We have recently set up a site-to-site VPN tunnel with Azure from our 1200Ds (HA).
Traffic (ping) is working to the Azure VPN and back; no problems there.
The problem is that when there is no traffic, the VPN is brought down, by request of Azure as it seems.
```
2016-06-09 08:37:38 ike 1: comes azure.external.ip.adress:500->our.external.vpn.ip:500,ifindex=36....
2016-06-09 08:37:38 ike 1: IKEv2 exchange=INFORMATIONAL id=4b56657b5863a222/69ad09fb52ca1223:0000026f len=72
2016-06-09 08:37:38 ike 1: in 4B56657B5863A22269AD09FB52CA12232E2025080000026F000000482A00002C42295E2308A0A4C88E6C7BC2262317A57039EAD293B191BDEA59F36F11032B19638DD7399329F9B2
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: dec 4B56657B5863A22269AD09FB52CA12232E2025080000026F0000002C2A0000040000000C0304000190ACD1C8
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: received informational request
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: processing delete request (proto 3)
2016-06-09 08:37:38 ike 1:VPN-Azure: deleting IPsec SA with SPI 90acd1c8
2016-06-09 08:37:38 ike 1:VPN-Azure:VPN-Azure-MGMT: deleted IPsec SA with SPI 90acd1c8, SA count: 0
2016-06-09 08:37:38 ike 1:VPN-Azure: sending SNMP tunnel DOWN trap for VPN-Azure-MGMT
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: sending delete ack
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: enc 0000000C0304000114A55E4603020103
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: out 4B56657B5863A22269AD09FB52CA12232E2025200000026F000000482A00002CFD94B85D2F62ECFAFF2A1DAD36F235CD87C6769B4D4E96A3C7DF2EBE86B41B79AB21FB7776C5E600
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: sent IKE msg (INFORMATIONAL_RESPONSE): our.external.vpn.ip:500->azure.external.ip.adress:500, len=72, id=4b56657b5863a222/69ad09fb52ca1223:0000026f
2016-06-09 08:37:39 ike 1:VPN-Azure: link is idle 36 our.external.vpn.ip->azure.external.ip.adress:0 dpd=1 seqno=350e
```
Phase2 selectors:
```
config vpn ipsec phase2-interface
    edit "VPN-Azure-Servers1"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server1.network 255.255.254.0
        set dst-subnet azure.server1.network 255.255.254.0
    next
    edit "VPN-Azure-MGMT"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set auto-negotiate enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet azure.mgmt.network 255.255.254.0
    next
    edit "VPN-Azure-Servers2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server2.network 255.255.252.0
        set dst-subnet azure.server2.network 255.255.252.0
    next
    edit "VPN-Azure-MGMT-SRV1"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet azure.server1.network 255.255.254.0
    next
    edit "VPN-Azure-MGMT-SRV2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet azure.server2.network 255.255.252.0
    next
    edit "VPN-Azure-Servers1-SRV2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server1.network 255.255.254.0
        set dst-subnet azure.server2.network 255.255.252.0
    next
    edit "VPN-Azure-Servers2-SRV1"
        set phase1name "VPN-Azure"
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server2.network 255.255.252.0
        set dst-subnet azure.server1.network 255.255.254.0
    next
end
```
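Added example, not part of the post: a small parser for FortiGate `ike` debug lines of the kind shown above that turns each IPsec SA deletion into a structured event and records whether the peer requested it (an inbound `delete request (proto 3)` immediately before the deletion). Knowing which side tears the child SA down is the first thing to establish before tuning keepalive or auto-negotiate. The sample log is constructed to mirror the lines in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the IKE debug output in the post above.
SAMPLE_LOG = """\
2016-06-09 08:37:38 ike 1: IKEv2 exchange=INFORMATIONAL id=4b56657b5863a222/69ad09fb52ca1223:0000026f len=72
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: received informational request
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: processing delete request (proto 3)
2016-06-09 08:37:38 ike 1:VPN-Azure: deleting IPsec SA with SPI 90acd1c8
2016-06-09 08:37:38 ike 1:VPN-Azure:VPN-Azure-MGMT: deleted IPsec SA with SPI 90acd1c8, SA count: 0
2016-06-09 08:37:38 ike 1:VPN-Azure: sending SNMP tunnel DOWN trap for VPN-Azure-MGMT
2016-06-09 08:37:39 ike 1:VPN-Azure: link is idle 36 our.external.vpn.ip->azure.external.ip.adress:0 dpd=1 seqno=350e
"""

# "ike 1:<phase1>:<msgid>: processing delete request (proto N)"  -- peer asked us to delete
DELETE_REQ = re.compile(
    r"^(?P<ts>\S+ \S+) ike \d+:(?P<p1>[^:]+):\d+: processing delete request \(proto (?P<proto>\d+)\)")
# "ike 1:<phase1>:<phase2>: deleted IPsec SA with SPI <hex>, SA count: N"
DELETED = re.compile(
    r"^(?P<ts>\S+ \S+) ike \d+:(?P<p1>[^:]+):(?P<p2>[^:]+): deleted IPsec SA with SPI "
    r"(?P<spi>[0-9a-f]+), SA count: (?P<count>\d+)")


@dataclass
class TunnelDown:
    ts: str
    phase1: str
    phase2: str
    spi: str
    peer_initiated: bool   # True when an inbound delete request preceded the deletion
    remaining_sas: int     # 0 means the last child SA for this phase2 is gone


def parse_tunnel_down(log: str) -> list[TunnelDown]:
    """Return one TunnelDown event per 'deleted IPsec SA' line in the log."""
    events: list[TunnelDown] = []
    pending_peer_delete: set[str] = set()   # phase1 names with an unconsumed peer delete request
    for line in log.splitlines():
        m = DELETE_REQ.search(line)
        if m and m.group("proto") == "3":   # proto 3 = ESP, i.e. an IPsec (child) SA delete
            pending_peer_delete.add(m.group("p1"))
            continue
        m = DELETED.search(line)
        if m:
            p1 = m.group("p1")
            events.append(TunnelDown(ts=m.group("ts"), phase1=p1, phase2=m.group("p2"),
                                     spi=m.group("spi"),
                                     peer_initiated=p1 in pending_peer_delete,
                                     remaining_sas=int(m.group("count"))))
            pending_peer_delete.discard(p1)
    return events
```

Feed it the output of `diagnose debug application ike -1` captured to a file; events with `peer_initiated=True` and `remaining_sas=0` are the idle teardowns the post describes.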
You can do as I did: remove the multiple phase2s and use only one, without src-subnet and dst-subnet.
```
config vpn ipsec phase2-interface
    edit "VPN-Azure-p2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end
```
So it's working now?
Not using remote / src subnet is not really an option for us.
Yes, it is working. What is the problem with not using selectors? The firewall uses the routing information and anti-spoofing for non-matching traffic.
Well, you want to have source and destination subnets so you can limit access from subnet to subnet. You don't want it to be connected to 'everything'.
Phase2 selectors don't have this function. You can use routing and firewall policies to limit the traffic.