Messages - Aergan

#1
Also have this issue
#2
Excellent, thanks! 👍
#3
Basic has gone from mine after setting it up again from scratch, so I assume it was a legacy/grandfathered configuration within my Azure tenant. I can set custom policy now. :)

I followed your settings and all is working - many thanks!

For the Phase 2 proposals, could you supply what you have selected exactly please as I wasn't able to find
Quote
IKE Phase 2 (IPsec)
IPsec Encryption: GCMAES256
IPsec Integrity: GCMAES256
PFS Group: None

I have left it as default which in the logs has selected
Quote
selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
#4
Ta for the update
Could you confirm this was on the Basic SKU / Azure GW1 please? From what I have access to, custom IPSec/IKE are only available starting from Azure GW2
#5
It doesn't appear to be in my offers (UK South) but I'll give it a try in a few days when my balance resets for December. Thanks for taking the time to post 👍
#6
I see AES256 / SHA256 no PRF was added to the list of proposals with the latest update.

Would it be possible to please add:
Quote
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
#7
Hi there,

I've found that Azure Virtual Network Gateway configured as Basic SKU / Gateway 1 is incompatible with any of the options present in the new method of IKE proposals:

Azure Basic Gateway 1 (Gw1) / Generation 1
Quote
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

OPNsense default internal
Quote
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048

Annoyingly, custom IKE policies to find parity for OPNsense are only supported by Gateway 2 (Gw2) / Generation 2 and higher in Azure. The cost difference for me for my own use is approx. £28 a month for Gw1 and £68 for 4 days on Gw2 (which quickly exhausted my spending limits).

I can revert to using Legacy for now but I'm concerned that this will be deprecated / removed at some point.
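
An added example (not part of the original post, and not OPNsense or Azure code) that parses the two proposal lists quoted in post #7 and reports, for each Azure Basic proposal, which transform types have no algorithm in common with the OPNsense default set. The function names are illustrative, and matching is simplified to "at least one shared algorithm per transform type".

```python
# Proposal strings copied from the post above (strongSwan notation).
AZURE_BASIC = [
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024",
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024",
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024",
]
# PRF and DH transforms shared by both OPNsense default proposals.
_TAIL = ("/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1"
         "/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448"
         "/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048")
OPNSENSE_DEFAULT = [
    "IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256"
    "/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256"
    "/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96" + _TAIL,
    "IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256"
    "/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256"
    "/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256" + _TAIL,
]

def transform_type(name):
    """Map a strongSwan transform name to its IKEv2 transform type."""
    if name.startswith("PRF_"):
        return "PRF"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if name.startswith("HMAC_") or name in ("AES_XCBC_96", "AES_CMAC_96"):
        return "INTEG"
    return "ENCR"  # CBC/CTR ciphers and AEAD modes (GCM, CCM, ChaCha20-Poly1305)

def parse(proposal):
    """'IKE:A/B/C' -> {'ENCR': {...}, 'INTEG': {...}, 'PRF': {...}, 'DH': {...}}"""
    by_type = {}
    for name in proposal.strip().split(":", 1)[1].split("/"):
        by_type.setdefault(transform_type(name), set()).add(name)
    return by_type

def missing_types(peer, local_proposals):
    """Transform types of `peer` with no shared algorithm in the closest local proposal."""
    p = parse(peer)
    gaps = [sorted(t for t in p if not p[t] & parse(l).get(t, set())) for l in local_proposals]
    return min(gaps, key=len)

if __name__ == "__main__":
    for proposal in AZURE_BASIC:
        print(proposal, "-> no common", ", ".join(missing_types(proposal, OPNSENSE_DEFAULT)) or "nothing (match)")
```

For the lists as quoted, every Azure Basic proposal differs from the first OPNsense default proposal only in the DH group: the default set offers no MODP_1024.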
#8
Also noticing the issue. Enabling it triggers a refresh that never completes. Reloading Live View seems to hang until it times out.
#9
22.1 Legacy Series / Re: 22.1rc1 slow in Hyper-V
February 14, 2022, 11:10:18 PM
Cheers - just completed the upgrade and so far so good!
#10
22.1 Legacy Series / Re: 22.1rc1 slow in Hyper-V
February 14, 2022, 02:45:26 PM
Any update on this?
#11
Having the same issue, have logged an issue to GitHub:
https://github.com/opnsense/plugins/issues/2440
#12
21.1 Legacy Series / Re: MSS and IPSEC
April 10, 2021, 11:07:15 AM
I set a Firewall normalisation rule for my IPSEC interface and set all traffic to Max MSS 1350 for that interface. That resolved it for my IPSEC tunnel to Azure (gleaned from their documentation).
#13
Have been running OPNsense for a few years on Hyper-V and Generation 2 since support was added to BSD. Other than the interrupt for the guided installation, I have been fine except for a few issues related to particular updates; none of which have stopped the instance from working.
#14
18.1 Legacy Series / Re: IPSec Azure Issue 18.1.4
March 22, 2018, 06:30:38 PM
Hi there, currently testing and so far it's been up for 14hrs with no issue on 18.1.15. Shall see how it fares after a reboot later on.
#15
18.1 Legacy Series / Re: IPSec Azure Issue 18.1.4
March 14, 2018, 11:46:10 PM
Looks about right, reboot sorts it etc. Thanks for finding a probable cause, appreciated.

I'm on OpenSSL