The Azure documentation you reference conveniently uses an Ubuntu image from its own inventory to create a VM set up as the VPN Gateway using openswan, then connects to it using another Linux VM(I assume same Ubuntu image) emulating a remote VPN client. Be aware that a demo example like this conveniently assures that exact same versions of many things are used on both ends of the demo VPN which might be important to the result.
The results and configurations you posted in this thread come from only one machine?
Are you setting up your VPN gateway also using an Ubuntu image like your reference or did you set up using an openSUSE or other image?
I also need to ask you, although the Microsoft Azure reference describes connecting from one VM to another VM, can I assume that you are creating a VM as your openswan VPN gateway but are using your own real machine as the VPN client instead of another VM as described in the reference?
The general steps in the Azure reference might be repeated and summarized, modified to support using your own machine as the VPN client…
Create a Linux VM for your VPN gateway, configured with a public network interface and a private network interface.
Open the IPsec ports in your firewall
Run openswan (The reference uses old commands. If you use any recent versions of Ubuntu or openSUSE, the commands will be different, and openSUSE uses systemd command).
Using the Azure UI Portal(Networks tab),
Assign the public ip as a VPN device and at least one private IP for your private network. If you assign a network by subnet mask, all LAN clients must be deployed on the same physical machine (as the Gateway?). BTW - I’m sure the Azure reference is wrong about how many addresses can be used in a /24 subnet, it’s very well known that the highest and lowest addresses in a range can’t be used… They’re special addresses which denote “everyone” like a broadcast and “only myself” like localhost.
Create a Static Routing Gateway
DO NOT CLOSE THE WEBSITE
The above sets up the Server side, or the first(right) site if you’re configuring site to site instead of client-server.
Now, you set up your end (the end that’s not likely in the cloud)
To configure /etc/ipsec.conf correctly, you need to configure values taken from the openswan website (The first steps above). The “right” value should be the public IP address of the gateway you set up in the cloud, and the “rightsubnet” is the private network on Azure behind the gateway. This means also that “left” is the public IP address of the machine you’re currently working on, and the “leftsubnet” is the private network behind your machine.
Note also that depending on your version of openswan, your “conn vpn” code block might look slightly different and if you need help configuring should rean the man pages
Your next step should be to import the PSK used to encrypt your IPSEC tunnel from the Azure UI portal site.
Copy the PSK and insert it into the file /etc/ipsec.secrets in the following format
LocalIP GatewayVIP : PSK ‘’Shared Key‘’
100.88.124.18 22.214.171.124 : PSK "XXXXXXXXXXXXXXXXXXXX"
Restart your IPsec service, assuming this machine is your 13.1,
systemctl restart ipsec.service
You can view your ipsec status afterwards
systemctl status ipsec.service
The steps as described assumes that openswan will manage minor differences between the gateway in the cloud and your own machine. Major differences in openswan may be a problem, one way is to deploy your own 13.1 vhd into Azure so that both ends are the same, so should address any differences.