Azure Point-to-site VPN from Ubuntu


I am trying to follow "Configure a Point-to-Site (P2S) VPN on Linux for use with Azure Files", and the configuration seems to work without errors. When I try to connect, however, it fails.

The error-related lines that I can find say:

peer didn't accept DH group ECP_256, it requested ECP_384

requesting ocsp status from 'http://ocsp.digicert.com' ...
    nonce in ocsp response doesn't match

received MS_NOTIFY_STATUS notify error
establishing connection 'my-share-vn' failed

Here is the full output:

user@user-temp-ubuntu-2004LTS-vm:~/temp$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.8.2 IPsec [starter]...

user@user-temp-ubuntu-2004LTS-vm:~/temp$ sudo ipsec up $virtualNetworkName
initiating IKE_SA my-share-vn[1] to xxx.xxx.xxx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (1128 bytes)
received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested ECP_384
initiating IKE_SA my-share-vn[1] to xxx.xxx.xxx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (1160 bytes)
received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (357 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V CERTREQ ]
received MS NT5 ISAKMPOAKLEY v9 vendor ID
received MS-Negotiation Discovery Capable vendor ID
selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
local host is behind NAT, sending keep alives
received cert request for "CN=P2SRootCert"
sending cert request for "CN=P2SRootCert"
sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
establishing CHILD_SA my-share-vn{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (320 bytes)
received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (1276 bytes)
parsed IKE_AUTH response 1 [ EF(1/3) ]
received fragment #1 of 3, waiting for complete IKE message
received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (1276 bytes)
parsed IKE_AUTH response 1 [ EF(2/3) ]
received fragment #2 of 3, waiting for complete IKE message
received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (1244 bytes)
parsed IKE_AUTH response 1 [ EF(3/3) ]
received fragment #3 of 3, reassembled fragmented IKE message (3625 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
received end entity cert "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=00000000-0000-0000-0000-000000000000.vpn.azure.com"
received issuer cert "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
  using certificate "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=00000000-0000-0000-0000-000000000000.vpn.azure.com"
  using untrusted intermediate certificate "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
checking certificate status of "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=00000000-0000-0000-0000-000000000000.vpn.azure.com"
  requesting ocsp status from 'http://ocsp.digicert.com' ...
nonce in ocsp response doesn't match
ocsp check failed, fallback to crl
  fetching crl from 'http://crl3.digicert.com/DigiCertSHA2SecureServerCA.crl' ...
  using certificate "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
  using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
certificate policy 2.23.140.1.1 for 'C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA' not allowed by trustchain, ignored
certificate policy 2.23.140.1.2.1 for 'C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA' not allowed by trustchain, ignored
certificate policy 2.23.140.1.2.2 for 'C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA' not allowed by trustchain, ignored
certificate policy 2.23.140.1.2.3 for 'C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA' not allowed by trustchain, ignored
  reached self-signed root ca with a path length of 0
  crl correctly signed by "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
  crl is valid: until Aug 22 18:37:40 2021
certificate status is good
  using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
checking certificate status of "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
  requesting ocsp status from 'http://ocsp.digicert.com' ...
nonce in ocsp response doesn't match
ocsp check failed, fallback to crl
  fetching crl from 'http://crl3.digicert.com/DigiCertGlobalRootCA.crl' ...
  using trusted certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
  crl correctly signed by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
  crl is valid: until Sep 02 20:49:32 2021
certificate status is good
certificate policy 2.23.140.1.2.2 for 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=00000000-0000-0000-0000-000000000000.vpn.azure.com' not allowed by trustchain, ignored
  reached self-signed root ca with a path length of 1
authentication of 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=00000000-0000-0000-0000-000000000000.vpn.azure.com' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending 'client'
EAP_IDENTITY not supported, sending EAP_NAK
generating IKE_AUTH request 2 [ EAP/RES/NAK ]
sending packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (67 bytes)
received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (72 bytes)
parsed IKE_AUTH response 2 [ N(MS_STATUS(1244)) ]
received MS_NOTIFY_STATUS notify error
establishing connection 'my-share-vn' failed
user@user-temp-ubuntu-2004LTS-vm:~/temp$

I have no idea how to troubleshoot that. Could that be connected to strongSwan, and should I try some other VPN client? Is there a problem with ECP_384? Where do I even start with this problem?

By the way, I can connect to this VPN using the Windows VPN client that I downloaded from the portal, importing the client.p12 certificate that was generated by the script from the document.

Thanks!

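As an added example (not part of the question and not a strongSwan tool), a small Python triage script that walks an `ipsec up` transcript like the one posted above and names the IKEv2 phase at which the negotiation stopped. It assumes the strongSwan 5.8 log wording shown in the question and uses a shortened excerpt of the question's own output as sample input.

```python
import re

# Excerpt of the strongSwan output posted in the question, shortened to the lines the triage keys on.
SAMPLE_LOG = """\
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested ECP_384
selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
ocsp check failed, fallback to crl
certificate status is good
ocsp check failed, fallback to crl
certificate status is good
authentication of 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=00000000-0000-0000-0000-000000000000.vpn.azure.com' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending 'client'
EAP_IDENTITY not supported, sending EAP_NAK
parsed IKE_AUTH response 2 [ N(MS_STATUS(1244)) ]
establishing connection 'my-share-vn' failed
"""

# One regex per event worth tracking; its capture group(s) become the finding.
PATTERNS = {
    "dh_retry": re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)"),
    "proposal": re.compile(r"selected proposal: (\S+)"),
    "server_auth": re.compile(r"authentication of '([^']+)' with RSA signature successful"),
    "eap_nak": re.compile(r"(\S+) not supported, sending EAP_NAK"),
    "ms_status": re.compile(r"N\(MS_STATUS\((\d+)\)\)"),
    "failed": re.compile(r"establishing connection '([^']+)' failed"),
}

def triage(log: str) -> dict:
    """Collect the notable IKEv2 events from a strongSwan 'ipsec up' transcript."""
    # Each OCSP nonce mismatch in the log fell back to a CRL fetch; count those.
    findings = {"ocsp_fallbacks": log.count("ocsp check failed, fallback to crl")}
    for line in log.splitlines():
        for key, rx in PATTERNS.items():
            if m := rx.search(line):
                findings[key] = m.groups() if len(m.groups()) > 1 else m.group(1)
    return findings

def failure_phase(findings: dict) -> str:
    """Name the first negotiation phase that did not complete; the order mirrors IKEv2."""
    if "proposal" not in findings:
        return "IKE_SA_INIT: no IKE proposal agreed"
    if "server_auth" not in findings:
        return "IKE_AUTH: server certificate not authenticated"
    if "eap_nak" in findings:
        return f"IKE_AUTH/EAP: client rejected EAP method {findings['eap_nak']}"
    if "failed" in findings:
        return f"failed after authentication (MS_STATUS {findings.get('ms_status')})"
    return "connected"
```

Running `failure_phase(triage(SAMPLE_LOG))` on the excerpt reports the EAP phase with `EAP_IDENTITY` named, which is the last client action before the MS_STATUS error in the posted log; the DH retry and the OCSP fallbacks are recorded separately so they are not mistaken for the failure.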