Score:0

Unable to connect to Azure VPN gateway (SKU = VpnGW1, SSTP) from Linux (Ubuntu 20.04 + pppd + sstp-client)

vmi

I tried to connect from Linux to Azure VPN Gateway but it failed.

Please let me know if there are any deficiencies in my settings.

Environment information

  • Client
  • Server
    • Azure VPN Gateway (SKU = VpnGW1, SSTP)
      • NOTE: I cannot change this setting because I'm not an administrator.

Result

After making the settings described below, executing sudo pon azure-vpn gave the following result (excerpted log).

Nov 17 01:59:46 azurevpn pppd[12004]: Initializing SSL BIOs
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.0
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Client Hello
(snip)
Nov 17 01:59:46 azurevpn pppd[12004]:  <- SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Server Hello
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Certificate
(snip)
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Finished: TLS 1.2 <=== *** the connection is established with TLS 1.2 ***
(snip)
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x6 TLS L-- ...]
Nov 17 01:59:46 azurevpn pppd[12004]:  <- SSL/TLS Header: TLS 1.0 <=== *** Why is the TLS version downgraded??? ***
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Alert: protocol version
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x6 TLS --- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Failure id=0x6]
Nov 17 01:59:46 azurevpn pppd[12004]: EAP: peer reports authentication failure

Configuration details

  1. Changed /etc/ssl/openssl.cnf to avoid "ca md too weak"
@@ -15,6 +15,9 @@
 #oid_file              = $ENV::HOME/.oid
 oid_section            = new_oids

+# fixup connection error (1)
+openssl_conf = default_conf
+
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
 # X.509v3 extensions to use:
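Review bot: the comment "# fixup connection error (1)" above "openssl_conf = default_conf" does not say which error is being worked around, nor that this line is what activates the [default_conf] section appended at the end of the file. Name the error ("ca md too weak") and reference that section in the comment so both hunks can be found and reverted together, and keep the line in the unnamed top part of the file, ahead of any [section] header.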
@@ -348,3 +351,19 @@
                                # (optional, default: no)
 ess_cert_id_alg                = sha1  # algorithm to compute certificate
                                # identifier (optional, default: sha1)
+
+# fixup connection error (2)
+
+[default_conf]
+
+ssl_conf = ssl_sect
+
+[ssl_sect]
+
+system_default = system_default_sect
+
+[system_default_sect]
+
+MinProtocol = TLSv1
+# MinProtocol = TLSv1.2
+CipherString = DEFAULT:@SECLEVEL=1
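Review bot: in [system_default_sect], "MinProtocol = TLSv1" together with "CipherString = DEFAULT:@SECLEVEL=1" relaxes the protocol floor and the security level for every program that loads /etc/ssl/openssl.cnf, not only pppd. If the relaxation is needed only for this VPN connection, put these sections in a separate configuration file and point only the pppd invocation at it, for example through the OPENSSL_CONF environment variable. Also remove the commented-out "# MinProtocol = TLSv1.2" or state which of the two values is intended, and replace "# fixup connection error (2)" with the actual error text.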
  2. /etc/ppp/peers/azure-vpn (NOTE: ca.pem is a combination of Generic/VpnServerRoot.cer and self-signed CA certificate converted to PEM format)
remotename  ********-****-****-****-************.cloudapp.net
linkname    azure-vpn
ipparam     azure-vpn
pty         "sstpc --log-level 4 --ipparam azure-vpn --nolaunchpppd --ca-cert /etc/ppp/certs/ca.pem azuregateway-********-****-****-****-************-************.cloudapp.net"
name        ********SelfRootCertificate
plugin      sstp-pppd-plugin.so
sstp-sock   /var/run/sstpc/sstpc-azure-vpn
require-mppe
require-eap
refuse-mschap-v2
refuse-pap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate
noauth
# password KEY_PASSWORD
ca /etc/ppp/certs/ca.pem
cert /etc/ppp/certs/user_cert.pem
key /etc/ppp/certs/user_priv.key

debug
  3. All logs on azure-vpn connection
Nov 17 01:59:45 azurevpn pppd[12003]: Plugin sstp-pppd-plugin.so loaded.
Nov 17 01:59:45 azurevpn pppd[12004]: pppd 2.4.7 started by vagrant, uid 0
Nov 17 01:59:45 azurevpn pppd[12004]: using channel 9
Nov 17 01:59:45 azurevpn pppd[12004]: Using interface ppp0
Nov 17 01:59:45 azurevpn pppd[12004]: Connect: ppp0 <--> /dev/pts/2
Nov 17 01:59:45 azurevpn systemd-udevd[12006]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Nov 17 01:59:45 azurevpn networkd-dispatcher[620]: WARNING:Unknown index 11 seen, reloading interface list
Nov 17 01:59:45 azurevpn sstpc[12008]: Waiting for sstp-plugin to connect on: /var/run/sstpc/sstpc-azure-vpn
Nov 17 01:59:45 azurevpn NetworkManager[614]: <info>  [1637114385.4448] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/11)
Nov 17 01:59:45 azurevpn sstpc[12008]: Resolved azuregateway-********-****-****-****-************-************.cloudapp.net to ***.***.***.***
Nov 17 01:59:45 azurevpn sstpc[12008]: Connected to azuregateway-********-****-****-****-************-************.cloudapp.net
Nov 17 01:59:45 azurevpn sstpc[12008]: Sending Connect-Request Message
Nov 17 01:59:45 azurevpn sstpc[12008]: SEND SSTP CRTL PKT(14)
Nov 17 01:59:45 azurevpn sstpc[12008]:   TYPE(1): CONNECT REQUEST, ATTR(1):
Nov 17 01:59:45 azurevpn sstpc[12008]:     ENCAP PROTO(1): 6
Nov 17 01:59:45 azurevpn sstpc[12008]: RECV SSTP CRTL PKT(48)
Nov 17 01:59:45 azurevpn sstpc[12008]:   TYPE(2): CONNECT ACK, ATTR(1):
Nov 17 01:59:45 azurevpn sstpc[12008]:     CRYPTO BIND REQ(4): 40
Nov 17 01:59:45 azurevpn sstpc[12008]: Started PPP Link Negotiation
Nov 17 01:59:46 azurevpn pppd[12004]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xcd8828e0> <pcomp> <accomp>]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [LCP ConfReq id=0x0 <mru 4091> <auth eap> <magic 0x333246e9> <pcomp> <accomp> <callback CBCP> <mrru 1614> <endpoint [local:********]>]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [LCP ConfRej id=0x0 <callback CBCP> <mrru 1614>]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x********> <pcomp> <accomp>]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [LCP ConfReq id=0x1 <mru 4091> <auth eap> <magic 0x********> <pcomp> <accomp> <endpoint [local:********]>]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [LCP ConfAck id=0x1 <mru 4091> <auth eap> <magic 0x333246e9> <pcomp> <accomp> <endpoint [local:********]>]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [LCP EchoReq id=0x0 magic=0x********]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x0 Identity <No message>]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x0 Identity <Name "***SelfRootCertificate">]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [LCP EchoRep id=0x0 magic=0x********]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x1 TLS --S]
Nov 17 01:59:46 azurevpn pppd[12004]: MTU = 1486
Nov 17 01:59:46 azurevpn pppd[12004]: calling get_eaptls_secret
Nov 17 01:59:46 azurevpn pppd[12004]: calling eaptls_init_ssl
Nov 17 01:59:46 azurevpn pppd[12004]: Initializing SSL BIOs
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.0
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Client Hello
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x1 TLS --- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x2 TLS LM- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x2 TLS Ack]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x3 TLS -M- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x3 TLS Ack]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x4 TLS --- ...]
Nov 17 01:59:46 azurevpn pppd[12004]:  <- SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Server Hello
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Certificate
Nov 17 01:59:46 azurevpn pppd[12004]: certificate verify depth: 2
Nov 17 01:59:46 azurevpn pppd[12004]: certificate verify depth: 1
Nov 17 01:59:46 azurevpn pppd[12004]: certificate verify depth: 0
Nov 17 01:59:46 azurevpn pppd[12004]: Certificate CN: ********-****-****-****-************.cloudapp.net , peer name ********-****-****-****-************.cloudapp.net
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Server Key Exchange
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Certificate Request
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Server Hello Done
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Certificate
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Client Key Exchange
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Certificate Verify
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> ChangeCipherSpec
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Finished: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x4 TLS LM- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x5 TLS Ack]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x5 TLS --- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x6 TLS L-- ...]
Nov 17 01:59:46 azurevpn pppd[12004]:  <- SSL/TLS Header: TLS 1.0
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Alert: protocol version
Nov 17 01:59:46 azurevpn pppd[12004]: sent [EAP Response id=0x6 TLS --- ...]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Failure id=0x6]
Nov 17 01:59:46 azurevpn pppd[12004]: EAP: peer reports authentication failure
Nov 17 01:59:46 azurevpn pppd[12004]: sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [LCP TermReq id=0x9 "32F\351\000<\315t\000\000\002\263"]
Nov 17 01:59:46 azurevpn pppd[12004]: sent [LCP TermAck id=0x9]
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [LCP TermAck id=0x2 "Failed to authenticate ourselves to peer"]
Nov 17 01:59:46 azurevpn pppd[12004]: Connection terminated.
Nov 17 01:59:46 azurevpn sstpc[12008]: RECV SSTP CRTL PKT(20)
Nov 17 01:59:46 azurevpn pppd[12004]: Waiting for 1 child processes...
Nov 17 01:59:46 azurevpn pppd[12004]:   script sstpc --log-level 4 --ipparam azure-vpn --nolaunchpppd --ca-cert /etc/ppp/certs/ca.pem azuregateway-********-****-****-****-************-************.cloudapp.net, pid 12005
Nov 17 01:59:46 azurevpn sstpc[12008]:   TYPE(6): DISCONNECT, ATTR(1):
Nov 17 01:59:46 azurevpn sstpc[12008]:     STATUS INFO(2): 12
Nov 17 01:59:46 azurevpn sstpc[12008]: Sending Disconnect Ack Message
Nov 17 01:59:46 azurevpn sstpc[12008]: SEND SSTP CRTL PKT(8)
Nov 17 01:59:46 azurevpn sstpc[12008]:   TYPE(7): DISCONNECT ACK, ATTR(0):
Nov 17 01:59:46 azurevpn sstpc[12008]: Connection was aborted, Reason was not known
Nov 17 01:59:46 azurevpn pppd[12004]: Script sstpc --log-level 4 --ipparam azure-vpn --nolaunchpppd --ca-cert /etc/ppp/certs/ca.pem azuregateway-********-****-****-****-************-************.cloudapp.net finished (pid 12005), status = 0xff
Nov 17 01:59:46 azurevpn pppd[12004]: Exit.
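
Added example, not part of the original post: a small Python check that scans pppd's EAP-TLS debug trace and reports any record header whose version differs from the one seen on the Server Hello record, plus TLS alerts and the EAP result. The function name, the finding labels and the use of the Server Hello record version as the "negotiated" version are assumptions of this example; the sample lines are abridged from the excerpt in the post.

```python
import re

# pppd EAP-TLS trace lines, e.g. "pppd[12004]:  <- SSL/TLS Header: TLS 1.2"
TRACE = re.compile(r"pppd\[\d+\]:\s+(->|<-) ([^:]+)(?:: (.*))?$")

# Abridged from the log excerpt in the post.
SAMPLE = """\
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.0
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Client Hello
Nov 17 01:59:46 azurevpn pppd[12004]:  <- SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  <- Handshake: Server Hello
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Handshake: Finished: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Request id=0x6 TLS L-- ...]
Nov 17 01:59:46 azurevpn pppd[12004]:  <- SSL/TLS Header: TLS 1.0
Nov 17 01:59:46 azurevpn pppd[12004]:  -> SSL/TLS Header: TLS 1.2
Nov 17 01:59:46 azurevpn pppd[12004]:  -> Alert: protocol version
Nov 17 01:59:46 azurevpn pppd[12004]: rcvd [EAP Failure id=0x6]
"""

def analyze(log_text):
    """Return (negotiated_version, findings) for one EAP-TLS attempt."""
    negotiated = None   # assumption: version of the record carrying Server Hello
    last_hdr = {}       # direction -> version of the latest record header
    findings = []
    for line in log_text.splitlines():
        if "rcvd [EAP Failure" in line:
            findings.append(("eap-failure",))
            continue
        m = TRACE.search(line)
        if not m:
            continue
        direction, kind, detail = m.groups()
        # Drop any "<=== ..." annotation appended to the line by hand.
        detail = (detail or "").split("<===")[0].strip()
        if kind == "SSL/TLS Header":
            last_hdr[direction] = detail
            # Before Server Hello nothing is negotiated yet, so the TLS 1.0
            # header on the Client Hello record is not reported.
            if negotiated and detail != negotiated:
                findings.append(("record-version-mismatch", direction, detail))
        elif kind == "Handshake" and direction == "<-" and detail == "Server Hello":
            negotiated = last_hdr.get("<-")
        elif kind == "Alert":
            findings.append(("alert", direction, detail))
    return negotiated, findings

if __name__ == "__main__":
    print(analyze(SAMPLE))
```
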