IpSec VPN between MT / AZURE

aeg · December 17, 2014, 1:13am

We are trying to setup a IpSec Site-to-Site VPN between our office and Windows Azure.
The VPN does not establish with the following error

14:00:32 ipsec,debug respond new phase 2 negotiation: 103.29.yy.xx[500]<=>23.101.yyy.xxx[500]
14:00:32 ipsec,error authtype mismatched: my:hmac-sha1 peer:hmac-sha256
14:00:32 ipsec,debug not matched

As far as I understand we can not change any related settings on the Azure side. Therefore
I have tried to find a matching setting in the MT phase 2 but the menu does not offer
a SHA256 phase 2 authentication.

Is that a bug or simply not a capability supported by mikrotik or can it be added?

Does any one has that VPN working, if so could you share the config please.
v6.23 Current pahse 2 proposal setting with sha256 Auth Algoritmus not available.png

rjickity · December 17, 2014, 2:47pm

mikrotik isn’t technically supported by azure i just grab the prebuilt cisco configs from the generator, apply your ios=ros translation skills. Here’s a sanatised snip from a working azure setup i’ve got running for a traditional site-to-site tunnel:

/ip ipsec proposal
add disabled=yes enc-algorithms=aes-256-cbc lifetime=8h name=azure
/ip ipsec peer
add address=z.z.z.z/32 comment="Azure IPSec" disabled=yes dpd-interval=disable-dpd enc-algorithm=aes-256 lifebytes=102400000 lifetime=1h my-id-user-fqdn=x.x.x.x nat-traversal=no secret=passphrase
/ip ipsec policy
add comment="Azure IPSec" disabled=yes dst-address=y.y.y.y/24 proposal=azure sa-dst-address=:: sa-src-address=:: src-address=w.w.w.w/16 tunnel=yes

z.z.z.z = azure network gateway ip
x.x.x.x = public IP of the site mikrotik
y.y.y.y = azure internal subnet
w.w.w.w = internal lan subnet

Hope that helps you.

aeg · December 19, 2014, 1:30am

Hi rjickity

Thank you for your replay.
I have tried your config with the same result:

dec/18 10:28:33 ipsec,error authtype mismatched: my:hmac-sha1 peer:hmac-sha256 dec/18 10:28:33 ipsec,debug not matched

As per my first post I don’t see an option to select a aes256 auth for phase2 in the menue.

When consulting the wiki I found the following command line options for the phase2 proposal:
auth-algorithms (md5|sha1|null|sha256|sha512; Default: sha1)

So my proposal looks like this:
name=“azure256” auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h pfs-group=modp1024

After adding this proposal I have the tunnel now connecting and standing up.
All errors are gone from the ipsec log but still not able to ping the other side…

When connecting between mikrotiks with the same settings there are no problems (given they are on the same firmware) and hosts are able to ping…

So my problem was that the menue in my Winbox did not show all available options.
Therefore I could “only” select SHA1 even dough the commandline offers more options.

For your information I am using v6.23

Thanks
Andy

rjickity · January 28, 2015, 11:51am

hi aeg, sorry for the late reply.

if you haven’t figured out already - azure does not like ping. do not use it as diagnostic as it is always dropped.

check your sa’s and make sure your byte counts are increasing and test out another protocol like ssh or rdp to your vm instance.

sergejs · January 28, 2015, 12:14pm

aeg,

So my problem was that the menue in my Winbox did not show all available options.
Therefore I could “only” select SHA1 even dough the commandline offers more options.

Please make sure you are using newest Winbox (possible). 2.2.18 or even better Winbox 3 from MikroTik.com
There should be all algorithms available at Proposal configuration.

eldarkt · February 18, 2016, 6:19pm

Hi there, I have RouterBoard 951-2n (OS 6.33.5) and it works fine with same settings in sha1 mode, but I see in error log:
authtype mismatched: my:hmac-sha1 peer:hmac-sha256

Should it work with sha256 also?

I tried to set sha256 in peer and proposal settings, but it just stopped to work - no packets, no error messages, until I set it back to sha1.
Any thoughts?..

mrz · February 19, 2016, 10:09am

Make sure you are using at least v6.34 where sha256 incompatibility with other vendors is fixed.

eldarkt · February 19, 2016, 10:46am

Mrz, many thanks!
Just updated to 6.34.1 and now it works in sha256 mode.

One last thing: I still have those errors in log every 2 minutes:

phase1 negotiation failed due to time up [500]<=>[500]

But why?.. tunnel works!
Here is my Mikrotik configs:

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=8h
/ip ipsec peer
add address=<azure gateway ip> dpd-interval=10m enc-algorithm="" hash-algorithm=\
    sha256 local-address=0.0.0.0 secret=<secret>
/ip ipsec policy
add dst-address=10.0.0.0/24 sa-dst-address=<azure gateway ip> sa-src-address=\
    <mikrotik gateway ip> src-address=192.168.0.0/24 tunnel=yes

eldarkt · February 21, 2016, 11:13am

Hi all,
yesterday it just stopped to log this error (I didn’t change anything).
Looks like it was something wrong on other (Azure) side and was fixed after a while (probably timeout 24 hours or something like this) .

So now it works great.