OPNsense firewall in Azure - traffic not able to pass site2site IPsec connection
Topic: OPNsense firewall in Azure - traffic not able to pass site2site IPsec connection
mkonecny (Newbie)
Posted on: March 16, 2022, 05:10:18 pm
I'm currently testing an Azure environment with an OPNsense firewall for external communication. The OPNsense was deployed by https://github.com/dmauser/opnazure/ with two network interfaces. The initial configuration with Let's Encrypt WebGUI certificate was successful and the appliance is accessible by external interface and WebGUI. After creating a site2site IPsec tunnel between the OPNsense and another external firewall the tunnel is successfully coming up, but it's not possible to access internal resources behind the OPNsense. We are running a lot of site2site IPsec connections on virtual OPNsense appliances (Hyper-V, ESX) without any problems and a similar Azure environment with Sophos XG is working properly. Any ideas about the reason for this issue?
Thanks and regards, Mike
schnipp (Sr. Member)
Reply #1 on: March 17, 2022, 10:12:44 pm
According to the deployment diagram your NSG is only configured for incoming traffic on TCP ports 22 and 443. For IPsec connections you need UDP port 500 for ISAKMP and ESP for the tunnel (respectively UDP port 4500 when using NAT-T for the tunnel).
OPNsense 24.7.1-amd64
mkonecny (Newbie)
Reply #2 on: March 18, 2022, 10:07:33 pm
I've configured on the WAN interface the standard three rules - 500 (ISAKMP), 4500 (NAT-T), ESP - and the tunnel is coming up properly. The behaviour is quite strange - the traffic can pass the tunnel in direction from OPNsense to the external firewall (Sophos UTM). From Sophos UTM towards OPNsense the traffic is not able to pass the tunnel. I can neither access the WebGUI nor resources behind the OPNsense.
schnipp (Sr. Member)
Reply #3 on: March 20, 2022, 11:59:12 am
Configuring the WAN interface and port forwarding is not enough. As I had already mentioned, please check the configuration of the network security group.
BTW, what is the intended use of such a setup as depicted in the drawing? I do not recommend applying the same NSG to the untrusted and trusted subnet. Furthermore, it is not a good idea that SSH and WebGUI are directly accessible over the internet (especially with such a creepy password).
OPNsense 24.7.1-amd64
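A small check of an Azure NSG's inbound rules against what a site-to-site IPsec peer needs, as an added example illustrating Reply #1 and Reply #3 (not code from the thread or from the opnazure project; the rule names and priorities are constructed, and source address prefixes are ignored):

```python
from dataclasses import dataclass

@dataclass
class NsgRule:
    name: str
    priority: int     # Azure evaluates the lowest number first; the first match wins
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp", "Esp", "Ah" or "*"
    dest_ports: str   # "443", "500-4500", "22,443" or "*" (ESP/AH carry no port)

# Inbound rules as the thread describes the deployment: only SSH and HTTPS open
# (constructed for this example; rule names and priorities are assumptions).
INBOUND_AS_DEPLOYED = [
    NsgRule("allow-ssh", 100, "Allow", "Tcp", "22"),
    NsgRule("allow-https", 110, "Allow", "Tcp", "443"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*"),  # Azure default rule
]

# The same NSG with the rules a site-to-site IPsec peer needs: IKE, NAT-T and ESP.
INBOUND_WITH_IPSEC = INBOUND_AS_DEPLOYED[:2] + [
    NsgRule("allow-ike", 120, "Allow", "Udp", "500"),
    NsgRule("allow-nat-t", 130, "Allow", "Udp", "4500"),
    NsgRule("allow-esp", 140, "Allow", "Esp", "*"),
] + INBOUND_AS_DEPLOYED[2:]

# Flows the peer must reach on the OPNsense WAN side (protocol, destination port).
IPSEC_FLOWS = [("Udp", 500), ("Udp", 4500), ("Esp", None)]

def _port_matches(port_range, port):
    """True if port falls in an Azure-style range such as "22,500-4500"."""
    if port_range == "*" or port is None:
        return True
    for part in port_range.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def first_match(rules, protocol, port):
    """Return the rule Azure would apply to this flow (source prefixes ignored)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol in ("*", protocol) and _port_matches(rule.dest_ports, port):
            return rule
    return None

def blocked_ipsec_flows(rules):
    """Flows in IPSEC_FLOWS the NSG denies; any entry means the tunnel cannot work."""
    hits = {flow: first_match(rules, *flow) for flow in IPSEC_FLOWS}
    return [flow for flow, hit in hits.items() if hit is None or hit.access != "Allow"]
```

Feeding in a rule set with a mistyped port (for example 5400 instead of 4500) reports that one flow as blocked, which is the kind of transposed-digit mistake the thread ends on.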
mkonecny (Newbie)
Reply #4 on: March 25, 2022, 12:36:51 pm
I have found the reason for this problem: I had transposed digits in the firewall rule for incoming IPsec traffic. The rest was ok - now the traffic is passing the tunnel in both directions.