This article is part of a four-part series in which I describe how to set up a site-2-site VPN between on-premises and Azure using Tomato Shibby Mod, Entware-ng and strongSwan. For a better understanding, please make sure you also read the other parts:
- Install and configure Entware-ng + strongSwan on your router.
- Configure and perform the site-2-site VPN using Azure dynamic gateway.
- Configure and perform the site-2-site VPN using Azure static gateway.
- Troubleshooting Azure site-2-site VPN and strongSwan.
Troubleshooting Azure site-2-site VPN and strongSwan
In case the site-2-site connection fails, there are two log sources that can be checked to identify the cause: the Azure VPN gateway logs and the strongSwan logs.
strongSwan logging
The strongSwan log file location is defined in the strongswan.conf file. Below is an example of strongswan.conf that makes strongSwan log to /opt/tmp/charon.log with enough detail to see what is going wrong with the VPN connection.
nano /opt/etc/strongswan.conf
    # strongswan.conf - strongSwan configuration file
    #
    # Refer to the strongswan.conf(5) manpage for details
    #
    # Configuration changes should be made in the included files

    # Verbosity levels
    # -1: Absolutely silent
    #  0: Very basic auditing logs, (e.g. SA up/SA down)
    #  1: Generic control flow with errors, a good default to see what's going on
    #  2: More detailed debugging control flow
    #  3: Including RAW data dumps in Hex
    #  4: Also include sensitive material in dumps, e.g. keys

    charon {
        load_modular = yes
        plugins {
            include strongswan.d/charon/*.conf
        }
        filelog {
            charon {
                path = /opt/tmp/charon.log
                time_format = %b %e %T
                append = no
                default = 2   # 2 while troubleshooting; 1 for normal operation
            }
            stderr {
                ike = 2       # 2 while troubleshooting
                knl = 3       # 3 while troubleshooting
                ike_name = yes
            }
        }
        syslog {
            # enable logging to LOG_DAEMON, use defaults
            daemon {
            }
            # minimalistic IKE auditing logging to LOG_AUTHPRIV
            auth {
                default = 2   # 2 while troubleshooting
                ike = 2       # 2 while troubleshooting
            }
        }
    }
    include strongswan.d/*.conf
After modifying strongswan.conf, make sure you stop and start strongSwan so the new logging settings take effect.
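Once charon.log is being written at level 2, the quickest way to find the cause is to look for the IKE notify and error lines strongSwan prints. The shell script below is an added example, not part of the original post or of strongSwan: it classifies a charon.log by those lines and prints the last error line so you know where to read. It assumes the /opt/tmp/charon.log path configured above, and the log excerpts it contains are constructed for the example (203.0.113.10 is a documentation address standing in for the Azure gateway), not captured from a real connection.

```shell
#!/bin/sh
# Added example: first-pass triage of a strongSwan charon.log written at
# log level 2. Not from the original post; the sample logs are constructed.

CHARON_LOG="${CHARON_LOG:-/opt/tmp/charon.log}"   # path from strongswan.conf above

# charon_verdict FILE
# Prints one keyword: ok | proposal | auth | ts | unreachable | unknown
charon_verdict() {
    f="$1"
    if grep -q 'IKE_SA .* established' "$f" && grep -q 'CHILD_SA .* established' "$f"; then
        echo ok            # both IKE_SA and CHILD_SA came up
    elif grep -q 'NO_PROPOSAL_CHOSEN' "$f"; then
        echo proposal      # ike=/esp= proposals do not overlap with the Azure gateway's
    elif grep -qE 'AUTHENTICATION_FAILED|MAC mismatched' "$f"; then
        echo auth          # pre-shared key differs between ipsec.secrets and the Azure connection
    elif grep -q 'TS_UNACCEPTABLE' "$f"; then
        echo ts            # traffic selectors (leftsubnet/rightsubnet) do not match the Azure networks
    elif [ "$(grep -c 'retransmit' "$f")" -ge 3 ]; then
        echo unreachable   # peer never answered: wrong gateway IP or UDP 500/4500 blocked upstream
    else
        echo unknown
    fi
}

# charon_last_error FILE
# Prints the last line that looks like an error, or nothing if there is none.
charon_last_error() {
    grep -iE 'error|failed|mismatch|giving up' "$1" | tail -n 1
}

# --- constructed sample logs (format matches time_format = %b %e %T) ---
SAMPLE_PROPOSAL=$(mktemp)
SAMPLE_UNREACHABLE=$(mktemp)
SAMPLE_OK=$(mktemp)
trap 'rm -f "$SAMPLE_PROPOSAL" "$SAMPLE_UNREACHABLE" "$SAMPLE_OK"' EXIT

cat >"$SAMPLE_PROPOSAL" <<'EOF'
Mar  3 10:15:01 05[IKE] initiating IKE_SA azure[1] to 203.0.113.10
Mar  3 10:15:01 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar  3 10:15:01 06[IKE] received NO_PROPOSAL_CHOSEN notify error
EOF

cat >"$SAMPLE_UNREACHABLE" <<'EOF'
Mar  3 10:20:01 05[IKE] initiating IKE_SA azure[1] to 203.0.113.10
Mar  3 10:20:05 05[IKE] retransmit 1 of request with message ID 0
Mar  3 10:20:12 05[IKE] retransmit 2 of request with message ID 0
Mar  3 10:20:25 05[IKE] retransmit 3 of request with message ID 0
Mar  3 10:21:30 05[IKE] giving up after 5 retransmits
EOF

cat >"$SAMPLE_OK" <<'EOF'
Mar  3 10:30:01 05[IKE] initiating IKE_SA azure[1] to 203.0.113.10
Mar  3 10:30:02 06[IKE] IKE_SA azure[1] established between 192.0.2.10[192.0.2.10]...203.0.113.10[203.0.113.10]
Mar  3 10:30:02 06[IKE] CHILD_SA azure{1} established with SPIs c1a2b3d4_i e5f6a7b8_o and TS 192.168.1.0/24 === 10.0.0.0/16
EOF

# Stand-alone run: show the verdict and last error line for each sample.
# On the router itself use: charon_verdict "$CHARON_LOG"
for f in "$SAMPLE_PROPOSAL" "$SAMPLE_UNREACHABLE" "$SAMPLE_OK"; do
    echo "$f: $(charon_verdict "$f") -- $(charon_last_error "$f")"
done
```

The checks are ordered so that a fully established tunnel wins over stale error lines, and the retransmit threshold only fires when the peer has not answered at all; a log that matches none of the patterns gets "unknown" rather than a guess.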
Azure VPN gateway logging
With a bit of PowerShell it is also possible to look into the Azure VPN gateway logs: the script below starts a diagnostics capture on the gateway, waits for it to finish, and downloads the resulting log from the storage account.
    # Sign in and list the subscriptions visible to the account
    Add-AzureAccount
    Get-AzureSubscription

    $subscriptionName   = '<YOUR SUBSCRIPTION NAME>'
    $storageAccountName = '<YOUR STORAGE ACCOUNT NAME>'
    $azureVNet          = '<YOUR AZURE NETWORK NAME>'
    $captureDuration    = 300   # seconds of gateway diagnostics to capture

    # Select the subscription and the storage account the diagnostics are written to
    Set-AzureSubscription -SubscriptionName $subscriptionName -CurrentStorageAccountName $storageAccountName
    $storageAccountKey = (Get-AzureStorageKey -StorageAccountName $storageAccountName).Primary
    $storageContext    = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

    # Start the capture on the gateway and wait for it to complete
    Start-AzureVNetGatewayDiagnostics -VNetName $azureVNet -StorageContext $storageContext -CaptureDurationInSeconds $captureDuration
    Start-Sleep -s $captureDuration

    # Download the resulting log from the storage account and save it locally
    $logURL     = (Get-AzureVNetGatewayDiagnostics -VNetName $azureVNet).DiagnosticsUrl
    $logContent = (Invoke-WebRequest -Uri $logURL).Content   # .Content is the body only; .RawContent would also prepend the HTTP status line and headers
    $logContent | Out-File -FilePath C:\vpn.log