Good morning everyone.
I’m having trouble setting up a MikroTik CCR with IPsec to Microsoft Azure. After configuring all the IPsec parameters, the peer does not come up.
This is the error: ipsec: payload missing SA.
I enabled ipsec logging and this is the detail:
The configuration (cleaned of unnecessary data) is this:
# 2024-05-26 13:50:00 by RouterOS 7.14.3
/interface bridge
add comment="Bridge 1 for LAN 1 (Custom)" name="bridge1 - LAN1" \
port-cost-mode=short
add comment="Bridge 2 for LAN 2 (Custom)" disabled=yes name="bridge2 - LAN2" \
port-cost-mode=short
/interface list
add name=WAN
add name=LAN
/ip ipsec profile
add dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256,aes-128 name=\
"Profile Microsoft Azure (custom)" nat-traversal=no
/ip ipsec peer
add address=***********/32 comment="Org IP in Azure" exchange-mode=ike2 name=\
"Peer VPN Azure" profile="Profile Microsoft Azure (custom)"
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc \
lifetime=1h name="Proposal Azure (Custom)"
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment="LAN Org (Custom)" interface="bridge1 - LAN1" list=LAN
add comment="WAN ISP (Custom)" interface="pppoe-out1 - ISP" list=WAN
add comment="LAN 2 - Lawal (Custom)" interface="bridge2 - LAN2" list=LAN
/ip address
add address=10.0.0.254/24 comment="LAN - Router IP (custom)" interface=\
"bridge1 - LAN1" network=10.0.0.0
add address=192.168.120.11/24 comment="LAN 2 - IP Router (Custom)" disabled=\
yes interface="bridge2 - LAN2" network=192.168.120.0
/ip firewall nat
add action=accept chain=srcnat comment="LAN to VPN Azure (Custom)" \
dst-address=192.168.1.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="LAN to Internet (Custom)"
/ip ipsec identity
add comment="PSK in Azure (Custom)" peer="Peer VPN Azure"
/ip ipsec policy
add comment="Policy MS Azure DataCenter Virtual Network (custom)" \
dst-address=192.168.1.0/24 peer="Peer VPN Azure" proposal=\
"Proposal Azure (Custom)" src-address=10.0.0.0/24 tunnel=yes
add comment="Milan LAN (Custom)" disabled=yes dst-address=172.16.128.0/24 \
peer="Peer VPN Azure" src-address=10.0.0.0/24 tunnel=yes
/ip route
add check-gateway=ping comment="LAN 2 Gw (Custom)" disabled=no distance=1 \
dst-address=192.168.120.0/24 gateway=192.168.120.11 pref-src="" \
routing-table=main suppress-hw-offload=no
add comment="Site Milan by Azure path for AD Sync (Custom)" disabled=yes \
distance=1 dst-address=10.0.0.0/24 gateway=******** pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Has anyone already had a similar problem? What tests could I do to try to resolve it?
Thank you all.
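As an added example (not code from the original poster or from MikroTik), here is a small Python checker for the RouterOS export format shown above. It joins the backslash-continued lines, parses each `add`/`set` entry into key/value pairs, and then checks the IPsec part of the export for two things a reviewer would want to know before chasing the peer itself: dangling cross-references (a peer pointing at a profile that does not exist, an identity or policy pointing at a missing peer or proposal) and legacy algorithms still listed in the negotiation set (modp1024 and sha1 are present in the post's profile and proposal). The sample export embedded below is a constructed, trimmed copy of the poster's configuration with the masked Azure address replaced by the documentation placeholder 203.0.113.10; the built-in `default` profile and proposal, which RouterOS does not print in an export, are assumed to exist. The script only checks the local side for consistency; it cannot tell what the Azure gateway is configured to accept and does not by itself explain the "payload missing SA" error.

```python
import shlex

# Constructed sample: a trimmed RouterOS export modelled on the post above.
# The peer address is a documentation placeholder, not a real endpoint.
SAMPLE_EXPORT = r"""
# 2024-05-26 13:50:00 by RouterOS 7.14.3
/ip ipsec profile
add dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256,aes-128 name=\
"Profile Microsoft Azure (custom)" nat-traversal=no
/ip ipsec peer
add address=203.0.113.10/32 comment="Org IP in Azure" exchange-mode=ike2 name=\
"Peer VPN Azure" profile="Profile Microsoft Azure (custom)"
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc \
lifetime=1h name="Proposal Azure (Custom)"
/ip ipsec identity
add comment="PSK in Azure (Custom)" peer="Peer VPN Azure"
/ip ipsec policy
add comment="Policy MS Azure" dst-address=192.168.1.0/24 peer="Peer VPN Azure" proposal=\
"Proposal Azure (Custom)" src-address=10.0.0.0/24 tunnel=yes
"""

# Algorithms that are still negotiable on RouterOS but are no longer considered adequate.
WEAK_DH = {"modp768", "modp1024", "modp1536"}
WEAK_AUTH = {"md5", "sha1"}
# RouterOS ships a "default" profile and proposal that never appear in an export.
BUILTIN = {"default"}


def logical_lines(text):
    """Join RouterOS export lines that end in a backslash continuation."""
    out, buf = [], ""
    for raw in text.splitlines():
        piece = raw.lstrip() if buf else raw
        if piece.rstrip().endswith("\\"):
            buf += piece.rstrip()[:-1]  # drop the backslash, keep the text before it
        else:
            out.append(buf + piece)
            buf = ""
    if buf:
        out.append(buf)
    return out


def parse_export(text):
    """Return {section path: [entry dict, ...]} for an export; quoted values are unquoted."""
    config, section = {}, None
    for line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            config.setdefault(section, [])
            continue
        tokens = shlex.split(line)  # handles name="bridge1 - LAN1" style values
        entry = {"_verb": tokens[0]}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            entry[key] = value if sep else True
        config[section].append(entry)
    return config


def check_ipsec(config):
    """Flag legacy algorithms and dangling references in the IPsec sections."""
    findings = []
    profiles = {p.get("name"): p for p in config.get("/ip ipsec profile", [])}
    proposals = {p.get("name"): p for p in config.get("/ip ipsec proposal", [])}
    peers = {p.get("name"): p for p in config.get("/ip ipsec peer", [])}

    for name, prof in profiles.items():
        weak = set(prof.get("dh-group", "").split(",")) & WEAK_DH
        if weak:
            findings.append(f"profile {name!r}: legacy DH group(s) {sorted(weak)} offered")
    for name, prop in proposals.items():
        weak = set(prop.get("auth-algorithms", "").split(",")) & WEAK_AUTH
        if weak:
            findings.append(f"proposal {name!r}: legacy auth algorithm(s) {sorted(weak)} offered")
    for name, peer in peers.items():
        ref = peer.get("profile", "default")
        if ref not in profiles and ref not in BUILTIN:
            findings.append(f"peer {name!r}: references missing profile {ref!r}")
    for ident in config.get("/ip ipsec identity", []):
        if ident.get("peer") not in peers:
            findings.append(f"identity: references missing peer {ident.get('peer')!r}")
    for pol in config.get("/ip ipsec policy", []):
        if pol.get("peer") not in peers:
            findings.append(f"policy: references missing peer {pol.get('peer')!r}")
        ref = pol.get("proposal", "default")
        if ref not in proposals and ref not in BUILTIN:
            findings.append(f"policy: references missing proposal {ref!r}")
    return findings


if __name__ == "__main__":
    for finding in check_ipsec(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Run it against a full `/export` to get the same report for a real router; on the sample above it reports the modp1024 group in the profile and sha1 in the proposal, and no broken references. Pruning the legacy entries from the offered sets makes the negotiation log easier to read, because the remote side then has fewer proposals to reject before the actual mismatch shows up.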