Messages

1

Virtual private networks / Re: Trying to use Azure Global Secure Access

« on: December 14, 2023, 01:13:13 pm »

Update,

My inexperience with VTI tunnels shows, so... i tried using the old interface, saw that it made that both side of the PH2 ware 0.0.0.0/0 so i set it to that in connection and it dose connect tho now i have one way traffic

This is usually when something is wrong with the PH2 encryption settings since i had that before i did the insecure NA/SHA256 setting on PH2.

I do get this error in the logs now

<|1844> querying policy 0.0.0.0/0 === 0.0.0.0/0 out failed, not found

2

Virtual private networks / Re: Trying to use Azure Global Secure Access

« on: December 13, 2023, 04:34:19 pm »

Doesnt the custom setting state that there is no limitation to PFS?

With a *, * is whats on the dropdown, there is a choice of a few decent ones like ecp256, but it also lets you do things that i would consider irresponsible like DH2

That's nice!

You probably need to provide some more details about your config to say something useful. Those cryptic Microsoft error codes doesn't make much sense.

https://docs.strongswan.org/docs/5.9/interop/microsoftStatusNotify.html

So basically, typical microsoft error,

So for my configuration,
I am attempting to use the new connections menu, so thats what I am going for,

The attachment is what i setup on Azure side, they later on give me a XML with information on what the endpoint is, i set up a tunnel PH1, with the settings, then i add PSK validation, followed by setting up the PH2 and then a VTI tunel (i make sure to uncheck the policy install)

I can provide screenshots on the weekend when i get back home.

I really see interesting potential in this system, as I do have E5 licenses, i can just use this as a work form home access to certin company resources if i can get this working

as it will in the future even support UDP, i can possibly use this to access some on prem licensing systems ect and only have my firewall have a IPSec to direct VPNs to my end users and have to accept %any on the connections for vpn.

3

Virtual private networks / Re: Trying to use Azure Global Secure Access

« on: December 12, 2023, 05:02:43 pm »

Hello, So yes im not a expert in IPSec, but i know microsoft is wierd with this, especially with DH24, that seems to be considered insecure.

I managed to configure this set

P1: aes128gcm16-sha256-ecp256 [Enum 3/1/2]
P2: aes128gcm16-ecp256 [Enum 0/0/4]

Now i cant get the tunnel to start it errors out with this

Informational   charon   09[IKE] <84c349bc-f7a4-4267-b8c7-c6f94b98aefb|1352> received MS_NOTIFY_STATUS notify error   
Informational   charon   09[ENC] <84c349bc-f7a4-4267-b8c7-c6f94b98aefb|1352> parsed IKE_AUTH response 1 [ N(MS_STATUS(87)) ]

I am trying to use the new Connections interface to get this setup, so i might be doing something wrong with that one. But at least its not giving me now no proposlas errors, so I assume that part is correct now.

4

Virtual private networks / Re: Trying to use Azure Global Secure Access

« on: December 08, 2023, 01:46:48 pm »

I can set it as the first part, so encryption, for integrity i can only select sha1/sha256/shar384/sha512/aex-xcbc

And form what i understand this has to also be aes256gcm16, when i set it to anything else its no traffic then.

I did it for testing to null/sha265 and that works then correctly but then setting to no encryption is a sound idea.

5

Virtual private networks / Trying to use Azure Global Secure Access

« on: December 07, 2023, 05:18:29 pm »

So im trying to work out using azure global secure access, it has a few interesting features we might use at work.

The problem is that it uses VPN settings that i can seem to set for phase 2

https://learn.microsoft.com/en-us/entra/global-secure-access/reference-remote-network-configurations

How can i put in the Ph2 settings ? integrity of GCMASE128/192/256 dose not seem to be a option in OpnSense.