T_Sonnberger
Explorer

VPN Tunnel to Azure - Return traffic unencrypted / blocked as "Antispoofing" R80.30

Hello,

today we have tried to move a VPN tunnel to Azure from our old R77.30 gateway to a new R80.30 appliance. Basically all settings were copied 1:1; however, the connection will not work.

I see that the tunnel seems to be up and I see an "echo request" being routed into the VPN Domain. However, the "echo reply" is dropped on the public interface as "Antispoofing".

Every now and then, I also see an error message:

Informational exchange: Sending notification to peer: Invalid IKE SPI IKE SPIs: *****

I have tried to disable SecureXL and set the ike_supernatting thing in GuiDB to true already (was false), as it was true on the R77.30 as well...

Any ideas why the traffic is sent back "unencrypted" / bypassing the tunnel and being dropped as "antispoofing"?

On the Azure end, nothing was changed besides the Gateway IP. Azure also says that the tunnel is up and running.

Thanks in advance!

BR,

Thomas

0 Kudos
3 Replies
PhoneBoy
Admin

Sounds like the encryption domain is not set properly.
You might also have routing misconfigured on your gateway if the echo reply is getting dropped by anti-spoofing.

0 Kudos
PredragPetrovic
Contributor

Hello,

Off the top of my head I would say that you didn't set up the topology and domain correctly. If you could provide how you have configured the tunnels, tunnel management and how you handle the routing between on-premise and cloud, that would be beneficial. If this is not possible, maybe a packet capture and a VPN and IKE debug could help out.

Cheers,

P.

0 Kudos
T_Sonnberger
Explorer

Hello,

thanks for your reply.
We have the following setup - copied over from the old 77.30 where it was working:
Encryption: IKEv2 only - Phase 1 AES-256/SHA-1 DH Group2 -- Phase 2 AES-128 / SHA-1 -- No PFS
Advanced: 180 Minutes Renegotiate Phase 1/ 3600 Sec. Renegotiate Phase 2
Disable NAT inside the VPN community
----------------------------------------------
On our GW we have set a group as VPN Domain, containing several subnets covering our local networks (including 10.**** subnets, 192.**** subnets, etc.)
On the interoperable device we have set the remote subnet 10.210.***** - this one is not a member of the local VPN Domain.
In Azure we have set 10.0.0.0/8 to be on the other side of the tunnel
----------------------------------------------------------------------------
On the local gateway we also do static routing, pointing 10/8 to our core router along with some dedicated routes to other destinations
----------------------------------------------------------------------------

Here are some debugs. What I don't understand is why it does NAT-T and says me=0.0.0.0:
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][tunnel] New TransportConnection (68685 Total: 10)
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][tunnel] UDPConnection::Init: peer: 23.*.*.* (ipv6 0) the connection: 0xe8cac7d8, the socket: 0xe85cd2f8, FD: 16
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][tunnel] UDPProtocol::HandleIncommingData: Received 80 bytes from 23.*.*.* (port: 4500).
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][tunnel] fwisakmpd_process_incoming_data: Received NAT-T (IPv4) packet from 23.*.*.* (port: 4500) len: 76
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20] GetEntryIsakmpObjectsHash: received ipaddr: 23.*.*.* as key, found fwobj: AZURE-INTEROPERABLE
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for 23.*.*.* returned obj: 0x9bce6c4
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20] GetEntryCommunityHashX: received ipaddr: *.*.*.23 as key, found community: AZURE-COMMUNITY
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20] FindCommonCommunity: Found common community (IPv4 addr=*.*.*.23) (AZURE-COMMUNITY) for AZURE-INTEROPERABLE
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] getIKEVersionForCommunity: Community configured to use IKEv2 only.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Message::Message: New incoming request from original responder with message id 7
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Message::Message: i-spi: 6c847c9537f4c7f1, r-spi: 83d127c7118124e9, next: 46, version: 32, ex type: 37, flags: 0 (enc:1, req:1, init:0), msg id: 7, len: 76
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] messageLayer::isIkev2Message: message is an ikev2 message
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Message::~Message: entering
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20] GetEntryIsakmpObjectsHash: received ipaddr: 23.*.*.* as key, found fwobj: AZURE-INTEROPERABLE
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for 23.*.*.* returned obj: 0x9bce6c4
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20] canonize_gw: Canonized ip is the same as original ip 23.*.*.*
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] receivedIkev2reply: enter.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][tunnel] New TransportConnection (68686 Total: 11)
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][tunnel] UDPConnection::UDPConnection: Enter (copy ctor) peer: 23.*.*.*
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][tunnel] UDPConnection::UDPConnection: conn.m_txSocket: 0xe85cd2f8, 0xe8c6ab30.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Message::Message: New incoming request from original responder with message id 7
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Message::Message: i-spi: 6c847c9537f4c7f1, r-spi: 83d127c7118124e9, next: 46, version: 32, ex type: 37, flags: 0 (enc:1, req:1, init:0), msg id: 7, len: 76
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] messageLayer::messageArrived: isRequest: 1. iSpi: 6c847c9537f4c7f1, rSpi: 83d127c7118124e9. msg ID: 7. ip ver: 4
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] messageLayer::messageArrived: Could not find exchange
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] ikeExchangeFlowHandler::createResponderExchange: entering. peer: 23.*.*.*, port: 4500
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] ikeExchangeFlowHandler::getOrder: entering for exchange type Informational as responder.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] vpn1SADB::getIkeSA: got the IKE SA
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Here's the IKE SA we dug up:
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] SPIs: I=6c847c9537f4c7f1; R=83d127c7118124e9. initiator=me. internal addr: 0.0.0.0
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] peer: (ext addr: 23.*.*.*). Using port 4500
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Methods: AES-256, HMAC-SHA1, PRF-SHA1, Group 2
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] MsgIDS: My next: 2, Peer next: 7, Windows size: 1
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Rekey by: Mon Aug 17 09:54:05 2020
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] NAT-T=Yes, Rekeyed=No , OM=No , Peer Est=Yes, IPv6 0, Replay sync: Yes, Authenticated: Yes (PreShared), IterOP: Yes, valid: Yes
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] doCreateOrder: enter with peer 23.*.*.*
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20] GetEntryIsakmpObjectsHash: received ipaddr: 23.*.*.* as key, found fwobj: AZURE-INTEROPERABLE
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for 23.*.*.* returned obj: 0x9bce6c4
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] doCreateOrder: peer is not a daip.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20] GetEntryCommunityHashX: received ipaddr: *.*.*.23 as key, found community: AZURE-COMMUNITY
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20] FindCommonCommunity: Found common community (IPv4 addr=*.*.*.23) (AZURE-COMMUNITY) for AZURE-INTEROPERABLE
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] doCreateOrder: found a common community with 23.*.*.*.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] dbCommunityHandle::dbCommunityHandle: entering
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] dbCommunityHandle::dbCommunityHandle: Will use custom encryption settings
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] dbCommunityHandle::dbCommunityHandle: Community is of the star type, and we are in the center
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] ikeOrder: new order (generic) with ID 21978
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] ikeOrder::setPeer: Entering, object=0x9bce6c4, is_user=0, force=0
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] ikeSimpOrder::setPeer: peer is not a user (is user: 0) or invalid ike sa (0xe8d8b310)
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] ikeSimpOrder::setPeer: force_non_user 0, is_user 0
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] doCreateOrder: Peer is third party, updating order
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20] GetEntryIsakmpObjectsHash: received ipaddr: 23.*.*.* as key, found fwobj: AZURE-INTEROPERABLE
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for 23.*.*.* returned obj: 0x9bce6c4
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>> EXCHANGE: 22006
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>> NEW NEW NEW NEW NEW NEW NEW NEW NEW
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] ikeOrder: refcount for 21978 increased to 1
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::setOrder: Associating order 21978 with exchange 22006
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] ikeInformational_r::ikeInformational_r: ID = 22006
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] ikeExchangeFlowHandler::createResponderExchange: setting peer port: 4500, use nat-t: yes (Informational exhcnage).
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] messageLayer::messageArrived: Added request into m_remembered requests. Key = (6c847c9537f4c7f1:83d127c7118124e9, 7), opaque=0xe8c886c8
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] ikeMsgEvent::ikeMsgEvent: entering. (exchange 22006)
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>>
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>> EXCHANGE: 'Informational for responder' (22006)
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>> EVENT: Message Arrived Event
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>>
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::handleEvent: Exchange 22006, state=initial, status=initial, event=Message Arrived Event
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] stateMachine::getTransition: got handler member 0x9fa25f0 for state initial and event Message Arrived
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] responderExchange::msg_arrived_state_handler: entering.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::doHandleMessage: Got state initial, status initial and event Message Arrived.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::setState: Changing state from: initial to: received message..
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::doHandleMessage: Handling incomming message for exchange 22006, 'Informational for responder', iSpi: 6c847c9537f4c7f1, rSpi: 83d127c7118124e9)
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>>
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>> EXCHANGE: 'Informational for responder' (22006)
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>> PROCESS INCOMING MESSAGE
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>>
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] cksumMessage: entering
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] cksumMessage: Checksumming 64 bytes with integrity algorithm HMAC-SHA1
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Message::Decode: Message passes integrity check
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] decryptMessage: entering
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] decryptMessage: IV:
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] 10 08 64 e4 2f 0f 19 db 23 60 66 f7 be ae 3c 89
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] decryptMessage: Decrypting 16 bytes using SK_er
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] ikecrypt_decrypt: decrypted. padlen=15, resulting bytes=0
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] decryptMessage: Result has 0 bytes
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::parseAndDecodeMessage: Updating PeerNextMsgID from 7 to 8
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::storeIkeSA: entering.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] vpn1SADB::storeIkeSA: Storing SA with SPIs 6c847c9537f4c7f1:83d127c7118124e9
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Here's the SA we're storing:
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] SPIs: I=6c847c9537f4c7f1; R=83d127c7118124e9. initiator=me. internal addr: 0.0.0.0
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] peer: (ext addr: 23.*.*.*). Using port 4500
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Methods: AES-256, HMAC-SHA1, PRF-SHA1, Group 2
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] MsgIDS: My next: 2, Peer next: 8, Windows size: 1
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Rekey by: Mon Aug 17 09:54:05 2020
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] NAT-T=Yes, Rekeyed=No , OM=No , Peer Est=Yes, IPv6 0, Replay sync: Yes, Authenticated: Yes (PreShared), IterOP: Yes, valid: Yes
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] vpn1SADB::storeIkeSA: new sa mode: 189 (curr mode: 393), new peer next msg id: 8 (curr: 7), new my msg id: 2, (curr: 2)
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] vpn1SADB::storeIkeSA: Storing with timeout = 9945.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Here's the SA we're storing, just before storing:
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] SPIs: I=6c847c9537f4c7f1; R=83d127c7118124e9. initiator=me. internal addr: 0.0.0.0
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] peer: (ext addr: 23.*.*.*). Using port 4500
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Methods: AES-256, HMAC-SHA1, PRF-SHA1, Group 2
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] MsgIDS: My next: 2, Peer next: 8, Windows size: 1
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Rekey by: Mon Aug 17 09:54:05 2020
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] NAT-T=Yes, Rekeyed=No , OM=No , Peer Est=Yes, IPv6 0, Replay sync: Yes, Authenticated: Yes (PreShared), IterOP: Yes, valid: Yes
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::storeIkeSA: notify registered objects
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::notifyObjsUponTriggeredEvent: enter with event: 4
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::notifyObjsUponTriggeredEvent: None registered for this exchange
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::preValidatePayloads: enter. imcomming msg: 0xe851aeb0
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::processAllNotifications: entering.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::preValidatePayloads: returning status 0
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::processMessage: verifying payloads. curr status: 0
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::validatePayloads: enter.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::processPayloads: processing the payloads.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::processPayloads: processPayloads returning initial status
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] Exchange::continueHandleMessage: entering with status = 0
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] ikeInformational_r::postMessageProcessed: entering.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] responderExchange::postMessageProcessed: entering.
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>>
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>> EXCHANGE: 'Informational for responder' (22006)
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>> CREATE AND TRANSMIT MESSAGE
[vpnd 14623 4093340576]@vistradpgw5[17 Aug 7:08:20][ikev2] >>>
------------------------------------------------------------------------
In the ike.elg I do not find any entry with the respective VPN Community...
--------------------------------------------------------------------------

Also, I can't imagine how the anti-spoofing drops can happen at all:
I see a proper key exchange
The ICMP request is entering the VPN community (LAN interface - outbound)
The ICMP-reply is dropped on the WAN interface - outbound - while there is no route that could explain that traffic flow.
The source IP and destination IP addresses are still in the "initiating" direction, with my client as source and the remote device as destination, while the "reply" should be vice versa...

Thank you very much in advance!

0 Kudos
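A small check for the encryption-domain and topology question raised in the replies, applied to the setup described in this post: a local VPN domain of private subnets, an interoperable object declaring 10.210.x.x, and an Azure side declaring 10.0.0.0/8. This is an added example, not code from the thread or from Check Point; the concrete prefixes stand in for the masked ones and the interface layout is assumed.

```python
"""Encryption-domain sanity check for a domain-based site-to-site VPN.
Models the setup in the post: a local VPN domain of private subnets, a peer
object declaring 10.210.x.x, and an Azure side declaring 10.0.0.0/8.
Every prefix and the interface layout below are constructed stand-ins.
"""
from ipaddress import ip_address, ip_network

LOCAL_DOMAIN = [ip_network("10.20.0.0/16"), ip_network("192.168.10.0/24")]
PEER_DOMAIN_LOCAL_VIEW = [ip_network("10.210.0.0/16")]   # on the interoperable object
PEER_DOMAIN_AZURE_VIEW = [ip_network("10.0.0.0/8")]      # what Azure declares
# Interface topology: None marks the external interface ("leads out to the
# Internet"); internal interfaces list the networks behind them.
TOPOLOGY = {"eth0": None, "eth1": LOCAL_DOMAIN}


def in_domain(addr, domain):
    return any(ip_address(addr) in net for net in domain)


def overlaps(domain_a, domain_b):
    """Prefix pairs that overlap: an address in both is 'local' and 'remote'
    at once, so neither side can classify it consistently."""
    return [(a, b) for a in domain_a for b in domain_b if a.overlaps(b)]


def classify(src, dst, local_domain, peer_domain):
    """Domain-based VPN decision: local source to peer destination is
    encrypted, peer source to local destination is decrypted, the rest is
    plain routed traffic."""
    if in_domain(src, local_domain) and in_domain(dst, peer_domain):
        return "encrypt"
    if in_domain(src, peer_domain) and in_domain(dst, local_domain):
        return "decrypt"
    return "cleartext"


def anti_spoof_drop(iface, src):
    """Anti-spoofing as modelled here: the external interface refuses sources
    that belong to an internal interface; an internal interface refuses
    sources outside its own networks."""
    internal = [n for nets in TOPOLOGY.values() if nets for n in nets]
    if TOPOLOGY[iface] is None:
        return in_domain(src, internal)
    return not in_domain(src, TOPOLOGY[iface])


def domain_report(local_domain, peer_local_view, peer_azure_view):
    """The two findings to check first when a VPN reply is dropped as spoofed."""
    findings = []
    if overlaps(local_domain, peer_azure_view):
        findings.append("peer's declared domain overlaps the local domain")
    if sorted(peer_local_view) != sorted(peer_azure_view):
        findings.append("peer domain differs between the two sides")
    return findings
```

With the constructed values, domain_report flags both that Azure's 10.0.0.0/8 swallows the local 10.x subnets and that the two sides disagree on the peer domain, which is the mismatch the replies suggest looking at before any IKE debugging.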