
Messages - mrwizardno2

#1
21.1 Legacy Series / Re: Routed IPSec BGP Invalid
April 14, 2021, 07:17:23 PM
Heya! No, sadly I couldn't get it to work. I redeployed to use tunnel / policy instead as a workaround.

Before I gave up, I noticed the lack of a route to the VPNGW and added a static route for the VPN gateway - would that not have solved the problem? I also tried modifying the tunnel addresses to be the local IPs (LAN IP local, VPN GW IP for Azure); that didn't seem to work either, even though BGP data was exchanged. Baffled as to what happened, as this all worked previously.

Not sure if it's related, but there was this discussion regarding route-based IPSEC connections on GitHub: https://github.com/opnsense/docs/pull/279#pullrequestreview-632969636


#2
21.1 Legacy Series / Re: Routed IPSec BGP Invalid
March 30, 2021, 03:11:56 AM
I tried again today. No dice. So, anyone else have any thoughts?

#3
I had to go to System ‣ Access ‣ Settings ‣ Administration and under the Authentication section at the bottom, change the Server dropdown to include the newly added LDAP server and save. Then it showed up. It's definitely easy to miss. Lower right corner - tiny little thing.

#4
21.1 Legacy Series / Re: Routed IPSec BGP Invalid
March 27, 2021, 02:12:32 PM
This morning I deleted my configuration in Azure as well as OPNSense and re-ran through the documentation on the Docs site (https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html). The documentation does not call out creating the interface (it appears to assume it is present, though) and setting its Dynamic Gateway Policy. You get a generic complaint about setting an IP on an interface where the network cannot be determined without doing so. So the docs need to be updated at a minimum to include this step.

As far as the remainder of the configuration goes - it does not appear to work unless there is something more that needs to be done. I assume that at minimum a static /32 route must be added in order for OPNSense to understand how to get to the Gateway Subnet (which is outside the IPSec tunnel addresses). What's interesting is that a route created under System > Routes > Configuration never shows up in the list of routes under Routing > Diagnostics > General > IPv4. I can see from Azure that BGP announced my local networks and they show up in Azure's routing table for my VNet Gateway, but nothing shows up in my local Routing > Diagnostics > General > IPv4. What am I missing?
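The hypothesis in this post and in the follow-up above (that the Azure-advertised routes show as invalid because OPNsense has no route to the BGP next hop inside the GatewaySubnet, and that a static /32 to the VPN gateway would fix it) can be checked with a small model of BGP next-hop resolution against the kernel routing table. The following is an added example written for this page; it is not code from the thread, from OPNsense, or from FRR. All addresses are constructed: 203.0.113.1 stands in for the WAN gateway, 10.250.0.0/30 for the routed IPsec tunnel addresses on an assumed `ipsec1` interface, and 10.0.255.254 for the Azure BGP peer address inside the GatewaySubnet. The `resolve_via_default` switch mirrors FRR's zebra option `ip nht resolve-via-default`, which is off by default, so a plain default route does not make a next hop resolvable.

```python
"""Model of BGP next-hop resolution against a routing table (added example)."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination prefix, gateway address or interface name)
Path = Tuple[str, str]   # (BGP prefix, next-hop address)

# Constructed sample data, not taken from the thread or from any real deployment.
BASE_ROUTES: List[Route] = [
    ("0.0.0.0/0", "203.0.113.1"),   # default route out the WAN (assumed address)
    ("192.168.10.0/24", "em1"),     # local LAN, connected
    ("10.250.0.0/30", "ipsec1"),    # routed IPsec tunnel addresses, connected (assumed)
]
# The static host route to the VPN gateway that the post suggests adding.
GATEWAY_HOST_ROUTE: Route = ("10.0.255.254/32", "ipsec1")

# Prefixes learned from Azure over BGP; the next hop is the gateway's BGP peer
# address in the GatewaySubnet, which lies outside the tunnel network.
AZURE_PATHS: List[Path] = [
    ("10.0.0.0/16", "10.0.255.254"),
    ("10.1.0.0/16", "10.0.255.254"),
]


def longest_match(routes: List[Route], addr: str,
                  resolve_via_default: bool = False) -> Optional[Route]:
    """Return the most specific route covering addr, or None if no route does.

    The default route (prefix length 0) only counts when resolve_via_default is
    set, mirroring zebra's 'ip nht resolve-via-default' which is off by default.
    """
    target = ipaddress.ip_address(addr)
    best = None  # (network, route) of the longest matching prefix so far
    for route in routes:
        net = ipaddress.ip_network(route[0], strict=False)
        if net.prefixlen == 0 and not resolve_via_default:
            continue
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return None if best is None else best[1]


def classify_paths(routes: List[Route], paths: List[Path],
                   resolve_via_default: bool = False
                   ) -> List[Tuple[str, str, Optional[Route]]]:
    """For each BGP path return (prefix, next_hop, resolving route or None)."""
    return [(prefix, nh, longest_match(routes, nh, resolve_via_default))
            for prefix, nh in paths]


def invalid_paths(routes: List[Route], paths: List[Path],
                  resolve_via_default: bool = False) -> List[str]:
    """Prefixes whose next hop cannot be resolved; BGP will not treat these as valid."""
    return [prefix for prefix, _, via in
            classify_paths(routes, paths, resolve_via_default) if via is None]


if __name__ == "__main__":
    scenarios = (("without /32", BASE_ROUTES),
                 ("with /32", BASE_ROUTES + [GATEWAY_HOST_ROUTE]))
    for label, routes in scenarios:
        for prefix, nh, via in classify_paths(routes, AZURE_PATHS):
            state = "valid via %s" % via[0] if via else "INVALID (next hop unresolvable)"
            print("%-12s %-12s next hop %-14s %s" % (label, prefix, nh, state))
```

Run as-is it prints both Azure prefixes as invalid with only the tunnel and LAN routes present, and valid once the /32 host route to 10.0.255.254 exists; setting `resolve_via_default=True` also makes them valid, which is the other way the real router could be made to accept them. The model only does longest-prefix lookup; it ignores recursive resolution and route-map filtering, so it illustrates the reachability requirement rather than reproducing FRR exactly.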

#5
21.1 Legacy Series / Re: Routed IPSec BGP Invalid
March 26, 2021, 01:50:15 PM
I believe I was on 21.1 just before upgrading - but I am not 100% positive on the details there.

#6
21.1 Legacy Series / Routed IPSec BGP Invalid
March 25, 2021, 03:06:33 PM
Hi all,

I've been using opnsense for quite a while. Previously, I had a routed IPSec tunnel set up to Azure (using the documentation that was provided on the OPNSense site) that exchanged routes via BGP. This has continued to work fine through multiple updates - until I applied 21.1.3_3.

Now the tunnel comes up, but the advertised BGP routes from Azure are marked invalid. I'm confused as to why this stopped working - did the behavior change? How can I sort out what's happening? I can see in the firewall logs that Azure is sending me traffic (AD, DNS queries, etc.), but I can't route back the other way.

Thanks in advance. This has really messed up my lab (and my SO is annoyed that some of the home automation stuff isn't working!) for the last week or two!