
Azure Route-Based IPsec rekey issue


FingerlessGloves:
Hi Guys,

I've configured an IPsec S2S tunnel to Azure and I'm having issues at rekey. I've double checked my settings and they all match what they should be set to. We have another IPsec tunnel with the same settings to another firewall vendor and the settings work fine, so I know there's something not quite right on the OPNsense side.

I've noticed that during the rekey I end up getting "integrity check failed" messages in the IPsec log of OPNsense.

I've got the tunnel set up using AES256-GCM for both phase 1 and phase 2. Luckily the tunnel restarts eventually and comes back up for the lifetime of the SAs; then the rekey happens, fails, and the tunnel restarts again after some "integrity check failed" messages. This causes about 2-3 minutes during which no traffic passes.

Has anyone got any experience using AES-GCM with IPsec to Azure?

I shall attach my OPNsense settings, in case the issue is obvious to someone when they look at them.
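The symptom described above (a rekey followed by a burst of "integrity check failed" messages and a few minutes of lost traffic) is easy to miss in a busy IPsec log. The script below is an added example, not part of the original post or of OPNsense: it parses charon-style syslog lines, correlates each "rekeying CHILD_SA" with the integrity failures that follow it and with the point at which a CHILD_SA is established again, and reports the outage length per connection. The log lines, hostnames, addresses, SA names and SPIs are constructed for the example; the exact wording of the log messages is an assumption about the strongSwan format and may need adjusting to your own log.

```python
"""Detect failed IPsec rekeys in charon-style logs (added example, not from the thread)."""
import re
from datetime import datetime

# Syslog prefix followed by a strongSwan charon message; the connection name is
# taken from the "<name|ike-id>" tag. Message wording is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ charon\[\d+\]: "
    r"\d+\[[A-Z]+\] <(?P<conn>[^|>]+)\|\d+> (?P<msg>.*)$"
)

# Constructed sample log: one connection ("azure") whose rekey fails, one
# ("other") whose rekey succeeds immediately. Addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 23 10:00:00 fw charon[1234]: 12[IKE] <azure|5> CHILD_SA azure{7} established with SPIs c1234567_i c7654321_o
Sep 23 10:30:00 fw charon[1234]: 05[IKE] <other|2> rekeying CHILD_SA other{3}
Sep 23 10:30:00 fw charon[1234]: 05[IKE] <other|2> CHILD_SA other{4} established with SPIs c0000001_i c0000002_o
Sep 23 10:58:10 fw charon[1234]: 07[IKE] <azure|5> rekeying CHILD_SA azure{7}
Sep 23 10:58:11 fw charon[1234]: 07[IKE] <azure|5> integrity check failed
Sep 23 10:58:13 fw charon[1234]: 09[IKE] <azure|5> integrity check failed
Sep 23 10:58:20 fw charon[1234]: 09[IKE] <azure|5> integrity check failed
Sep 23 10:58:40 fw charon[1234]: 11[IKE] <azure|5> deleting IKE_SA azure[5] between 203.0.113.1[203.0.113.1]...198.51.100.2[198.51.100.2]
Sep 23 11:01:05 fw charon[1234]: 14[IKE] <azure|6> IKE_SA azure[6] established between 203.0.113.1[203.0.113.1]...198.51.100.2[198.51.100.2]
Sep 23 11:01:05 fw charon[1234]: 14[IKE] <azure|6> CHILD_SA azure{8} established with SPIs c2345678_i c8765432_o
"""


def parse_line(line, year):
    """Return (timestamp, connection, message), or None for lines not in charon format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["conn"], m["msg"]


def find_rekey_outages(log_text, year=2022, min_failures=1):
    """Correlate each 'rekeying CHILD_SA' with later integrity failures and with
    the next 'CHILD_SA ... established' for the same connection.

    Returns one dict per failed rekey: connection name, rekey time, number of
    integrity failures, and outage length in seconds (from IKE_SA deletion, or
    from the rekey itself if no deletion was logged, to re-establishment)."""
    open_events = {}  # conn -> event being tracked since its last rekey
    outages = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw, year)
        if parsed is None:
            continue
        ts, conn, msg = parsed
        if msg.startswith("rekeying CHILD_SA"):
            open_events[conn] = {"conn": conn, "rekey_at": ts,
                                 "integrity_failures": 0, "down_from": None}
            continue
        ev = open_events.get(conn)
        if ev is None:
            continue  # nothing in progress for this connection
        if "integrity check failed" in msg:
            ev["integrity_failures"] += 1
        elif msg.startswith("deleting IKE_SA") and ev["down_from"] is None:
            ev["down_from"] = ts
        elif msg.startswith("CHILD_SA") and "established" in msg:
            start = ev["down_from"] or ev["rekey_at"]
            ev["up_at"] = ts
            ev["outage_seconds"] = int((ts - start).total_seconds())
            if ev["integrity_failures"] >= min_failures:
                outages.append(ev)
            del open_events[conn]  # clean rekeys are dropped silently
    return outages


if __name__ == "__main__":
    for ev in find_rekey_outages(SAMPLE_LOG):
        print(f"{ev['conn']}: rekey at {ev['rekey_at']:%H:%M:%S}, "
              f"{ev['integrity_failures']} integrity failures, "
              f"tunnel down {ev['outage_seconds']}s")
```

Feeding the real log in (for example the output of the IPsec log view saved to a file) gives a per-rekey outage table, which is a more reliable way to confirm that a settings change (such as disabling reauthentication) actually stopped the failures than watching for the next drop by hand.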

danderson:
I've had the same issue with the remote end being a Cisco ASA. I use DPD and it restarts in under a minute, PITA though.

amichel:
Hi,
In my case I use different settings.
In Phase 1 I use "default" as the connection method instead of "response only".
In Phase 2 I use SHA256 as the hash algorithm; you use none.
My Azure Settings are attached. Hope that helps

FingerlessGloves:

--- Quote from: amichel on September 23, 2022, 11:05:27 pm ---Hi,
In my case I use different settings.
In Phase 1 I use "default" as the connection method instead of "response only".
In Phase 2 I use SHA256 as the hash algorithm; you use none.
My Azure Settings are attached. Hope that helps

--- End quote ---

I've changed from AES-GCM to AES, to see if that's the problem.

FingerlessGloves:
I've disabled reauth, and so far no rekey issues.
