shutterstock_184473665.jpg

Summit 7 Team Blogs

Azure VPN - IKE/Authip Quick Mode Failure

Recently, while working on an Azure project that involved setting up site-to-site VPN connections for a customer we ran into an issue where we were getting an authentication failure when attempting to connect the on-premises VPN gateway with the Azure VPN gateway. Specifically, we were seeing the following errors in the AzureVnetGateway diagnostics.

Event Header:
Timestamp: 1601-01-01T00:00:00.000Z
Flags: 0x00000100
IP version field set
IP version: IPv4
IP protocol: 0
Local address: 0.0.0.0
Remote address: 0.0.0.0
Local Port: 0
Remote Port: 0
Application ID:
User SID: <invalid>
Failure type: IKE/Authip Quick Mode Failure
Type specific info:
Failure error code:0x000035e9
IKE authentication credentials are unacceptable
Failure point: Local
Keying module type: IKEv2
QM State: Initial state, no QM packets sent
QM SA role: Initiator
Mode: Tunnel Mode
Local Subnet:
IPv4 Addr & Mask: 0.0.0.0/0.0.0.0
Remote Subnet:
IPv4 Addr & Mask: 0.0.0.0/0.0.0.0
QM Filter ID: 0x0000000000105bd9

Searching the internet leads you to numerous posts about this being a certificate related issue. Unfortunately, those directions are not accurate in this case because a site-to-site VPN doesn’t use certificates for authentication. Instead, it relies on a pre-shared key.

What we found in our case, was that while the pre-shared key set by Azure when the VPN gateway was created matched in both the Azure VPN gateway and the on-premises VPN gateway configuration; the key was too long for the particular Checkpoint device to recognize.

SHARE THIS STORY | |
About Jay Simcox

Jay Simcox is a respected IT Professional, and educator with 10 years of Information Technology experience. Jay is a Senior Consultant with Summit 7 Systems where his background in network and systems administration, SharePoint architecture and Administration and end user support and training are utilized by government agencies seeking to make better use of the tools they are provided.