Azure Site-to-Site

Phthisicus Member Posts: 2  Freshman Member
I am trying to make a site-to-site with Azure, only the connection would not establish.

The logs show the following:

2017-12-07 15:01:00 vpn 46.x.x.x 13.x.x.x
[SA] : No proposal chosen [count=3]
2017-12-07 15:01:00 vpn 46.x.x.x 13.x.x.x
The cookie pair is : 0x8ff0e64c51494b3c / 0x555b446570751a36
2017-12-07 15:01:00 vpn 13.x.x.x 46.x.x.x
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF, 1024 bit MODP; [2] protocol = IKE (1), AES CBC key len = 128, HMAC- [count=3]
2017-12-07 15:01:00 vpn 13.x.x.x 46.x.x.x
[INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][VID][VID][VID][VID] [count=3]
2017-12-07 15:01:00 vpn 13.x.x.x 46.x.x.x
Receiving IKEv2 request [count=3]
2017-12-07 15:01:00 vpn 13.x.x.x 46.x.x.x
The cookie pair is : 0x555b446570751a36 / 0x8ff0e64c51494b3c [count=2]
2017-12-07 15:01:01 vpn 46.x.x.x 13.x.x.x
The cookie pair is : 0x8ff0e64c51494b3c / 0xb4e8c422d1274207
2017-12-07 15:01:01 vpn 13.x.x.x 46.x.x.x
The cookie pair is : 0xb4e8c422d1274207 / 0x8ff0e64c51494b3c [count=2]
2017-12-07 15:01:02 vpn 46.x.x.x 13.x.x.x
The cookie pair is : 0x8ff0e64c51494b3c / 0xb54231e766312f3c
2017-12-07 15:01:02 vpn 13.x.x.x 46.x.x.x
The cookie pair is : 0xb54231e766312f3c / 0x8ff0e64c51494b3c [count=2]

Does anyone have any experience with this and Nebula?

Comments

  • Phthisicus Member Posts: 2  Freshman Member
    Seems that the NSG100 is not compatible with IKEv2 so you need to do a Policy Based gateway in Azure. :(
  • Nebula_Irene Zyxel Official Agent Posts: 140  mod
    Hi @Phthisicus

    I am glad to see you created a Site-to-Site VPN between Microsoft Azure and NSG100 successfully. ;)

    When you see “No proposal chosen” in the event log, it means there is something wrong in the IKE version/Phase 1&2 settings (such as Encryption, Authentication…).

    On Microsoft Azure, you have to set a Policy-based (static-routing) gateway for IKEv1, which is supported by NSG100.

    Besides, I just saw you created a ticket regarding this question through our technical support channel. If you would like to have IKEv2 on NSG, I would like to help you transfer the case to a feature request. If you have any detailed scenario on your side, please feel free to share! :+1:

  • FrankIversen Member Posts: 71  Ally Member
    But isn't a policy-based gateway only for 1 connection? What if we need to connect multiple offices to Azure?
  • ITPro Member Posts: 11  Freshman Member

    Yes, a policy-based gateway is only for 1 connection. What is your VPN topology?

    Is Azure the HQ (like the hub role), and do the other branches (like the spoke role) connect with Azure?
  • FrankIversen Member Posts: 71  Ally Member
    Yes, our customers run the servers in Azure. In many cases we want the remote branch offices, which are using NSG100, to connect site-2-site with Azure.
    We have been deploying site-2-site for multiple connections for decades. I find it a little bit weird that NSG100 is not supporting Azure, one of the largest IaaS cloud providers, for connecting a small company with a few branch offices.
  • Nebula_Chris Zyxel Official Agent Posts: 91  mod
    Hello @FrankIversen

    Multiple VPN connections with Azure (hub and spoke role) is in our feature queue now.
    The schedule is still under discussion, but it will be implemented next year.
    Anyone who has the same request can press like on this conversation to let us know how popular it is! :)
  • FrankIversen Member Posts: 71  Ally Member
    Any news regarding this?
  • Nebula_Chris Zyxel Official Agent Posts: 91  mod
    @FrankIversen
    Do you mean the precise date of the schedule or something else?
  • FrankIversen Member Posts: 71  Ally Member
    Was hoping for a schedule. We really need to be able to connect to Azure with IKEv2 and route-based VPN ASAP.
  • Nebula_Chris Zyxel Official Agent Posts: 91  mod
    Hello @FrankIversen
    The schedule will be in June 2019 if everything goes through well!
    So stay tuned =)
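
The diagnosis reached in this thread (the peer initiates IKEv2 while the NSG100 is said to support only IKEv1), reproduced from the posted log lines as an added example that is not part of the original thread or of any Zyxel tooling. The function names and the `local_ike_versions` parameter are hypothetical; the log excerpt is copied from the first post.

```python
import re

# Excerpt copied from the log in the original post (header line + message line
# per event). The proposal list is cut off in the post; the parser tolerates it.
LOG = """\
2017-12-07 15:01:00 vpn 46.x.x.x 13.x.x.x
[SA] : No proposal chosen [count=3]
2017-12-07 15:01:00 vpn 13.x.x.x 46.x.x.x
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF, 1024 bit MODP; [2] protocol = IKE (1), AES CBC key len = 128, HMAC- [count=3]
2017-12-07 15:01:00 vpn 13.x.x.x 46.x.x.x
Receiving IKEv2 request [count=3]
"""
HEADER = re.compile(r"^\S+ \S+ vpn (\S+) (\S+)$")

def messages(log):
    """Return (src, dst, message) for each header line and the line after it."""
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    return [(m[1], m[2], msg) for head, msg in zip(lines, lines[1:])
            if (m := HEADER.match(head))]

def offered_proposals(msg):
    """Split a 'Recv IKE sa' message into one list of transforms per proposal."""
    body = re.sub(r"\s*\[count=\d+\]$", "", msg.split("SA(", 1)[1]).rstrip(")")
    props = []
    for part in body.split(";"):
        if (m := re.match(r"\s*\[\d+\] protocol = IKE \(1\), (.*)", part)):
            props.append([t.strip() for t in m[1].split(",")])
    return props

def diagnose(log, local_ike_versions=("IKEv1",)):
    """Summarise the context of a 'No proposal chosen' event, or None if absent."""
    # Assumption from the thread: the NSG100 is said to support IKEv1 only.
    msgs = [m for _, _, m in messages(log)]
    if not any("No proposal chosen" in m for m in msgs):
        return None
    peer = next((v[0] for m in msgs if (v := re.search(r"IKEv[12]", m))), None)
    offers = next((offered_proposals(m) for m in msgs
                   if m.startswith("Recv IKE sa")), [])
    return {
        "peer_version": peer,
        "version_mismatch": peer is not None and peer not in local_ike_versions,
        "offers": offers,
        # Indexes of offers using 1024-bit MODP (DH group 2), a weak group
        "modp1024_offers": [i for i, p in enumerate(offers) if "1024 bit MODP" in p],
    }

if __name__ == "__main__":
    print(diagnose(LOG))
```

A `version_mismatch` of `True` points at the IKE version rather than at the encryption or authentication transforms, which matches the resolution described in the replies.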