Netgate Discussion Forum

    RRAS to pfSense on Azure VM. no virtual IP found for %any

      dilenjoy

      Hello everyone,

      I'm new to setting up VPNs. I have pfSense installed on an Azure VM and I'm trying to set up a site-to-site VPN connection between pfSense (Azure VM) and my local server (RRAS). I have configured site-to-site IPsec IKEv2. RRAS receives "Invalid payload received" and the pfSense logs say:

      .
      .
      .
      .
      Feb 24 21:07:43  charon   15[IKE] <2> remote host is behind NAT  
      Feb 24 21:07:43  charon   15[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]  
      Feb 24 21:07:43  charon   15[NET] <2> sending packet: from 10.1.1.19[500] to 64.xx.xx.xx[500] (312 bytes)  
      Feb 24 21:07:43  charon   15[NET] <2> received packet: from 64.xx.xx.xx[4500] to 10.1.1.19[4500] (352 bytes)  
      Feb 24 21:07:43  charon   15[ENC] <2> parsed IKE_AUTH request 1 [ IDi AUTH CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]  
      Feb 24 21:07:43  charon   15[CFG] <2> looking for peer configs matching 10.1.1.19[%any]...64.xx.xx.xx[192.168.1.35]  
      Feb 24 21:07:43  charon   15[CFG] <2> candidate "con1000", match: 1/20/3100 (me/other/ike)  
      Feb 24 21:07:43  charon   15[CFG] <con1000|2> selected peer config 'con1000'  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> authentication of '192.168.1.35' with pre-shared key successful  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> processing INTERNAL_IP4_ADDRESS attribute  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> processing INTERNAL_IP4_DNS attribute  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> processing INTERNAL_IP4_NBNS attribute  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> processing INTERNAL_IP4_SERVER attribute  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> authentication of '10.1.1.19' (myself) with pre-shared key  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> successfully created shared key MAC  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA con1000[2] established between 10.1.1.19[10.1.1.19]...64.xx.xx.xx[192.168.1.35]  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA con1000[2] state change: CONNECTING => ESTABLISHED  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> scheduling reauthentication in 28051s  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> maximum IKE_SA lifetime 28591s  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> peer requested virtual IP %any  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> no virtual IP found for %any requested by '192.168.1.35'  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE  
      Feb 24 21:07:43  charon   15[CFG] <con1000|2> looking for a child config for 0.0.0.0/0|/0 ::/0|/0 === 0.0.0.0/0|/0 ::/0|/0  
      Feb 24 21:07:43  charon   15[CFG] <con1000|2> proposing traffic selectors for us:  
      Feb 24 21:07:43  charon   15[CFG] <con1000|2> 10.0.0.0/8|/0  
      Feb 24 21:07:43  charon   15[CFG] <con1000|2> proposing traffic selectors for other:  
      Feb 24 21:07:43  charon   15[CFG] <con1000|2> 192.168.1.0/24|/0  
      Feb 24 21:07:43  charon   15[CFG] <con1000|2> candidate "con1000" with prio 2+2  
      Feb 24 21:07:43  charon   15[CFG] <con1000|2> found matching child config "con1000" with prio 4  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> configuration payload negotiation failed, no CHILD_SA built  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> failed to establish CHILD_SA, keeping IKE_SA  
      Feb 24 21:07:43  charon   15[ENC] <con1000|2> generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(INT_ADDR_FAIL) ]  
      Feb 24 21:07:43  charon   15[NET] <con1000|2> sending packet: from 10.1.1.19[4500] to 64.xx.xx.xx[4500] (144 bytes)  
      Feb 24 21:07:43  charon   15[NET] <con1000|2> received packet: from 64.xx.xx.xx[4500] to 10.1.1.19[4500] (80 bytes)  
      Feb 24 21:07:43  charon   15[ENC] <con1000|2> parsed INFORMATIONAL request 2 [ D ]  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> received DELETE for IKE_SA con1000[2]  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> deleting IKE_SA con1000[2] between 10.1.1.19[10.1.1.19]...64.xx.xx.xx[192.168.1.35]  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA con1000[2] state change: ESTABLISHED => DELETING  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA deleted  
      Feb 24 21:07:43  charon   15[ENC] <con1000|2> generating INFORMATIONAL response 2 [ ]  
      Feb 24 21:07:43  charon   15[NET] <con1000|2> sending packet: from 10.1.1.19[4500] to 64.xx.xx.xx[4500] (80 bytes)  
      Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA con1000[2] state change: DELETING => DESTROYING
      

      Any ideas why I'm not able to connect?

      1. no virtual IP found, sending INTERNAL_ADDRESS_FAILURE. From reading around this seems related to mobile configs but I'm not trying to connect mobile devices.
      2. Could it be related to the ESP protocol, for which I have opened up port 50 on the Azure NSG, but Azure doesn't have something to specifically allow the protocol?

      I greatly appreciate any help. Have tried a lot of things and still no luck.

      Thank you
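
Added example, not part of the original post: a small Python triage script that replays an excerpt of the charon lines quoted above and reports, in order, the negotiation events they record and the step at which the tunnel stopped. The event names and the functions `timeline`, `udp_ports` and `failed_stage` are this example's own, not strongSwan or pfSense identifiers.

```python
import re

# Excerpt of the charon lines quoted in the post above (addresses were already masked there).
SAMPLE_LOG = """\
Feb 24 21:07:43  charon   15[NET] <2> sending packet: from 10.1.1.19[500] to 64.xx.xx.xx[500] (312 bytes)
Feb 24 21:07:43  charon   15[NET] <2> received packet: from 64.xx.xx.xx[4500] to 10.1.1.19[4500] (352 bytes)
Feb 24 21:07:43  charon   15[ENC] <2> parsed IKE_AUTH request 1 [ IDi AUTH CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Feb 24 21:07:43  charon   15[IKE] <con1000|2> IKE_SA con1000[2] established between 10.1.1.19[10.1.1.19]...64.xx.xx.xx[192.168.1.35]
Feb 24 21:07:43  charon   15[IKE] <con1000|2> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Feb 24 21:07:43  charon   15[IKE] <con1000|2> configuration payload negotiation failed, no CHILD_SA built
Feb 24 21:07:43  charon   15[IKE] <con1000|2> received DELETE for IKE_SA con1000[2]
"""

LINE = re.compile(r"charon\s+\d+\[(?P<sub>[A-Z]{3})\]\s+<(?P<tag>[^>]+)>\s+(?P<msg>.*\S)")

# (event name chosen for this example, charon subsystem, message pattern)
EVENTS = [
    ("peer_sent_config_request", "ENC", re.compile(r"parsed IKE_AUTH request .*\bCPRQ\(")),
    ("ike_sa_established", "IKE", re.compile(r"IKE_SA \S+ established between")),
    ("virtual_ip_refused", "IKE", re.compile(r"no virtual IP found, sending INTERNAL_ADDRESS_FAILURE")),
    ("child_sa_not_built", "IKE", re.compile(r"no CHILD_SA built")),
    ("peer_deleted_ike_sa", "IKE", re.compile(r"received DELETE for IKE_SA")),
]

def parse(log):
    """Yield (subsystem, connection tag, message) for each charon line."""
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            yield m["sub"], m["tag"], m["msg"]

def timeline(log):
    """Return the recognised negotiation events in the order they were logged."""
    seen = []
    for sub, _tag, msg in parse(log):
        seen += [n for n, s, pat in EVENTS if s == sub and pat.search(msg) and n not in seen]
    return seen

def udp_ports(log):
    """Collect the UDP ports on [NET] lines (500 = IKE, 4500 = NAT-T encapsulation)."""
    return {int(p) for sub, _tag, msg in parse(log) if sub == "NET"
            for p in re.findall(r"\[(\d+)\]", msg)}

def failed_stage(log):
    """Name the step where negotiation stopped, or None if no known failure is logged."""
    if {"virtual_ip_refused", "child_sa_not_built"} <= set(timeline(log)):
        return "IKE_AUTH configuration payload"
    return None
```

On this excerpt every [NET] line uses UDP 500 or 4500, and the failure is logged during IKE_AUTH, after the IKE_SA is established and before any CHILD_SA exists.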
