
Summit 7 Team Blogs

Azure VPN - IKE/Authip Quick Mode Failure

Recently, while working on an Azure project that involved setting up site-to-site VPN connections for a customer, we ran into an issue where we were getting an authentication failure when attempting to connect the on-premises VPN gateway to the Azure VPN gateway. Specifically, we were seeing the following errors in the AzureVnetGateway diagnostics.

Event Header:
Timestamp: 1601-01-01T00:00:00.000Z
Flags: 0x00000100
IP version field set
IP version: IPv4
IP protocol: 0
Local address: 0.0.0.0
Remote address: 0.0.0.0
Local Port: 0
Remote Port: 0
Application ID:
User SID: <invalid>
Failure type: IKE/Authip Quick Mode Failure
Type specific info:
Failure error code:0x000035e9
IKE authentication credentials are unacceptable
Failure point: Local
Keying module type: IKEv2
QM State: Initial state, no QM packets sent
QM SA role: Initiator
Mode: Tunnel Mode
Local Subnet:
IPv4 Addr & Mask: 0.0.0.0/0.0.0.0
Remote Subnet:
IPv4 Addr & Mask: 0.0.0.0/0.0.0.0
QM Filter ID: 0x0000000000105bd9

Searching the internet leads you to numerous posts describing this as a certificate-related issue. Unfortunately, those directions are not accurate in this case because an Azure site-to-site VPN connection doesn't use certificates for authentication. Instead, it relies on a pre-shared key.

What we found in our case was that, although the pre-shared key set by Azure when the VPN gateway was created matched in both the Azure VPN gateway and the on-premises VPN gateway configuration, the key was too long for the particular Check Point device to recognize. Replacing it on both ends with a shorter key that the device supports resolved the IKE/Authip Quick Mode failure.
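As an added example (not from the original post or from Summit 7), here is a small Python check that catches this mismatch before the tunnel is brought up. It validates a candidate pre-shared key against Azure's documented limit (128 printable ASCII characters) and against the on-premises device's own limit, then generates a replacement key that fits both. The post does not state the Check Point limit, so DEVICE_MAX_PSK_LEN is a placeholder to be set from the vendor documentation for your firmware.

```python
import secrets
import string

# Azure's documented ceiling for a connection shared key: 1-128 printable ASCII characters.
AZURE_MAX_PSK_LEN = 128
# Placeholder: the on-premises device's own ceiling. The blog post does not state the
# Check Point limit, so set this from the vendor documentation for your firmware.
DEVICE_MAX_PSK_LEN = 64

# Conservative alphabet: letters and digits only, so no character is mangled by a
# shell, a config parser or a vendor UI that rejects punctuation.
PSK_ALPHABET = string.ascii_letters + string.digits


def check_psk(psk, device_max_len=DEVICE_MAX_PSK_LEN):
    """Return the reasons a pre-shared key would be rejected by either end.

    An empty list means the key is acceptable to both Azure and the device.
    """
    problems = []
    if not psk:
        problems.append("key is empty")
    if len(psk) > AZURE_MAX_PSK_LEN:
        problems.append(f"longer than Azure's {AZURE_MAX_PSK_LEN}-character limit")
    if len(psk) > device_max_len:
        problems.append(f"longer than the device's {device_max_len}-character limit")
    # Printable ASCII is 0x20..0x7E; anything else will not survive every config path.
    bad = sorted({c for c in psk if not 32 <= ord(c) <= 126})
    if bad:
        problems.append(f"non-printable or non-ASCII characters: {bad!r}")
    return problems


def generate_psk(length=32, device_max_len=DEVICE_MAX_PSK_LEN):
    """Generate a PSK that fits the smaller of the two limits, using a CSPRNG."""
    ceiling = min(AZURE_MAX_PSK_LEN, device_max_len)
    if not 1 <= length <= ceiling:
        raise ValueError(f"length must be between 1 and {ceiling}")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: a 96-character key stands in for the auto-generated Azure key
    # the post describes, which Azure accepts but a 64-character device rejects.
    too_long = "A" * 96
    print(check_psk(too_long))
    print(check_psk(generate_psk()))
```

Once a key passes check_psk, set the same value on the Azure connection and on the device; the IKE error 0x35e9 on the page is what you see when the two ends do not agree on the key.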
