IPsec S2S with Azure VPN Gateway Basic SKU - IKE Proposal

Started by flyingbird76, February 09, 2025, 01:52:16 PM

Hi there,

I've been using a route-based IPsec S2S tunnel with Azure VPN Gateway (Basic SKU) for a while now. It's been working great, but I recently upgraded to version 25.1 and thought it was a good idea to switch to the new IPsec connections. I'm worried that the legacy tunnel settings might become deprecated soon, so I wanted to make the switch before it's too late.

I'm using the Basic SKU for Azure VPN, so I can't customise the IKE policies on the Azure side. I'm stuck with the settings that Microsoft allows by default.

I've tried setting up the new connection, but I keep getting an error saying that there are no valid IKE proposals available. Azure says that the following proposals are available:

IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

None of these proposals are available when I use the new IPsec connections, but they are available in the legacy tunnel settings.

Is it possible to add these proposals to OPNsense? If so, does anyone know how to do it?

Thanks a bunch!
FB

Update.... got it sorted. I had to create the connection using an override.conf file in /usr/local/etc/swanctl/conf.d

This allowed me to set the required proposal. Only minor drawback is the connection doesn't show up in the UI.

Tunnel is now up and I can route traffic from LAN to Azure, but not Azure to LAN :-(
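As an added illustration (not flyingbird76's actual override file), the script below translates the six IKE proposals that Azure's Basic SKU error message lists into strongSwan/swanctl proposal notation, orders them strongest-first, and prints a `proposals =` line for a connection in a conf.d override. The strongSwan keyword names (aes256, sha256, modp1024, prfsha1 ...) are standard swanctl syntax; the file name and path are the ones the post mentions, and the preference ordering is my own choice.

```python
# Added example: convert Azure Basic SKU IKE proposal strings (as quoted in the
# thread) to strongSwan swanctl proposal notation for an OPNsense override file.

# Constructed input: the six proposals Azure reported as available.
AZURE_PROPOSALS = """
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
"""

# Azure algorithm identifiers -> strongSwan keywords.
ENC = {"AES_CBC_256": "aes256", "AES_CBC_128": "aes128", "3DES_CBC": "3des"}
INTEG = {"HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256"}
PRF = {"PRF_HMAC_SHA1": "prfsha1", "PRF_HMAC_SHA2_256": "prfsha256"}
DH = {"MODP_1024": "modp1024"}

# Preference order: AES-256 over AES-128 over 3DES, SHA-256 over SHA-1. Every
# Basic SKU entry uses MODP_1024 (DH group 2), so the DH group cannot be raised.
ENC_RANK = {"aes256": 0, "aes128": 1, "3des": 2}
INTEG_RANK = {"sha256": 0, "sha1": 1}


def to_swanctl(line):
    """Turn 'IKE:enc/integ/prf/dh' into 'enc-integ[-prf]-dh'.
    strongSwan derives the PRF from the integrity algorithm by default, so an
    explicit prf keyword is only emitted when Azure's PRF differs from it."""
    enc, integ, prf, dh = line.split(":", 1)[1].split("/")
    parts = [ENC[enc], INTEG[integ]]
    if PRF[prf] != "prf" + INTEG[integ]:
        parts.append(PRF[prf])
    parts.append(DH[dh])
    return "-".join(parts)


def rank(proposal):
    enc, integ = proposal.split("-")[:2]
    return (ENC_RANK[enc], INTEG_RANK[integ])


def swanctl_proposals(text):
    """Comma-separated, strongest-first proposal list for a swanctl connection."""
    props = [to_swanctl(l.strip()) for l in text.strip().splitlines() if l.strip()]
    return ",".join(sorted(props, key=rank))


if __name__ == "__main__":
    # Paste this line into the connection block of
    # /usr/local/etc/swanctl/conf.d/override.conf (path taken from the post).
    print("proposals = " + swanctl_proposals(AZURE_PROPOSALS))
```

Since strongSwan tries the proposals in the order given, listing aes256-sha256-modp1024 first means the tunnel negotiates the best option Azure's Basic SKU offers rather than 3DES or SHA-1.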


We had exactly the same problem with a new OPNsense setup. I settled with using the legacy Tunnel Settings.

Having the same worries, that the legacy Interface will be deprecated at some point, it would be great to have an Azure Basic SKU compatible proposal available in Connections.

Is there a reason why it was changed from the more flexible way of setting the parameters (encryption, hash, dh) separately to these predefined combinations?
Besides missing combinations, I personally find it more inconvenient to find the desired combination in that huge list of options.