Azure site to site VPN to OPNSense VPN

Max Ricketts 40 Reputation points
2024-10-15T12:16:45.3566667+00:00

I have an Azure Site to Site VPN to an OPNSense using IPsec. I have tried a multitude of configurations and it's not quite working. When I manually start the VPN it states that it is up in OPNSense, but no data is being transferred. If I use ssh on a device on-prem to a VM in Azure it opens the connection and I can log on to the Azure VM. After a while it seems the connection stops (it still shows as up in OPNSense and Azure). If I try to ssh from the Azure VM to the device on-prem it doesn't work and the connection times out. If I do the reverse again (on-prem VM to Azure VM) and try to ssh, the connection opens and all is OK for a while.

UDP ports 500 and 4500 are allowed through the OPNSense firewall rules.

Here are my current settings. I have tried many.

OPNsense - Version 24.7.4_1-amd64

Phase 1
Proposals - aes256-sha384-ecp384[DH20, NIST EC]
Version - IKEv2
MOBIKE - checked
Re-auth time - 86400
Re-key - 1440
DPD Delays - 30
DPD Timeout - 120

Phase 2
aes256gcm16-sha256-ecp384[DH20, NIST EC]
Policies - enabled
Start action - Start
Close action - None
DPD action - Start
Rekey time - 14400

Azure connection configs
Phase1
Encryption - AES256
Integrity/PRF - SHA384
DH Group - ECP384

Phase 2
IPSec Encryption - GCMAES256
IPSec Integrity - GCMAES256
PFS Group - ECP384

IPSec SA lifetime in seconds - 86400
DPD timeout - 45

Connection mode - Default.

Has anyone seen or had this combination of Azure Network gateway and OPNSense firewall working well?

The only way I can keep the connection up is using a device on-prem doing an icmp request to a device in azure.

Kind regards
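As an added example (not from the thread, and not code from either vendor), a small Python checker that renders the settings quoted in the question in one strongSwan-style form and lists where the two sides differ. The Azure-to-strongSwan name mapping and the DPD comparison rule are assumptions made for the illustration.

```python
# Added example (not from the thread): normalise both vendors' proposal names
# into one strongSwan-style form and list where the question's values diverge.
# The Azure-name mapping and the DPD rule are assumptions, not vendor docs.

# Constructed from the settings quoted in the question.
OPNSENSE = {"p1": "aes256-sha384-ecp384", "p2": "aes256gcm16-sha256-ecp384",
            "p2_lifetime_s": 14400, "dpd_timeout_s": 120}
AZURE = {"p1": ("AES256", "SHA384", "ECP384"),       # enc, integrity/PRF, DH
         "p2": ("GCMAES256", "GCMAES256", "ECP384"),  # enc, integrity, PFS
         "p2_lifetime_s": 86400, "dpd_timeout_s": 45}

# Assumed mapping of Azure algorithm names onto strongSwan tokens.
AZURE_TO_SS = {"AES256": "aes256", "SHA384": "sha384",
               "ECP384": "ecp384", "GCMAES256": "aes256gcm16"}

def azure_proposal(enc, integ, group):
    """Render an Azure triple as a strongSwan proposal; GCM is AEAD, so it
    gets no separate integrity token."""
    enc_tok = AZURE_TO_SS[enc]
    if enc_tok.endswith("gcm16"):
        return f"{enc_tok}-{AZURE_TO_SS[group]}"
    return f"{enc_tok}-{AZURE_TO_SS[integ]}-{AZURE_TO_SS[group]}"

def strip_integrity_if_aead(proposal):
    """Drop a shaNNN token from an AEAD proposal so both sides compare alike."""
    toks = proposal.split("-")
    if any("gcm" in t for t in toks):
        toks = [t for t in toks if not t.startswith("sha")]
    return "-".join(toks)

def compare(opn, az):
    """Return mismatch descriptions; an empty list means both sides agree."""
    issues = []
    for phase in ("p1", "p2"):
        az_prop = azure_proposal(*az[phase])
        if strip_integrity_if_aead(opn[phase]) != az_prop:
            issues.append(f"{phase}: OPNsense {opn[phase]} vs Azure {az_prop}")
    if "gcm" in opn["p2"] and "sha" in opn["p2"]:
        issues.append("p2: OPNsense pairs an integrity token with an AEAD "
                      "cipher; Azure lists none")
    if opn["p2_lifetime_s"] != az["p2_lifetime_s"]:
        issues.append(f"p2 lifetime: {opn['p2_lifetime_s']}s on OPNsense vs "
                      f"{az['p2_lifetime_s']}s on Azure; the shorter side rekeys first")
    # Assumed rule: flag when one side declares the peer dead long before the other.
    if az["dpd_timeout_s"] != opn["dpd_timeout_s"]:
        issues.append(f"dpd: Azure gives up after {az['dpd_timeout_s']}s, "
                      f"OPNsense after {opn['dpd_timeout_s']}s")
    return issues
```

Running `compare(OPNSENSE, AZURE)` shows the phase 1 and phase 2 algorithms line up once the AEAD integrity token is ignored, and leaves the lifetime and DPD asymmetries as the items to look at first.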


Accepted answer
    Ganesh Patapati 1,745 Reputation points Microsoft Vendor
    2024-10-17T15:18:02.85+00:00

    Hello Max Ricketts,

    We appreciate your patience!

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I have no idea about your on-prem device, and I will not recommend any suggestions for your on-prem device, but from the Azure side these are the logs available; you can check them out below:

    Validated VPN devices and device configuration guides:

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable

    I don't see "OPNsense VPN" in the validated devices.

    I would mostly recommend that you please check the Azure diagnostic logs below.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/troubleshoot-vpn-with-azure-diagnostics

    1. Can you ping the on-prem IP from Azure and see whether it is reaching or not?
    2. From on-prem, also ping the Azure VPN gateway IP and check the IKE logs.
    3. If traffic reaches the Azure VPN IP, then try to do a VPN gateway reset.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/troubleshoot-vpn-with-azure-diagnostics

    Hope this clarifies,

    Thanks

    Ganesh


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.


0 additional answers
