Messages

1

23.7 Legacy Series / Re: Azure IPsec Basic VNG with Non-Legacy Connection

« on: December 02, 2023, 11:03:02 pm »

Excellent, thanks! 👍

2

23.7 Legacy Series / Re: Azure IPsec Basic VNG with Non-Legacy Connection

« on: December 01, 2023, 08:49:38 am »

Basic has gone from mine after setting it up again from scratch, so I assume it was a legacy/grandfathered configuration within my Azure tenant. I can set custom policy now.

I followed your settings and all is working - many thanks!

For the Phase 2 proposals, could you supply what you have selected exactly please as I wasn't able to find

IKE Phase 2(IPsec)
IPsec Encryption: GCMAES256
IPsec Integrity: GCMAES256
PFS Group: None

I have left it as default which in the logs has selected

selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ

3

23.7 Legacy Series / Re: Azure IPsec Basic VNG with Non-Legacy Connection

« on: November 28, 2023, 05:12:43 am »

Ta for the update
Could you confirm this was on the Basic SKU / Azure GW1 please? From what I have access to, custom IPSec/IKE are only available starting from Azure GW2

4

23.7 Legacy Series / Re: Azure IPsec Basic VNG with Non-Legacy Connection

« on: November 26, 2023, 04:15:19 am »

It doesn't appear to be in my offers (UK South) but I'll give it a try in a few days when my balance resets for December. Thanks for taking the time to post 👍

5

23.7 Legacy Series / Re: Azure IPsec Basic VNG with Non-Legacy Connection

« on: November 24, 2023, 12:22:58 am »

I see AES256 / SHA256 no PRF was added to the list of proposals with the latest update.

Would it be possible to please add:

IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

6

23.7 Legacy Series / [Solved] Azure IPsec Basic VNG with Non-Legacy Connection

« on: November 22, 2023, 12:10:31 pm »

Hi there,

I've found that Azure Virtual Network Gateway configured as Basic SKU / Gateway 1 is incompatible with any of the options present in the new method of IKE proposals:

Azure Basic Gateway 1 (Gw1) / Generation 1

IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

OPNsense default internal

IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048

Annoyingly, custom IKE policies to find parity for OPNsense are only supported by Gateway 2 (Gw2) / Generation 2 and higher in Azure. The cost difference for me for my own use is approx. £28 a month for Gw1 and £68 for 4 days on Gw2 (which quickly exhausted my spending limits).

I can revert to using Legacy for now but I'm concerned that this will be deprecated / removed at some point.

7

22.7 Legacy Series / Re: "Lookup hostnames" no longer works in Firewall: Log Files: Live View

« on: November 16, 2022, 04:03:17 pm »

Also noticing the issue. Enabling it triggers a refresh that never completes. Reloading Live View seems to hang until it times out.

8

22.1 Legacy Series / Re: 22.1rc1 slow in Hyper-V

« on: February 14, 2022, 11:10:18 pm »

Cheers - just competed the upgrade and so far so good!

9

22.1 Legacy Series / Re: 22.1rc1 slow in Hyper-V

« on: February 14, 2022, 02:45:26 pm »

Any update on this?

10

21.1 Legacy Series / Re: 21.1.7 - DNSCrypt stopped logging

« on: June 23, 2021, 12:12:08 pm »

Having the same issue, have logged an issue to GitHub:
https://github.com/opnsense/plugins/issues/2440

11

21.1 Legacy Series / Re: MSS and IPSEC

« on: April 10, 2021, 11:07:15 am »

I set a Firewall normalisation rule for my IPSEC interface and set all traffic to Max MSS 1350 for that interface. That resolved it for my IPSEC tunnel to Azure (gleamed from their documentation).

12

20.7 Legacy Series / Re: Installer for 20.7 hangs at "Select Task" on Hyper-V Server 2019 Generation 2 VM

« on: January 18, 2021, 11:25:27 am »

Have been running opnSENSE for a few years on Hyper-V and Generation 2 since support was added to BSD. Other than the interrupt for the guided installation, I have been fine except for a few issues related to particular updates; none of which have stopped the instance from working.

13

18.1 Legacy Series / Re: IPSec Azure Issue 18.1.4

« on: March 22, 2018, 06:30:38 pm »

Hi there, currently testing and so far it's been up for 14hrs with no issue on 18.1.15. Shall see how it fairs after a reboot later on

14

18.1 Legacy Series / Re: IPSec Azure Issue 18.1.4

« on: March 14, 2018, 11:46:10 pm »

Looks about right, reboot sorts it etc. Thanks for finding a probably cause, appreciated

I'm on OpenSSL

15

18.1 Legacy Series / Re: IPSec Azure Issue 18.1.4

« on: March 13, 2018, 08:32:58 am »

Just to confirm, no configuration changes and tunnel is still up and working correctly.