Messages - flyingbird76

#1
Update... got it sorted. I had to create the connection using an override.conf file in /usr/local/etc/swanctl/conf.d

This allowed me to set the required proposal. Only minor drawback is the connection doesn't show up in the UI.

Tunnel is now up and I can route traffic from LAN to Azure, but not Azure to LAN :-(

#2
Hi there,

I've been using a route-based IPsec S2S tunnel with Azure VPN Gateway (Basic SKU) for a while now. It's been working great, but I recently upgraded to version 25.1 and thought it was a good idea to switch to the new IPsec connections. I'm worried that the legacy tunnel settings might become deprecated soon, so I wanted to make the switch before it's too late.

I'm using the Basic SKU for Azure VPN, so I can't customise the IKE policies on the Azure side. I'm stuck with the settings that Microsoft allows by default.

I've tried setting up the new connection, but I keep getting an error saying that there are no valid IKE proposals available. Azure says that the following proposals are available:

IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

None of these proposals are available when I use the new IPsec connections, but they are available in the legacy tunnel settings.

Is it possible to add these proposals to OPNsense? If so, does anyone know how to do it?

Thanks a bunch!
FB
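
An added example (not the poster's configuration and not OPNsense code) that converts the proposal lines quoted in the post above into strongSwan `swanctl` proposal keywords, as needed for the override file mentioned in the follow-up post, and picks the strongest one on offer. The preference order and the set of transforms flagged as weak are assumptions of this example.

```python
# Added example: map log-style IKE proposal lines to swanctl proposal keywords.
# The tables cover only the transforms that appear in the post.
ENC = {"AES_CBC_256": "aes256", "AES_CBC_128": "aes128", "3DES_CBC": "3des"}
INTEG = {"HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256"}
PRF = {"PRF_HMAC_SHA1": "prfsha1", "PRF_HMAC_SHA2_256": "prfsha256"}
DH = {"MODP_1024": "modp1024"}

# Assumed preference order, strongest first, and transforms worth flagging.
ENC_RANK = ["aes256", "aes128", "3des"]
INTEG_RANK = ["sha256", "sha1"]
WEAK = {"3des", "sha1", "modp1024"}

# Proposal lines copied from the post.
OFFERED = """\
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
"""

def to_swanctl(line):
    """Return (keyword string, weak transforms) for one 'IKE:enc/integ/prf/dh' line."""
    proto, _, body = line.strip().partition(":")
    parts = body.split("/")
    if proto != "IKE" or len(parts) != 4:
        raise ValueError(f"not an IKE proposal line: {line!r}")
    enc, integ, prf, dh = parts
    try:
        kw = [ENC[enc], INTEG[integ], PRF[prf], DH[dh]]
    except KeyError as exc:
        raise ValueError(f"unknown transform {exc}") from None
    # strongSwan derives the PRF from the integrity algorithm when a proposal
    # names none, so the PRF keyword is dropped when the two match.
    if kw[2] == "prf" + kw[1]:
        del kw[2]
    return "-".join(kw), sorted(WEAK.intersection(kw))

def best_proposal(text):
    """Pick the strongest offered proposal by cipher first, then integrity."""
    props = [to_swanctl(l) for l in text.splitlines() if l.strip()]
    def rank(item):
        enc, integ = item[0].split("-")[:2]
        return ENC_RANK.index(enc), INTEG_RANK.index(integ)
    return min(props, key=rank)

if __name__ == "__main__":
    kw, weak = best_proposal(OFFERED)
    print(f"proposals = {kw}   # weak transforms: {', '.join(weak) or 'none'}")
```

The resulting keyword string is the value for the `proposals` setting of the connection defined in the override file under /usr/local/etc/swanctl/conf.d.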
#3
Update:

The hostname of the device has now changed in Zenarmor devices. I'm not sure what caused the change. I applied the latest hotfix for OPNsense (24.7_9) and I also rebooted the firewall post update (I know that's not required, but I always like to reboot ASAP after an upgrade).

I don't know if it was the update (unlikely based on release notes), the firewall reboot, or if Zenarmor refreshes hostnames for devices periodically.
#4
Hi

No, I mean the actual hostname that is shown under the device properties in Zenarmor. I have updated the name in Zenarmor to the correct new name, but the hostname is still showing as the old name.

I have attached a screenshot (some info redacted) that shows the Zenarmor device name and hostname mismatch.
#5
I am a Zenarmor home subscriber and have a small issue with the 'Devices' feature.

I have changed the hostname of one of my devices but the hostname for the device is not updating in the devices list. I have removed the device, generated some traffic on the device to force it to appear again as a new device, marked it as a trusted device, but it is still showing the old hostname.

How do I update the hostname of the device in the Zenarmor device list, or is there a method to force Zenarmor to re-query (reverse DNS lookup I assume) my DNS servers (unbound on OPNsense) to get the updated hostname?

Zenarmor is configured to use unbound DNS on OPNsense itself for DNS enrichment.

Performing a reverse DNS lookup of the IP address of the device that has had its hostname changed returns the correct hostname.
#6
Zenarmor (Sensei) / Re: Remote Elasticsearch
July 09, 2024, 06:53:29 PM
Thank you.
#7
Zenarmor (Sensei) / Remote Elasticsearch
July 08, 2024, 07:00:50 PM
I originally installed Zenarmor using SQLite but I wanted more than 2 days data retention. Although my firewall is powerful enough to install Elasticsearch (quad core, 8 GB RAM), I preferred to keep Elasticsearch separate from my firewall, so I purchased a mini server to act as my Elasticsearch server (I will use it for other data logging as well now that I have it).

The install of Zenarmor went well and everything is working well as far as I can see, but when I check the database in settings I get the following warning:

'We do not advise to set a data retention interval longer than 2 days for elasticsearchRemote backend'

It is currently set to 7 days.

Question: why would using a much more powerful external Elasticsearch server for Zenarmor give a recommendation to only retain 2 days of logs, while using Elasticsearch installed on the vastly less powerful firewall it is happy with a 7 day retention period?