Netgate Discussion Forum

    IPSec VPN from Azure to Oracle Cloud Using PfSense on Azure

      tharu.rtk

      Hi All,

      I am new to PfSense. I have already deployed the PfSense VM on Azure and I am trying to establish an IPSec VPN tunnel between Azure and Oracle Cloud using PfSense, but I am getting the error message below.

      My configuration is as below:

      WAN: 192.168.2.4/24
      LAN: 192.168.1.4/24 (Public IP/IP Forwarding is enabled)

      Destination Network (Oracle) : 10.1.0.0/24

      I am not sure whether I am facing a routing issue or an IPSec configuration issue. I need some help to resolve this issue.

      Error Log:

      Jun 5 11:51:46 charon 13[CFG] <6942> no acceptable INTEGRITY_ALGORITHM found
      Jun 5 11:51:46 charon 13[CFG] <6942> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_768, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_768, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_768, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP
      Jun 5 11:51:46 charon 13[CFG] <6942> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Jun 5 11:51:46 charon 13[IKE] <6942> no proposal found

        JeGr LAYER 8 Moderator

        That's an IPSEC Phase 1 error, as you have nothing configured that matches the proposal from the remote site.

        Yours is: AES 128 (CBC) with SHA256 and DH Group 6(? 2048bits).

        They need at least: AES 192, better AES-256 (CBC, not GCM from that string) with SHA256 or SHA384 (I'd use 384 at least) and a DH Group of LOUSY 1536 bits or lower.

        You should really check if that other side (oracle I suppose) could be configured to higher standards. Anything DH below 2k shouldn't be in use anymore. Even better use elliptic curves (DH Group 28-31 for example).

        For them to have max DH Group to 1536 bits and even offering as low as 768 and offering SHA1 is really really disheartening from a security standpoint. 😢

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
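
The mismatch described in the answer above can be read directly off the two charon lines. The following Python sketch is an added example, not part of the thread and not pfSense or strongSwan code: it parses the `received proposals` and `configured proposals` lines, lists the transform types that share nothing with the local configuration, and flags SHA1 and MODP groups below 2048 bits. The sample log is a shortened, constructed copy of the lines quoted in the question, and all function names are hypothetical.

```python
import re

# Constructed sample: the thread's charon lines, shortened to three received proposals.
SAMPLE_LOG = """\
Jun 5 11:51:46 charon 13[CFG] <6942> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP
Jun 5 11:51:46 charon 13[CFG] <6942> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
"""

LINE_RE = re.compile(r"(received|configured) proposals: (.+)$")
TYPES = ("encryption", "integrity", "prf", "dh")
PREFIXES = (("PRF_", "prf"), ("HMAC_", "integrity"), ("MODP", "dh"), ("ECP_", "dh"))

def classify(token):
    """Map one transform token to its IKE transform type (anything else is encryption)."""
    return next((t for p, t in PREFIXES if token.startswith(p)), "encryption")

def parse_proposals(log_text):
    """Return {'received': [...], 'configured': [...]}, each proposal a dict type -> token set."""
    out = {"received": [], "configured": []}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        for prop in (m.group(2).split(",") if m else []):
            parsed = {}
            for tok in prop.strip().partition(":")[2].split("/"):
                parsed.setdefault(classify(tok), set()).add(tok)
            out[m.group(1)].append(parsed)
    return out

def diagnose(log_text):
    """Per received proposal: types sharing no token with the local config, plus weak tokens."""
    props = parse_proposals(log_text)
    local = props["configured"][0]  # assumption: compare against the first configured proposal
    report = []
    for remote in props["received"]:
        differ = [t for t in TYPES if not remote.get(t, set()) & local.get(t, set())]
        weak = sorted(
            tok for toks in remote.values() for tok in toks
            # Weak per the answer above: SHA1, or MODP under 2048 bits; a truncated "MODP" is skipped.
            if "SHA1" in tok or ((g := re.fullmatch(r"MODP_(\d+)", tok)) and int(g.group(1)) < 2048)
        )
        report.append((differ, weak))
    return report

if __name__ == "__main__":
    for i, (differ, weak) in enumerate(diagnose(SAMPLE_LOG), 1):
        print(f"proposal {i}: differs in {differ}; weak: {weak}")
```

Every received proposal differs from the local one in at least the encryption key length and the DH group, which is why no proposal could be selected until the local Phase 1 settings were changed.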

          tharu.rtk

          Hi Je,

          Thanks for the quick response. Actually I changed the configuration as you suggested and it worked, and I was able to establish the VPN connection. Unfortunately, from the Oracle side there is no way to change the VPN configuration. My configuration is shown below:

          Phase I
          Encryption Algorithm: AES
          Key Length : 256
          Hash : Sha1
          DH Group : Group 5 (1536 bit)
          Peer Detection : Disable

          Phase II
          Protocol : ESP
          Encryption Algorithm : AES 256 Bit
          Hash Algorithm : SHA 1
          PFS Key Group : 5

          Cheers mate. Thank you so much for the support :)

            JeGr LAYER 8 Moderator

            No problems. A pity that the Oracle side is such a downgrade in security... SHA1 and anything smaller than 3k in PFS Key Groups should be shamed in 2019. And we haven't even talked about supporting AES-GCM yet... 🤦

            Anyway nice you got it working with that.

            Cheers,
            Jens

