I want to watch a specific Docs page for changes


I had been calling the GitHub API from Logic Apps and the like, but it turns out there is a much easier way, so I am rewriting this.

 

It has been a while since the documentation for Azure and the rest of Microsoft's services moved to Docs, and there are times when you want to know whether a particular page has changed.

That said, you don't want to Watch the entire GitHub repository...

 

As an arbitrary example, let's try it with the ASE management IP page. (Whether those IPs ever actually change, I don't know.)

Click [Edit] at the top right of the document.

 

That takes you to the corresponding page on GitHub.

On GitHub, open History for that file.

Then all you have to do is append .atom to the end of that URL and you get an RSS (Atom) feed of the commit history. Easy.
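As an added example (not part of the original post), here is a PowerShell script that does the polling the step above describes: it turns the History URL into its Atom feed, reads the newest commit entry, and reports when it differs from the one saved on the previous run. The docs file path in the default URL is an assumption, and the embedded sample feed (with made-up commit SHAs) is constructed so the script can be exercised offline.

```powershell
# Added example, not code from the original post. Watches one Docs page by polling the
# Atom feed of its GitHub commit history and comparing the newest commit id with the
# one saved from the previous run. The docs path below is an assumption for illustration.
param(
    [string]$HistoryUrl = 'https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/environment/management-addresses.md',  # assumed path
    [string]$StateFile  = (Join-Path ([IO.Path]::GetTempPath()) 'docs-watch-state.txt'),
    [switch]$Offline    # use the constructed sample feed below instead of fetching from GitHub
)

# Constructed sample of the shape GitHub returns for "<History URL>.atom" (newest entry first).
$SampleFeed = @'
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Recent Commits to azure-docs:master</title>
  <entry>
    <id>tag:github.com,2008:Grit::Commit/0123456789abcdef0123456789abcdef01234567</id>
    <link type="text/html" rel="alternate" href="https://github.com/MicrosoftDocs/azure-docs/commit/0123456789abcdef0123456789abcdef01234567"/>
    <title>Update management address list</title>
    <updated>2018-05-01T09:00:00Z</updated>
  </entry>
  <entry>
    <id>tag:github.com,2008:Grit::Commit/89abcdef0123456789abcdef0123456789abcdef</id>
    <link type="text/html" rel="alternate" href="https://github.com/MicrosoftDocs/azure-docs/commit/89abcdef0123456789abcdef0123456789abcdef"/>
    <title>Initial page</title>
    <updated>2018-04-01T09:00:00Z</updated>
  </entry>
</feed>
'@

function Get-LatestCommitEntry {
    # Returns the first (newest) <entry> of an Atom commit feed as a small object.
    # PowerShell's XML adapter exposes elements by local name, so no namespace manager is needed.
    param([Parameter(Mandatory)][xml]$Feed)
    $entry = @($Feed.feed.entry)[0]
    if ($null -eq $entry) { return $null }
    [pscustomobject]@{
        Sha     = ($entry.id -split '/')[-1]     # "tag:github.com,2008:Grit::Commit/<sha>"
        Title   = $entry.title.Trim()
        Updated = [datetime]$entry.updated
        Link    = $entry.link.href
    }
}

if ($Offline) {
    [xml]$feed = $SampleFeed
} else {
    # The file's History URL plus ".atom" is the Atom feed of that file's commit log.
    $feedUrl = $HistoryUrl.TrimEnd('/') + '.atom'
    [xml]$feed = (Invoke-WebRequest -Uri $feedUrl -UseBasicParsing).Content
}

$latest = Get-LatestCommitEntry -Feed $feed
if ($null -eq $latest) { Write-Warning 'Feed contains no entries'; exit 1 }

# Compare against the SHA recorded last time; a different newest commit means the page changed.
$previous = if (Test-Path $StateFile) { (Get-Content $StateFile -Raw).Trim() } else { '' }
if ($latest.Sha -ne $previous) {
    Write-Output ("CHANGED: {0} ({1:u})`n  {2}" -f $latest.Title, $latest.Updated, $latest.Link)
    Set-Content -Path $StateFile -Value $latest.Sha
} else {
    Write-Output "No change since commit $($latest.Sha.Substring(0, 7))"
}
```

Run it once with -Offline to see the "CHANGED" branch against the sample feed, then schedule the live form (Task Scheduler, a Logic App, whatever you already have) and act on the "CHANGED" line. Comparing the commit SHA rather than the entry's timestamp avoids false positives from feed regeneration.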

 

Thanks as always, Buchizo-sensei.


Azure VPN Gateway (Active/Active) with FortiGate 100E / Juniper SRX650 / Cisco C841M VPNs, exchanging routes over BGP


I connected Azure to a certain private container data center over VPN and exchanged routes with BGP, so here are my notes before I forget.

 

Topology

  • Azure side: a VPN Gateway on the VpnGw1 SKU with Active/Active and BGP enabled, so it has two public IPs.
    (a1.a1.a1.a1 / a2.a2.a2.a2 in the diagram below)
  • On-premises side: three routers for external connectivity, each with one fixed public IP.
    (f.f.f.f / j.j.j.j / c.c.c.c in the diagram below)

 

Azure-side build steps

Following the documentation, create a VPN Gateway with any SKU other than Basic (Standard / High Performance / VpnGw1 / VpnGw2 / VpnGw3).

At creation time, don't forget to enable Active/Active (which gives you two public IPs) and BGP, and set the AS number the Azure side will use.

Note that Azure and on-premises exchange routes over eBGP, so the Azure ASN cannot be the same as the on-premises ASN.
(See the FAQ for the other ASNs that Azure reserves and you cannot use.)

 

Once the VPN Gateway has been created, confirm that it has been given two public IPs.
(You cannot create two VPN Gateways in the same VNet, so you create a single Active/Active VPN Gateway.)

If the second public IP is hidden, click [Show more].

 

On the [Configuration] blade, confirm that Active/Active and BGP are enabled.

Also make a note of the BGP peer IPs (the neighbors as seen from on-premises); you will need them when configuring the on-premises routers.

 

Next, define each on-premises router as a [Local network gateway].

Fill in the fields like this:

  • IP address: the public IP of the on-premises router
  • Address space: the on-premises BGP peer IP (this becomes the static route toward on-premises, so specify it with /32)
  • Configure BGP settings: checked
  • Autonomous system number (ASN): the on-premises AS number
  • BGP peer IP address: the on-premises BGP peer IP (no /32 needed for the neighbor setting)

 

Create one [Local network gateway] per on-premises router in the same way (three in this case).

 

Finally, create a [Connection] between the VPN Gateway and each local network gateway.

 

Here too, don't forget to enable the BGP option.

 

As with the [Local network gateway] resources, create one [Connection] resource per on-premises router.

In the figure below [Status] reads [Connected], but while the on-premises side is not yet configured it should read [Connecting].
(The English label is Connecting: the gateway is still attempting to connect, i.e. it is not connected.)

While the connection status is loading or refreshing, [Status] may briefly show [Succeeded]. That only means the resource definition (Provisioning State) is healthy; it does not mean the VPN is up, so don't be misled by it.
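As an added example (not code from the original post), here is the whole Azure-side procedure above done with the AzureRM cmdlets the post later uses for verification: two public IPs, one Active/Active gateway with BGP and the Azure ASN, one local network gateway per router with the peer IP as a /32 address space, one BGP-enabled connection per router, and a final check that distinguishes ProvisioningState from ConnectionStatus. The VNet name, the gateway and local network gateway names, and the on-premises public IPs (the post's f.f.f.f / j.j.j.j / c.c.c.c placeholders) are assumptions; the ASNs and peer IPs are the ones used throughout the post.

```powershell
# Added example, not code from the original post. Builds the Azure side with AzureRM cmdlets.
# Assumptions: resource group / gateway names taken from the post's output, VNet name made up,
# on-premises public IPs are the post's placeholders and must be replaced with real addresses.
$rg        = 'caledfwlch'          # resource group seen in the post's output
$location  = 'japaneast'
$vnetName  = 'caledfwlch-vnet'     # assumed; the VNet must already contain a GatewaySubnet
$gwName    = 'caledfwlch-vpngw'    # gateway name seen in the post's output
$azureAsn  = 65516
$onpremAsn = 65521

# One entry per on-premises router: its public IP and its BGP peer (loopback) address.
$routers = @(
    @{ Name = 'Fortigate100E-BGP'; PublicIp = 'f.f.f.f'; PeerIp = '172.16.255.254' },
    @{ Name = 'SRX650-BGP';        PublicIp = 'j.j.j.j'; PeerIp = '172.16.255.253' },
    @{ Name = 'C841M-BGP';         PublicIp = 'c.c.c.c'; PeerIp = '172.16.255.252' }
)

function New-RandomPsk {
    # 32 bytes from the CSPRNG, Base64-encoded: a distinct, unguessable IKE pre-shared key per peer.
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    [Convert]::ToBase64String($buf)
}

# 1. Active/Active needs two public IPs and two IP configurations on the GatewaySubnet.
$vnet      = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet    = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipconfigs = 1..2 | ForEach-Object {
    $pip = New-AzureRmPublicIpAddress -Name "$gwName-pip$_" -ResourceGroupName $rg `
        -Location $location -AllocationMethod Dynamic
    New-AzureRmVirtualNetworkGatewayIpConfig -Name "gwipconfig$_" -SubnetId $subnet.Id -PublicIpAddressId $pip.Id
}

# 2. Route-based gateway on a non-Basic SKU, Active/Active and BGP enabled with the Azure-side ASN.
$gw = New-AzureRmVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconfigs -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -EnableActiveActiveFeature -EnableBgp $true -Asn $azureAsn

# The BGP peer addresses Azure will use (10.0.255.4 / 10.0.255.5 in the post); the routers need these.
Write-Output "Azure BGP peer IPs: $($gw.BgpSettings.BgpPeeringAddress)"

# 3. One local network gateway per router. AddressPrefix is the peer IP as /32 so Azure installs a
#    static route toward it through the tunnel; BgpPeeringAddress is the same IP without a mask.
# 4. One IPsec connection per router with BGP enabled and its own pre-shared key.
$psks = @{}
foreach ($r in $routers) {
    $lng = New-AzureRmLocalNetworkGateway -Name $r.Name -ResourceGroupName $rg -Location $location `
        -GatewayIpAddress $r.PublicIp -AddressPrefix "$($r.PeerIp)/32" `
        -Asn $onpremAsn -BgpPeeringAddress $r.PeerIp
    $psks[$r.Name] = New-RandomPsk
    New-AzureRmVirtualNetworkGatewayConnection -Name $r.Name -ResourceGroupName $rg -Location $location `
        -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
        -SharedKey $psks[$r.Name] -EnableBgp $true | Out-Null
}
# Hand each PSK to the router's administrator out of band, then drop the $psks table.

# 5. ProvisioningState 'Succeeded' only says the resource definition is fine; the tunnel is up
#    only when ConnectionStatus is 'Connected' ('Connecting' means not connected yet).
Get-AzureRmVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Select-Object Name, ProvisioningState, ConnectionStatus |
    Format-Table -AutoSize
```

With the current Az module the cmdlet names are the same minus "Rm". Gateway creation takes a while; the connections will sit in Connecting until the routers below are configured.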

 

On-premises configuration (FortiGate 100E)

For the VPN to the FortiGate, the Cookbook is very clear, so refer to that.

Because the Azure side is Active/Active with two public IPs, define two VPN configurations on the FortiGate side as well.

Also, since BGP is used, in [8. Creating the FortiGate static route] point the static routes at the Azure-side BGP peer IPs (10.0.255.4 / 10.0.255.5 here) instead of the VNet address space. (You could add a static route to the VNet address space as well, but then there is little point in running BGP...)

If the VPN comes up, you should have two tunnels established with Azure. (Each has a Phase 1 and a Phase 2, so four SAs in total.)

# diagnose vpn ike status detailed 

vd: root/0
name: Azure
version: 2
connection: 1/712
IKE SA: created 1/713
IPsec SA: created 1/713
 
vd: root/0
name: AzureBGP
version: 2
connection: 1/29
IKE SA: created 4/83  established 4/57  times 0/170/9040 ms
IPsec SA: created 4/80  established 4/58  times 0/156/9040 ms
 
vd: root/0
name: AzureBGP2
version: 2
connection: 1/2
IKE SA: created 2/55  established 2/54  times 10/886/26080 ms
IPsec SA: created 2/55  established 2/55  times 0/383/21060 ms

 

With the VPN tunnels up, next exchange routes over BGP.

@kongou_ae's blog post below covers this in detail and was a great help.

The one thing to watch is the ebgp multihop setting: the peers are not directly connected (the session is sourced from a loopback and runs over the VPN tunnel), so without it the default eBGP TTL of 1 would prevent the session from forming.

Here I created a loopback interface (172.16.255.254) and advertise the on-premises route (172.16.0.0/16).

Because I'm advertising a prefix that is not in the routing table, network-import-check is disabled; depending on your setup this may not be necessary.

# show system interface 
config system interface
    edit "BGPloopback"
        set vdom "root"
        set ip 172.16.255.254 255.255.255.255
        set type loopback
    next

# show router bgp
config router bgp
    set as 65521
    set network-import-check disable
    config neighbor
        edit "10.0.255.4"
            set ebgp-enforce-multihop enable
            set next-hop-self enable
            set soft-reconfiguration enable
            set remote-as 65516
            set update-source "BGPloopback"
        next
        edit "10.0.255.5"
            set ebgp-enforce-multihop enable
            set next-hop-self enable
            set soft-reconfiguration enable
            set remote-as 65516
            set update-source "BGPloopback"
        next
    end
    config network
        edit 1
            set prefix 172.16.0.0 255.255.0.0
        next
    end

 

Confirm that the BGP neighbors are established.

# get router info bgp neighbors 
BGP neighbor is 10.0.255.4, remote AS 65516, local AS 65521, external link
  BGP version 4, remote router ID 10.0.255.4
  BGP state = Established, up for 05:11:19
  Last read 00:00:33, hold time is 180, keepalive interval is 60 seconds
  Configured hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (new)
    Address family IPv4 Unicast: advertised and received
    Address family IPv6 Unicast: advertised and received
  Received 479 messages, 0 notifications, 0 in queue
  Sent 502 messages, 14 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 30 seconds
  Update source is BGPloopback
 
 For address family: IPv4 Unicast
  BGP table version 39, neighbor version 38
  Index 1, Offset 0, Mask 0x2
    Graceful restart: received
  Inbound soft reconfiguration allowed
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  4 accepted prefixes
  4 announced prefixes

 For address family: IPv6 Unicast
  BGP table version 1, neighbor version 1
  Index 1, Offset 0, Mask 0x2
    Graceful restart: received
  Community attribute sent to this neighbor (both)
  0 accepted prefixes
  0 announced prefixes
 
 Connections established 17; dropped 16
  External BGP neighbor may be up to 255 hops away.
Local host: 172.16.255.254, Local port: 13377
Foreign host: 10.0.255.4, Foreign port: 179
Nexthop: 172.16.255.254
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Last Reset: 05:11:24, due to BGP Notification sent
Notification Error Message: (Hold Timer Expired/Unspecified Error Subcode)
 
BGP neighbor is 10.0.255.5, remote AS 65516, local AS 65521, external link
  BGP version 4, remote router ID 10.0.255.5
  BGP state = Established, up for 05:14:23
  Last read 00:00:25, hold time is 180, keepalive interval is 60 seconds
  Configured hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (new)
    Address family IPv4 Unicast: advertised and received
    Address family IPv6 Unicast: advertised and received
  Received 494 messages, 0 notifications, 0 in queue
  Sent 522 messages, 16 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 30 seconds
  Update source is BGPloopback
 
 For address family: IPv4 Unicast
  BGP table version 39, neighbor version 38
  Index 2, Offset 0, Mask 0x4
    Graceful restart: received
  Inbound soft reconfiguration allowed
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  4 accepted prefixes
  2 announced prefixes
 
 For address family: IPv6 Unicast
  BGP table version 1, neighbor version 1
  Index 2, Offset 0, Mask 0x4
    Graceful restart: received
  Community attribute sent to this neighbor (both)
  0 accepted prefixes
  0 announced prefixes
 
 Connections established 18; dropped 17
  External BGP neighbor may be up to 255 hops away.
Local host: 172.16.255.254, Local port: 24137
Foreign host: 10.0.255.5, Foreign port: 179
Nexthop: 172.16.255.254
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Last Reset: 05:14:27, due to BGP Notification sent
Notification Error Message: (Hold Timer Expired/Unspecified Error Subcode)

 

Let's also check the routes received over BGP.

You can see the same routes arriving from both Azure-side BGP peer IPs (10.0.255.4 / 10.0.255.5).

# get router info bgp neighbors 10.0.255.4 received-routes
BGP table version is 39, local router ID is 172.16.255.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
 
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/16      10.0.255.4                             0 65516 i
*> 172.16.0.0       10.0.255.4               0             0 65516 65521 i
*> 172.16.255.252/32
                    10.0.255.4                             0 65516 i
*> 172.16.255.253/32
                    10.0.255.4                             0 65516 i
*> 172.16.255.254/32
                    10.0.255.4                             0 65516 i
 
Total number of prefixes 5
 
 
# get router info bgp neighbors 10.0.255.5 received-routes
BGP table version is 39, local router ID is 172.16.255.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
 
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/16      10.0.255.5                             0 65516 i
*> 172.16.0.0       10.0.255.5                             0 65516 65521 i
*> 172.16.255.252/32
                    10.0.255.5                             0 65516 i
*> 172.16.255.253/32
                    10.0.255.5                             0 65516 i
*> 172.16.255.254/32
                    10.0.255.5                             0 65516 i
 
Total number of prefixes 5

On-premises configuration (Juniper SRX650)

For the VPN to the SRX there is, helpfully, a Japanese-language PDF; refer to its dynamic routing section (p. 30 onward).

As with the FortiGate, create two VPN tunnels (st0.0 / st0.1) and point the static routes at the BGP peer IPs (10.0.255.4 / 10.0.255.5).

# show security
ike {
    proposal azure-phase1-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;
    }
    policy azure-policy {
        mode main;
        proposals azure-phase1-proposal;
        pre-shared-key ascii-text "xxxxxxxxxx"; ## SECRET-DATA
    }
    gateway azure-gw {
        ike-policy azure-policy;
        address a1.a1.a1.a1;
        dead-peer-detection {
            interval 10;
            threshold 5;
        }
        local-identity inet j.j.j.j;
        external-interface ge-0/0/0;
        version v2-only;
    }
    gateway azure-gw2 {
        ike-policy azure-policy;
        address a2.a2.a2.a2;
        dead-peer-detection {
            interval 10;
            threshold 5;
        }
        local-identity inet j.j.j.j;
        external-interface ge-0/0/0;
        version v2-only;
    }
}
ipsec {
    proposal azure-phase2-proposal {
        protocol esp;
        authentication-algorithm hmac-sha-256-128;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 3600;
    }
    policy azure-phase2-policy {
        proposals azure-phase2-proposal;
    }
    vpn azure-vpn {
        bind-interface st0.0;
        vpn-monitor {
            optimized;
            source-interface st0.0;
            destination-ip 10.0.0.0;
        }
        ike {
            gateway azure-gw;
            proxy-identity {
                local 0.0.0.0/0;
                remote 0.0.0.0/0;
                service any;
            }
            ipsec-policy azure-phase2-policy;
        }
        establish-tunnels immediately;
    }
    vpn azure-vpn2 {
        bind-interface st0.1;
        vpn-monitor {
            optimized;
            source-interface st0.1;
            destination-ip 10.0.0.0;
        }
        ike {
            gateway azure-gw2;
            proxy-identity {
                local 0.0.0.0/0;
                remote 0.0.0.0/0;
                service any;
            }
            ipsec-policy azure-phase2-policy;
        }
        establish-tunnels immediately;
    }
}
address-book {
    global {
        address Azure-VNET 10.0.0.0/16;
        address OnPremise-NW 172.16.0.0/16;
    }
}
flow {
    tcp-mss {
        ipsec-vpn {
            mss 1350;
        }
    }
}
policies {
    from-zone trust to-zone azure-zone {
        policy trust-to-azure-zone {
            match {
                source-address OnPremise-NW;
                destination-address Azure-VNET;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone azure-zone to-zone trust {
        policy azure-zone-to-trust {
            match {
                source-address Azure-VNET;
                destination-address OnPremise-NW;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    security-zone azure-zone {
        interfaces {
            st0.0;
            st0.1;
        }
    }
}

# show interfaces
st0 {
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet;
    }
}
# show routing-options
static {
    route 10.0.255.4/32 next-hop st0.0;
    route 10.0.255.5/32 next-hop st0.1;
}

 

If the VPN comes up, you should have two tunnels established with Azure.

# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
776365  UP     30964821a7e60fc5  7488a3d455c203f0  IKEv2          a2.a2.a2.a2
776366  UP     1c0743a73adbe841  e903979aed9c53b7  IKEv2          a1.a1.a1.a1

# run show security ipsec security-associations
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-256/sha256 9079c193 3565/ unlim U root 500 a1.a1.a1.a1
  >131073 ESP:aes-cbc-256/sha256 ac1035a4 3565/ unlim U root 500 a1.a1.a1.a1
  <131074 ESP:aes-cbc-256/sha256 83a51222 3507/ unlim U root 500 a2.a2.a2.a2
  >131074 ESP:aes-cbc-256/sha256 fa64cbf2 3507/ unlim U root 500 a2.a2.a2.a2

 

Once the VPN is up, create a loopback interface, enable ebgp multihop, and exchange routes over BGP.

The SRX also does not seem to advertise routes that are absent from the routing table, so I added 172.16.0.0/16 as a static (reject) route, though I'm not sure this is the right way to do it...

Also, I want the FortiGate path to be preferred and the SRX and C841M to serve as backups, so I prepend the AS path.

# show interfaces
lo0 {
    unit 0 {
        family inet {
            address 172.16.255.253/32;
        }
    }
}

# show routing-options
static {
    route 10.0.255.4/32 next-hop st0.0;
    route 10.0.255.5/32 next-hop st0.1;
    route 172.16.0.0/16 reject;
}
autonomous-system 65521;

# show protocols bgp
local-address 172.16.255.253;
group azure {
    type external;
    multihop {
        ttl 255;
    }
    neighbor 10.0.255.4 {
        export OnPremises;
        peer-as 65516;
    }
    neighbor 10.0.255.5 {
        export OnPremises;
        peer-as 65516;
    }
}

# show policy-options
prefix-list OnPremises {
    172.16.0.0/16;
}
policy-statement OnPremises {
    term 1 {
        from {
            protocol static;
            route-filter 172.16.0.0/16 exact;
        }
        then {
            as-path-prepend 65521;
            accept;
        }
    }
}

 

Check the routes the SRX is advertising and the routes it is receiving from Azure.

The AS path prepend is reflected correctly, so this looks fine.

> show route advertising-protocol bgp 10.0.255.4

inet.0: 12 destinations, 18 routes (12 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 172.16.0.0/16           Self                                    65521 [65521] I

> show route advertising-protocol bgp 10.0.255.5

inet.0: 12 destinations, 18 routes (12 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 172.16.0.0/16           Self                                    65521 [65521] I

> show route receive-protocol bgp 10.0.255.4

inet.0: 12 destinations, 18 routes (12 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 10.0.0.0/16             10.0.255.4                              65516 I
* 172.16.255.252/32       10.0.255.4                              65516 I
  172.16.255.253/32       10.0.255.4                              65516 I
* 172.16.255.254/32       10.0.255.4                              65516 I

> show route receive-protocol bgp 10.0.255.5

inet.0: 12 destinations, 18 routes (12 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
  10.0.0.0/16             10.0.255.5                              65516 I
  172.16.255.252/32       10.0.255.5                              65516 I
  172.16.255.253/32       10.0.255.5                              65516 I
  172.16.255.254/32       10.0.255.5                              65516 I

 

On-premises configuration (Cisco C841M)

For the VPN with Cisco IOS there are the samples on GitHub, and you can download a configuration from the Azure portal, so use those as a reference.

It is basically no different from the FortiGate and SRX, so nothing here should be difficult. One thing worth tightening: the IKEv2 proposal below offers 3DES and DH group 2 alongside AES-256, and everything listed in a proposal is offered to the peer, so trim it to the algorithms you actually want rather than leaving the legacy ones in.

crypto ikev2 proposal Azure-proposal
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy Azure-policy
 match address local c.c.c.c
 proposal Azure-proposal
!
crypto ikev2 keyring Azure-keyring
 peer a1.a1.a1.a1
  address a1.a1.a1.a1
  pre-shared-key xxxxxxxxxx
 !
 peer a2.a2.a2.a2
  address a2.a2.a2.a2
  pre-shared-key xxxxxxxxxx
 !
!
!
crypto ikev2 profile Azure-profile
 match address local c.c.c.c
 match identity remote address a1.a1.a1.a1 255.255.255.255
 match identity remote address a2.a2.a2.a2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local Azure-keyring
 lifetime 3600
!
!
crypto ipsec transform-set Azure-TransformSet esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile Azure-IPsecProfile
 set transform-set Azure-TransformSet
 set ikev2-profile Azure-profile
!
!
interface Loopback11
 ip address 172.16.255.252 255.255.255.255
!
interface Tunnel11
 ip address 169.254.0.1 255.255.255.252
 ip tcp adjust-mss 1350
 tunnel source c.c.c.c
 tunnel mode ipsec ipv4
 tunnel destination a1.a1.a1.a1
 tunnel protection ipsec profile Azure-IPsecProfile
!
interface Tunnel12
 ip address 169.254.0.5 255.255.255.252
 ip tcp adjust-mss 1350
 tunnel source c.c.c.c
 tunnel mode ipsec ipv4
 tunnel destination a2.a2.a2.a2
 tunnel protection ipsec profile Azure-IPsecProfile
!
!
router bgp 65521
 bgp log-neighbor-changes
 neighbor 10.0.255.4 remote-as 65516
 neighbor 10.0.255.4 ebgp-multihop 255
 neighbor 10.0.255.4 update-source Loopback11
 neighbor 10.0.255.5 remote-as 65516
 neighbor 10.0.255.5 ebgp-multihop 255
 neighbor 10.0.255.5 update-source Loopback11
 !
 address-family ipv4
  network 172.16.0.0
  neighbor 10.0.255.4 activate
  neighbor 10.0.255.4 route-map OnPremises out
  neighbor 10.0.255.5 activate
  neighbor 10.0.255.5 route-map OnPremises out
 exit-address-family
!
!
ip route 10.0.255.4 255.255.255.255 Tunnel11
ip route 10.0.255.5 255.255.255.255 Tunnel12
ip route 172.16.0.0 255.255.0.0 Null0 200
!
!
ip prefix-list OnPremises seq 5 permit 172.16.0.0/16
!
route-map OnPremises permit 10
 match ip address prefix-list OnPremises
 set as-path prepend 65521 65521
!
!
access-list 101 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 102 permit esp host a1.a1.a1.a1 host c.c.c.c
access-list 102 permit udp host a1.a1.a1.a1 eq isakmp host c.c.c.c
access-list 102 permit esp host a2.a2.a2.a2 host c.c.c.c
access-list 102 permit udp host a2.a2.a2.a2 eq isakmp host c.c.c.c
!

The VPN came up and BGP routes were exchanged without problems.

#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         c.c.c.c/500     a1.a1.a1.a1/500     none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 3600/1478 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
6         c.c.c.c/500     a2.a2.a2.a2/500    none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 3600/1972 sec

 IPv6 Crypto IKEv2  SA

#show crypto ipsec sa

interface: Tunnel11
    Crypto map tag: Tunnel11-head-0, local addr c.c.c.c

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer a1.a1.a1.a1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
    #pkts decaps: 10351, #pkts decrypt: 10351, #pkts verify: 10351
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: c.c.c.c, remote crypto endpt.: a1.a1.a1.a1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/4
     current outbound spi: 0xED0535B2(3976541618)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x5CDC6A89(1557949065)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 438, flow_id: Onboard VPN:438, sibling_flags 80000040, crypto map: Tunnel11-head-0
        sa timing: remaining key lifetime (k/sec): (4349436/1644)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xED0535B2(3976541618)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 437, flow_id: Onboard VPN:437, sibling_flags 80000040, crypto map: Tunnel11-head-0
        sa timing: remaining key lifetime (k/sec): (4349447/1644)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel12
    Crypto map tag: Tunnel12-head-0, local addr c.c.c.c

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer a2.a2.a2.a2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 85613, #pkts encrypt: 85613, #pkts digest: 85613
    #pkts decaps: 79209, #pkts decrypt: 79209, #pkts verify: 79209
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: c.c.c.c, remote crypto endpt.: a2.a2.a2.a2
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/4
     current outbound spi: 0x6EEC2E88(1860972168)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBC5C8981(3160181121)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 436, flow_id: Onboard VPN:436, sibling_flags 80000040, crypto map: Tunnel12-head-0
        sa timing: remaining key lifetime (k/sec): (4188027/1328)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6EEC2E88(1860972168)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 435, flow_id: Onboard VPN:435, sibling_flags 80000040, crypto map: Tunnel12-head-0
        sa timing: remaining key lifetime (k/sec): (4188019/1328)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

#show bgp
BGP table version is 204, local router ID is 172.16.255.252
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *   10.0.0.0/16      10.0.255.4                             0 65516 i
 *>                   10.0.255.5                             0 65516 i
 *>  172.16.0.0       0.0.0.0                  0         32768 i
 r   172.16.255.252/32
                       10.0.255.4                             0 65516 i
 r>                   10.0.255.5                             0 65516 i
 *   172.16.255.253/32
                       10.0.255.5                             0 65516 i
 *>                   10.0.255.4                             0 65516 i
 *   172.16.255.254/32
                       10.0.255.4                             0 65516 i
 *>                   10.0.255.5                             0 65516 i

#show ip bgp neighbors 10.0.255.4 advertised-routes
BGP table version is 204, local router ID is 172.16.255.252
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  172.16.0.0       0.0.0.0                  0         32768 i

Total number of prefixes 1

#show ip bgp neighbors 10.0.255.5 advertised-routes
BGP table version is 204, local router ID is 172.16.255.252
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  172.16.0.0       0.0.0.0                  0         32768 i

Total number of prefixes 1

#show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 202.222.13.254 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B        10.0.0.0/16 [20/0] via 10.0.255.5, 06:35:10
      172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
B        172.16.255.253/32 [20/0] via 10.0.255.4, 05:55:15
B        172.16.255.254/32 [20/0] via 10.0.255.5, 06:35:10

 

Checking from the Azure VPN Gateway side

Finally, confirm from the Azure side as well that the VPN connections are up, the BGP neighbors are established, and routes are being exchanged.

> Get-AzureRmVirtualNetworkGatewayConnection -Name FortiGate100E-BGP -ResourceGroupName caledfwlch

Name                    : Fortigate100E-BGP
ResourceGroupName       : caledfwlch
Location                : japaneast
Id                      : /subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/c
                          onnections/Fortigate100E-BGP
Etag                    : W/"aece2efa-9d05-4dd8-b928-9634bf6fd463"
ResourceGuid            : b85b8f35-8c61-4ad1-ac5f-a908c58b2b0e
ProvisioningState       : Succeeded
Tags                    :
AuthorizationKey        :
VirtualNetworkGateway1  : "/subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/
                          virtualNetworkGateways/caledfwlch-vpngw"
VirtualNetworkGateway2  :
LocalNetworkGateway2    : "/subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/
                          localNetworkGateways/Fortigate100E-BGP"
Peer                    :
RoutingWeight           : 0
SharedKey               : xxxxxxxxxx
ConnectionStatus        : Connected
EgressBytesTransferred  : 769116
IngressBytesTransferred : 630868
TunnelConnectionStatus  : [
                            {
                              "Tunnel": "Fortigate100E-BGP_13.78.115.150",
                              "ConnectionStatus": "Connected",
                              "IngressBytesTransferred": 296650,
                              "EgressBytesTransferred": 359947,
                              "LastConnectionEstablishedUtcTime": "05/03/2018 16:05:48"
                            },
                            {
                              "Tunnel": "Fortigate100E-BGP_52.185.132.141",
                              "ConnectionStatus": "Connected",
                              "IngressBytesTransferred": 334218,
                              "EgressBytesTransferred": 409169,
                              "LastConnectionEstablishedUtcTime": "05/03/2018 16:02:36"
                            }
                          ]



> Get-AzureRmVirtualNetworkGatewayConnection -Name SRX650-BGP -ResourceGroupName caledfwlch

Name                    : SRX650-BGP
ResourceGroupName       : caledfwlch
Location                : japaneast
Id                      : /subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/c
                          onnections/SRX650-BGP
Etag                    : W/"554cf1f6-bea7-4c38-9905-c7423b332ae4"
ResourceGuid            : 1fa22476-2a6e-45f5-89f4-aadb2cfa0c56
ProvisioningState       : Succeeded
Tags                    :
AuthorizationKey        :
VirtualNetworkGateway1  : "/subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/
                          virtualNetworkGateways/caledfwlch-vpngw"
VirtualNetworkGateway2  :
LocalNetworkGateway2    : "/subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/
                          localNetworkGateways/SRX650-BGP"
Peer                    :
RoutingWeight           : 0
SharedKey               : xxxxxxxxxx
ConnectionStatus        : Connected
EgressBytesTransferred  : 389914
IngressBytesTransferred : 663672
TunnelConnectionStatus  : [
                            {
                              "Tunnel": "SRX650-BGP_13.78.115.150",
                              "ConnectionStatus": "Connected",
                              "IngressBytesTransferred": 308264,
                              "EgressBytesTransferred": 206306,
                              "LastConnectionEstablishedUtcTime": "05/03/2018 16:03:48"
                            },
                            {
                              "Tunnel": "SRX650-BGP_52.185.132.141",
                              "ConnectionStatus": "Connected",
                              "IngressBytesTransferred": 355408,
                              "EgressBytesTransferred": 183608,
                              "LastConnectionEstablishedUtcTime": "05/03/2018 16:04:36"
                            }
                          ]


> Get-AzureRmVirtualNetworkGatewayConnection -Name C841M-BGP -ResourceGroupName caledfwlch

Name                    : C841M-BGP
ResourceGroupName       : caledfwlch
Location                : japaneast
Id                      : /subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/c
                          onnections/C841M-BGP
Etag                    : W/"e1fcee4f-2f5b-4a6b-91be-89d6ee74b5ab"
ResourceGuid            : ba300bfb-e09e-4163-98bf-37e37265ce8a
ProvisioningState       : Succeeded
Tags                    :
AuthorizationKey        :
VirtualNetworkGateway1  : "/subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/
                          virtualNetworkGateways/caledfwlch-vpngw"
VirtualNetworkGateway2  :
LocalNetworkGateway2    : "/subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/
                          localNetworkGateways/C841M-BGP"
Peer                    :
RoutingWeight           : 0
SharedKey               : xxxxxxxxxx
ConnectionStatus        : Connected
EgressBytesTransferred  : 4209273
IngressBytesTransferred : 4178973
TunnelConnectionStatus  : [
                            {
                              "Tunnel": "C841M-BGP_13.78.115.150",
                              "ConnectionStatus": "Connected",
                              "IngressBytesTransferred": 0,
                              "EgressBytesTransferred": 325920,
                              "LastConnectionEstablishedUtcTime": "05/03/2018 16:05:48"
                            },
                            {
                              "Tunnel": "C841M-BGP_52.185.132.141",
                              "ConnectionStatus": "Connected",
                              "IngressBytesTransferred": 4178973,
                              "EgressBytesTransferred": 3883353,
                              "LastConnectionEstablishedUtcTime": "05/03/2018 16:00:36"
                            }
                          ]

> Get-AzureRmVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName caledfwlch-vpngw -ResourceGroupName caledfwlch  | sort Neighbor | ft

  Asn ConnectedDuration LocalAddress MessagesReceived MessagesSent Neighbor       RoutesReceived State
  --- ----------------- ------------ ---------------- ------------ --------       -------------- -----
65516                   10.0.255.4                  0            0 10.0.255.4                  0 Unknown
65516 06:45:41.7296384  10.0.255.4                502          549 10.0.255.5                  5 Connected
65521 06:38:08.4475376  10.0.255.4                469          508 172.16.255.252              1 Connected
65521 05:57:19.8491887  10.0.255.4                804          829 172.16.255.253              1 Connected
65521 06:38:08.7202774  10.0.255.4                464          516 172.16.255.254              1 Connected

> Get-AzureRmVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName caledfwlch-vpngw -ResourceGroupName caledfwlch | where Origin -eq EBgp | sort Network, ASPath | ft

AsPath            LocalAddress Network       NextHop        Origin SourcePeer     Weight
------            ------------ -------       -------        ------ ----------     ------
65521             10.0.255.4   172.16.0.0/16 172.16.255.254 EBgp   172.16.255.254  32768
65521-65521       10.0.255.4   172.16.0.0/16 172.16.255.253 EBgp   172.16.255.253  32768
65521-65521-65521 10.0.255.4   172.16.0.0/16 172.16.255.252 EBgp   172.16.255.252  32768


> Get-AzureRmVirtualNetworkGatewayAdvertisedRoute -VirtualNetworkGatewayName caledfwlch-vpngw -ResourceGroupName caledfwlch -Peer 172.16.255.254 | sort Network | ft

AsPath LocalAddress Network           NextHop    Origin SourcePeer Weight
------ ------------ -------           -------    ------ ---------- ------
65516  10.0.255.4   10.0.0.0/16       10.0.255.4 Igp                    0
65516  10.0.255.4   172.16.255.252/32 10.0.255.4 Igp                    0
65516  10.0.255.4   172.16.255.253/32 10.0.255.4 Igp                    0
65516  10.0.255.4   172.16.255.254/32 10.0.255.4 Igp                    0


> Get-AzureRmVirtualNetworkGatewayAdvertisedRoute -VirtualNetworkGatewayName caledfwlch-vpngw -ResourceGroupName caledfwlch -Peer 172.16.255.253 | sort Network | ft

AsPath      LocalAddress Network           NextHop    Origin SourcePeer Weight
------      ------------ -------           -------    ------ ---------- ------
65516       10.0.255.4   10.0.0.0/16       10.0.255.4 Igp                    0
65516-65521 10.0.255.4   172.16.0.0/16     10.0.255.4 Igp                    0
65516       10.0.255.4   172.16.255.252/32 10.0.255.4 Igp                    0
65516       10.0.255.4   172.16.255.253/32 10.0.255.4 Igp                    0
65516       10.0.255.4   172.16.255.254/32 10.0.255.4 Igp                    0


> Get-AzureRmVirtualNetworkGatewayAdvertisedRoute -VirtualNetworkGatewayName caledfwlch-vpngw -ResourceGroupName caledfwlch -Peer 172.16.255.252 | sort Network | ft

AsPath      LocalAddress Network           NextHop    Origin SourcePeer Weight
------      ------------ -------           -------    ------ ---------- ------
65516       10.0.255.4   10.0.0.0/16       10.0.255.4 Igp                    0
65516-65521 10.0.255.4   172.16.0.0/16     10.0.255.4 Igp                    0
65516       10.0.255.4   172.16.255.252/32 10.0.255.4 Igp                    0
65516       10.0.255.4   172.16.255.253/32 10.0.255.4 Igp                    0
65516       10.0.255.4   172.16.255.254/32 10.0.255.4 Igp                    0
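
The tables above can be checked programmatically rather than by eye. What follows is an added example (Python, not the PowerShell of the original post and not code taken from it): it parses constructed copies of the peer-status and learned-route tables printed by Get-AzureRmVirtualNetworkGatewayBGPPeerStatus / Get-AzureRmVirtualNetworkGatewayLearnedRoute, flags any on-premises neighbour that is not Connected, ranks the three next hops for 172.16.0.0/16 by AS-path length to show why the prepended paths via .253 and .252 lose to .254, and shows the AS-path loop check that makes the on-premises routers discard the 172.16.0.0/16 route Azure advertises back to them with 65521 already in the path. The neighbour list and table contents come from the output above; the next-hop tie-break is only a stable ordering for this example, not BGP's real tie-breaker.

```python
"""Added example, not part of the original post: checks over the BGP peer-status
and learned-route tables that the Get-AzureRmVirtualNetworkGateway* cmdlets print.
The two table strings are constructed copies of that output."""
import re
from collections import defaultdict

# Constructed sample: Get-AzureRmVirtualNetworkGatewayBGPPeerStatus output.
PEER_STATUS = """\
  Asn ConnectedDuration LocalAddress MessagesReceived MessagesSent Neighbor       RoutesReceived State
  --- ----------------- ------------ ---------------- ------------ --------       -------------- -----
65516                   10.0.255.4                  0            0 10.0.255.4                  0 Unknown
65516 06:45:41.7296384  10.0.255.4                502          549 10.0.255.5                  5 Connected
65521 06:38:08.4475376  10.0.255.4                469          508 172.16.255.252              1 Connected
65521 05:57:19.8491887  10.0.255.4                804          829 172.16.255.253              1 Connected
65521 06:38:08.7202774  10.0.255.4                464          516 172.16.255.254              1 Connected
"""

# Constructed sample: Get-AzureRmVirtualNetworkGatewayLearnedRoute output (EBgp rows).
LEARNED_ROUTES = """\
AsPath            LocalAddress Network       NextHop        Origin SourcePeer     Weight
------            ------------ -------       -------        ------ ----------     ------
65521             10.0.255.4   172.16.0.0/16 172.16.255.254 EBgp   172.16.255.254  32768
65521-65521       10.0.255.4   172.16.0.0/16 172.16.255.253 EBgp   172.16.255.253  32768
65521-65521-65521 10.0.255.4   172.16.0.0/16 172.16.255.252 EBgp   172.16.255.252  32768
"""

# The three on-premises BGP peer IPs from the local network gateways above.
ONPREM_PEERS = ["172.16.255.252", "172.16.255.253", "172.16.255.254"]

# ConnectedDuration is blank on the gateway's own row, so a whitespace split would
# shift the columns; the regex makes that field optional instead.
_PEER_ROW = re.compile(
    r"^\s*(?P<Asn>\d+)\s+(?P<ConnectedDuration>\S*)\s+(?P<LocalAddress>\S+)\s+"
    r"(?P<MessagesReceived>\d+)\s+(?P<MessagesSent>\d+)\s+(?P<Neighbor>\S+)\s+"
    r"(?P<RoutesReceived>\d+)\s+(?P<State>\S+)\s*$"
)


def parse_peer_status(text):
    """One dict per peer row; the header and underline lines do not match."""
    rows = []
    for line in text.splitlines():
        m = _PEER_ROW.match(line)
        if m:
            row = m.groupdict()
            row["Asn"] = int(row["Asn"])
            row["RoutesReceived"] = int(row["RoutesReceived"])
            rows.append(row)
    return rows


def parse_learned_routes(text):
    """One dict per route row; every column is populated, so a split suffices."""
    lines = [l for l in text.splitlines() if l.strip()]
    headers = lines[0].split()
    return [dict(zip(headers, line.split())) for line in lines[2:]]


def check_peers(peers, expected_neighbors):
    """Report expected eBGP neighbours that are absent or not Connected.
    The row whose Neighbor equals LocalAddress is the gateway instance itself
    (State 'Unknown' is normal there); the other 10.0.255.x row is the second
    active/active instance. Only the on-premises peers are judged."""
    state_of = {p["Neighbor"]: p["State"] for p in peers
                if p["Neighbor"] != p["LocalAddress"]}
    problems = []
    for n in expected_neighbors:
        if n not in state_of:
            problems.append(f"{n}: no BGP session")
        elif state_of[n] != "Connected":
            problems.append(f"{n}: state {state_of[n]}")
    return problems


def as_path_length(as_path):
    return len(as_path.split("-")) if as_path else 0


def rank_next_hops(routes):
    """Per prefix, candidate next hops ordered as the BGP best-path step
    'prefer the shortest AS_PATH' ranks them (Weight is equal on every row above,
    so AS-path length is the deciding step). Next-hop address is only a stable
    tie-break for this example."""
    by_net = defaultdict(list)
    for r in routes:
        by_net[r["Network"]].append(r)
    ranking = {}
    for net, cands in by_net.items():
        cands.sort(key=lambda r: (as_path_length(r["AsPath"]), r["NextHop"]))
        ranking[net] = [(r["NextHop"], as_path_length(r["AsPath"])) for r in cands]
    return ranking


def has_as_loop(as_path, local_asn):
    """eBGP loop prevention: a router discards an UPDATE whose AS_PATH already
    contains its own ASN. That is why the 172.16.0.0/16 route Azure advertises
    back to 172.16.255.253 with AsPath 65516-65521 is dropped by AS 65521."""
    return str(local_asn) in as_path.split("-")


if __name__ == "__main__":
    peers = parse_peer_status(PEER_STATUS)
    print("peer problems:", check_peers(peers, ONPREM_PEERS) or "none")
    for net, hops in rank_next_hops(parse_learned_routes(LEARNED_ROUTES)).items():
        print(net, "->", hops)
    print("loop for AS 65521:", has_as_loop("65516-65521", 65521))
```

Run against real output by replacing the two sample strings with the text the cmdlets print (`| ft` with the same columns); any non-empty list from `check_peers` is the condition to alert on.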

The finer details feel quite dubious, but at least the bare minimum works.

If anything is wrong, please leave a comment.


Bulk-registering the Azure datacenter IP address ranges with Azure PowerShell


Continuing from the previous post, this is again about NSG augmented rules.

I quickly wrote a script that downloads the datacenter IP ranges with Azure PowerShell and registers them in bulk, one rule per region.
As noted in the earlier post, the IP ranges can change, so scheduling this to run weekly (for example from Azure Automation) is a must.

Also, from a quick check, augmented rules seem to be capped at 2000 entries each for SourceAddressPrefix / DestinationAddressPrefix, and the Azure datacenter IP ranges are already at 1970, so any further growth is going to overflow... It may be better to just use Service Tags. (The datacenter IP range XML download used below has since been retired; the current source is the "Azure IP Ranges and Service Tags" JSON download or the Service Tag Discovery API, and a Service Tag counts as a single entry in a rule, so it sidesteps the per-rule address limit entirely.)

# Download the IP range list
# (this XML download has since been retired in favour of the "Azure IP Ranges and Service Tags"
#  JSON download and the Service Tag Discovery API; the page scraping below is how it worked at the time)
$DownloadUri = 'https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653'
$DownloadPage = Invoke-WebRequest -Uri $DownloadUri
# The confirmation page embeds the link to PublicIPs_<date>.xml; pick it out of the HTML
$XmlFileUri = ($DownloadPage.RawContent.Split('"') -like 'https://*PublicIps*')[0]
$Response = Invoke-WebRequest -Uri $XmlFileUri
[xml]$XmlResponse = [System.Text.Encoding]::UTF8.GetString($Response.Content)
$Regions = $XmlResponse.AzurePublicIpAddresses.Region

# Get the existing NSG
# (the AzureRm module is retired; the Az module equivalents are Get-AzNetworkSecurityGroup /
#  Add-AzNetworkSecurityRuleConfig / Set-AzNetworkSecurityGroup)
$NSG = Get-AzureRmNetworkSecurityGroup -Name 'NSG name' -ResourceGroupName 'resource group name'

# Or create an empty NSG
# $NSG = New-AzureRmNetworkSecurityGroup -Name 'NSG name' -ResourceGroupName 'resource group name' -Location 'region name'


# Add an Inbound rule per region
# Priorities must be unique per direction and cannot exceed 4096, so 4000 + the number of regions has to stay below that.
# Note that these ranges are shared by every Azure tenant: an Allow on all protocols and ports from them admits any
# Azure-hosted host, so narrow the protocol/ports (or use a service-specific tag) before using this in production.
$Priority = 4000
$Regions | foreach {
    $NSG = Add-AzureRmNetworkSecurityRuleConfig `
        -Name "From_$($_.Name)" `
        -NetworkSecurityGroup $NSG `
        -Protocol * `
        -SourcePortRange * `
        -DestinationPortRange * `
        -SourceAddressPrefix $_.IpRange.Subnet `
        -DestinationAddressPrefix * `
        -Access Allow `
        -Priority $Priority `
        -Direction Inbound
    $Priority++
}

# Add an Outbound rule per region (Outbound priorities are independent of Inbound ones)
$Priority = 4000
$Regions | foreach {
    $NSG = Add-AzureRmNetworkSecurityRuleConfig `
        -Name "To_$($_.Name)" `
        -NetworkSecurityGroup $NSG `
        -Protocol * `
        -SourcePortRange * `
        -DestinationPortRange * `
        -SourceAddressPrefix * `
        -DestinationAddressPrefix $_.IpRange.Subnet `
        -Access Allow `
        -Priority $Priority `
        -Direction Outbound
    $Priority++
}

# Apply the configuration (nothing is written to Azure until this call)
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $NSG
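
The per-rule limit mentioned above is the failure mode a bulk job needs to plan for. The following is an added example (Python rather than the post's PowerShell, and not code from the post): it runs the same pipeline, XML to per-region prefix lists to one rule definition per region, with two additions: adjacent and overlapping prefixes are collapsed first so they use fewer entries, and a region whose list still exceeds the per-rule limit is split into numbered rules instead of failing the whole run. The XML is a constructed sample in the layout the download used (AzurePublicIpAddresses/Region/IpRange@Subnet), its prefixes are illustrative, and the limit is a parameter defaulting to the 2000 the post observed; check the current value in the Azure networking limits documentation.

```python
"""Added example, not the post's script: XML -> collapsed per-region prefixes ->
NSG rule definitions, splitting a region that exceeds the per-rule address limit."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the PublicIPs_*.xml layout; the prefixes are illustrative.
SAMPLE_XML = """<?xml version="1.0" enco""" """ding="utf-8"?>
<AzurePublicIpAddresses xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Region Name="japaneast">
    <IpRange Subnet="13.78.0.0/17" />
    <IpRange Subnet="13.78.128.0/17" />
    <IpRange Subnet="52.185.128.0/18" />
    <IpRange Subnet="52.185.130.0/24" />
  </Region>
  <Region Name="japanwest">
    <IpRange Subnet="40.74.64.0/18" />
    <IpRange Subnet="40.74.128.0/20" />
    <IpRange Subnet="104.46.224.0/20" />
  </Region>
</AzurePublicIpAddresses>
"""

MAX_PRIORITY = 4096  # highest user-settable NSG rule priority


def parse_regions(xml_text):
    """{region name: [subnet, ...]} in document order."""
    root = ET.fromstring(xml_text)
    return {
        region.get("Name"): [r.get("Subnet") for r in region.findall("IpRange")]
        for region in root.findall("Region")
    }


def collapse(prefixes):
    """Merge adjacent and overlapping prefixes (13.78.0.0/17 + 13.78.128.0/17 ->
    13.78.0.0/16; a /24 inside a /18 disappears). Fewer entries, same coverage."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def chunk(items, size):
    return [items[i:i + size] for i in range(0, len(items), size)]


def build_rules(regions, direction, base_priority=4000, max_prefixes=2000):
    """Rule definitions in the shape Add-AzureRmNetworkSecurityRuleConfig takes,
    one per (region, chunk). Priorities are per direction, so Inbound and
    Outbound may both start at base_priority; running past MAX_PRIORITY raises
    instead of silently skipping a region."""
    if direction not in ("Inbound", "Outbound"):
        raise ValueError(direction)
    own_side = "SourceAddressPrefix" if direction == "Inbound" else "DestinationAddressPrefix"
    other_side = "DestinationAddressPrefix" if direction == "Inbound" else "SourceAddressPrefix"
    prefix = "From" if direction == "Inbound" else "To"
    rules, priority = [], base_priority
    for name, subnets in regions.items():
        parts = chunk(collapse(subnets), max_prefixes)
        for i, part in enumerate(parts, start=1):
            if priority > MAX_PRIORITY:
                raise ValueError(f"priority {priority} exceeds {MAX_PRIORITY}; "
                                 "use fewer rules or Service Tags")
            suffix = f"_{i}" if len(parts) > 1 else ""
            rules.append({
                "Name": f"{prefix}_{name}{suffix}",
                "Direction": direction,
                "Priority": priority,
                "Access": "Allow",
                "Protocol": "*",
                "SourcePortRange": "*",
                "DestinationPortRange": "*",
                own_side: part,
                other_side: "*",
            })
            priority += 1
    return rules


if __name__ == "__main__":
    regions = parse_regions(SAMPLE_XML)
    # max_prefixes=2 forces a split on the sample so the numbering is visible
    for rule in build_rules(regions, "Inbound", max_prefixes=2):
        print(rule["Priority"], rule["Name"], rule["SourceAddressPrefix"])
```

Each dict maps one-to-one onto the parameters of the Add-* cmdlet in the script above, so the loop body stays the same; only the prefix list and the rule name change per chunk.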

Creating an NSG from a CSV with Azure PowerShell


When you need to register a large number of rules in an NSG, you often want to import them from a CSV.
Let's do it quickly with Azure PowerShell.

# Get the existing NSG
$NSG = Get-AzureRmNetworkSecurityGroup -Name "NSG name" -ResourceGroupName "resource group name"

# Or create an empty NSG
# $NSG = New-AzureRmNetworkSecurityGroup -Name "NSG name" -ResourceGroupName "resource group name" -Location "region name"

# Read the CSV file
$CSV = Import-CSV "path to the CSV" -Encoding UTF8

# Add one rule per row
# (Add-* only changes the in-memory $NSG object; assigning its return value keeps the console quiet,
#  and Trim() tolerates spaces after the commas in multi-value prefix fields)
$CSV | foreach {
    $NSG = Add-AzureRmNetworkSecurityRuleConfig `
        -Name $_.Name `
        -NetworkSecurityGroup $NSG `
        -Description $_.Description `
        -Protocol $_.Protocol `
        -SourcePortRange $_.SourcePortRange `
        -DestinationPortRange $_.DestinationPortRange `
        -SourceAddressPrefix (($_.SourceAddressPrefix -split ",") | ForEach-Object { $_.Trim() }) `
        -DestinationAddressPrefix (($_.DestinationAddressPrefix -split ",") | ForEach-Object { $_.Trim() }) `
        -Access $_.Access `
        -Priority $_.Priority `
        -Direction $_.Direction
}

# Apply the configuration (this is the only call that writes to Azure)
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $NSG

Incidentally, since a single rule can now hold multiple address spaces, I made it possible to pass an array produced by -split to Source / Destination Address Prefix. (A sample CSV for import is here.)

See, easy, right?
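
Because the whole rule set is only written by the final Set-AzureRmNetworkSecurityGroup call, one malformed row surfaces late and leaves you with a half-applied import to untangle. The following is an added example (Python, not the post's PowerShell and not code from it) that validates the CSV up front with the checks that bite in practice: priority inside 100-4096 and unique per direction, a recognised protocol, port specs that are `*`, a port or a range, and prefixes that are `*`, a default tag, or a CIDR with no host bits set (other tag-shaped names are accepted syntactically). The column names are the ones the script reads; both CSV texts are constructed samples, and the sample CSV linked from the post is not used.

```python
"""Added example, not the post's script: validate an NSG rule CSV before import."""
import csv
import io
import ipaddress
import re

HEADER = ("Name,Description,Protocol,SourcePortRange,DestinationPortRange,"
          "SourceAddressPrefix,DestinationAddressPrefix,Access,Priority,Direction\n")

# Constructed sample; the quoted field carries several comma-separated prefixes,
# which the script splits with -split ",".
GOOD_CSV = HEADER + """\
Allow-SSH-Admin,Admin jump hosts,Tcp,*,22,"203.0.113.10/32,203.0.113.11/32",VirtualNetwork,Allow,100,Inbound
Allow-HTTPS,Public web,Tcp,*,443,Internet,10.0.1.0/24,Allow,110,Inbound
Deny-RDP,Block RDP from Internet,Tcp,*,3389,Internet,*,Deny,120,Inbound
Allow-Out-DNS,Resolver,Udp,*,53,*,10.0.0.4,Allow,100,Outbound
"""

# Constructed sample with one defect per row.
BAD_CSV = HEADER + """\
Bad-Prio,,Tcp,*,22,10.0.0.0/8,*,Allow,50,Inbound
Bad-Cidr,,Tcp,*,22,10.0.0.0/33,*,Allow,100,Inbound
Dup-Prio,,Udp,*,53,*,10.0.0.4,Allow,100,Inbound
Bad-Proto,,Sctp,*,22,*,*,Allow,110,Inbound
"""

PROTOCOLS = {"tcp", "udp", "icmp", "esp", "ah", "*"}
DEFAULT_TAGS = {"VirtualNetwork", "AzureLoadBalancer", "Internet"}
TAG_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.]*$")   # other service tags, e.g. Storage.JapanEast


def parse_rules_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def split_list(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def valid_port(spec):
    """'*', a single port, or 'low-high' within 0-65535."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    try:
        lo, hi = int(low), int(high or low)
    except ValueError:
        return False
    return 0 <= lo <= hi <= 65535


def valid_prefix(token):
    """'*', a default tag, an IP or CIDR with no host bits set, or a tag-shaped name."""
    if token == "*" or token in DEFAULT_TAGS:
        return True
    try:
        ipaddress.ip_network(token, strict=True)
        return True
    except ValueError:
        return bool(TAG_RE.match(token))


def validate_rules(rows):
    """List of 'line N (Name): problem' strings; empty means the CSV is importable."""
    errors, names, priorities = [], set(), set()
    for lineno, r in enumerate(rows, start=2):          # line 1 is the header
        where = f"line {lineno} ({r.get('Name') or '?'})"
        name = (r.get("Name") or "").strip()
        if not name:
            errors.append(f"{where}: empty Name")
        elif name in names:
            errors.append(f"{where}: duplicate Name")
        names.add(name)
        if (r.get("Protocol") or "").strip().lower() not in PROTOCOLS:
            errors.append(f"{where}: bad Protocol {r.get('Protocol')!r}")
        for col, check in (("SourcePortRange", valid_port), ("DestinationPortRange", valid_port),
                           ("SourceAddressPrefix", valid_prefix), ("DestinationAddressPrefix", valid_prefix)):
            items = split_list(r.get(col))
            if not items:
                errors.append(f"{where}: empty {col}")
            errors.extend(f"{where}: bad {col} {v!r}" for v in items if not check(v))
        if (r.get("Access") or "").strip().lower() not in {"allow", "deny"}:
            errors.append(f"{where}: bad Access {r.get('Access')!r}")
        direction = (r.get("Direction") or "").strip().lower()
        if direction not in {"inbound", "outbound"}:
            errors.append(f"{where}: bad Direction {r.get('Direction')!r}")
        try:
            prio = int((r.get("Priority") or "").strip())
        except ValueError:
            prio = -1
        if not 100 <= prio <= 4096:
            errors.append(f"{where}: Priority {r.get('Priority')!r} not in 100-4096")
        elif (direction, prio) in priorities:               # unique per direction only
            errors.append(f"{where}: duplicate Priority {prio} for {direction}")
        else:
            priorities.add((direction, prio))
    return errors


if __name__ == "__main__":
    for label, text in (("good", GOOD_CSV), ("bad", BAD_CSV)):
        print(label, validate_rules(parse_rules_csv(text)) or "OK")
```

Run it over the real file (`validate_rules(parse_rules_csv(open(path, encoding="utf-8").read()))`) and only hand the CSV to the import loop when the list comes back empty.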


How to troubleshoot when a VPN between Azure VPN Gateway and an SRX won't connect


Following the recent FortiGate edition, here are my notes on troubleshooting a VPN on an SRX kindly lent by @kazubu.
I'm not at all used to JUNOS yet, so please forgive the roughness...

Reference documents

Configuration steps

It connected pretty much by following the steps in the Japanese PDF, so I'll skip them. (I think there was one typo, but I forgot where.)
The Azure-side steps there are written for the old portal, so refer to the Microsoft docs for details.

Clearing the VPN tunnel

// Note: with no peer address, ALL IKE SAs are cleared (connections to other sites drop too). The corresponding "clear security ipsec security-associations" clears the IPsec SAs.
clear security ike security-associations aa.aa.aa.aa

Packet capture

To be checked later.

Checking the VPN tunnel

Confirm that the SAs are established.

> show security ipsec statistics
ESP Statistics: // if the tunnel is up, packets are being counted here
  Encrypted bytes:             1976
  Decrypted bytes:          1924704
  Encrypted packets:             13
  Decrypted packets:          60147
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
5870219 UP a2a4867ce688050e 162df6175e622dbc IKEv2 aa.aa.aa.aa

> show security ike security-associations detail
IKE peer aa.aa.aa.aa, Index 5870219, Gateway Name: azure-gw
  Role: Responder, State: UP
  Initiator cookie: a2a4867ce688050e, Responder cookie: 162df6175e622dbc
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local: jj.jj.jj.jj:500, Remote: aa.aa.aa.aa:500
  Lifetime: Expires in 8440 seconds
  Peer ike-id: aa.aa.aa.aa
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :               771724
   Output bytes  :               771612
   Input  packets:                10141
   Output packets:                10141
  IPSec security associations: 14 created, 7 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: jj.jj.jj.jj:500, Remote: aa.aa.aa.aa:500
    Local identity: jj.jj.jj.jj
    Remote identity: aa.aa.aa.aa
    Flags: IKE SA is created

> show security ipsec security-associations
 Total active tunnels: 1
 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
 <131073 ESP:aes-cbc-256/sha1 88bad682 3186/ unlim - root 500 aa.aa.aa.aa
 >131073 ESP:aes-cbc-256/sha1 eaaf6166 3186/ unlim - root 500 aa.aa.aa.aa

> show security ipsec security-associations detail

ID: 131073 Virtual-system: root, VPN Name: azure-vpn
  Local Gateway: jj.jj.jj.jj, Remote Gateway: aa.aa.aa.aa
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.0
  Port: 500, Nego#: 415, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Tunnel events:
    Fri Jan 19 2018 07:50:57: IPSec SA rekey successfully completed (25 times)
    Fri Jan 19 2018 02:21:10: IKE SA rekey successfully completed (2 times)
    Thu Jan 18 2018 11:09:06: IPSec SA negotiation successfully completed (1 times)
    Thu Jan 18 2018 11:09:06: IKE SA negotiation successfully completed (1 times)
    Thu Jan 18 2018 11:08:37: IPSec SAs cleared as corresponding IKE SA deleted (1 times)
    Thu Jan 18 2018 10:27:52: IPSec SA rekey successfully completed (31 times)
    Thu Jan 18 2018 07:36:23: IKE SA rekey successfully completed (3 times)
    Wed Jan 17 2018 08:48:20: IPSec SA negotiation successfully completed (1 times)
    Wed Jan 17 2018 08:48:20: IKE SA negotiation successfully completed (1 times)
    Wed Jan 17 2018 08:48:17: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
    Wed Jan 17 2018 08:15:29: IPSec SA rekey successfully completed (72 times)
    Wed Jan 17 2018 01:53:22: IKE SA rekey successfully completed (7 times)
    Sun Jan 14 2018 20:41:14: IPSec SA negotiation successfully completed (1 times)
    Sun Jan 14 2018 20:41:14: IKE SA negotiation successfully completed (1 times)
    Sun Jan 14 2018 19:10:02: IKE SA rekey successfully completed (2 times)
    Sun Jan 14 2018 03:58:00: IKE SA negotiation successfully completed (1 times)
  Direction: inbound, SPI: 72332189, AUX-SPI: 0
    Hard lifetime: Expires in 2815 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2204 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: e7bae17a, AUX-SPI: 0
    Hard lifetime: Expires in 2815 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2204 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

Enabling debug logging

monitor start kmd
monitor stop kmd
show log kmd // the log itself appears to be written to /var/log/kmd; the detailed ikev2_* lines below come from IKE traceoptions (set security ike traceoptions flag all)

PSK mismatch

[Jan 19 09:11:49]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 380 on IF
[Jan 19 09:11:49]ikev2_decode_packet: [101cc00/1094c00] Received packet: HDR, IDi, AUTH, SA, TSi, TSr
[Jan 19 09:11:49]ikev2_state_dispatch: [101cc00/1094c00] Responder side IKE_AUTH
[Jan 19 09:11:49]ikev2_reply_cb_shared_key_auth_verify: [101cc00/1094c00] Error: Auth payload contents does not match
[Jan 19 09:11:49]ikev2_state_error: [101cc00/1094c00] Negotiation failed because of error Authentication failed (24)
[Jan 19 09:11:49]IKE negotiation fail for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 with status: Authentication failed
[Jan 19 09:11:49]IPSec negotiation failed for SA-CFG azure-vpn for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2. status: Authentication failed

The log in the healthy case is below. I suppose it's fine because there's no error around IKE_AUTH...?

[Jan 20 04:03:02]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 380 on IF
[Jan 20 04:03:02]ikev2_decode_packet: [ffd000/1094c00] Received packet: HDR, IDi, AUTH, SA, TSi, TSr
[Jan 20 04:03:02]ikev2_state_dispatch: [ffd000/1094c00] Responder side IKE_AUTH
[Jan 20 04:03:02]ikev2_select_sa_reply: [1034400/1094c00] SA selected successfully

Proposal Mismatch

// IKE_SA_INIT request received from Azure (Azure initiates; the SRX is the responder here)
[Jan 20 03:18:03]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 620 on IF
[Jan 20 03:18:03]ikev2_packet_st_input_get_or_create_sa: [fff400/0] No IKE SA for packet; requesting permission to create one.
[Jan 20 03:18:03]ikev2_decode_packet: [fff400/1094c00] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), Vid, Vid, Vid, Vid
[Jan 20 03:18:03]ikev2_state_dispatch: [fff400/1094c00] Responder side IKE_SA_INIT

// proposals received from Azure
[Jan 20 03:18:03]Peer's proposed IKE SA payload is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1](id = 2) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF

// SRX-side configured proposal
[Jan 20 03:18:03]Configured proposal is SA([0](id = 1) protocol = IKE (1), 3DES, HMAC-MD5-96, 1024 bit MODP, HMAC-MD5 PRF; )

// the SRX and Azure proposals share no suite, so the negotiation fails with No proposal chosen
[Jan 20 03:18:03]P1 SA payload match failed for sa-cfg azure-vpn. Aborting negotiation local:jj.jj.jj.jj remote:aa.aa.aa.aa IKEv2.
[Jan 20 03:18:03]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Jan 20 03:18:03]ikev2_select_sa_reply: [fff400/1094c00] Error: SA select failed: 14
[Jan 20 03:18:03]ikev2_state_error: [fff400/1094c00] Negotiation failed because of error No proposal chosen (14)
[Jan 20 03:18:03]IKE negotiation fail for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 with status: No proposal chosen
[Jan 20 03:18:03]IKE SA delete called for p1 sa 5870294 (ref cnt 1) local:jj.jj.jj.jj, remote:aa.aa.aa.aa, IKEv2
[Jan 20 03:18:03]iked_pm_p1_sa_destroy: p1 sa 5870294 (ref cnt 0), waiting_for_del 0x0

The log in the healthy case looked like the following.

// The SRX first tears down its old IKE SA (an INFORMATIONAL delete exchange); Azure then initiates a fresh IKE_SA_INIT and the SRX acts as responder
[Jan 20 04:02:37]ikev2_udp_send_packet: [1023400/1094c00] <-------- Sending packet - length = 76 VR id 0
[Jan 20 04:02:37]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 76 on IF
[Jan 20 04:02:37]ikev2_decode_packet: [1022c00/1094c00] Received packet: HDR
[Jan 20 04:02:37]ikev2_state_dispatch: [1022c00/1094c00] Initiator side INFORMATIONAL
[Jan 20 04:02:37]iked_pm_ike_sa_delete_notify_done_cb: For p1 sa index 5870425, ref cnt 2, status: Error ok
[Jan 20 04:02:37]iked_pm_p1_sa_destroy:  p1 sa 5870425 (ref cnt 0), waiting_for_del 0xd365a0
[Jan 20 04:02:37]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[Jan 20 04:03:02]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 620 on IF
[Jan 20 04:03:02]ikev2_packet_st_input_get_or_create_sa: [1029800/0] No IKE SA for packet; requesting permission to create one.
[Jan 20 04:03:02]ikev2_decode_packet: [1029800/1094c00] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), Vid, Vid, Vid, Vid
[Jan 20 04:03:02]ikev2_state_dispatch: [1029800/1094c00] Responder side IKE_SA_INIT

// proposals received from Azure
[Jan 20 04:03:02]Peer's proposed IKE SA payload is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1](id = 2) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF

// SRX-side configured proposal
[Jan 20 04:03:02]Configured proposal is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, 1024 bit MODP, HMAC-SHA1 PRF; )

// proposals match, IKE_SA_INIT reply sent, then IKE_AUTH and the IPsec SA pair are installed
[Jan 20 04:03:02]ikev2_select_sa_reply: [1029800/1094c00] SA selected successfully
[Jan 20 04:03:02]ikev2_state_init_responder_in_end: [1029800/0] Send reply IKE_SA_INIT packet
[Jan 20 04:03:02]ikev2_udp_send_packet: [1031800/0] <-------- Sending packet - length = 346 VR id 0
[Jan 20 04:03:02]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 380 on IF
[Jan 20 04:03:02]ikev2_decode_packet: [ffd000/1094c00] Received packet: HDR, IDi, AUTH, SA, TSi, TSr
[Jan 20 04:03:02]ikev2_state_dispatch: [ffd000/1094c00] Responder side IKE_AUTH
[Jan 20 04:03:02]ikev2_select_sa_reply: [1034400/1094c00] SA selected successfully
[Jan 20 04:03:02]Construction NHTB payload for  local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 P1 SA index 5870426 sa-cfg azure-vpn
[Jan 20 04:03:02]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg azure-vpn, p1_sa=5870426
[Jan 20 04:03:02]iked_pm_ipsec_sa_install: local:jj.jj.jj.jj, remote:aa.aa.aa.aa  IKEv2 for SA-CFG azure-vpn, rekey-ikev2:no
[Jan 20 04:03:02]iked_pm_ipsec_sa_create: encr key len 32, auth key len: 20, salt len: 0
[Jan 20 04:03:02]Added (spi=0xe913e01d, protocol=ESP dst=jj.jj.jj.jj) entry to the peer hash table
[Jan 20 04:03:02]Added (spi=0x9a0dbe24, protocol=ESP dst=aa.aa.aa.aa) entry to the peer hash table
[Jan 20 04:03:02]iked_pm_ipsec_sa_install: NHTB add passed for sa-cfg azure-vpn
[Jan 20 04:03:02]Hardlife timer started for inbound azure-vpn with 3600 seconds/0 kilobytes
[Jan 20 04:03:02]Softlife timer started for inbound azure-vpn with 3025 seconds/0 kilobytes
[Jan 20 04:03:02]In iked_ipsec_sa_pair_add Adding GENCFG msg with key; Tunnel = 131073;SPI-In = 0xe913e01d
[Jan 20 04:03:02]Added dependency on SA config blob with tunnelid = 131073
[Jan 20 04:03:02]Successfully added ipsec SA PAIR
[Jan 20 04:03:02]iked_pm_ike_sa_done: local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2
[Jan 20 04:03:02]IKE negotiation done for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 with status: Error ok
[Jan 20 04:03:02]IPSec  negotiation done successfully for SA-CFG azure-vpn for local:jj.jj.jj.jj, remote:aa.aa.aa.aa  IKEv2

As usual, for each vendor's device configuration and troubleshooting methods, check with the device vendor.

I'll add more as the mood strikes.


How to troubleshoot when a VPN between Azure VPN Gateway and a FortiGate won't connect


I tested a VPN connection to Azure with the ordinary FortiGate 100E that every household has lying around, so I'm leaving this as a personal memo.

Reference documents

According to the docs, Azure requires FortiOS 5.6 as the minimum. The FortiGate connects with IKEv2, so create a route-based gateway on the Azure side (a policy-based gateway only speaks IKEv1).

Configuration steps

It connected when configured as in the Cookbook, so I'll omit the steps.

Clearing the VPN tunnel

diagnose vpn ike restart         // restarts the IKE daemon: every tunnel on the box drops
diagnose vpn ike gateway clear   // clears the IKE SAs; append "name <phase1-name>" to limit it to one gateway

Packet capture

Start with a packet capture. The 100E has no disk storage, so capture on the CLI and convert to pcap with fgt2eth.

FG100E # diagnose sniffer packet any "" 6   // "" = no filter (use e.g. "host aa.aa.aa.aa" to keep only the peer); verbosity 6 prints headers and payload in hex, which fgt2eth needs
fgt2eth.exe -in <text file captured above> -out packet.pcap

Checking the VPN tunnel

First, list the tunnels to see the current state. Below is an example of the not-connected case.

FG100E # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Azure ver=2 serial=1 ff.ff.ff.ff:0->aa.aa.aa.aa:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=9 ilast=0 olast=0 ad=/0 itn-status=a1
stat: rxp=0 txp=0 rxb=0 txb=0 // disconnected, so both TX and RX are 0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=129956
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Azure proto=0 sa=0 ref=1 serial=1
 src: 0:0.0.0.0/0.0.0.0:0
 dst: 0:0.0.0.0/0.0.0.0:0

When connected properly, the result should look like this. Note that this output includes the live ESP encryption and authentication keys (the dec:/enc: lines): anyone holding them plus a capture can decrypt the tunnel traffic, so redact them before pasting the output anywhere.

FG100E # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Azure ver=2 serial=1 ff.ff.ff.ff:0->aa.aa.aa.aa:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=12 ilast=6 olast=3 ad=/0 itn-status=a2
stat: rxp=3 txp=2 rxb=312 txb=168 // if connected, packets are being counted
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=129979
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Azure proto=0 sa=1 ref=3 serial=1
 src: 0:0.0.0.0/0.0.0.0:0
 dst: 0:0.0.0.0/0.0.0.0:0

 // the SA details that were absent before now appear
 SA: ref=6 options=10026 type=00 soft=0 mtu=1438 expire=26584/0B replaywin=1024
 seqno=3 esn=0 replaywin_lastseq=00000003 itn=0
 life: type=01 bytes=0/0 timeout=26731/27000
 dec: spi=101af04b esp=aes key=32 47f48f9be216cd73b0583d192569138e2a44480dfca10e7b41a833f2b565bb3c
 ah=sha1 key=20 8da6cf572039a77cc454e39d294d47842f4fa71c
 enc: spi=b9c6a7b0 esp=aes key=32 d8361980da39eab24e49527f2b1c08ac0583114d7b94228d98b465e1c3366dce
 ah=sha1 key=20 88442398c9fb9fff1d76f6d0fc029ccdf9b50763
 dec:pkts/bytes=3/96, enc:pkts/bytes=2/304
 npu_flag=03 npu_rgwy=aa.aa.aa.aa npu_lgwy=ff.ff.ff.ff npu_selid=0 dec_npuid=1 enc_npuid=1

Enabling debug logging

If the tunnel isn't coming up, enable the IKE debug log.

The troubleshooting guide lists two patterns, but what's the difference between them... (Phase 1 vs 2?)

diag vpn ike log 
diag debug app ike -1   // -1 = all IKE debug flags; on a busy box narrow it to the peer first with "diagnose vpn ike log-filter dst-addr4 aa.aa.aa.aa" (FortiOS 5.6/6.x syntax)
diag debug enable

To stop the debug log, use the following commands. (Same for the later steps.)

diagnose debug reset
diagnose debug disable

PSK mismatch

If the PSK is wrong, an explicit pre-shared key mismatch line appears in the log, as below.

ike 0:Azure:230: PSK auth failed: probable pre-shared key mismatch
ike Negotiate SA Error: ike ike [6253]

Proposal Mismatch

If the SA proposals don't match, logs like the following appear.

// FortiGate sends an IKE_SA_INIT request to Azure
ike 0:Azure:781: sent IKE msg (SA_INIT): ff.ff.ff.ff:500->aa.aa.aa.aa:500, len=252, id=c9b9112fd4614416/0000000000000000
ike 0: comes aa.aa.aa.aa:500->ff.ff.ff.ff:500,ifindex=7....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=c9b9112fd4614416/d00184a2a68d4b91 len=36
ike 0: in C9B9112FD4614416D00184A2A68D4B91292022200000000000000024000000080000000E

// Azure's reply is a bare NO_PROPOSAL_CHOSEN notify (36 bytes: IKE header plus one notify payload, type 0x0E), so the FortiGate's offer was rejected
ike 0:Azure:781: initiator received SA_INIT response
ike 0:Azure:781: processing notify type NO_PROPOSAL_CHOSEN
ike 0:Azure:781: malformed message
ike 0: comes aa.aa.aa.aa:500->ff.ff.ff.ff:500,ifindex=7....
ike 0: IKEv2 exchange=SA_INIT id=d4455f39cff0dd02/0000000000000000 len=620
ike 0: in D4455F39CFF0DD02000000000000000021202208000000000000026C220001040200002C010100040300000C0100000C800E01000300000803000002030000080200000200000008040000020200002C020100040300000C0100000C800E0100030000080300000C030000080200000500000008040000020200002C030100040300000C0100000C800E00800300000803000002030000080200000200000008040000020200002C040100040300000C0100000C800E0080030000080300000C030000080200000500000008040000020200002805010004030000080100000303000008030000020300000802000002000000080400000200000028060100040300000801000003030000080300000C0300000802000005000000080400000228000088000200004191FDF37EC6B68E1EFC9C40EDCE63919DE238DCD0A45B2B165EE30D6B0050953F4D4617E4449B4E96D455DEB34660FBA90308D82D11F29726B1BE27DB39DDC1605A2AC986F00D7F150649C954FA56ECC0183F1020FEFBCDA895F5A8EF33D959F0C1685C81AE533F1FE4904E2F8E9C4A300E8CD7795D1232910E68C852CAD9DE2900003499BE0BCCC36A0A9785CD1A2648ACB60B6E04D55DD3164797685AA6B06722E13D17CDACB1039FA8C7F01A697901B453442900001C000040048BF34E42B5DCB2F629EA1E8D91A7C71CB30388ED2B00001C00004005727E19E5CC569747EC22A6DD9CC63D94AA49EE642B0000181E2B516905991C7D7C96FCBFB587E461000000092B000014FB1DE3CDF341B7EA16B7E5BE0855F1202B00001426244D38EDDB61B3172A36E3D0CFB8190000001801528BBBC00696121849AB9A1C5B2A5100000002
ike 0:d4455f39cff0dd02/0000000000000000:782: responder received SA_INIT msg
ike 0:d4455f39cff0dd02/0000000000000000:782: received notify type NAT_DETECTION_SOURCE_IP
ike 0:d4455f39cff0dd02/0000000000000000:782: received notify type NAT_DETECTION_DESTINATION_IP

// Azure then initiates in the other direction and offers its six proposals; the FortiGate is now the responder
ike 0:d4455f39cff0dd02/0000000000000000:782: incoming proposal:
ike 0:d4455f39cff0dd02/0000000000000000:782: proposal id = 1:
ike 0:d4455f39cff0dd02/0000000000000000:782:   protocol = IKEv2:
ike 0:d4455f39cff0dd02/0000000000000000:782:      encapsulation = IKEv2/none
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=PRF, val=PRF_HMAC_SHA
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=DH_GROUP, val=MODP1024.
ike 0:d4455f39cff0dd02/0000000000000000:782: proposal id = 2:
ike 0:d4455f39cff0dd02/0000000000000000:782:   protocol = IKEv2:
ike 0:d4455f39cff0dd02/0000000000000000:782:      encapsulation = IKEv2/none
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=DH_GROUP, val=MODP1024.
ike 0:d4455f39cff0dd02/0000000000000000:782: proposal id = 3:
ike 0:d4455f39cff0dd02/0000000000000000:782:   protocol = IKEv2:
ike 0:d4455f39cff0dd02/0000000000000000:782:      encapsulation = IKEv2/none
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=ENCR, val=AES_CBC (key_len = 128)
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=PRF, val=PRF_HMAC_SHA
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=DH_GROUP, val=MODP1024.
ike 0:d4455f39cff0dd02/0000000000000000:782: proposal id = 4:
ike 0:d4455f39cff0dd02/0000000000000000:782:   protocol = IKEv2:
ike 0:d4455f39cff0dd02/0000000000000000:782:      encapsulation = IKEv2/none
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=ENCR, val=AES_CBC (key_len = 128)
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=DH_GROUP, val=MODP1024.
ike 0:d4455f39cff0dd02/0000000000000000:782: proposal id = 5:
ike 0:d4455f39cff0dd02/0000000000000000:782:   protocol = IKEv2:
ike 0:d4455f39cff0dd02/0000000000000000:782:      encapsulation = IKEv2/none
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=ENCR, val=3DES_CBC
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=PRF, val=PRF_HMAC_SHA
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=DH_GROUP, val=MODP1024.
ike 0:d4455f39cff0dd02/0000000000000000:782: proposal id = 6:
ike 0:d4455f39cff0dd02/0000000000000000:782:   protocol = IKEv2:
ike 0:d4455f39cff0dd02/0000000000000000:782:      encapsulation = IKEv2/none
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=ENCR, val=3DES_CBC
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=DH_GROUP, val=MODP1024.

// FortiGate-side configured proposal (DES / MD5 / DH group 2: none of Azure's six offers contains it)
ike 0:d4455f39cff0dd02/0000000000000000:782: my proposal, gw Azure:
ike 0:d4455f39cff0dd02/0000000000000000:782: proposal id = 1:
ike 0:d4455f39cff0dd02/0000000000000000:782:   protocol = IKEv2:
ike 0:d4455f39cff0dd02/0000000000000000:782:      encapsulation = IKEv2/none
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=ENCR, val=DES_CBC
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=INTEGR, val=AUTH_HMAC_MD5_96
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=PRF, val=PRF_HMAC_MD5
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=DH_GROUP, val=MODP1024.

// no proposal chosen: the FortiGate's configured proposal matches none of Azure's, so this direction fails too
ike 0:d4455f39cff0dd02/0000000000000000:782: lifetime=28800
ike 0:d4455f39cff0dd02/0000000000000000:782: no proposal chosen
ike Negotiate SA Error: ike ike  [9697]
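
The decision that produces "No proposal chosen" on the SRX and "no proposal chosen" on the FortiGate is the same one: the responder walks the initiator's proposals in order and accepts the first for which it has a transform of every type in common (RFC 7296 section 2.7); the suite is that intersection, and if nothing matches it answers with NO_PROPOSAL_CHOSEN. The following is an added example (Python, not code from either post or from either vendor) that parses constructed copies of the proposal lines from both logs above, maps the two vendors' algorithm spellings onto one vocabulary, and runs that selection: the FortiGate's DES/MD5 and the SRX's 3DES/MD5 proposals fail, the SRX's AES256/SHA1 proposal matches Azure's first offer. It also flags the transforms in the working suite that a current deployment should not rely on: DH group 2 (1024-bit MODP) is the one the healthy logs negotiated, and Azure lets you replace the defaults with a custom IPsec/IKE policy on the connection so that a stronger group can be used on both sides.

```python
"""Added example, not from the posts: IKEv2 SA selection over the FortiGate and
SRX proposal lines, with vendor names mapped to one vocabulary."""
import re

# Constructed sample: Azure's proposal 1 as the FortiGate debug prints it.
FG_AZURE = """\
ike 0:d4455f39cff0dd02/0000000000000000:782: incoming proposal:
ike 0:d4455f39cff0dd02/0000000000000000:782: proposal id = 1:
ike 0:d4455f39cff0dd02/0000000000000000:782:   protocol = IKEv2:
ike 0:d4455f39cff0dd02/0000000000000000:782:      encapsulation = IKEv2/none
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=PRF, val=PRF_HMAC_SHA
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=DH_GROUP, val=MODP1024.
"""
# Constructed sample: the FortiGate's own (mismatching) proposal.
FG_MINE = """\
ike 0:d4455f39cff0dd02/0000000000000000:782: my proposal, gw Azure:
ike 0:d4455f39cff0dd02/0000000000000000:782: proposal id = 1:
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=ENCR, val=DES_CBC
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=INTEGR, val=AUTH_HMAC_MD5_96
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=PRF, val=PRF_HMAC_MD5
ike 0:d4455f39cff0dd02/0000000000000000:782:         type=DH_GROUP, val=MODP1024.
"""
# Constructed samples: the SRX's configured proposal in the failing and the working case.
SRX_BAD = "[Jan 20 03:18:03]Configured proposal is SA([0](id = 1) protocol = IKE (1), 3DES, HMAC-MD5-96, 1024 bit MODP, HMAC-MD5 PRF; )"
SRX_OK = "[Jan 20 04:03:02]Configured proposal is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, 1024 bit MODP, HMAC-SHA1 PRF; )"

# FortiGate spelling / Junos spelling -> one name
CANON = {
    "AES_CBC (key_len = 256)": "AES256", "AES CBC key len = 256": "AES256",
    "AES_CBC (key_len = 128)": "AES128", "AES CBC key len = 128": "AES128",
    "3DES_CBC": "3DES", "3DES": "3DES", "DES_CBC": "DES",
    "AUTH_HMAC_SHA_96": "SHA1", "HMAC-SHA1-96": "SHA1",
    "AUTH_HMAC_SHA2_256_128": "SHA256", "HMAC-SHA256-128": "SHA256",
    "AUTH_HMAC_MD5_96": "MD5", "HMAC-MD5-96": "MD5",
    "PRF_HMAC_SHA": "PRF_SHA1", "HMAC-SHA1 PRF": "PRF_SHA1",
    "PRF_HMAC_SHA2_256": "PRF_SHA256", "HMAC-SHA256 PRF": "PRF_SHA256",
    "PRF_HMAC_MD5": "PRF_MD5", "HMAC-MD5 PRF": "PRF_MD5",
    "MODP1024": "DH2", "1024 bit MODP": "DH2",
}
WEAK = {"DES", "3DES", "MD5", "PRF_MD5", "DH2"}   # DH2 = 1024-bit MODP

_FG_PROP = re.compile(r"proposal id = \d+:")
_FG_XFRM = re.compile(r"type=(\w+), val=(.+?)\.?$")


def xfrm_type(name):
    if name.startswith("PRF_"):
        return "PRF"
    if name.startswith("DH"):
        return "DH_GROUP"
    return "INTEGR" if name in ("SHA1", "SHA256", "MD5") else "ENCR"


def parse_fortigate(text):
    """[{transform type: {names}}] from 'proposal id = N:' / 'type=..., val=...' lines."""
    proposals, cur = [], None
    for line in text.splitlines():
        if _FG_PROP.search(line):
            cur = {}
            proposals.append(cur)
            continue
        m = _FG_XFRM.search(line.rstrip())
        if m and cur is not None:
            cur.setdefault(m.group(1), set()).add(CANON[m.group(2)])
    return proposals


def parse_junos(line):
    """Same structure from a kmd 'SA([0](id = 1) protocol = IKE (1), a, b, c; ...)' line."""
    body = line[line.index("SA(") + 3:].rstrip(") ")
    proposals = []
    for chunk in body.split(";"):
        if "protocol" not in chunk:
            continue
        cur = {}
        for item in (t.strip() for t in chunk.split(",")[1:]):
            name = CANON[item]
            cur.setdefault(xfrm_type(name), set()).add(name)
        proposals.append(cur)
    return proposals


def select_proposal(offered, configured):
    """Responder choice (RFC 7296 section 2.7): the first offered proposal for
    which some configured proposal shares a transform of every type; the suite
    is that intersection. None is what the peer sees as NO_PROPOSAL_CHOSEN."""
    for number, prop in enumerate(offered, start=1):
        for mine in configured:
            if set(prop) != set(mine):
                continue
            common = {t: prop[t] & mine[t] for t in prop}
            if all(common.values()):
                return number, {t: sorted(v)[0] for t, v in common.items()}
    return None


def weak_transforms(prop):
    return sorted(v for vals in prop.values() for v in vals if v in WEAK)


if __name__ == "__main__":
    azure = parse_fortigate(FG_AZURE)
    for label, mine in (("FortiGate DES/MD5", parse_fortigate(FG_MINE)),
                        ("SRX 3DES/MD5", parse_junos(SRX_BAD)),
                        ("SRX AES256/SHA1", parse_junos(SRX_OK))):
        print(label, "->", select_proposal(azure, mine), "weak:", weak_transforms(mine[0]))
```

Paste the "incoming proposal" block and your own "my proposal" block (or the kmd "Configured proposal" line) into the sample strings and the function tells you which transform type has no overlap, which is faster than comparing the two lists by eye.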

The log in the healthy case is below.

// FortiGate sends the IKE_SA_INIT request to Azure (the responder SPI in the id is still all zeros)
ike 0:Azure:815: sent IKE msg (SA_INIT): ff.ff.ff.ff:500->aa.aa.aa.aa:500, len=340, id=a773817d787e06a4/0000000000000000
ike 0: comes aa.aa.aa.aa:500->ff.ff.ff.ff:500,ifindex=7....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=a773817d787e06a4/5d4182e9c4e71157 len=364
ike 0: in A773817D787E06A45D4182E9C4E7115721202220000000000000016C220000300000002C010100040300000C0100000C800E0100030000080300000203000008020000020000000804000002280000880002000041168ABAA25B349FEF74B97112D464ACBDD24E9D415DB600ADA95C48F9FB09DD63388A7C14FDBF75EA926F25A97DFED9BDE66FD5E614A7B3FA0E6E72C4D25F018B709EFECFCDCADD3D3407B3821658A63EC9B9396EDCCAAFC79B68362928275364452E4513CD12AAD700846D45E52A8C91B3DF1168BE4A28BFCCCA1030949CAD29000034C2C8CB225C4F02C82BA41D222FC47318C9BB968E42109586814018DD44781D172DA7821374A5C71FF61120A6D5D8ADE92900001C0000400412B129D9A38E93680D50A89633A517BC0DF692582B00001C0000400572B08CE048FE1A5A0644D512093F674262CDEACE2B0000181E2B516905991C7D7C96FCBFB587E4610000000900000014FB1DE3CDF341B7EA16B7E5BE0855F120

// SA_INIT response received from Azure (364 bytes this time: SA, KE and Nonce payloads rather than a notify)
ike 0:Azure:815: initiator received SA_INIT response
ike 0:Azure:815: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:Azure:815: ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
ike 0:Azure:815: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:Azure:815: ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)

// proposal received from Azure (as responder it returns the single suite it chose from the FortiGate's offer)
ike 0:Azure:815: incoming proposal:
ike 0:Azure:815: proposal id = 1:
ike 0:Azure:815:   protocol = IKEv2:
ike 0:Azure:815:      encapsulation = IKEv2/none
ike 0:Azure:815:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Azure:815:         type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:Azure:815:         type=PRF, val=PRF_HMAC_SHA
ike 0:Azure:815:         type=DH_GROUP, val=MODP1024.

// the proposal matched against the FortiGate's own configuration
ike 0:Azure:815: matched proposal id 1
ike 0:Azure:815: proposal id = 1:
ike 0:Azure:815:   protocol = IKEv2:
ike 0:Azure:815:      encapsulation = IKEv2/none
ike 0:Azure:815:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Azure:815:         type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:Azure:815:         type=PRF, val=PRF_HMAC_SHA
ike 0:Azure:815:         type=DH_GROUP, val=MODP1024.

// IKE SA keys derived, then the AUTH message is prepared and INITIAL-CONTACT sent
// SK_ei/SK_er/SK_ai/SK_ar are the live IKE SA encryption and integrity keys: redact them before sharing a debug log
ike 0:Azure:815: lifetime=28800
ike 0:Azure:815: IKE SA a773817d787e06a4/5d4182e9c4e71157 SK_ei 32:936D0D524FBD63007463875227CCF5EBF8E57329DEB3CAA91E3E2EB2E888CD10
ike 0:Azure:815: IKE SA a773817d787e06a4/5d4182e9c4e71157 SK_er 32:47962985DA68DEB918F4046430BE910B47081089B99EF385071C0B517A3B0AAA
ike 0:Azure:815: IKE SA a773817d787e06a4/5d4182e9c4e71157 SK_ai 20:289FE8FA93A7F8428E837BFBAF9C0DEAB3315E65
ike 0:Azure:815: IKE SA a773817d787e06a4/5d4182e9c4e71157 SK_ar 20:CCA087CA7FFBC1F6F89A56A6EF762EEDA60EA9D4
ike 0:Azure:815: initiator preparing AUTH msg
ike 0:Azure:815: sending INITIAL-CONTACT


Oh, and of course, please check FortiGate configuration and troubleshooting with Fortinet. Microsoft can't give official answers about other vendors' VPN devices, so please read the room on that.


I'll add more when I feel like it.