Netgate Discussion Forum

IPSec VPN from Azure to Oracle Cloud Using PfSense on Azure

Routing and Multi WAN
    tharu.rtk
    last edited by Jun 5, 2019, 3:58 AM

    Hi All,

    I am new to PfSense. I have already deployed the PfSense VM on Azure and I am trying to establish an IPSec VPN tunnel between Azure and Oracle Cloud using PfSense, but I am getting the error message below.

    My configuration as below:

    WAN :192.168.2.4/24
    LAN : 192.168.1.4/24 (Public IP/IP Forwarding is enabled)

    Destination Network (Oracle) : 10.1.0.0/24

    I am not sure whether I am facing a routing issue or an IPSec configuration issue. I need some help to resolve this issue.

    Error Log:

    Jun 5 11:51:46 charon 13[CFG] <6942> no acceptable INTEGRITY_ALGORITHM found
    Jun 5 11:51:46 charon 13[CFG] <6942> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_768, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_768, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_768, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP
    Jun 5 11:51:46 charon 13[CFG] <6942> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Jun 5 11:51:46 charon 13[IKE] <6942> no proposal found

      JeGr LAYER 8 Moderator
      last edited by Jun 5, 2019, 10:32 AM

      That's an IPsec Phase 1 error, as you have nothing configured that matches the proposal from the remote site.

      Yours is: AES 128 (CBC) with SHA256 and DH Group 6(? 2048bits).

      They need at least: AES 192, better AES-256 (CBC, not GCM from that string) with SHA256 or SHA384 (I'd use 384 at least) and a DH Group of LOUSY 1536 bits or lower.

      You should really check if that other side (Oracle, I suppose) could be configured to higher standards. Anything DH below 2k shouldn't be in use anymore. Even better, use elliptic curves (DH Group 28-31 for example).

      For them to have max DH Group to 1536 bits and even offering as low as 768 and offering SHA1 is really really disheartening from a security standpoint. 😢

      Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
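
Added example, not part of the original posts: a small Python check that reads charon's "received proposals" and "configured proposals" lines and shows, per transform type, which values both peers share and whether any complete proposal can be negotiated. The sample log is constructed from the lines in the first post with the received list shortened, the function names are hypothetical, and the parser assumes one transform per type in each proposal, as in the posted log.

```python
import re

# Constructed sample: the two charon lines from the first post, with the
# received list shortened to four of its proposals.
SAMPLE_LOG = """\
Jun 5 11:51:46 charon 13[CFG] <6942> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_768, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 5 11:51:46 charon 13[CFG] <6942> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
"""

KINDS = ("encryption", "integrity", "prf", "dh_group")
LINE_RE = re.compile(r"(received|configured) proposals: (.*)$")


def parse_proposals(log_text):
    """Return {'received': [...], 'configured': [...]} as lists of transform dicts."""
    out = {"received": [], "configured": []}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        for item in m.group(2).split(","):
            # Drop the "IKE:" protocol prefix, then split the transforms.
            parts = item.strip().split(":", 1)[-1].split("/")
            # Assumption: exactly one transform per type; other entries are ignored.
            if len(parts) == len(KINDS) and all(parts):
                out[m.group(1)].append(dict(zip(KINDS, parts)))
    return out


def diagnose(log_text):
    """Return (values shared per transform type, fully matching proposals)."""
    p = parse_proposals(log_text)
    shared = {}
    for kind in KINDS:
        ours = {c[kind] for c in p["configured"]}
        theirs = {r[kind] for r in p["received"]}
        shared[kind] = sorted(ours & theirs)
    # Phase 1 can only complete if one received proposal matches in every type.
    matches = [r for r in p["received"] if r in p["configured"]]
    return shared, matches


if __name__ == "__main__":
    shared, matches = diagnose(SAMPLE_LOG)
    for kind in KINDS:
        print(f"{kind:10} shared: {shared[kind] or 'NONE'}")
    print("negotiable proposals:", matches or "NONE")
```

On the sample, the integrity and PRF values overlap but the encryption key length and DH group do not, so no single proposal matches on all four transform types.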

        tharu.rtk
        last edited by Jun 5, 2019, 1:50 PM

        Hi Je,

        Thanks for the quick response. Actually I changed the configuration as you suggested and it worked, and I was able to establish the VPN connection. Unfortunately, from the Oracle side there is no way to change the VPN configuration. My configuration is shown below:

        Phase I
        Encryption Algorithm: AES
        Key Length : 256
        Hash : Sha1
        DH Group : Group 5 (1536 bit)
        Peer Detection : Disable

        Phase II
        Protocol : ESP
        Encryption Algorithm : AES 256 Bit
        Hash Algorithm : SHA 1
        PFS Key Group : 5

        Cheers mate. Thank you so much for the support :)

          JeGr LAYER 8 Moderator
          last edited by Jun 5, 2019, 3:22 PM

          No problems. A pity that the Oracle side is such a downgrade in security... SHA1 and anything smaller than 3k in PFS Key Groups should be shamed in 2019. And we haven't even talked about supporting AES-GCM yet... 🤦

          Anyway nice you got it working with that.

          Cheers,
          Jens

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.