OPNsense Forum

Hi there,

I've found that Azure Virtual Network Gateway configured as Basic SKU / Gateway 1 is incompatible with any of the options present in the new method of IKE proposals:

Azure Basic Gateway 1 (Gw1) / Generation 1

QuoteIKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

OPNsense default internal

Quote
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048

Annoyingly, custom IKE policies to find parity for OPNsense are only supported by Gateway 2 (Gw2) / Generation 2 and higher in Azure. The cost difference for me for my own use is approx. £28 a month for Gw1 and £68 for 4 days on Gw2 (which quickly exhausted my spending limits).

I can revert to using Legacy for now but I'm concerned that this will be deprecated / removed at some point.

I see AES256 / SHA256 no PRF was added to the list of proposals with the latest update.

Would it be possible to please add:

QuoteIKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

This might be a regional difference, but I just checked my portal and I am running on Generation 1 and SKU VpnGw1. I have the following parameters configured - OPNsense 23.7.8_1. This is under the new Connections GUI.

• Proposals: aes256-sha384-ecp384 [DH20, NIST EC]
• Version: IKEv2
• MOBIKE: checked
• Rekey time: 28800
• DPD delay: 45
• sha256_96: unchecked
• Mode: Tunnel
• Policies: checked
• Start action: Trap+start
• DPD action: Clear
• ESP proposals: default
• Rekey time: 3600

I hope this helps.

Update: I just remembered that I also set a custom IPsec/IKE policy on the Azure side. It is under the Connection resource > Configuration (same resource where you set the preshared key). I also added the rekey times under the Advanced setting above.

I have the following there:
IKE Phase 1

• Encryption: AES256
• Integrity/PRF: SHA384
• DH Group: ECP384

IKE Phase 2(IPsec)

• IPsec Encryption: GCMAES256
• IPsec Integrity: GCMAES256
• PFS Group: None

• IPsec SA lifetime in KiloBytes: 0
• IPsec SA lifetime in seconds: 3600
• Use policy based traffic selector: Enable
• DPD timeout in seconds: 45
• Connection Mode: Default
• Use custom traffic selectors: Disabled
• IKE Protocol: IKEv2

I basically followed the Suite-B-GCM-256 specification in RFC6379 (https://datatracker.ietf.org/doc/html/rfc6379#section-3.2) to maximize compatibility with third-party devices.

It doesn't appear to be in my offers (UK South) but I'll give it a try in a few days when my balance resets for December. Thanks for taking the time to post 👍

Your comment made me remember that I tweaked the Azure Connection resource. You're correct; it was not part of the standard Azure proposals. I updated my post with that information. It has been some time since I set all this up.

Ta for the update
Could you confirm this was on the Basic SKU / Azure GW1 please? From what I have access to, custom IPSec/IKE are only available starting from Azure GW2

It shows my SKU to be GW1. It is definitely not Basic so that might be the difference.


SkuText  : {
        "Capacity": 2,
        "Name": "VpnGw1",
        "Tier": "VpnGw1"
        }


Basic has gone from mine after setting it up again from scratch, so I assume it was a legacy/grandfathered configuration within my Azure tenant. I can set custom policy now. :)

I followed your settings and all is working - many thanks!

For the Phase 2 proposals, could you supply what you have selected exactly please as I wasn't able to find

QuoteIKE Phase 2(IPsec)
IPsec Encryption: GCMAES256
IPsec Integrity: GCMAES256
PFS Group: None

I have left it as default which in the logs has selected

Quoteselected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ

That great! For Phase 2, I have the settings you quoted (GCMAES256-GCMAES256-None) set on Azure, and "default" for ESP Proposals in OPNsense. Every thing else on that dropdown specifies a PFS Group. If you are not using PFS, "default" is your only option.

Excellent, thanks! 👍