
Messages - tchoufang

#1
Hello
I'm stuck on an IPsec site-to-site VPN configuration in VTI (route-based) mode between Azure and an OPNsense firewall. The tunnel is up and active, but no traffic passes (ping, SSH, etc.).

Configuration context:
Azure side:
VNet: 10.1.0.0/16
Subnet: 10.1.0.0/24, GatewaySubnet: 10.1.1.0/24
Azure VPN Gateway: active/active, route-based, IKEv2
IPs: 4.178.211.95 and 4.178.242.10
UDR routes: OK, associated with the subnet
Generated Azure file: used

OPNsense side:
WAN IP: 176.165.131.115
LANs: 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24
VTI IPsec tunnel: active, with auto-created virtual interface
VTI IPs: 169.254.21.1 <-> 169.254.21.2
Static route to 10.1.0.0/16 via 169.254.21.2
Gateway defined
Firewall rules configured to allow the traffic
No NAT

Symptoms:
Tunnel up, charon/IKE logs OK
No ping to Azure or from Azure
No packets traverse the VTI interface
Unable to assign an IP manually to the VTI interface

Thanks in advance for any help

Below is the Azure file

! Microsoft Corporation
! ------------------------------------------------------------------------------
! Sample VPN tunnel configuration template for Cisco IOS-based devices
!
! ##############################################################################
! !!! Search for "REPLACE" to find the values that require special
! !!! considerations
! !!!
! !!! (1) ACL/access-list rule numbers
! !!! (2) Tunnel interface number
! !!! (3) Tunnel interface IP address
! !!! (4) BGP routes to advertise (if BGP is enabled)
! !!! (5) BGP peer IP address on the device - loopback interface number
! ##############################################################################
!
!
! [0] Device information
!
!   > Device vendor:    Cisco
!   > Device family:    IOS-based (ASR, ISR)
!   > Firmware version: IOS 15.1 or beyond
!   > Test platform:    Cisco ISR 2911, version 15.2
!
! [1] Network parameters
!
!   > Connection name:       VNet1toSite1
!   > VPN Gateway name:      51c20034-46ea-4072-91c5-894348cc58f6
!   > Public IP addresses:   
!     + Public IP 1:         4.178.211.95
!     + Public IP 2:         4.178.242.10
!   > Virtual network address space:
!     + CIDR: 10.1.0.0/16
!       - Prefix:   10.1.0.0
!       - Netmask:  255.255.0.0
!       - Wildcard: 0.0.255.255
!   > Local network gateway: Site1
!   > On-premises VPN IP:    176.165.131.115
!   > On-premises address prefixes:
!     + CIDR: 192.168.10.0/24
!       - Prefix:   192.168.10.0
!       - Netmask:  255.255.255.0
!       - Wildcard: 0.0.0.255
!     + CIDR: 192.168.20.0/24
!       - Prefix:   192.168.20.0
!       - Netmask:  255.255.255.0
!       - Wildcard: 0.0.0.255
!     + CIDR: 192.168.30.0/24
!       - Prefix:   192.168.30.0
!       - Netmask:  255.255.255.0
!       - Wildcard: 0.0.0.255
!
! [2] IPsec/IKE parameters
!
!   > IKE version:             IKEv2
!     + Encryption algorithm:  aes-cbc-256
!     + Integrity algorithm:   sha1
!     + Diffie-Hellman group:  2
!     + SA lifetime (seconds): 3600
!     + Pre-shared key:        abc123
!     + UsePolicyBasedTS:      False
!
!   > IPsec
!     + Encryption algorithm:  esp-gcm 256
!     + Integrity algorithm:   
!     + PFS Group:             none
!     + SA lifetime (seconds): 3600
!
! [3] BGP parameters - Azure VPN gateway
!
!   > Azure virtual network
!     + Enable BGP:            False
!     + Azure BGP ASN:         VNG_ASN
!   > On-premises network / LNG
!     + On premises BGP ASN:   LNG_ASN
!     + On premises BGP IP:    LNG_BGPIP
!
! ------------------------------------------------------------------------------
! ACL rules
!
! Some VPN devices require explicit ACL rules to allow cross-premises traffic:
!
! 1. Allow traffic between on premises address ranges and VNet address ranges
! 2. Allow IKE traffic (UDP:500) between on premises VPN devices and Azure VPN gateway
! 3. Allow IPsec traffic (Proto:ESP) between on premises VPN devices and Azure VPN gateway

access-list 101 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 101 permit ip 192.168.30.0 0.0.0.255 10.1.0.0 0.0.255.255

! ==============================================================================
! Internet Key Exchange (IKE) configuration
! - IKE Phase 1 / Main mode configuration
! - Encryption/integrity algorithms, Diffie-Hellman group, pre-shared key

crypto ikev2 proposal VNet1toSite1-proposal
  encryption aes-cbc-256
  integrity  sha1
  group      2
  exit

crypto ikev2 policy VNet1toSite1-policy
  proposal VNet1toSite1-proposal
  match address local 176.165.131.115
  exit
 
crypto ikev2 keyring VNet1toSite1-keyring
  peer 4.178.211.95
    address 4.178.211.95
    pre-shared-key abc123
    exit
  peer 4.178.242.10
    address 4.178.242.10
    pre-shared-key abc123
    exit
  exit

crypto ikev2 profile VNet1toSite1-profile
  match address  local 176.165.131.115
  match identity remote address 4.178.211.95 255.255.255.255
  match identity remote address 4.178.242.10 255.255.255.255
  authentication remote pre-share
  authentication local  pre-share
  lifetime       3600
  keyring local  VNet1toSite1-keyring
  exit

! ------------------------------------------------------------------------------
! IPsec configuration
! - IPsec (or IKE Phase 2 / Quick Mode) configuration
! - Transform Set: IPsec encryption/integrity algorithms, IPsec ESP mode

crypto ipsec transform-set VNet1toSite1-TransformSet esp-gcm 256
  mode tunnel
  exit

crypto ipsec profile VNet1toSite1-IPsecProfile
  set transform-set  VNet1toSite1-TransformSet
  set ikev2-profile  VNet1toSite1-profile
  set security-association lifetime seconds 3600
  exit

! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
!   other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface number and APIPA IP address below
! * In active-active configuration, there will be two tunnel interfaces below

int tunnel 11
  ip address 169.254.0.1 255.255.255.252
  tunnel mode ipsec ipv4
  ip tcp adjust-mss 1350
  tunnel source 176.165.131.115
  tunnel destination 4.178.211.95
  tunnel protection ipsec profile VNet1toSite1-IPsecProfile
  exit

int tunnel 12
  ip address 169.254.0.2 255.255.255.252
  tunnel mode ipsec ipv4
  ip tcp adjust-mss 1350
  tunnel source 176.165.131.115
  tunnel destination 4.178.242.10
  tunnel protection ipsec profile VNet1toSite1-IPsecProfile
  exit

! ------------------------------------------------------------------------------
! BGP configuration
! - BGP configuration if enabled for the connection
! * REPLACE: Loopback interface number(s)
! * REPLACE: Local routes and netmasks to advertise - LOCAL_ROUTE and LOCAL_MASK


! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s)

ip route 10.1.0.0 255.255.0.0 Tunnel 11
ip route 10.1.0.0 255.255.0.0 Tunnel 12
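As an added consistency check (editor's example, not part of the post or of the Azure template), the script below parses the parameter block of the generated file and compares it with a route-based OPNsense side: the traffic-selector mode the template asks for, one VTI per Azure public IP (the template defines two tunnel interfaces), a VTI peer address inside the local VTI /30, and a static route that sends the VNet prefix via that peer. The template excerpt is copied from the file above; the VTI and route values in the main block are the ones stated in the post.

```python
import ipaddress
import re

# Excerpt of the Azure-generated template pasted in the post (comment lines only).
AZURE_TEMPLATE = """\
!     + Public IP 1:         4.178.211.95
!     + Public IP 2:         4.178.242.10
!     + CIDR: 10.1.0.0/16
!   > IKE version:             IKEv2
!     + Encryption algorithm:  aes-cbc-256
!     + Integrity algorithm:   sha1
!     + Diffie-Hellman group:  2
!     + UsePolicyBasedTS:      False
!     + PFS Group:             none
"""

def parse_template(text):
    """Collect 'key: value' pairs from the '!' comment lines; the first occurrence of a key wins."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"!\s*[>+]\s*([^:]+?):\s*(\S.*)$", line)
        if m and m.group(1).strip() not in params:
            params[m.group(1).strip()] = m.group(2).strip()
    return params

def vti_checks(params, vtis, static_routes):
    """vtis: list of (local VTI address with prefix, peer VTI address); static_routes: list of
    (destination CIDR, gateway). Returns findings; an empty list means the basic VTI conditions hold."""
    findings = []
    if params.get("UsePolicyBasedTS", "False") != "False":
        findings.append("template asks for policy-based traffic selectors; a VTI needs 0.0.0.0/0 <-> 0.0.0.0/0")
    peers = [v for k, v in params.items() if k.startswith("Public IP ")]
    if len(vtis) != len(peers):
        findings.append(f"template defines {len(peers)} tunnels (one per Azure public IP) but {len(vtis)} VTI(s) given")
    vnet = ipaddress.ip_network(params["CIDR"])
    for local_vti, peer_vti in vtis:
        local = ipaddress.ip_interface(local_vti)
        peer = ipaddress.ip_address(peer_vti)
        if peer not in local.network or peer == local.ip:
            findings.append(f"VTI peer {peer} is not a distinct address inside {local.network}")
        if not any(vnet.subnet_of(ipaddress.ip_network(dst)) and ipaddress.ip_address(gw) == peer
                   for dst, gw in static_routes):
            findings.append(f"no static route sends {vnet} via VTI peer {peer}")
    return findings

if __name__ == "__main__":  # values from the post: one VTI 169.254.21.1 <-> .2, route 10.1.0.0/16 via .2
    for f in vti_checks(parse_template(AZURE_TEMPLATE), [("169.254.21.1/30", "169.254.21.2")],
                        [("10.1.0.0/16", "169.254.21.2")]):
        print("finding:", f)
```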