Phase2 error between libreswan and Azure VPN Gateway


I am trying to set up a Site to Site VPN connection between an openswan (libreswan on EC2) and Azure VPN gateway. I can see the Phase1 authentication is happening successfully but failing on Phase2 of VPN connectivity. Not able to figure out where I am going wrong. Please help. Details as below:

Azure:

VPN Type = Route based connection
IKE version = IKEv2
SKU = VpnGw1

Openswan:

OS = Amazon Linux
Libreswan version = libreswan.x86_64  (3.25-4.8.amzn2.0.1)

Configuration:

conn Tunnel2
    authby=secret
    auto=start
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120
    forceencaps=yes
    ike=aes256-sha1;modp1024
    ikelifetime=10800s
    ikev2=insist
    keyingtries=3
    left=%defaultroute
    leftid=XXXXXXXXXXXXXX
    leftsubnets=XXXXXXXXX
    pfs=yes
    phase2alg=aes256-sha2
    right=XXXXXXX
    rightid=XXXXXXXX
    rightsubnets=XXXXXXXX
    salifetime=3600s
    type=tunnel



The default Azure IPsec policy for any SKU including VpnGw1 requires the following configuration for Phase 2 (IPSec):

IPsec encryption = AES256
IPsec integrity  = SHA1

Which, in your configuration file, translates to:

phase2alg=aes128-sha1

Here is an article that I wrote with more details: Build an Azure site-to-site VPN for DevTest
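The mismatch this answer points at can be checked before bringing the tunnel up. The script below is an added example, not code from the answer or from libreswan: it parses the phase2alg line of a conn block, normalises libreswan's algorithm spellings (assumed: a bare sha2 means sha2_256, a bare aes means 128-bit), and reports which proposals overlap with a peer set constructed from the Azure values stated above.

```python
import re

# Alias tables (assumption: these follow common libreswan spellings; a bare
# "sha2" is read as sha2_256 and a bare "aes" as 128-bit, as libreswan does).
INTEG_ALIASES = {"sha": "sha1", "sha1": "sha1", "sha2": "sha2_256",
                 "sha256": "sha2_256", "sha2_256": "sha2_256",
                 "sha384": "sha2_384", "sha2_384": "sha2_384",
                 "sha512": "sha2_512", "sha2_512": "sha2_512"}
DEFAULT_KEYLEN = {"aes": 128, "3des": 192}

def parse_proposal(token):
    """'aes256-sha1' -> ('aes', 256, 'sha1'); a ';modpNNNN' DH suffix is dropped."""
    token = token.strip().lower().split(";")[0]
    enc, _, integ = token.partition("-")
    m = re.fullmatch(r"([a-z0-9_]+?)(\d*)", enc)
    if not m:
        raise ValueError(f"unparseable encryption token {enc!r}")
    name, keylen = m.group(1), m.group(2)
    keylen = int(keylen) if keylen else DEFAULT_KEYLEN.get(name, 0)
    return name, keylen, INTEG_ALIASES.get(integ, integ)

def parse_phase2alg(value):
    """phase2alg may carry several comma-separated proposals."""
    return [parse_proposal(t) for t in value.split(",") if t.strip()]

def conn_settings(conf_text, conn_name):
    """Return the key=value pairs of one conn block from ipsec.conf text."""
    settings, inside = {}, False
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith(("conn ", "config ")):
            inside = line == f"conn {conn_name}"
        elif inside and "=" in line and not line.startswith("#"):
            key, _, val = line.partition("=")
            settings[key.strip()] = val.strip()
    return settings

def matching_proposals(local, peer):
    """Proposals both sides accept; an empty list means no Child SA can be agreed."""
    return [p for p in local if p in peer]

# Constructed sample: the questioner's conn, trimmed to the lines that matter.
SAMPLE_CONF = """conn Tunnel2
    ikev2=insist
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha2
    pfs=yes
"""
# Peer set built from the answer above (AES256 with SHA1, and the aes128-sha1
# line it suggests); constructed for this example, not read from Azure.
AZURE_PHASE2 = [("aes", 256, "sha1"), ("aes", 128, "sha1")]

def check(conf_text=SAMPLE_CONF, conn="Tunnel2", peer=AZURE_PHASE2):
    local = parse_phase2alg(conn_settings(conf_text, conn)["phase2alg"])
    return matching_proposals(local, peer)
```

With the questioner's phase2alg=aes256-sha2 the overlap is empty, which is the Phase 2 failure described; listing an accepted proposal in phase2alg makes it non-empty.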


I took an alternative option and set up a new strongSwan. Now I am able to connect to AWS VPN as well as Azure VPN.