Azure IPsec Strongswan

Started by msmarcapo, February 13, 2025, 04:44:25 PM

Hello,
we want to set up a route-based IPsec site-to-site VPN to Azure from our OPNsense 24.7.7 with the new strongSwan config.
Unfortunately we have some major problems. Azure and OPNsense show the connection as established, but we can't send traffic successfully between the networks.
It seems to us that the problem is that the Azure gateway's tunnel local address (169.254.0.2) isn't reachable from our OPNsense.

The really weird thing we noticed is this: if we disable the VTI, we can successfully send traffic over the VPN, even if we disable the route and gateway, as long as we keep the IPsec service enabled. If we stop the service, we can't send traffic through. If we restart the service, it works again. In addition, we noticed a packet loss of 30%.
How can this be possible?!



Our topology looks like this:
Local Side = Opnsense
Local Network: 192.168.18.0/25
Azure Network: 10.100.2.0/24
Tunnel Network: 169.254.0.0/30

Here are screenshots of our configuration:



Here is the output from the OPNsense:
root@firewall-02:~ # netstat -rn | grep 10.100.
10.100.2.0/24      169.254.0.2        UGS      ipsec1

root@firewall-02:~ # netstat -rn | grep 169.
10.100.2.0/24      169.254.0.2        UGS      ipsec1
169.254.0.1        link#7             UHS         lo0
169.254.0.2        link#32            UH       ipsec1

root@firewall-02:~ # ping 169.254.0.2
PING 169.254.0.2 (169.254.0.2): 56 data bytes
^C
--- 169.254.0.2 ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss



root@firewall-02:~ # ipsec statusall
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
Status of IKE charon daemon (strongSwan 5.9.14, FreeBSD 14.1-RELEASE-p5, amd64):
  uptime: 4 hours, since Feb 13 11:40:49 2025
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
XXXX
Connections:
36c26b9b-2e4d-4d06-adab-748b1534ed2b:  our public ip...azure public ip  IKEv2
36c26b9b-2e4d-4d06-adab-748b1534ed2b:   local:  uses pre-shared key authentication
36c26b9b-2e4d-4d06-adab-748b1534ed2b:   remote: uses pre-shared key authentication
90a2b6c9-8228-4a19-878f-44ef0772cb85:   child:  192.168.18.0/25 === 10.100.2.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
36c26b9b-2e4d-4d06-adab-748b1534ed2b[3]: ESTABLISHED 49 minutes ago, our public ip[our public ip]...azure public ip[azure public ip]
36c26b9b-2e4d-4d06-adab-748b1534ed2b[3]: IKEv2 SPIs: 1f3a277449d04e35_i* 6ba351ab189fc286_r, rekeying in 2 hours
36c26b9b-2e4d-4d06-adab-748b1534ed2b[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
90a2b6c9-8228-4a19-878f-44ef0772cb85{8}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c35d318e_i 127bdf6e_o
90a2b6c9-8228-4a19-878f-44ef0772cb85{8}:  AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 261156 bytes_i (3109 pkts, 1s ago), 520556 bytes_o (3337 pkts, 1s ago), rekeying in 9 minutes
90a2b6c9-8228-4a19-878f-44ef0772cb85{8}:   192.168.18.0/25 === 10.100.2.0/24



Further Config
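An added diagnostic, not part of the original post: a small POSIX shell check that takes the values quoted above (the VTI route's gateway 169.254.0.2 and the child SA selectors 192.168.18.0/25 === 10.100.2.0/24) and tests whether the VTI gateway falls inside any installed traffic selector. The sample values are constructed from the post's own output; the script's message assumes the tunnel is the FreeBSD if_ipsec VTI shown as ipsec1.

```shell
#!/bin/sh
# Does the VTI gateway address fall inside the child SA's traffic selectors?
# If not, packets routed into ipsec1 toward it match no SPD entry and are
# dropped, which is consistent with the 100% ping loss to 169.254.0.2 above.

# ip2int DOTTED-QUAD -> prints the 32-bit integer value
ip2int() {
  a=${1%%.*}; r=${1#*.}
  b=${r%%.*};  r=${r#*.}
  c=${r%%.*};  d=${r#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NET/BITS -> exit 0 if ADDR lies inside NET/BITS
in_cidr() {
  addr=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# ts_covers GATEWAY TS... -> exit 0 if any selector covers the gateway
ts_covers() {
  gw=$1; shift
  for ts in "$@"; do
    if in_cidr "$gw" "$ts"; then return 0; fi
  done
  return 1
}

# Constructed from the post: netstat shows 10.100.2.0/24 via 169.254.0.2 on
# ipsec1, and the child SA carries 192.168.18.0/25 === 10.100.2.0/24.
VTI_GW=169.254.0.2
REMOTE_TS="10.100.2.0/24"

if ts_covers "$VTI_GW" $REMOTE_TS; then
  echo "$VTI_GW is inside the child SA selectors; the tunnel address is reachable via ESP"
else
  echo "$VTI_GW is outside the child SA selectors ($REMOTE_TS):"
  echo "  traffic routed into ipsec1 toward it matches no SA and is dropped."
  echo "  A route-based (VTI) child SA normally uses 0.0.0.0/0 === 0.0.0.0/0,"
  echo "  which covers both the tunnel /30 and the routed subnets."
fi
```

Run it on the firewall with the live values substituted (the remote selector from `ipsec statusall`, the gateway from `netstat -rn`) to confirm whether the selector mismatch is what blocks the tunnel address.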