1
23.7 Production Series / [Solved] Azure IPsec Basic VNG with Non-Legacy Connection
« on: November 22, 2023, 12:10:31 pm »
Hi there,
I've found that Azure Virtual Network Gateway configured as Basic SKU / Gateway 1 is incompatible with any of the options present in the new method of IKE proposals:
Azure Basic Gateway 1 (Gw1) / Generation 1
OPNsense default internal
Annoyingly, custom IKE policies to find parity for OPNsense are only supported by Gateway 2 (Gw2) / Generation 2 and higher in Azure. The cost difference for me for my own use is approx. £28 a month for Gw1 and £68 for 4 days on Gw2 (which quickly exhausted my spending limits).
I can revert to using Legacy for now but I'm concerned that this will be deprecated / removed at some point.
I've found that Azure Virtual Network Gateway configured as Basic SKU / Gateway 1 is incompatible with any of the options present in the new method of IKE proposals:
Azure Basic Gateway 1 (Gw1) / Generation 1
Quote
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
OPNsense default internal
Quote
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Annoyingly, custom IKE policies to find parity for OPNsense are only supported by Gateway 2 (Gw2) / Generation 2 and higher in Azure. The cost difference for me for my own use is approx. £28 a month for Gw1 and £68 for 4 days on Gw2 (which quickly exhausted my spending limits).
I can revert to using Legacy for now but I'm concerned that this will be deprecated / removed at some point.