Site-to-Site VPN cannot be established with IKEv2 on VSec for Azure / CloudGuard for Azure

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk122675
Product	CloudGuard for Azure, vSEC for Azure, IPSec VPN
Version	R77.30, R80.10, R80.20
OS	Gaia
Platform / Model	Azure
Date Created	26-Mar-2018
Last Modified	07-May-2019

Symptoms

Site-to-Site VPN cannot be established with IKEv2 on VSec for Azure / CloudGuard for Azure

vpnd.elg shows the following:

[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with [IP address], which is a member interface
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with [IP address], which is a member interface
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with [IP address], which is a member interface
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with [IP address], which is a member interface
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: found 0 interfaces (order 2545, ref count 1).
[ 8217][11 Jan 13:16:31][ikev2] natTraversalHandler::createNatDetectSource: failed to get my interfaces ip addr.
[ 8217][11 Jan 13:16:31][ikev2] Exchange::startPrepareMessage: error encountered. has notifications to send: 0
[ 8217][11 Jan 13:16:31][ikev2] Message::~Message: entering
[ 8217][11 Jan 13:16:31][ikev2] Exchange::setStatus: Changing status from: initial to: failure (final)..

No traffic is seen on port 500 or 4500 on the external interface.

Cause

There is an incompatibility between IKEv2 and vSec for Azure/CloudGuard for Azure.

As a result, a VIP for the cluster is not found. The VPN tunnel then goes down because the peers cannot exchange keys.

Solution

Note: To view this solution you need to Sign In .