Troubleshooting a VPN between Azure VPN Gateway and a Juniper SRX that will not connect

Following the earlier Fortigate post, here are my notes on troubleshooting a VPN on an SRX kindly lent by @kazubu.
I am still not at all used to JUNOS, so please forgive the rough notes.

Reference documents

Configuration steps

It connected by following the Japanese PDF almost exactly, so I will skip the steps here. (I think there was a typo in one place, but I forget where.)
The Azure-side steps in that PDF are written for the old portal, so see the Microsoft documentation for the details.

Clearing the VPN tunnel

// If peer-address is omitted, every SA is cleared (tunnels to other sites drop as well), so be careful
clear security ipsec security-associations aa.aa.aa.aa
clear security ike security-associations aa.aa.aa.aa

Packet capture

To be checked later.

Checking the VPN tunnel

Confirm that the IKE and IPsec SAs are established.

> show security ipsec statistics
ESP Statistics: // once the tunnel is up, packets are being counted here
  Encrypted bytes:             1976
  Decrypted bytes:          1924704
  Encrypted packets:             13
  Decrypted packets:          60147
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
5870219 UP a2a4867ce688050e 162df6175e622dbc IKEv2 aa.aa.aa.aa

> show security ike security-associations detail
IKE peer aa.aa.aa.aa, Index 5870219, Gateway Name: azure-gw
  Role: Responder, State: UP
  Initiator cookie: a2a4867ce688050e, Responder cookie: 162df6175e622dbc
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local: jj.jj.jj.jj:500, Remote: aa.aa.aa.aa:500
  Lifetime: Expires in 8440 seconds
  Peer ike-id: aa.aa.aa.aa
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :               771724
   Output bytes  :               771612
   Input  packets:                10141
   Output packets:                10141
  IPSec security associations: 14 created, 7 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: jj.jj.jj.jj:500, Remote: aa.aa.aa.aa:500
    Local identity: jj.jj.jj.jj
    Remote identity: aa.aa.aa.aa
    Flags: IKE SA is created

> show security ipsec security-associations
 Total active tunnels: 1
 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
 <131073 ESP:aes-cbc-256/sha1 88bad682 3186/ unlim - root 500 aa.aa.aa.aa
 >131073 ESP:aes-cbc-256/sha1 eaaf6166 3186/ unlim - root 500 aa.aa.aa.aa

> show security ipsec security-associations detail

ID: 131073 Virtual-system: root, VPN Name: azure-vpn
  Local Gateway: jj.jj.jj.jj, Remote Gateway: aa.aa.aa.aa
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.0
  Port: 500, Nego#: 415, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Tunnel events:
    Fri Jan 19 2018 07:50:57: IPSec SA rekey successfully completed (25 times)
    Fri Jan 19 2018 02:21:10: IKE SA rekey successfully completed (2 times)
    Thu Jan 18 2018 11:09:06: IPSec SA negotiation successfully completed (1 times)
    Thu Jan 18 2018 11:09:06: IKE SA negotiation successfully completed (1 times)
    Thu Jan 18 2018 11:08:37: IPSec SAs cleared as corresponding IKE SA deleted (1 times)
    Thu Jan 18 2018 10:27:52: IPSec SA rekey successfully completed (31 times)
    Thu Jan 18 2018 07:36:23: IKE SA rekey successfully completed (3 times)
    Wed Jan 17 2018 08:48:20: IPSec SA negotiation successfully completed (1 times)
    Wed Jan 17 2018 08:48:20: IKE SA negotiation successfully completed (1 times)
    Wed Jan 17 2018 08:48:17: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
    Wed Jan 17 2018 08:15:29: IPSec SA rekey successfully completed (72 times)
    Wed Jan 17 2018 01:53:22: IKE SA rekey successfully completed (7 times)
    Sun Jan 14 2018 20:41:14: IPSec SA negotiation successfully completed (1 times)
    Sun Jan 14 2018 20:41:14: IKE SA negotiation successfully completed (1 times)
    Sun Jan 14 2018 19:10:02: IKE SA rekey successfully completed (2 times)
    Sun Jan 14 2018 03:58:00: IKE SA negotiation successfully completed (1 times)
  Direction: inbound, SPI: 72332189, AUX-SPI: 0
    Hard lifetime: Expires in 2815 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2204 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: e7bae17a, AUX-SPI: 0
    Hard lifetime: Expires in 2815 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2204 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

Enabling debug logging

monitor start kmd
monitor stop kmd
show log kmd // the log itself appears to be written to /var/log/kmd

PSK mismatch

[Jan 19 09:11:49]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 380 on IF
[Jan 19 09:11:49]ikev2_decode_packet: [101cc00/1094c00] Received packet: HDR, IDi, AUTH, SA, TSi, TSr
[Jan 19 09:11:49]ikev2_state_dispatch: [101cc00/1094c00] Responder side IKE_AUTH
[Jan 19 09:11:49]ikev2_reply_cb_shared_key_auth_verify: [101cc00/1094c00] Error: Auth payload contents does not match
[Jan 19 09:11:49]ikev2_state_error: [101cc00/1094c00] Negotiation failed because of error Authentication failed (24)
[Jan 19 09:11:49]IKE negotiation fail for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 with status: Authentication failed
[Jan 19 09:11:49]IPSec negotiation failed for SA-CFG azure-vpn for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2. status: Authentication failed

The healthy-case log is below: the IKE_AUTH exchange is followed by SA selected successfully instead of an error, so this is what a good run looks like.

[Jan 20 04:03:02]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 380 on IF
[Jan 20 04:03:02]ikev2_decode_packet: [ffd000/1094c00] Received packet: HDR, IDi, AUTH, SA, TSi, TSr
[Jan 20 04:03:02]ikev2_state_dispatch: [ffd000/1094c00] Responder side IKE_AUTH
[Jan 20 04:03:02]ikev2_select_sa_reply: [1034400/1094c00] SA selected successfully

Proposal mismatch

// IKE_SA_INIT received from Azure (the SRX is acting as responder here)
[Jan 20 03:18:03]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 620 on IF
[Jan 20 03:18:03]ikev2_packet_st_input_get_or_create_sa: [fff400/0] No IKE SA for packet; requesting permission to create one.
[Jan 20 03:18:03]ikev2_decode_packet: [fff400/1094c00] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), Vid, Vid, Vid, Vid
[Jan 20 03:18:03]ikev2_state_dispatch: [fff400/1094c00] Responder side IKE_SA_INIT

// Proposal received from the Azure side
[Jan 20 03:18:03]Peer's proposed IKE SA payload is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1](id = 2) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF

// Proposal configured on the SRX side
[Jan 20 03:18:03]Configured proposal is SA([0](id = 1) protocol = IKE (1), 3DES, HMAC-MD5-96, 1024 bit MODP, HMAC-MD5 PRF; )

// No proposal chosen: the negotiation fails because the SRX proposal (3DES / MD5) does not overlap with anything Azure offered (AES-256 / SHA1 or SHA-256)
[Jan 20 03:18:03]P1 SA payload match failed for sa-cfg azure-vpn. Aborting negotiation local:jj.jj.jj.jj remote:aa.aa.aa.aa IKEv2.
[Jan 20 03:18:03]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Jan 20 03:18:03]ikev2_select_sa_reply: [fff400/1094c00] Error: SA select failed: 14
[Jan 20 03:18:03]ikev2_state_error: [fff400/1094c00] Negotiation failed because of error No proposal chosen (14)
[Jan 20 03:18:03]IKE negotiation fail for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 with status: No proposal chosen
[Jan 20 03:18:03]IKE SA delete called for p1 sa 5870294 (ref cnt 1) local:jj.jj.jj.jj, remote:aa.aa.aa.aa, IKEv2
[Jan 20 03:18:03]iked_pm_p1_sa_destroy: p1 sa 5870294 (ref cnt 0), waiting_for_del 0x0

A healthy negotiation looks like this.

// After the clear, the SRX sends an INFORMATIONAL delete for the old IKE SA (index 5870425); Azure then initiates a fresh IKE_SA_INIT and the SRX answers as responder
[Jan 20 04:02:37]ikev2_udp_send_packet: [1023400/1094c00] <-------- Sending packet - length = 76 VR id 0
[Jan 20 04:02:37]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 76 on IF
[Jan 20 04:02:37]ikev2_decode_packet: [1022c00/1094c00] Received packet: HDR
[Jan 20 04:02:37]ikev2_state_dispatch: [1022c00/1094c00] Initiator side INFORMATIONAL
[Jan 20 04:02:37]iked_pm_ike_sa_delete_notify_done_cb: For p1 sa index 5870425, ref cnt 2, status: Error ok
[Jan 20 04:02:37]iked_pm_p1_sa_destroy:  p1 sa 5870425 (ref cnt 0), waiting_for_del 0xd365a0
[Jan 20 04:02:37]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[Jan 20 04:03:02]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 620 on IF
[Jan 20 04:03:02]ikev2_packet_st_input_get_or_create_sa: [1029800/0] No IKE SA for packet; requesting permission to create one.
[Jan 20 04:03:02]ikev2_decode_packet: [1029800/1094c00] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), Vid, Vid, Vid, Vid
[Jan 20 04:03:02]ikev2_state_dispatch: [1029800/1094c00] Responder side IKE_SA_INIT

// Proposal received from the Azure side
[Jan 20 04:03:02]Peer's proposed IKE SA payload is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1](id = 2) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF

// Proposal configured on the SRX side
[Jan 20 04:03:02]Configured proposal is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, 1024 bit MODP, HMAC-SHA1 PRF; )

// Proposals match
[Jan 20 04:03:02]ikev2_select_sa_reply: [1029800/1094c00] SA selected successfully
[Jan 20 04:03:02]ikev2_state_init_responder_in_end: [1029800/0] Send reply IKE_SA_INIT packet
[Jan 20 04:03:02]ikev2_udp_send_packet: [1031800/0] <-------- Sending packet - length = 346 VR id 0
[Jan 20 04:03:02]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 380 on IF
[Jan 20 04:03:02]ikev2_decode_packet: [ffd000/1094c00] Received packet: HDR, IDi, AUTH, SA, TSi, TSr
[Jan 20 04:03:02]ikev2_state_dispatch: [ffd000/1094c00] Responder side IKE_AUTH
[Jan 20 04:03:02]ikev2_select_sa_reply: [1034400/1094c00] SA selected successfully
[Jan 20 04:03:02]Construction NHTB payload for  local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 P1 SA index 5870426 sa-cfg azure-vpn
[Jan 20 04:03:02]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg azure-vpn, p1_sa=5870426
[Jan 20 04:03:02]iked_pm_ipsec_sa_install: local:jj.jj.jj.jj, remote:aa.aa.aa.aa  IKEv2 for SA-CFG azure-vpn, rekey-ikev2:no
[Jan 20 04:03:02]iked_pm_ipsec_sa_create: encr key len 32, auth key len: 20, salt len: 0
[Jan 20 04:03:02]Added (spi=0xe913e01d, protocol=ESP dst=jj.jj.jj.jj) entry to the peer hash table
[Jan 20 04:03:02]Added (spi=0x9a0dbe24, protocol=ESP dst=aa.aa.aa.aa) entry to the peer hash table
[Jan 20 04:03:02]iked_pm_ipsec_sa_install: NHTB add passed for sa-cfg azure-vpn
[Jan 20 04:03:02]Hardlife timer started for inbound azure-vpn with 3600 seconds/0 kilobytes
[Jan 20 04:03:02]Softlife timer started for inbound azure-vpn with 3025 seconds/0 kilobytes
[Jan 20 04:03:02]In iked_ipsec_sa_pair_add Adding GENCFG msg with key; Tunnel = 131073;SPI-In = 0xe913e01d
[Jan 20 04:03:02]Added dependency on SA config blob with tunnelid = 131073
[Jan 20 04:03:02]Successfully added ipsec SA PAIR
[Jan 20 04:03:02]iked_pm_ike_sa_done: local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2
[Jan 20 04:03:02]IKE negotiation done for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 with status: Error ok
[Jan 20 04:03:02]IPSec  negotiation done successfully for SA-CFG azure-vpn for local:jj.jj.jj.jj, remote:aa.aa.aa.aa  IKEv2
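To make the two failure signatures above (PSK mismatch: "Authentication failed"; proposal mismatch: "No proposal chosen") and the healthy case machine-checkable, here is an added example that is not part of the original post: a small Python classifier that walks kmd log excerpts, extracts the negotiation status, and, for the proposal case, diffs the attribute sets of the peer's proposed IKE SA against the SRX's configured proposal so you can see exactly which attribute to change. The sample lines are constructed from the excerpts shown above with the same placeholder addresses; the mapping from status text to configuration hint is this example's own.

```python
"""Classify Junos kmd (IKE) log excerpts from an SRX <-> Azure VPN Gateway tunnel.

Added example, not code from the original post. The sample log lines below are
constructed from the excerpts in the post (same placeholder addresses).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hint per IKEv2 status string as kmd prints it (this mapping is the example's own).
FAILURE_HINTS = {
    "Authentication failed": "pre-shared key differs between the SRX IKE policy and the Azure connection",
    "No proposal chosen": "no IKE proposal overlap: align encryption/integrity/PRF/DH group on the SRX",
}

PROPOSAL_RE = re.compile(r"(Peer's proposed IKE SA payload is|Configured proposal is) SA\((.*)$")
FAIL_RE = re.compile(r"IKE negotiation fail for local:(\S+), remote:(\S+) IKEv2 with status: (.+)$")
DONE_RE = re.compile(r"IKE negotiation done for local:(\S+), remote:(\S+) IKEv2 with status: Error ok")
PREFIX_RE = re.compile(r"^\[\d+\]\(id = \d+\) protocol = IKE \(\d+\),\s*")


@dataclass
class Analysis:
    status: str = "unknown"  # "ok", an IKEv2 status string from kmd, or "unknown"
    hint: str = ""
    peer_proposals: list[frozenset[str]] = field(default_factory=list)
    configured: list[frozenset[str]] = field(default_factory=list)


def parse_proposals(body: str) -> list[frozenset[str]]:
    """Turn '[0](id = 1) protocol = IKE (1), a, b; [1](id = 2) ...' into one attribute
    set per proposal. Sets ignore attribute order, which differs between the peer's
    line and the SRX's line in the real log (PRF and DH group are swapped)."""
    proposals = []
    for chunk in re.split(r";\s*", body.rstrip(")")):
        chunk = PREFIX_RE.sub("", chunk.strip())
        attrs = frozenset(a.strip() for a in chunk.split(",") if a.strip())
        if attrs:
            proposals.append(attrs)
    return proposals


def analyse(lines: list[str]) -> Analysis:
    """Walk kmd lines in order; the last negotiation result seen wins."""
    result = Analysis()
    for line in lines:
        m = PROPOSAL_RE.search(line)
        if m:
            target = result.peer_proposals if m.group(1).startswith("Peer") else result.configured
            target.extend(parse_proposals(m.group(2)))
            continue
        m = FAIL_RE.search(line)
        if m:
            result.status = m.group(3).strip()
            result.hint = FAILURE_HINTS.get(result.status, "inspect the ikev2_state_error line")
            continue
        if DONE_RE.search(line):
            result.status, result.hint = "ok", ""
    return result


def matching_proposals(result: Analysis) -> list[tuple[int, int]]:
    """(configured index, peer index) pairs whose attribute sets are identical."""
    return [(i, j) for i, c in enumerate(result.configured)
            for j, p in enumerate(result.peer_proposals) if c == p]


def proposal_diff(result: Analysis) -> list[tuple[int, int, set[str], set[str]]]:
    """For each non-matching pair: attributes only on the SRX, attributes only on the peer."""
    return [(i, j, set(c - p), set(p - c)) for i, c in enumerate(result.configured)
            for j, p in enumerate(result.peer_proposals) if c != p]


# --- constructed sample excerpts (shapes copied from the post's kmd output) ---
PSK_MISMATCH = [
    "[Jan 19 09:11:49]ikev2_reply_cb_shared_key_auth_verify: [101cc00/1094c00] Error: Auth payload contents does not match",
    "[Jan 19 09:11:49]ikev2_state_error: [101cc00/1094c00] Negotiation failed because of error Authentication failed (24)",
    "[Jan 19 09:11:49]IKE negotiation fail for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 with status: Authentication failed",
]
PROPOSAL_MISMATCH = [
    "[Jan 20 03:18:03]Peer's proposed IKE SA payload is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1](id = 2) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF",
    "[Jan 20 03:18:03]Configured proposal is SA([0](id = 1) protocol = IKE (1), 3DES, HMAC-MD5-96, 1024 bit MODP, HMAC-MD5 PRF; )",
    "[Jan 20 03:18:03]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen",
    "[Jan 20 03:18:03]IKE negotiation fail for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 with status: No proposal chosen",
]
SUCCESS = [
    "[Jan 20 04:03:02]Peer's proposed IKE SA payload is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1](id = 2) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF",
    "[Jan 20 04:03:02]Configured proposal is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, 1024 bit MODP, HMAC-SHA1 PRF; )",
    "[Jan 20 04:03:02]ikev2_select_sa_reply: [1029800/1094c00] SA selected successfully",
    "[Jan 20 04:03:02]IKE negotiation done for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 with status: Error ok",
]

if __name__ == "__main__":
    for name, excerpt in (("psk", PSK_MISMATCH), ("proposal", PROPOSAL_MISMATCH), ("ok", SUCCESS)):
        r = analyse(excerpt)
        print(f"{name}: status={r.status!r} hint={r.hint!r} matches={matching_proposals(r)}")
        for i, j, only_srx, only_peer in proposal_diff(r):
            print(f"  configured[{i}] vs peer[{j}]: only SRX {sorted(only_srx)} / only peer {sorted(only_peer)}")
```

Two things worth noting when reading the output. First, kmd prints the attributes in a different order on the peer line and the configured line, which is why the comparison is on sets and not on the raw strings. Second, the peer's second proposal in the post's log is cut off before its DH group, so it never matches the configured proposal; the tunnel came up on the first proposal (AES-256-CBC / HMAC-SHA1-96 / 1024-bit MODP). Since Azure also offers HMAC-SHA256 integrity, it is worth checking whether a stronger combination can be selected on both sides rather than stopping at the first one that matches.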

As always, check with the respective device vendor for each product's configuration and troubleshooting procedures.

I will add more to this when I get around to it.

Other

Logs can now be collected on the Azure VPN Gateway side as well, so see the following post too.

How to debug when a VPN connection to Azure does not work

I also covered this in more detail in a talk at Jazug Night, so see slides p.64 - 73 or the YouTube recording (1:03:36 - 1:18:50).
