Trying to use Azure Global Secure Access

[derresh]

So im trying to work out using azure global secure access, it has a few interesting features we might use at work.

The problem is that it uses VPN settings that i can seem to set for phase 2

https://learn.microsoft.com/en-us/entra/global-secure-access/reference-remote-network-configurations

How can i put in the Ph2 settings ? integrity of GCMASE128/192/256 dose not seem to be a option in OpnSense.

[netnut]

Try this in Phase2:

Code: [Select]

aes128gcm16 or

Code: [Select]

aes256gcm16
See also:
https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html

[derresh]

I can set it as the first part, so encryption, for integrity i can only select sha1/sha256/shar384/sha512/aex-xcbc

And form what i understand this has to also be aes256gcm16, when i set it to anything else its no traffic then.

I did it for testing to null/sha265 and that works then correctly but then setting to no encryption is a sound idea.

[netnut]

I did it for testing to null/sha265 and that works then correctly but then setting to no encryption is a sound idea.

It is ;-)

But regarding your initial question, you're trying to use AESGCM, that's an AEAD cipher which has integrity built in so there's nothing to select (that's IPSec, not OPNsense). You could/should only select a PRF, quote from previous  link:

AEAD (Authenticated Encryption with Associated Data) algorithms can’t be combined with classic encryption ciphers in the same proposal. No separate integrity algorithm must be proposed and therefore Pseudo-Random Functions (PRFs) have to be included explicitly in such proposals.

For reference, we use the following two p1/p2 combo's with AESGCM (at one site OPNsense)

Confidential:

Code: [Select]

P1: aes128gcm16-sha384-x25519
P2: aes128gcm16-x25519

Secret:

Code: [Select]

P1: aes256gcm16-sha512-x448
P2: aes256gcm16-x448

PS:

Did a quick read of your linked doc, if I read it correctly your problem isn't AESGCM, looks like there are people in Redmond that smoked some "weird" stuff: They do AESGCM with DHGroup24 (modp2048s256) by default.
I can't see any OpenSSL support for this DH group (see previous link). If it did, Strongswan recommends to disable this group (and others):

The following cryptographic algorithms are weak and prone to attacks and therefore must not be used.
https://docs.strongswan.org/docs/5.9/howtos/securityRecommendations.html

EDIT:

So you might want to submit a feature request and ask for modern DH Groups based on EC (NIST / Brainpool / Curve25119+448) or use "Combination 5" from your link with AES256-SHA256-DHGROUP2, but that's even more weird.

Looks like they support EC DH groups with some custom configuration (non Default). I don't know how you configure this stuff at the Microsoft side, but from OPNsense you could try the following two combo's for P1 & P2. Added the Enums for reference, but I'm also don't have a clue where these refer to ;-).

Option 1

Code: [Select]

P1: aes128gcm16-sha256-ecp256 [Enum 3/1/2]
P2: aes128gcm16-ecp256 [Enum 0/0/4]

Option 2

Code: [Select]

P1: aes256gcm16-sha384-ecp384 [Enum 4/1/3]
P2: aes256gcm16-ecp384 [Enum 2/2/5]

Really like to hear your results, interesting use-case which could become widly used if it's out of tech preview

[derresh]

Hello, So yes im not a expert in IPSec, but i know microsoft is wierd with this, especially with DH24, that seems to be considered insecure.

I managed to configure this set

P1: aes128gcm16-sha256-ecp256 [Enum 3/1/2]
P2: aes128gcm16-ecp256 [Enum 0/0/4]

Now i cant get the tunnel to start it errors out with this

Informational   charon   09[IKE] <84c349bc-f7a4-4267-b8c7-c6f94b98aefb|1352> received MS_NOTIFY_STATUS notify error   
Informational   charon   09[ENC] <84c349bc-f7a4-4267-b8c7-c6f94b98aefb|1352> parsed IKE_AUTH response 1 [ N(MS_STATUS(87)) ]

I am trying to use the new Connections interface to get this setup, so i might be doing something wrong with that one. But at least its not giving me now no proposlas errors, so I assume that part is correct now.

[netnut]

But at least its not giving me now no proposlas errors, so I assume that part is correct now.

That's nice!

You probably need to provide some more details about your config to say something useful. Those cryptic Microsoft error codes doesn't make much sense.

https://docs.strongswan.org/docs/5.9/interop/microsoftStatusNotify.html

[mimugmail]

Doesnt the custom setting state that there is no limitation to PFS?

[derresh]

Doesnt the custom setting state that there is no limitation to PFS?

With a *, * is whats on the dropdown, there is a choice of a few decent ones like ecp256, but it also lets you do things that i would consider irresponsible like DH2

That's nice!

You probably need to provide some more details about your config to say something useful. Those cryptic Microsoft error codes doesn't make much sense.

https://docs.strongswan.org/docs/5.9/interop/microsoftStatusNotify.html

So basically, typical microsoft error,

So for my configuration,
I am attempting to use the new connections menu, so thats what I am going for,

The attachment is what i setup on Azure side, they later on give me a XML with information on what the endpoint is, i set up a tunnel PH1, with the settings, then i add PSK validation, followed by setting up the PH2 and then a VTI tunel (i make sure to uncheck the policy install)

I can provide screenshots on the weekend when i get back home.

I really see interesting potential in this system, as I do have E5 licenses, i can just use this as a work form home access to certin company resources if i can get this working

as it will in the future even support UDP, i can possibly use this to access some on prem licensing systems ect and only have my firewall have a IPSec to direct VPNs to my end users and have to accept %any on the connections for vpn.

[derresh]

Update,

My inexperience with VTI tunnels shows, so... i tried using the old interface, saw that it made that both side of the PH2 ware 0.0.0.0/0 so i set it to that in connection and it dose connect tho now i have one way traffic

This is usually when something is wrong with the PH2 encryption settings since i had that before i did the insecure NA/SHA256 setting on PH2.

I do get this error in the logs now

<|1844> querying policy 0.0.0.0/0 === 0.0.0.0/0 out failed, not found

[netnut]

<|1844> querying policy 0.0.0.0/0 === 0.0.0.0/0 out failed, not found

So I guess your intial question is solved and the AESGCM proposals are being accepted.

Again, it helps if you provide some more info than just a single logline.

What did you configure ?
Did you applied all steps from the docs? : https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html
Did you set the suggested tunables ?
Old or New style configuration with OPNsense ?
etc