Site to site connectivity with Windows Azure (GA)
Almost a month ago I wrote this post about an attempt to establish a site-to-site connection between TMG and Windows Azure, and the conclusion was: you need a valid IP on your edge device in order to do that. Done, got my valid IP and now I'm ready to rock! It should have been straightforward now that I had all the steps in mind and knew how it works, but it was not. Using the same lab environment (but now with TMG having a valid IP address) I faced a different issue. The tunnel between Azure and TMG connected for a couple of seconds (from the Azure Portal perspective) and then dropped. It was a constant pattern, so it was not just a transient situation. Using TMG DataPackager with the VPN template I gathered the data that I needed to understand what was going on. When I started to review the IKE logging, this is what I got:
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0480::00/00/0000-00:00:00.000 [ikeext] 0|NULL|IkeRegConfigChangeNotifyCallback invoked
[0]00FC.0480::00/00/0000-00:00:00.000 [ikeext] 0|NULL|Stopping IKE tracing
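The same failure shows up twice per attempt in that trace, once as the Win32 code 13824 and once as HRESULT 0x80073600, which is just the Win32 code wrapped by HRESULT_FROM_WIN32 (0x8007 prefix, low 16 bits equal to the code). The script below is an added example, not part of the original post or of any TMG tooling: it parses trace lines of the shape shown above, groups failures per peer and error name, and checks that the two encodings agree. The sample trace is constructed for the example and keeps the post's own Azure_IP placeholder; the field names (cpu, pid, tid, provider, peer) are my own labels for the columns, not names from the TMG log format.

```python
import re

# Constructed sample in the shape of the TMG IKE trace shown above; Azure_IP is
# the placeholder the trace itself uses, so no real address appears here.
SAMPLE_IKE_TRACE = """\
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0480::00/00/0000-00:00:00.000 [ikeext] 0|NULL|IkeRegConfigChangeNotifyCallback invoked
[0]00FC.0480::00/00/0000-00:00:00.000 [ikeext] 0|NULL|Stopping IKE tracing
"""

# Column labels (cpu, pid, tid, provider, prefix, peer, msg) are assumptions made
# for this example; they are not official names from the trace format.
LINE_RE = re.compile(
    r"^\[(?P<cpu>\d+)\](?P<pid>[0-9A-Fa-f]{4})\.(?P<tid>[0-9A-Fa-f]{4})::"
    r"(?P<ts>\S+) \[(?P<provider>\w+)\] (?P<prefix>[^|]*)\|(?P<peer>[^|]*)\|(?P<msg>.*)$"
)
# Both spellings of the same failure: the raw Win32 code and its HRESULT form.
ERR_RE = re.compile(
    r"failed with (?:Windows error (?P<win32>\d+)|HRESULT 0x(?P<hr>[0-9A-Fa-f]{8}))"
    r"\((?P<name>\w+)\)"
)

FACILITY_WIN32 = 7


def hresult_from_win32(code: int) -> int:
    """HRESULT_FROM_WIN32: a non-zero Win32 code maps to 0x8007xxxx."""
    if code <= 0:
        return code
    return 0x80000000 | (FACILITY_WIN32 << 16) | (code & 0xFFFF)


def parse_line(line: str):
    """Split one trace line into its fields; return None for lines not in this shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["error"] = None
    e = ERR_RE.search(rec["msg"])
    if e:
        rec["error"] = {
            "name": e.group("name"),
            "win32": int(e.group("win32")) if e.group("win32") else None,
            "hresult": int(e.group("hr"), 16) if e.group("hr") else None,
        }
    return rec


def summarize(trace: str):
    """Group failures per peer and error name, and check the two encodings agree.

    Returns (failures, lifecycle): failures[peer][error_name] holds the Win32 code,
    the HRESULT, how many lines carried each form, and whether they are consistent;
    lifecycle lists the non-error lines (tracing start/stop, config callbacks).
    """
    failures = {}
    lifecycle = []
    for raw in trace.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["error"] is None:
            lifecycle.append((rec["provider"], rec["msg"]))
            continue
        per_peer = failures.setdefault(rec["peer"], {})
        entry = per_peer.setdefault(rec["error"]["name"], {
            "win32": None, "hresult": None,
            "win32_lines": 0, "hresult_lines": 0, "consistent": None,
        })
        if rec["error"]["win32"] is not None:
            entry["win32"] = rec["error"]["win32"]
            entry["win32_lines"] += 1
        else:
            entry["hresult"] = rec["error"]["hresult"]
            entry["hresult_lines"] += 1
        if entry["win32"] is not None and entry["hresult"] is not None:
            entry["consistent"] = hresult_from_win32(entry["win32"]) == entry["hresult"]
    return failures, lifecycle


if __name__ == "__main__":
    failures, lifecycle = summarize(SAMPLE_IKE_TRACE)
    for peer, errors in failures.items():
        for name, e in errors.items():
            print(f"{peer}: {name} win32={e['win32']} hresult=0x{e['hresult']:08X} "
                  f"lines={e['win32_lines']}+{e['hresult_lines']} consistent={e['consistent']}")
    for provider, msg in lifecycle:
        print(f"[{provider}] {msg}")
```

Running it against a real DataPackager IKE trace collapses hundreds of repeated lines into one row per peer and error, which is usually enough to see whether every attempt dies at the same step (as it did here, at header verification) or at different ones.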
An invalid header could be something related to IKE itself; unfortunately, researching this error didn't help me much.
Next step: understanding what's going on on the wire! I started reviewing the netmon trace for this traffic and found this:
Oh well, that explains everything: TMG doesn't work with IKEv2, hence it fails to negotiate. But wait a minute, how is it that this used to work in the past? Because prior to GA, Windows Azure was using IKEv1. When you are using the Windows Azure Gateway you can configure it to use Static Routing or Dynamic Routing (see more info about these definitions here); if you use Dynamic Routing, then the Azure Gateway for Site to Site will use IKEv2. This document is getting updated to reflect this change that was introduced in GA.
Just to remind you: TMG is not supported for site-to-site connectivity on Azure, and now that Dynamic Routing requires IKEv2, TMG is not an option even for testing purposes.
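What the netmon trace reveals can be read straight off the first byte after the SPIs: IKEv1 and IKEv2 share the same 28-byte fixed header (RFC 2408 and RFC 7296), and the version byte is 0x10 for IKEv1 and 0x20 for IKEv2. The code below is an added example, not part of the original post and not TMG's or Azure's implementation: it decodes that header, names the exchange type, and shows why a responder that only implements IKEv1 has nothing to negotiate when the peer opens with IKE_SA_INIT. The two sample datagrams are constructed (header only, arbitrary SPI), and `ikev1_responder_check` is an illustrative check of my own, not a description of what IkeVerifyPacketHeader actually does.

```python
import struct

# ISAKMP/IKE fixed header, identical layout in IKEv1 (RFC 2408) and IKEv2 (RFC 7296):
# initiator SPI(8) | responder SPI(8) | next payload(1) | version(1) |
# exchange type(1) | flags(1) | message ID(4) | length(4)
IKE_HEADER_FMT = "!8s8sBBBBII"
IKE_HEADER_LEN = struct.calcsize(IKE_HEADER_FMT)  # 28 bytes

# Exchange types keyed by major version; only the common ones are listed.
EXCHANGE_NAMES = {
    1: {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"},
    2: {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"},
}
IKEV2_FLAG_INITIATOR = 0x08
IKEV2_FLAG_RESPONSE = 0x20


def parse_ike_header(datagram: bytes) -> dict:
    """Decode the fixed header of one IKE datagram (UDP payload, port 500)."""
    if len(datagram) < IKE_HEADER_LEN:
        raise ValueError("datagram shorter than the 28-byte IKE header")
    spi_i, spi_r, nxt, version, exch, flags, msg_id, length = struct.unpack(
        IKE_HEADER_FMT, datagram[:IKE_HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "next_payload": nxt,
        "major": major, "minor": minor, "exchange": exch,
        "exchange_name": EXCHANGE_NAMES.get(major, {}).get(exch, f"unknown({exch})"),
        "flags": flags, "msg_id": msg_id, "length": length,
    }


def ikev1_responder_check(hdr: dict):
    """Illustrative check for a responder that only speaks IKEv1 (an assumption for
    this example, not TMG's real code path): None if negotiable, else a reason."""
    if hdr["major"] != 1:
        return f"IKE major version {hdr['major']} not supported; expected 1"
    if hdr["exchange"] not in EXCHANGE_NAMES[1]:
        return f"unknown IKEv1 exchange type {hdr['exchange']}"
    return None


def build_ike_header(major, next_payload, exchange, flags, spi_i, spi_r=bytes(8), msg_id=0):
    """Constructed header-only datagram (no payloads) used for the samples below."""
    return struct.pack(IKE_HEADER_FMT, spi_i, spi_r, next_payload, major << 4,
                       exchange, flags, msg_id, IKE_HEADER_LEN)


# Constructed samples: the opening message of an IKEv2 negotiation (what a Dynamic
# Routing gateway sends) versus an IKEv1 Main Mode opener. SPI is an arbitrary constant.
SAMPLE_SPI = bytes.fromhex("0123456789abcdef")
IKEV2_SA_INIT = build_ike_header(2, 33, 34, IKEV2_FLAG_INITIATOR, SAMPLE_SPI)  # next payload 33 = SA (v2)
IKEV1_MAIN_MODE = build_ike_header(1, 1, 2, 0, SAMPLE_SPI)                      # next payload 1 = SA (v1)


def triage(datagrams):
    """Return (set of IKE major versions seen, reasons an IKEv1-only responder would give up)."""
    versions = set()
    reasons = []
    for d in datagrams:
        hdr = parse_ike_header(d)
        versions.add(hdr["major"])
        reason = ikev1_responder_check(hdr)
        if reason:
            reasons.append((hdr["exchange_name"], reason))
    return versions, reasons


if __name__ == "__main__":
    for label, pkt in (("IKEv2 opener", IKEV2_SA_INIT), ("IKEv1 opener", IKEV1_MAIN_MODE)):
        h = parse_ike_header(pkt)
        print(f"{label}: v{h['major']}.{h['minor']} {h['exchange_name']} "
              f"flags=0x{h['flags']:02x} verdict={ikev1_responder_check(h) or 'ok'}")
```

If you export the UDP/500 payloads from a capture and feed them to `triage`, a result of `{2}` with a reason for every datagram is the same conclusion the netmon trace gave here: the gateway is proposing IKEv2 and the IKEv1-only side can only fail header verification.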
Comments
Anonymous
January 01, 2003
The only official answer is what is documented at blogs.technet.com/.../important-changes-to-forefront-product-roadmaps.aspx
Anonymous
January 01, 2003
Thanks Daniel... troubleshooting is in my blood; whenever I have a chance I enjoy doing it. Sadly the days playing with TMG are coming to an end :(
Anonymous
May 09, 2013
Nice to see your TMG knowledge back here, and as usual this article is totally self-explanatory, with the opportunity of learning some troubleshooting framework stuff :)
Anonymous
May 09, 2013
Yuri, what are the plans after TMG? Will everything move to DirectAccess through 2012 server?
Anonymous
July 26, 2017
Hi Yuri, I just wrote a small tutorial in my KB regarding site to site with Azure. I invite you to check it out. The catch of this situation is well explained in my post, I guess. It is actually regarding IKEv1 and IKEv2 and the VPN type you are actually choosing in AZURE --> Policy Based or Route Based. http://www.vitalit.si/implementing-microsoft-azure-site-to-site-vpn/
Kind regards,
German