Site-to-site IPsec VTI VPN between Azure and OPNsense: tunnel UP but no traffic

Started by tchoufang, August 08, 2025, 08:18:46 PM

Hello,
I'm stuck on a site-to-site IPsec VPN configuration in VTI (route-based) mode between Azure and an OPNsense firewall. The tunnel is up and active, but no traffic passes (ping, SSH, etc.).

Configuration context:
Azure side:
VNet: 10.1.0.0/16
Subnet: 10.1.0.0/24, GatewaySubnet: 10.1.1.0/24
Azure VPN Gateway: active/active, route-based, IKEv2
IPs: 4.178.211.95 and 4.178.242.10
UDR routes: OK, associated with the subnet
Azure-generated file: used

OPNsense side:
WAN IP: 176.165.131.115
LANs: 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24
VTI IPsec tunnel: active, with an auto-created virtual interface
VTI IPs: 169.254.21.1 <-> 169.254.21.2
Static route to 10.1.0.0/16 via 169.254.21.2
Gateway defined
Firewall rules configured to allow the traffic
No NAT

Symptoms:
Tunnel up, charon/IKE logs OK
No ping to Azure or from Azure
No packets transit the VTI interface
Unable to assign an IP manually to the VTI interface

Thanks in advance for any help.

Below is the Azure file:

! Microsoft Corporation
! ------------------------------------------------------------------------------
! Sample VPN tunnel configuration template for Cisco IOS-based devices
!
! ##############################################################################
! !!! Search for "REPLACE" to find the values that require special
! !!! considerations
! !!!
! !!! (1) ACL/access-list rule numbers
! !!! (2) Tunnel interface number
! !!! (3) Tunnel interface IP address
! !!! (4) BGP routes to advertise (if BGP is enabled)
! !!! (5) BGP peer IP address on the device - loopback interface number
! ##############################################################################
!
!
! [0] Device information
!
!   > Device vendor:    Cisco
!   > Device family:    IOS-based (ASR, ISR)
!   > Firmware version: IOS 15.1 or beyond
!   > Test platform:    Cisco ISR 2911, version 15.2
!
! [1] Network parameters
!
!   > Connection name:       VNet1toSite1
!   > VPN Gateway name:      51c20034-46ea-4072-91c5-894348cc58f6
!   > Public IP addresses:   
!     + Public IP 1:         4.178.211.95
!     + Public IP 2:         4.178.242.10
!   > Virtual network address space:
!     + CIDR: 10.1.0.0/16
!       - Prefix:   10.1.0.0
!       - Netmask:  255.255.0.0
!       - Wildcard: 0.0.255.255
!   > Local network gateway: Site1
!   > On-premises VPN IP:    176.165.131.115
!   > On-premises address prefixes:
!     + CIDR: 192.168.10.0/24
!       - Prefix:   192.168.10.0
!       - Netmask:  255.255.255.0
!       - Wildcard: 0.0.0.255
!     + CIDR: 192.168.20.0/24
!       - Prefix:   192.168.20.0
!       - Netmask:  255.255.255.0
!       - Wildcard: 0.0.0.255
!     + CIDR: 192.168.30.0/24
!       - Prefix:   192.168.30.0
!       - Netmask:  255.255.255.0
!       - Wildcard: 0.0.0.255
!
! [2] IPsec/IKE parameters
!
!   > IKE version:             IKEv2
!     + Encryption algorithm:  aes-cbc-256
!     + Integrity algorithm:   sha1
!     + Diffie-Hellman group:  2
!     + SA lifetime (seconds): 3600
!     + Pre-shared key:        abc123
!     + UsePolicyBasedTS:      False
!
!   > IPsec
!     + Encryption algorithm:  esp-gcm 256
!     + Integrity algorithm:   
!     + PFS Group:             none
!     + SA lifetime (seconds): 3600
!
! [3] BGP parameters - Azure VPN gateway
!
!   > Azure virtual network
!     + Enable BGP:            False
!     + Azure BGP ASN:         VNG_ASN
!   > On-premises network / LNG
!     + On premises BGP ASN:   LNG_ASN
!     + On premises BGP IP:    LNG_BGPIP
!
! ------------------------------------------------------------------------------
! ACL rules
!
! Some VPN devices require explicit ACL rules to allow cross-premises traffic:
!
! 1. Allow traffic between on premises address ranges and VNet address ranges
! 2. Allow IKE traffic (UDP:500) between on premises VPN devices and Azure VPN gateway
! 3. Allow IPsec traffic (Proto:ESP) between on premises VPN devices and Azure VPN gateway

access-list 101 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 101 permit ip 192.168.30.0 0.0.0.255 10.1.0.0 0.0.255.255

! ==============================================================================
! Internet Key Exchange (IKE) configuration
! - IKE Phase 1 / Main mode configuration
! - Encryption/integrity algorithms, Diffie-Hellman group, pre-shared key

crypto ikev2 proposal VNet1toSite1-proposal
  encryption aes-cbc-256
  integrity  sha1
  group      2
  exit

crypto ikev2 policy VNet1toSite1-policy
  proposal VNet1toSite1-proposal
  match address local 176.165.131.115
  exit
 
crypto ikev2 keyring VNet1toSite1-keyring
  peer 4.178.211.95
    address 4.178.211.95
    pre-shared-key abc123
    exit
  peer 4.178.242.10
    address 4.178.242.10
    pre-shared-key abc123
    exit
  exit

crypto ikev2 profile VNet1toSite1-profile
  match address  local 176.165.131.115
  match identity remote address 4.178.211.95 255.255.255.255
  match identity remote address 4.178.242.10 255.255.255.255
  authentication remote pre-share
  authentication local  pre-share
  lifetime       3600
  keyring local  VNet1toSite1-keyring
  exit

! ------------------------------------------------------------------------------
! IPsec configuration
! - IPsec (or IKE Phase 2 / Quick Mode) configuration
! - Transform Set: IPsec encryption/integrity algorithms, IPsec ESP mode

crypto ipsec transform-set VNet1toSite1-TransformSet esp-gcm 256
  mode tunnel
  exit

crypto ipsec profile VNet1toSite1-IPsecProfile
  set transform-set  VNet1toSite1-TransformSet
  set ikev2-profile  VNet1toSite1-profile
  set security-association lifetime seconds 3600
  exit

! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
!   other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface number and APIPA IP address below
! * In active-active configuration, there will be two tunnel interfaces below

int tunnel 11
  ip address 169.254.0.1 255.255.255.252
  tunnel mode ipsec ipv4
  ip tcp adjust-mss 1350
  tunnel source 176.165.131.115
  tunnel destination 4.178.211.95
  tunnel protection ipsec profile VNet1toSite1-IPsecProfile
  exit

int tunnel 12
  ip address 169.254.0.2 255.255.255.252
  tunnel mode ipsec ipv4
  ip tcp adjust-mss 1350
  tunnel source 176.165.131.115
  tunnel destination 4.178.242.10
  tunnel protection ipsec profile VNet1toSite1-IPsecProfile
  exit

! ------------------------------------------------------------------------------
! BGP configuration
! - BGP configuration if enabled for the connection
! * REPLACE: Loopback interface number(s)
! * REPLACE: Local routes and netmasks to advertise - LOCAL_ROUTE and LOCAL_MASK


! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s)

ip route 10.1.0.0 255.255.0.0 Tunnel 11
ip route 10.1.0.0 255.255.0.0 Tunnel 12
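As an added example (this is not code from the post, from Microsoft's template generator, or from OPNsense), the script below parses the Azure-generated template above, flags the settings worth checking before trusting the tunnel (active/active means two IKE peers and two VTIs; a route-based Azure gateway, "UsePolicyBasedTS: False", expects 0.0.0.0/0 <-> 0.0.0.0/0 phase-2 selectors; DH group 2 is 1024-bit MODP; the pasted PSK is the template placeholder), and prints the strongSwan swanctl.conf equivalent, which is the backend OPNsense configures. The connection names azure1/azure2, the reqid values 11/12 used to bind the child SA to a VTI device, and the 16-character PSK floor are assumptions; TEMPLATE is a constructed excerpt of the posted file with the same values.

```python
"""Added example (not from the post, Microsoft or OPNsense): Azure IOS template -> audit -> swanctl.conf."""
import re
# Constructed excerpt of the template pasted in the post (values unchanged).
TEMPLATE = """\
!   > Public IP addresses:
!     + Public IP 1:         4.178.211.95
!     + Public IP 2:         4.178.242.10
!   > On-premises VPN IP:    176.165.131.115
!   > IKE version:             IKEv2
!     + Encryption algorithm:  aes-cbc-256
!     + Integrity algorithm:   sha1
!     + Diffie-Hellman group:  2
!     + SA lifetime (seconds): 3600
!     + Pre-shared key:        abc123
!     + UsePolicyBasedTS:      False
!   > IPsec
!     + Encryption algorithm:  esp-gcm 256
!     + PFS Group:             none
!     + SA lifetime (seconds): 3600
"""
# Cisco IOS names used by the template -> strongSwan proposal tokens.
IKE_ENC = {"aes-cbc-128": "aes128", "aes-cbc-256": "aes256"}
DH = {"2": "modp1024", "14": "modp2048", "19": "ecp256", "20": "ecp384"}
ESP = {"esp-gcm 128": "aes128gcm16", "esp-gcm 256": "aes256gcm16"}
HEADING = re.compile(r"^!\s*>\s*([^:]+?)\s*(?::\s*(.*?))?\s*$")
ITEM = re.compile(r"^!\s*\+\s*([^:]+?):\s*(.*?)\s*$")
CONN = """  {name} {{
    version = 2
    local_addrs = {local}
    remote_addrs = {peer}
    proposals = {ike}
    local {{
      auth = psk
    }}
    remote {{
      auth = psk
      id = {peer}
    }}
    children {{
      vti {{
        mode = tunnel
        local_ts = 0.0.0.0/0
        remote_ts = 0.0.0.0/0
        esp_proposals = {esp}
        rekey_time = {life}s
        reqid = {reqid}
      }}
    }}
  }}"""

def parse_template(text):
    """Walk the '> Heading' / '+ key: value' comment lines into a dict."""
    cfg = {"peers": [], "ike": {}, "ipsec": {}}
    section = None
    for line in text.splitlines():
        if m := HEADING.match(line):
            section, value = m.group(1), m.group(2) or ""
            if section == "On-premises VPN IP":
                cfg["on_prem_ip"] = value
        elif m := ITEM.match(line):
            key, value = m.groups()
            if section == "Public IP addresses":
                cfg["peers"].append(value)
            elif section == "IKE version":
                cfg["ike"][key] = value
            elif section == "IPsec":
                cfg["ipsec"][key] = value
    return cfg

def audit(cfg):
    """(code, message) findings to act on before trusting the tunnel."""
    ike, out = cfg["ike"], []
    if len(cfg["peers"]) > 1:
        out.append(("ACTIVE_ACTIVE", "one VTI and one static route per Azure public IP"))
    if ike.get("UsePolicyBasedTS", "False") == "False":
        out.append(("TS_ANY", "route-based gateway: phase-2 selectors 0.0.0.0/0 <-> 0.0.0.0/0"))
    if DH.get(ike.get("Diffie-Hellman group", "")) == "modp1024":
        out.append(("DH_WEAK", "DH group 2 is 1024-bit MODP; use a custom policy with group 14+"))
    if len(ike.get("Pre-shared key", "")) < 16:  # 16 is an assumed floor
        out.append(("PSK_SHORT", "pre-shared key under 16 chars; use a long random secret"))
    return out

def to_swanctl(cfg, name="azure"):
    """One IKE SA per Azure public IP; reqid binding to an ipsecN VTI is assumed."""
    ike, esp = cfg["ike"], cfg["ipsec"]
    ike_prop = f'{IKE_ENC[ike["Encryption algorithm"]]}-{ike["Integrity algorithm"]}-{DH[ike["Diffie-Hellman group"]]}'
    esp_prop = ESP[esp["Encryption algorithm"]]
    if esp.get("PFS Group", "none") != "none":  # PFS appends a DH token to the ESP proposal
        esp_prop += "-" + DH[esp["PFS Group"]]
    conns, secrets = [], []
    for i, peer in enumerate(cfg["peers"], 1):
        conns.append(CONN.format(name=f"{name}{i}", local=cfg["on_prem_ip"], peer=peer,
                                 ike=ike_prop, esp=esp_prop, life=esp["SA lifetime (seconds)"], reqid=10 + i))
        secrets.append(f'  ike-{name}{i} {{\n    id = {peer}\n    secret = "{ike["Pre-shared key"]}"\n  }}')
    return "connections {\n%s\n}\nsecrets {\n%s\n}\n" % ("\n".join(conns), "\n".join(secrets))

if __name__ == "__main__":
    cfg = parse_template(TEMPLATE)
    print(*(f"{c}: {m}" for c, m in audit(cfg)), to_swanctl(cfg), sep="\n")
```

Running it prints four findings (ACTIVE_ACTIVE, TS_ANY, DH_WEAK, PSK_SHORT) followed by two connections, azure1 to 4.178.211.95 and azure2 to 4.178.242.10, each with an any/any child SA; the static routes for 10.1.0.0/16 then go out of the two VTI devices, mirroring the two "ip route ... Tunnel" lines at the end of the Cisco template.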