IPsec VPN to Windows Azure



  • I am setting up an IPsec VPN to Windows Azure.
    This VPN keeps dropping with the following error and reconnects within a few minutes.
    Does anyone have an idea how to fix it?
    Here is the log:

    Aug 29 13:02:38 : INFO: IPsec-SA established: ESP 192.168.1.1[500]->123.123.123.123[500] spi=2866019992(0xaad3fe98)
    Aug 29 13:02:38 : INFO: IPsec-SA established: ESP 192.168.1.1[500]->123.123.123.123[500] spi=33804485(0x203d0c5)
    Aug 29 13:02:38 : INFO: IPsec-SA established: ESP 192.168.1.1[500]->123.123.123.123[500] spi=2932147670(0xaec505d6)
    Aug 29 13:02:38 : INFO: IPsec-SA established: ESP 192.168.1.1[500]->123.123.123.123[500] spi=194007198(0xb90509e)
    Aug 29 13:02:38 : INFO: IPsec-SA established: ESP 192.168.1.1[500]->123.123.123.123[500] spi=1685238744(0x6472b3d8)
    Aug 29 13:02:38 : INFO: IPsec-SA established: ESP 192.168.1.1[500]->123.123.123.123[500] spi=205017052(0xc384fdc)
    Aug 29 13:02:38 : INFO: IPsec-SA established: ESP 192.168.1.1[500]->123.123.123.123[500] spi=444785174(0x1a82e216)
    Aug 29 13:02:38 : INFO: IPsec-SA established: ESP 192.168.1.1[500]->123.123.123.123[500] spi=229225315(0xda9b363)
    Aug 29 13:02:38 : INFO: IPsec-SA established: ESP 192.168.1.1[500]->123.123.123.123[500] spi=2399938594(0x8f0c2822)
    Aug 29 13:02:38 : INFO: IPsec-SA established: ESP 192.168.1.1[500]->123.123.123.123[500] spi=88172378(0x541675a)
    Aug 29 13:02:38 : INFO: IPsec-SA established: ESP 192.168.1.1[500]->123.123.123.123[500] spi=3543351306(0xd333400a)
    Aug 29 13:02:38 : INFO: IPsec-SA established: ESP 192.168.1.1[500]->123.123.123.123[500] spi=203604894(0xc22c39e)
    Aug 29 13:02:38 ERROR: not matched
    Aug 29 13:02:38 WARNING: authtype mismatched: my:hmac-sha peer:hmac-sha256
    Aug 29 13:02:38 : INFO: respond new phase 2 negotiation: 192.168.1.1[500]<=>123.123.123.123[500]
    Aug 29 13:02:38 ERROR: not matched
    Aug 29 13:02:38 WARNING: authtype mismatched: my:hmac-sha peer:hmac-sha256
    Aug 29 13:02:38 : INFO: respond new phase 2 negotiation: 192.168.1.1[500]<=>123.123.123.123[500]
    Aug 29 13:02:38 ERROR: not matched
    Aug 29 13:02:38 WARNING: authtype mismatched: my:hmac-sha peer:hmac-sha256
    Aug 29 13:02:38 : INFO: respond new phase 2 negotiation: 192.168.1.1[500]<=>123.123.123.123[500]
    Aug 29 13:02:38 ERROR: not matched
    Aug 29 13:02:38 WARNING: authtype mismatched: my:hmac-sha peer:hmac-sha256
    Aug 29 13:02:38 : INFO: respond new phase 2 negotiation: 192.168.1.1[500]<=>123.123.123.123[500]
    Aug 29 13:02:38 ERROR: not matched
    Aug 29 13:02:38 WARNING: authtype mismatched: my:hmac-sha peer:hmac-sha256
    Aug 29 13:02:38 : INFO: respond new phase 2 negotiation: 192.168.1.1[500]<=>123.123.123.123[500]
    Aug 29 13:02:38 ERROR: not matched
    Aug 29 13:02:38 WARNING: authtype mismatched: my:hmac-sha peer:hmac-sha256
    Aug 29 13:02:38 : INFO: respond new phase 2 negotiation: 192.168.1.1[500]<=>123.123.123.123[500]
    Aug 29 13:01:38 INFO: purged IPsec-SA proto_id=ESP spi=2620735192.
    Aug 29 13:01:38 INFO: purged IPsec-SA proto_id=ESP spi=1350342824.
    Aug 29 13:01:38 INFO: purged IPsec-SA proto_id=ESP spi=3114734380.
    Aug 29 13:01:38 INFO: purged IPsec-SA proto_id=ESP spi=4148636974.
    Aug 29 13:01:38 INFO: purged IPsec-SA proto_id=ESP spi=2034106232.
    Aug 29 13:01:38 INFO: purged IPsec-SA proto_id=ESP spi=2757192950.

    Here is the config:

    My settings are:
    SITE A:
    Remote Gateway: Azure IP address (123.123.123.123)
    Mode: main
    P1 Protocol: AES (256 bits)
    P1 transforms: SHA1
    Pre-shared key: veryverysecret
    Encryption algorithm: AES | 256 bits
    Hash algorithm: SHA1
    DH Key Group: 2
    Lifetime: 28800

    Phase 2:
    Local Network: LAN subnet
    Remote Network: 192.168.1.0/24
    Protocol: ESP
    Encryption algorithm: AES 256
    Hash algorithms: SHA1
    PFS key group: off
    Lifetime: 3600
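
A small triage script for logs like the one in the post above, added here as an example (it is not part of the original thread and not pfSense code): it groups the `mismatched` warnings by local and peer value so a repeated Phase 2 proposal mismatch stands out from the SA churn. The sample log is constructed from the line formats in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, in the same format as the log lines quoted in the post.
SAMPLE_LOG = """\
Aug 29 13:01:38 INFO: purged IPsec-SA proto_id=ESP spi=2620735192.
Aug 29 13:02:38 : INFO: IPsec-SA established: ESP 192.168.1.1[500]->123.123.123.123[500] spi=2866019992(0xaad3fe98)
Aug 29 13:02:38 ERROR: not matched
Aug 29 13:02:38 WARNING: authtype mismatched: my:hmac-sha peer:hmac-sha256
Aug 29 13:02:38 : INFO: respond new phase 2 negotiation: 192.168.1.1[500]<=>123.123.123.123[500]
Aug 29 13:02:38 ERROR: not matched
Aug 29 13:02:38 WARNING: authtype mismatched: my:hmac-sha peer:hmac-sha256
"""

# Timestamp, optional stray " :" separator, level, message.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s*:?\s*(INFO|WARNING|ERROR): (.*)$")
# Matches e.g. "authtype mismatched: my:hmac-sha peer:hmac-sha256".
MISMATCH = re.compile(r"^(\w+) mismatched: my:(\S+) peer:(\S+)$")
SPI = re.compile(r"spi=(\d+)")

def summarize(log_text):
    """Count SA events and group proposal mismatches by (field, local, peer)."""
    out = {"established": [], "purged": [], "mismatches": Counter(),
           "not_matched": 0, "unparsed": 0}
    # Strip the indentation a forum paste adds and skip empty lines.
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE.match(line)
        if m is None:
            out["unparsed"] += 1  # count unknown lines instead of dropping them
            continue
        level, msg = m.group(2), m.group(3)
        mm = MISMATCH.match(msg)
        if mm:
            out["mismatches"][mm.groups()] += 1
        elif level == "ERROR" and msg == "not matched":
            out["not_matched"] += 1
        elif msg.startswith("IPsec-SA established"):
            out["established"] += SPI.findall(msg)
        elif msg.startswith("purged IPsec-SA"):
            out["purged"] += SPI.findall(msg)
    return out

def describe(summary):
    """One line per distinct mismatch, most frequent first."""
    return [f"{field}: local={mine} peer={peer} ({n}x)"
            for (field, mine, peer), n in summary["mismatches"].most_common()]

if __name__ == "__main__":
    print("\n".join(describe(summarize(SAMPLE_LOG))))
```

On the sample it reports `authtype: local=hmac-sha peer=hmac-sha256 (2x)`, the same pair the WARNING lines in the post show.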


  • Banned

    There is a whole bunch of documentation available here. It is absolutely not apparent what your setup is, and frankly, this whole thing should be taken to Windows Azure Forums way before you start debugging pfSense stuff (basically until MS has determined this to be a BSD-specific issue at least).

