On-Premises Site 2 Site VPN with Azure using Tomato Shibby Mod (Entware-ng and Strongswan setup) – part 4

This article is part of a four-part series on how to set up a site-2-site VPN between on-premises and Azure using Tomato Shibby Mod, Entware-ng and strongSwan. For a better understanding, please make sure you also read the other parts:

  1. Install and configure Entware-ng + strongSwan on your router.
  2. Configure and perform the site-2-site VPN using Azure dynamic gateway.
  3. Configure and perform the site-2-site VPN using Azure static gateway.
  4. Troubleshooting Azure site-2-site VPN and strongSwan.

Troubleshooting Azure site-2-site VPN and strongSwan

If the site-2-site connection fails, there are two log files that can be checked to identify the cause: the Azure VPN gateway logs and the strongSwan logs.

strongSwan logging

The strongSwan log file location is defined in the strongswan.conf file. Below is an example strongswan.conf that makes strongSwan log enough detail to /opt/tmp/charon.log to show what is going wrong with the VPN connection.
nano /opt/etc/strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
# Verbosity levels
# -1: Absolutely silent
# 0: Very basic auditing logs, (e.g. SA up/SA down)
# 1: Generic control flow with errors, a good default to see whats going on
# 2: More detailed debugging control flow
# 3: Including RAW data dumps in Hex
# 4: Also include sensitive material in dumps, e.g. keys

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        filelog {
                charon {
                        path = /opt/tmp/charon.log
                        time_format = %b %e %T
                        append = no # overwrite the log file each time the daemon starts
                        default = 2 # 2 = more detailed debugging control flow (troubleshooting level)
                }
                stderr {
                        ike = 2 # 2 = more detailed debugging control flow (troubleshooting level)
                        knl = 3 # 3 = also includes RAW data dumps in hex (troubleshooting level)
                        ike_name = yes
                }
        }
        syslog {
                # enable logging to LOG_DAEMON, use defaults
                daemon {
                }
                # minimalistic IKE auditing logging to LOG_AUTHPRIV
                auth {
                        default = 2 # 2 = more detailed debugging control flow (troubleshooting level)
                        ike = 2 # 2 = more detailed debugging control flow (troubleshooting level)
                }
        }
}

include strongswan.d/*.conf

After modifying strongswan.conf, make sure you stop and start strongSwan.
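
With logging at these levels, the usual failure causes show up in /opt/tmp/charon.log as IKE notify names. The shell function below is an added example, not part of the original article: the sample log lines and the connection name azure are constructed, and the hints are general guidance, not Azure-specific diagnostics.

```shell
#!/bin/sh
# Added example (not from the original article): summarise why a tunnel
# failed from charon.log. Reads the file(s) given as arguments, or stdin.
charon_triage() {
    awk '
    function report(key, hint) {
        if (n[key] > 0) printf "%s=%d  %s\n", key, n[key], hint
    }
    # IKE notify names and messages as they appear in charon log lines
    /NO_PROPOSAL_CHOSEN/                     { n["proposal"]++ }
    /AUTHENTICATION_FAILED/                  { n["auth"]++ }
    /TS_UNACCEPTABLE|INVALID_ID_INFORMATION/ { n["traffic_selectors"]++ }
    /giving up after [0-9]+ retransmits/     { n["peer_unreachable"]++ }
    /CHILD_SA .* established/                { n["child_up"]++ }
    END {
        report("proposal", "IKE/ESP algorithms do not match the gateway policy")
        report("auth", "pre-shared key or peer identity mismatch")
        report("traffic_selectors", "local/remote subnets differ between the two sides")
        report("peer_unreachable", "no reply from the gateway: check its IP and UDP 500/4500")
        # 0 here means no IPsec SA was negotiated, so no traffic can flow
        printf "child_sa_established=%d\n", n["child_up"]
    }' "$@"
}

# Constructed sample in the filelog format configured above
# (time_format = %b %e %T, ike_name = yes); addresses are documentation ranges.
sample_charon_log() {
    cat <<'EOF'
Jan  5 10:00:01 05[IKE] <azure|1> initiating IKE_SA azure[1] to 203.0.113.10
Jan  5 10:00:01 07[IKE] <azure|1> received NO_PROPOSAL_CHOSEN notify error
Jan  5 10:05:12 09[IKE] <azure|2> IKE_SA azure[2] established between 198.51.100.7[198.51.100.7]...203.0.113.10[203.0.113.10]
Jan  5 10:05:12 09[IKE] <azure|2> received TS_UNACCEPTABLE notify, no CHILD_SA built
Jan  5 10:09:40 11[IKE] <azure|3> giving up after 5 retransmits
Jan  5 10:09:40 11[IKE] <azure|3> establishing IKE_SA failed, peer not responding
EOF
}

# Demo on the constructed sample
sample_charon_log | charon_triage
```

On the router, run it against the real file with charon_triage /opt/tmp/charon.log.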


Azure VPN gateway logging

With a bit of PowerShell it is also possible to look into the Azure VPN gateway logs.

# Sign in and list the available subscriptions
Add-AzureAccount
Get-AzureSubscription
$subscriptionName = '<YOUR SUBSCRIPTION NAME>'
$storageAccountName='<YOUR STORAGE ACCOUNT NAME>'
$azureVNet='<YOUR AZURE NETWORK NAME>'
# Capture duration in seconds
$captureDuration=300
# Select the subscription and the storage account that will receive the diagnostics
Set-AzureSubscription -SubscriptionName $subscriptionName -CurrentStorageAccountName $storageAccountName
$storageAccountKey=(Get-AzureStorageKey -StorageAccountName $storageAccountName).Primary
$storageContext=New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey
# Start the gateway diagnostics capture and wait until it has finished
Start-AzureVNetGatewayDiagnostics -VNetName $azureVNet -StorageContext $storageContext -CaptureDurationInSeconds $captureDuration
Start-Sleep -s $captureDuration
# Download the captured log and save it locally
$logURL=(Get-AzureVNetGatewayDiagnostics -VNetName $azureVNet).DiagnosticsUrl
$logContent=(Invoke-WebRequest -Uri $logURL).RawContent
$logContent | Out-File -FilePath C:\vpn.log
