OPENSUSE13.1 over IPSEC to Azure = ?

 # cat /etc/issue
Welcome to openSUSE 13.1 "Bottle" - Kernel \r (\l).

opensuse13.1 i386

# rpm -qa | grep -i openswan
openswan-2.6.29-59.1.i586

Problem - it didn't connect (I don't understand why :frowning: )

# ipsec auto --verbose --up dmsazure
000 initiating all conns with alias='dmsazure' 
002 "dmsazure/3x1" #2: initiating Main Mode
104 "dmsazure/3x1" #2: STATE_MAIN_I1: initiate
003 "dmsazure/3x1" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
003 "dmsazure/3x1" #2: received and ignored informational message
010 "dmsazure/3x1" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
003 "dmsazure/3x1" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
003 "dmsazure/3x1" #2: received and ignored informational message
^C


About my ipsec configs:

# cat /etc/ipsec.conf
config setup
    interfaces=%defaultroute
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:172.16.0.0/16,%v4:172.17.0.0/16,%v4:192.168.0.0/16
    oe=off
    protostack=auto
    plutostderrlog=/dev/null


# default settings for connections
conn %default
    # keyingtries default to %forever
    #keyingtries=3
    # Sig keys (default: %dnsondemand)
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    # Lifetimes, defaults are 1h/8hrs
    #ikelifetime=20m
    #keylife=1h
    #rekeymargin=8m

# Add connections here

conn dmsazure
    authby=secret
    auto=start
    type=tunnel
    left=MYLINUX_REAL_IP
    leftsubnets={172.16.0.0/16,172.17.0.0/16,192.168.0.0/16}
    right=AZURE_VPN_GATEWAY_IP
    rightsubnets={172.19.1.0/24}
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    pfs=no
    ikelifetime=8h
    keylife=1h
    phase2=esp
    


# cat /etc/ipsec.secrets
MY_LINUX_REAL_IP AZURE_VPN_GATEWAY_IP : PSK "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"

Please, Help me.

Serg

Particularly when you are using an old version of openSUSE, there have been different ways to set up IPSEC.

You need to:
Identify the OS of the machine on each end of your IPSEC tunnel (not just the 13.1 end).
If you're following a guide, provide a link or say where the guide came from.
You may need to provide the ipsec configs for each machine on the ends of your IPSEC tunnel.
You may need to describe how you created your IPSEC "secret" and the method you used to provide that secret to both ends.

TSU


# uname -a
Linux ipsec01 3.11.10-17-pae #1 SMP Mon Jun 16 15:28:13 UTC 2014 (fba7c1f) i686 i686 i386 GNU/Linux
# rpm -qa | grep -i kernel
kernel-firmware-20130714git-2.17.1.noarch
kernel-pae-3.11.10-11.1.i686
kernel-pae-3.11.10-17.2.i686
# rpm -qa | grep -i openswan
openswan-2.6.29-59.1.i586
2. Guides:
https://azure.microsoft.com/en-us/blog/connecting-to-a-windows-azure-virtual-network-via-a-linux-based-software-vpn-device/
http://mobireme.com/azure-vpn-testing/azure-vpn-linux-openswan-vpn/
3. My ipsec configs are in the previous post.
4. The IPSEC was created in Azure ( https://azure.microsoft.com/en-us/blog/connecting-to-a-windows-azure-virtual-network-via-a-linux-based-software-vpn-device/ )


OK,
And I need some verification of what you're running in Azure.

Might be a dotNET app,
A full Windows machine (then I need the version of Windows),
A full Linux machine (rather newly supported).

TSU

https://azure.microsoft.com/en-us/blog/connecting-to-a-windows-azure-virtual-network-via-a-linux-based-software-vpn-device/
In Azure I use the Azure Gateway (not a dedicated server). This is the Azure service.

Serg

I don't understand this openswan error message:

# ipsec auto --up  dmsazure
000 initiating all conns with alias='dmsazure' 
104 "dmsazure/3x1" #2: STATE_MAIN_I1: initiate
003 "dmsazure/3x1" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
003 "dmsazure/3x1" #2: received and ignored informational message
010 "dmsazure/3x1" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
003 "dmsazure/3x1" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
003 "dmsazure/3x1" #2: received and ignored informational message


This is the configuration script from Azure for Cisco:

Cisco—ipsec—>AZURE

Script text:

! Microsoft Corporation
! Windows Azure Virtual Network

! This configuration template applies to Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software 8.3.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

! ---------------------------------------------------------------------------------------------------------------------
! ACL and NAT rules
! 
! Proper ACL and NAT rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
object-group network azure-networks
 network-object 172.19.1.0 255.255.255.0
 exit
object-group network onprem-networks
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.255.0.0
 network-object 172.17.0.0 255.255.0.0
 exit
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks

! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
! 
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
 exit

! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
! 
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association. 
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer AZURE_IP_ADDRESS_PUBLIC
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
! Note that you can only bind one crypto map to the "outside" interface. You can, however, define
! different peer/transform-set within a crypto map and identify them with different IDs.
crypto map azure-crypto-map interface outside

! ---------------------------------------------------------------------------------------------------------------------
! Tunnel configuration
!
! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key
! value used for Phase 1 authentication.  
tunnel-group AZURE_IP_ADDRESS_PUBLIC type ipsec-l2l
tunnel-group AZURE_IP_ADDRESS_PUBLIC ipsec-attributes
 pre-shared-key "xxxxxxxxxxxxxxxxxxx"
 exit

! ---------------------------------------------------------------------------------------------------------------------
! TCPMSS clamping
!
! Adjust the TCPMSS value properly to avoid fragmentation
sysopt connection tcpmss 1350
exit


The Azure documentation you reference conveniently uses an Ubuntu image from its own inventory to create a VM set up as the VPN Gateway using openswan, then connects to it using another Linux VM (I assume the same Ubuntu image) emulating a remote VPN client. Be aware that a demo example like this conveniently assures that exactly the same versions of many things are used on both ends of the demo VPN, which might be important to the result.

The results and configurations you posted in this thread come from only one machine?
Are you setting up your VPN gateway also using an Ubuntu image like your reference or did you set up using an openSUSE or other image?

I also need to ask you, although the Microsoft Azure reference describes connecting from one VM to another VM, can I assume that you are creating a VM as your openswan VPN gateway but are using your own real machine as the VPN client instead of another VM as described in the reference?

The general steps in the Azure reference might be repeated and summarized, modified to support using your own machine as the VPN client.


Create a Linux VM for your VPN gateway, configured with a public network interface and a private network interface.
Install openswan.
Open the IPsec ports in your firewall
Run openswan (The reference uses old commands. If you use any recent version of Ubuntu or openSUSE, the commands will be different, and openSUSE uses systemd commands).
Using the Azure UI Portal (Networks tab),
Assign the public IP as a VPN device and at least one private IP for your private network. If you assign a network by subnet mask, all LAN clients must be deployed on the same physical machine (as the Gateway?). BTW - I'm sure the Azure reference is wrong about how many addresses can be used in a /24 subnet; it's very well known that the highest and lowest addresses in a range can't be used. They're special addresses which denote "everyone" like a broadcast and "only myself" like localhost.
Create a Static Routing Gateway
DO NOT CLOSE THE WEBSITE

The above sets up the Server side, or the first (right) site if you're configuring site-to-site instead of client-server.
Now, you set up your end (the end that’s not likely in the cloud)

Install openswan
Edit /etc/ipsec.conf
To configure /etc/ipsec.conf correctly, you need to configure values taken from the openswan website (The first steps above). The “right” value should be the public IP address of the gateway you set up in the cloud, and the “rightsubnet” is the private network on Azure behind the gateway. This means also that “left” is the public IP address of the machine you’re currently working on, and the “leftsubnet” is the private network behind your machine.

Note also that, depending on your version of openswan, your "conn vpn" code block might look slightly different, and if you need help configuring you should read the man pages:

man ipsec.conf

Your next step should be to import the PSK used to encrypt your IPSEC tunnel from the Azure UI portal site.
Copy the PSK and insert it into the file /etc/ipsec.secrets in the following format

LocalIP GatewayVIP : PSK "Shared Key"
Example:


#include /etc/ipsec.d/*.secrets
100.88.124.18 137.117.136.230 : PSK "XXXXXXXXXXXXXXXXXXXX"

Restart your IPsec service, assuming this machine is your 13.1,

systemctl restart ipsec.service

You can view your ipsec status afterwards

systemctl status ipsec.service

The steps as described assume that openswan will manage minor differences between the gateway in the cloud and your own machine. Major differences in openswan may be a problem; one way around that is to deploy your own 13.1 vhd into Azure so that both ends are the same, which should address any differences.

TSU
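An added example, not part of this thread and not anyone's posted configuration: the conn block quoted earlier offers ike=aes128-sha1-modp1024 and esp=aes128-sha1, while the Cisco template posted above describes what the Azure gateway negotiates (aes-256, sha, group 2 for phase 1; esp-aes-256 esp-sha-hmac for phase 2, no PFS). When a responder accepts none of the initiator's phase 1 transforms it answers Main Mode with NO_PROPOSAL_CHOSEN, which is the informational payload in the logs above, so the first thing to check is that both ends speak the same proposal. The script below maps the ASA vocabulary onto openswan's and lists every parameter on which the two sides disagree; it also checks that the ipsec.secrets selectors are exactly the conn's left and right, the format TSU describes. The conn block, the secrets line and the ASA excerpt embedded in it are constructed from what the thread quotes (placeholders kept as posted, dummy PSK), and the algorithm tables cover only a subset of each vendor's vocabulary.

```python
"""Cross-check an openswan conn block against the Azure ASA template and the
ipsec.secrets PSK line.  Added example for this thread, not the posters' code."""

# Constructed excerpts modelled on the configs quoted in the thread
# (placeholders kept as posted; the PSK value is a dummy).
IPSEC_CONF = """\
conn dmsazure
    left=MYLINUX_REAL_IP
    right=AZURE_VPN_GATEWAY_IP
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    pfs=no
"""
IPSEC_SECRETS = 'MY_LINUX_REAL_IP AZURE_VPN_GATEWAY_IP : PSK "xxxxxxxx"\n'
ASA_TEMPLATE = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
 exit
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
"""
# ASA keyword -> openswan algorithm name (subset of each vocabulary)
ASA_ENC = {"aes": "aes128", "aes-256": "aes256", "3des": "3des"}
ASA_HASH = {"sha": "sha1", "md5": "md5"}
ASA_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
ASA_ESP = {"esp-aes": "aes128", "esp-aes-256": "aes256", "esp-3des": "3des",
           "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}
IKE_FIELDS = {"encryption": ("ike_enc", ASA_ENC), "hash": ("ike_hash", ASA_HASH),
              "group": ("ike_dh", ASA_GROUP)}

def parse_conn(conf_text, name):
    """Return the key=value settings of one 'conn <name>' block of ipsec.conf."""
    settings, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented: new section
            inside = line.split() == ["conn", name]
        elif inside and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def parse_asa(asa_text):
    """Extract the phase 1 / phase 2 proposal from the Azure ASA template."""
    prop = {"pfs": "no"}                            # ASA: off unless 'set pfs'
    for w in (raw.split() for raw in asa_text.splitlines() if raw.strip()):
        if w[0] in IKE_FIELDS:
            key, table = IKE_FIELDS[w[0]]
            prop[key] = table[w[1]]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            prop["esp_enc"], prop["esp_auth"] = ASA_ESP[w[4]], ASA_ESP[w[5]]
        elif w[:2] == ["crypto", "map"] and "pfs" in w:
            prop["pfs"] = "yes"
    return prop

def compare_proposals(conn, asa):
    """List every phase 1 / phase 2 parameter on which the two ends disagree.
    One phase 1 mismatch is enough for the responder to answer Main Mode with
    NO_PROPOSAL_CHOSEN, the informational payload quoted in the thread."""
    enc, hsh, dh = conn["ike"].split("-")           # e.g. aes128-sha1-modp1024
    esp_enc, esp_auth = conn["esp"].split("-")      # e.g. aes128-sha1
    checks = (("IKE encryption", enc, asa["ike_enc"]),
              ("IKE hash", hsh, asa["ike_hash"]),
              ("IKE DH group", dh, asa["ike_dh"]),
              ("ESP encryption", esp_enc, asa["esp_enc"]),
              ("ESP authentication", esp_auth, asa["esp_auth"]),
              ("PFS", conn.get("pfs", "yes"), asa["pfs"]))  # openswan default: yes
    return ["%s: local offers %s, template expects %s" % c
            for c in checks if c[1] != c[2]]

def check_secrets(conn, secrets_text):
    """The PSK line's selectors must be exactly the conn's left and right IDs."""
    findings = []
    for raw in secrets_text.splitlines():
        line = raw.split("#", 1)[0]
        if ": PSK" not in line:
            continue
        selectors = line.split(":", 1)[0].split()
        findings += ["ipsec.secrets selectors %s lack %s=%s" % (selectors, side, conn[side])
                     for side in ("left", "right") if conn[side] not in selectors]
    return findings

def audit(conf_text=IPSEC_CONF, secrets_text=IPSEC_SECRETS, asa_text=ASA_TEMPLATE,
          name="dmsazure"):
    conn = parse_conn(conf_text, name)
    return compare_proposals(conn, parse_asa(asa_text)) + check_secrets(conn, secrets_text)

if __name__ == "__main__":
    print("\n".join(audit()) or "no mismatches found")
```

Run against the constructed excerpts it reports three findings: the IKE and ESP ciphers (aes128 offered, aes256 expected) and the left selector in ipsec.secrets that does not match left= in the conn. The PFS row is there because openswan defaults to pfs=yes while the ASA template never issues `set pfs`; a conn that omits pfs= would fail phase 2 even after the ciphers are aligned.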