create a vpn tunnel from azure to ibm cloud

pointzi-infracloud 5 Reputation points
2023-03-10T05:54:24.1266667+00:00

Hi

I am trying to create a tunnel from Azure to IBM Cloud, but the status of the connection is showing as not connected, and when I performed the troubleshooting, I got this error message:

Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected)

Can someone please guide me?


2 answers

  1. Luca Lionetti 3,126 Reputation points
    2023-03-10T08:52:18.3766667+00:00

    Hi

    Traffic selector mismatch occurs when the local and remote addresses for traffic in the VPN tunnel do not match the traffic selectors configured on either end of the VPN.

    Traffic selector mismatch is caused by configuration on either end of the VPN tunnel. Azure VPN Gateways support specific IPsec and IKE configurations that must match with the device on the other end of the tunnel.

    Please check your configuration on both ends.

    ref https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell

    https://www.ibm.com/docs/en/spectrumvirtualizecl/8.4.x?topic=configuration-configuring-site-site-vpn-microsoft-azure-installations

    https://cloud.ibm.com/docs/vpc?topic=vpc-using-vpn

    Cheers


  2. GitaraniSharma-MSFT 47,696 Reputation points Microsoft Employee
    2023-03-20T11:20:31.3466667+00:00

    Hello @pointzi-infracloud ,

    I understand that you are trying to create a site-to-site VPN connection between Azure VPN gateway and IBM cloud, but the connection is showing "Not connected" with error message "Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected)".

    A traffic selector (also known as a proxy ID) is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses.

    Policy-based vs. route-based VPN devices differ in how the IPsec traffic selectors are set on a connection:

    Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine.

    Route-based VPN devices use any-to-any (wildcard) traffic selectors and let routing/forwarding tables direct traffic to different IPsec tunnels. It is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps#about

    The error observed by you could be because the Traffic Selectors configured do not include the subnet destination for which the packet is destined.

    You mentioned you are using Route-based VPN and the tunnel is UP now but you are unable to SSH or ping the VM on azure to VM on IBM cloud and vice versa.

    I requested you to check whether ICMP is allowed on the machines. For SSH, is port 22 allowed in the NSG of the Azure VMs and in the security groups of the IBM VMs? And is the VM's OS firewall allowing port 22 traffic?

    Are there any UDRs or NSGs on the GatewaySubnet of the Azure VPN gateway, as they could be blocking the traffic?

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-site-to-site-cannot-connect#step-4-check-udr-and-nsgs-on-the-gateway-subnet

    Is there any address space overlap between Azure and IBM Cloud?

    You need to make sure that the address ranges for your IBM network used in the local network gateway don't overlap with the ranges of other networks that you want to connect to or with the Azure VNet.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal#CreatVNet

    You confirmed that the issue is now resolved with the provided guidance.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

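The following is an added illustration, not code from either answer or from Azure/IBM tooling: it models the two checks the second answer walks through, whether an ingress flow is covered by the configured traffic selector pairs (policy-based, one subnet pair, versus route-based, wildcard), and whether a local network gateway range overlaps the Azure VNet. All prefixes and hosts are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")  # wildcard selector used by route-based VPNs

def parse_selectors(pairs: Iterable[Tuple[str, str]]) -> List[Tuple[Net, Net]]:
    """Each pair is (local_prefix, remote_prefix) as seen from the Azure side."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in pairs]

def ingress_allowed(selectors, src: str, dst: str) -> bool:
    """Ingress packet (IBM -> Azure): the source must fall in a remote prefix and
    the destination in the local prefix of the same selector pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in remote and d in local for local, remote in selectors)

def dropped_ingress(selectors, flows):
    """Flows the gateway would count as 'Ingress Packets Dropped due to
    Traffic Selector Mismatch'."""
    return [(s, d) for s, d in flows if not ingress_allowed(selectors, s, d)]

def address_space_overlaps(azure_vnet: str, local_network_ranges: Iterable[str]):
    """Local network gateway (IBM side) ranges that overlap the Azure VNet;
    any hit here makes routing ambiguous even when the tunnel is up."""
    vnet = ipaddress.ip_network(azure_vnet)
    return [r for r in local_network_ranges if ipaddress.ip_network(r).overlaps(vnet)]

# Constructed sample (hypothetical): Azure VNet 10.1.0.0/16, IBM VPC 10.2.0.0/16.
POLICY_BASED = parse_selectors([("10.1.1.0/24", "10.2.1.0/24")])  # a single subnet pair
ROUTE_BASED = [(ANY, ANY)]                                         # any-to-any selector
INGRESS_FLOWS = [("10.2.1.10", "10.1.1.5"),   # covered by the policy-based pair
                 ("10.2.1.10", "10.1.2.5")]   # Azure subnet 10.1.2.0/24 is not in any selector

if __name__ == "__main__":
    print("policy-based drops:", dropped_ingress(POLICY_BASED, INGRESS_FLOWS))
    print("route-based drops: ", dropped_ingress(ROUTE_BASED, INGRESS_FLOWS))
    print("overlaps:", address_space_overlaps("10.1.0.0/16", ["10.2.0.0/16", "10.1.2.0/24"]))
```

With the policy-based selector only the flow to 10.1.2.5 is dropped, while the wildcard selector passes both; the overlap check flags 10.1.2.0/24 because it sits inside the VNet.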