[Solved] Azure IPsec Basic VNG with Non-Legacy Connection

Started by Aergan, November 22, 2023, 12:10:31 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
November 22, 2023, 12:10:31 PM Last Edit: December 02, 2023, 11:03:48 PM by Aergan
Hi there,

I've found that Azure Virtual Network Gateway configured as Basic SKU / Gateway 1 is incompatible with any of the options present in the new method of IKE proposals:

Azure Basic Gateway 1 (Gw1) / Generation 1
QuoteIKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

OPNsense default internal
Quote
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048

Annoyingly, custom IKE policies to find parity for OPNsense are only supported by Gateway 2 (Gw2) / Generation 2 and higher in Azure. The cost difference for me for my own use is approx. £28 a month for Gw1 and £68 for 4 days on Gw2 (which quickly exhausted my spending limits).

I can revert to using Legacy for now but I'm concerned that this will be deprecated / removed at some point.
November 24, 2023, 12:22:58 AM #1
I see AES256 / SHA256 no PRF was added to the list of proposals with the latest update.

Would it be possible to please add:
QuoteIKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
November 26, 2023, 03:02:23 AM #2 Last Edit: November 26, 2023, 06:54:00 PM by allan
This might be a regional difference, but I just checked my portal and I am running on Generation 1 and SKU VpnGw1. I have the following parameters configured - OPNsense 23.7.8_1. This is under the new Connections GUI.

  • Proposals: aes256-sha384-ecp384 [DH20, NIST EC]
  • Version: IKEv2
  • MOBIKE: checked
  • Rekey time: 28800
  • DPD delay: 45
  • sha256_96: unchecked
  • Mode: Tunnel
  • Policies: checked
  • Start action: Trap+start
  • DPD action: Clear
  • ESP proposals: default
  • Rekey time: 3600

I hope this helps.

Update: I just remembered that I also set a custom IPsec/IKE policy on the Azure side. It is under the Connection resource > Configuration (same resource where you set the preshared key). I also added the rekey times under the Advanced setting above.

I have the following there:
IKE Phase 1

  • Encryption: AES256
  • Integrity/PRF: SHA384
  • DH Group: ECP384

IKE Phase 2(IPsec)

  • IPsec Encryption: GCMAES256
  • IPsec Integrity: GCMAES256
  • PFS Group: None


  • IPsec SA lifetime in KiloBytes: 0
  • IPsec SA lifetime in seconds: 3600
  • Use policy based traffic selector: Enable
  • DPD timeout in seconds: 45
  • Connection Mode: Default
  • Use custom traffic selectors: Disabled
  • IKE Protocol: IKEv2

I basically followed the Suite-B-GCM-256 specification in RFC6379 to maximize compatibility with third-party devices.
November 26, 2023, 04:15:19 AM #3
It doesn't appear to be in my offers (UK South) but I'll give it a try in a few days when my balance resets for December. Thanks for taking the time to post 👍
November 26, 2023, 06:28:23 PM #4
Your comment made me remember that I tweaked the Azure Connection resource. You're correct; it was not part of the standard Azure proposals. I updated my post with that information. It has been some time since I set all this up.
November 28, 2023, 05:12:43 AM #5
Ta for the update
Could you confirm this was on the Basic SKU / Azure GW1 please? From what I have access to, custom IPSec/IKE are only available starting from Azure GW2
November 28, 2023, 07:23:23 PM #6
It shows my SKU to be GW1. It is definitely not Basic so that might be the difference.

Code Select

SkuText  : {
        "Capacity": 2,
        "Name": "VpnGw1",
        "Tier": "VpnGw1"
        }
December 01, 2023, 08:49:38 AM #7
Basic has gone from mine after setting it up again from scratch, so I assume it was a legacy/grandfathered configuration within my Azure tenant. I can set custom policy now. :)

I followed your settings and all is working - many thanks!

For the Phase 2 proposals, could you supply what you have selected exactly please as I wasn't able to find
QuoteIKE Phase 2(IPsec)
IPsec Encryption: GCMAES256
IPsec Integrity: GCMAES256
PFS Group: None

I have left it as default which in the logs has selected
Quoteselected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
December 01, 2023, 05:02:28 PM #8
That great! For Phase 2, I have the settings you quoted (GCMAES256-GCMAES256-None) set on Azure, and "default" for ESP Proposals in OPNsense. Every thing else on that dropdown specifies a PFS Group. If you are not using PFS, "default" is your only option.
December 02, 2023, 11:03:02 PM #9
Excellent, thanks! 👍
Print
Go Up Pages1
User actions