OPNsense firewall in Azure - traffic not able to pass site2site IPsec connection

Started by mkonecny, March 16, 2022, 05:10:18 PM

I'm currently testing an Azure environment with an OPNsense firewall for external communication. The OPNsense was deployed by https://github.com/dmauser/opnazure/ with two network interfaces. The initial configuration with a Let's Encrypt WebGUI certificate was successful and the appliance is accessible by the external interface and WebGUI. After creating a site2site IPsec tunnel between the OPNsense and another external firewall, the tunnel is successfully coming up, but it's not possible to access internal resources behind the OPNsense. We are running a lot of site2site IPsec connections on virtual OPNsense appliances (Hyper-V, ESX) without any problems, and a similar Azure environment with Sophos XG is working properly. Any ideas about the reason for this issue?

Thanks and regards, Mike

According to the deployment diagram your NSG is only configured for incoming traffic on TCP ports 22 and 443. For IPsec connections you need UDP port 500 for ISAKMP and ESP for the tunnel (respectively UDP port 4500 when using NAT-T for the tunnel).
OPNsense 24.7.11_2-amd64

I've configured on the WAN interface the standard three rules - 500 (ISAKMP), 4500 (NAT-T), ESP - and the tunnel is coming up properly. The behaviour is quite strange - the traffic can pass the tunnel in the direction from OPNsense to the external firewall (Sophos UTM). From Sophos UTM towards OPNsense the traffic is not able to pass the tunnel. I can neither access the WebGUI nor resources behind the OPNsense.

Configuring the WAN interface and port forwarding is not enough. As I had already mentioned, please check the configuration of the network security group.

BTW what is the intended use of such a setup as depicted in the drawing? I do not recommend applying the same NSG to the untrusted and trusted subnet. Furthermore, it is not a good idea that SSH and WebGUI are directly accessible over the internet (especially with such a creepy password). :'(
OPNsense 24.7.11_2-amd64
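The two replies above boil down to one check: does the NSG in front of the OPNsense WAN interface actually admit the three inbound IPsec flows (UDP 500, UDP 4500, ESP), and is none of them shadowed by a higher-priority deny? The following is an added example, not code from the thread or from the opnazure project: a small validator over NSG rules modelled as plain dicts. The field names (`priority`, `direction`, `access`, `protocol`, `destinationPortRanges`) are loosely modelled on `az network nsg rule list` output and are an assumption; the sample rule sets are constructed, including a NAT-T rule with transposed digits like the mistake the original poster later found.

```python
# Added example (not from the thread): validate an Azure NSG rule set for the
# inbound flows a site-to-site IPsec tunnel needs. Rule dicts are an assumed
# shape loosely based on `az network nsg rule list` output.

REQUIRED_FLOWS = {
    "ISAKMP": ("udp", 500),   # IKE negotiation
    "NAT-T":  ("udp", 4500),  # IKE/ESP encapsulated in UDP when NAT is in the path
    "ESP":    ("esp", None),  # IP protocol 50, no port number
}


def _port_in_range(port, port_range):
    """True if `port` falls inside an NSG port range ('*', '500' or '500-4500')."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-", 1))
        return lo <= port <= hi
    return int(port_range) == port


def rule_matches(rule, proto, port):
    """Does this NSG rule apply to the given protocol and destination port?"""
    r_proto = rule["protocol"].lower()
    if r_proto != "*" and r_proto != proto:
        return False
    if port is None:  # ESP carries no port, so any port range of an ESP/* rule matches
        return True
    return any(_port_in_range(port, pr) for pr in rule["destinationPortRanges"])


def check_ipsec_rules(rules):
    """Return {flow: verdict} for each required IPsec flow.

    Verdicts: 'allowed', 'denied by <rule name>' (a higher-priority deny
    shadows it) or 'missing' (no inbound rule covers it; the NSG default for
    traffic from the internet is deny)."""
    inbound = sorted((r for r in rules if r["direction"].lower() == "inbound"),
                     key=lambda r: r["priority"])  # lower number is evaluated first
    verdicts = {}
    for flow, (proto, port) in REQUIRED_FLOWS.items():
        verdict = "missing"
        for rule in inbound:
            if rule_matches(rule, proto, port):
                verdict = ("allowed" if rule["access"].lower() == "allow"
                           else f"denied by {rule['name']}")
                break  # first matching rule wins, as Azure evaluates NSGs
        verdicts[flow] = verdict
    return verdicts


def _rule(name, priority, protocol, ports, access="Allow"):
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "protocol": protocol, "destinationPortRanges": ports}


# Constructed sample: management-only NSG (TCP 22/443) plus an ISAKMP rule and a
# NAT-T rule whose port has transposed digits (4050 instead of 4500).
SAMPLE_NSG_RULES = [
    _rule("allow-ssh", 100, "Tcp", ["22"]),
    _rule("allow-https", 110, "Tcp", ["443"]),
    _rule("allow-isakmp", 120, "Udp", ["500"]),
    _rule("allow-natt-typo", 130, "Udp", ["4050"]),
]


def fixed_rules():
    """Constructed corrected set: NAT-T on the right port and ESP admitted."""
    return SAMPLE_NSG_RULES + [
        _rule("allow-natt", 140, "Udp", ["4500"]),
        _rule("allow-esp", 150, "Esp", ["*"]),
    ]


def shadowed_rules():
    """Constructed set where a broad deny sits ahead of the IPsec allows."""
    return [_rule("deny-all-udp", 105, "Udp", ["*"], access="Deny")] + fixed_rules()


if __name__ == "__main__":
    for label, rules in (("sample", SAMPLE_NSG_RULES),
                         ("fixed", fixed_rules()),
                         ("shadowed", shadowed_rules())):
        print(label, check_ipsec_rules(rules))
```

On the constructed sample the validator reports ISAKMP as allowed but NAT-T and ESP as missing, which is exactly the symptom in the thread: the tunnel may negotiate on UDP 500, yet ESP never arrives from the peer, so traffic only flows in the direction that does not depend on the missing inbound rule. Running it against an NSG export before debugging the OPNsense rules saves a round of guessing.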

I have found the reason for this problem: I had transposed digits in the firewall rule for incoming IPsec traffic. The rest was ok - now the traffic is passing the tunnel in both directions.