[NEBULA] Azure Site-to-Site

Phthisicus
Phthisicus Posts: 2  Freshman Member
First Comment
edited April 2021 in Nebula
I am trying to make a site-to-site witch azure only the connection would not establish.

The logs show the following:

2017-12-07 15:01:00 vpn 46.x.x.x 13.x.x.x
[SA] : No proposal chosen [count=3]
2017-12-07 15:01:00 vpn 46.x.x.x 13.x.x.x
The cookie pair is : 0x8ff0e64c51494b3c / 0x555b446570751a36
2017-12-07 15:01:00 vpn 13.x.x.x 46.x.x.x
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF, 1024 bit MODP; [2] protocol = IKE (1), AES CBC key len = 128, HMAC- [count=3]
2017-12-07 15:01:00 vpn 13.x.x.x 46.x.x.x
[INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][VID][VID][VID][VID] [count=3]
2017-12-07 15:01:00 vpn 13.x.x.x 46.x.x.x
Receiving IKEv2 request [count=3]
2017-12-07 15:01:00 vpn 13.x.x.x 46.x.x.x
The cookie pair is : 0x555b446570751a36 / 0x8ff0e64c51494b3c [count=2]
2017-12-07 15:01:01 vpn 46.x.x.x 13.x.x.x
The cookie pair is : 0x8ff0e64c51494b3c / 0xb4e8c422d1274207
2017-12-07 15:01:01 vpn 13.x.x.x 46.x.x.x
The cookie pair is : 0xb4e8c422d1274207 / 0x8ff0e64c51494b3c [count=2]
2017-12-07 15:01:02 vpn 46.x.x.x 13.x.x.x
The cookie pair is : 0x8ff0e64c51494b3c / 0xb54231e766312f3c
2017-12-07 15:01:02 vpn 13.x.x.x 46.x.x.x
The cookie pair is : 0xb54231e766312f3c / 0x8ff0e64c51494b3c [count=2]

Anyone have any experience with this and nebula ?
«1

Comments

  • Phthisicus
    Phthisicus Posts: 2  Freshman Member
    First Comment
    Seems that the NSG100 is not compatible with IKEv2 so you need to do a Policy Based gateway in Azure. :(
  • Zyxel_Irene
    Zyxel_Irene Posts: 118  Zyxel Employee
    5 Answers First Comment Friend Collector First Anniversary
    Hi @Phthisicus

    I am glad to see you create Site-to-Site VPN between Microsoft Azure and NSG100 successfully. ;)

    When you see “No proposal chosen” on event log, it means there is something wrong in IKE version/Phase 1&2 setting (such as Encryption, Authentication…).

    On Microsoft Azure, you have to set Policy-based (static-routing) gateway for IKEv1 that is supported by NSG100.

    Besides, I just saw you created a ticket regarding this question through our technical support channel, if you would like to have IKEv2 on NSG, I would like to help you transfer case to feature request. Any detail scenario on your side, please feel free to share! :+1:

  • FrankIversen
    FrankIversen Posts: 92  Ally Member
    Ideas master First Comment Friend Collector Third Anniversary
    but isn't policy-based gateway only for 1 connection? what if we need to connect multiple offices to azure? 
  • ITPro
    ITPro Posts: 11  Freshman Member
    First Comment

    Yes, policy-based gateway is only for 1 connection. What is your VPN topology?

    Azure is as HQ (like Hub role), and other branches (like spoke role) connect with azure? 

    Enter you signature
  • FrankIversen
    FrankIversen Posts: 92  Ally Member
    Ideas master First Comment Friend Collector Third Anniversary
    Yes, our customers run the servers in Azure. In many cases we want the remote branch Offices, which are using NSG100, to connect site-2-site with Azure.
    we have been deploying site-2-site for multiple connection for decades. I find it a little bit weird that NSG100 is not supporting Azure, on the largest Iaas cloud providers, for connecting a small company with a few branch Offices.
  • Zyxel_Chris
    Zyxel_Chris Posts: 727  Zyxel Employee
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 50 Answers
    Hello @FrankIversen

    About the multiple VPN connection with Azure (hub and spoke role) is in our feature queue now.
    The schedule is still under discussion but will implement on the next year.
    Anyone who got the same request can press like on this conversation to let us know how popular it is ! :)
  • FrankIversen
    FrankIversen Posts: 92  Ally Member
    Ideas master First Comment Friend Collector Third Anniversary
    any news regarding this?
  • Zyxel_Chris
    Zyxel_Chris Posts: 727  Zyxel Employee
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 50 Answers
    @FrankIversen
    Do you mean the precise date of schedule or something else?
  • FrankIversen
    FrankIversen Posts: 92  Ally Member
    Ideas master First Comment Friend Collector Third Anniversary
    was hoping for schedule. We really need to be able to connect to Azure with ikeV2 and route based VPN asap
  • Zyxel_Chris
    Zyxel_Chris Posts: 727  Zyxel Employee
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 50 Answers
    Hello  @FrankIversen
    The schedule will be on June 2019 if everything go through well!
    So stay tuned =)

Nebula Tips & Tricks