IPSec VPN from Azure to Oracle Cloud Using PfSense on Azure



  • Hi All,

    I am new to PfSense, i already deployed the PfSense VM on Azure and i am trying to establish IPSec VPN tunnel between Azure and Oracle cloud using PfSense. But i am getting a below error message.

    My configuration as below:

    WAN :192.168.2.4/24
    LAN : 192.168.1.4/24 (Public IP/IP Forwarding is enabled)

    Destination Network (Oracle) : 10.1.0.0/24

    I am not sure i am facing a routing issue or IPSec configuration issue. I need some help to resolve this issue.

    Error Log:

    Jun 5 11:51:46 charon 13[CFG] <6942> no acceptable INTEGRITY_ALGORITHM found
    Jun 5 11:51:46 charon 13[CFG] <6942> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_768, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_768, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_768, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP
    Jun 5 11:51:46 charon 13[CFG] <6942> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Jun 5 11:51:46 charon 13[IKE] <6942> no proposal found


  • LAYER 8 Moderator

    Thats IPSEC Phase 1 error, as you have nothing configured, that is matching the proposal from the remote site.

    Yours is: AES 128 (CBC) with SHA256 and DH Group 6(? 2048bits).

    They need at least: AES 192, better AES-256 (CBC, not GCM from that string) with SHA256 or SHA384 (I'd use 384 at least) and a DH Group of LOUSY 1536 bits or lower.

    You should really check if that other side (oracle I suppose) could be configured to higher standards. Anything DH below 2k shouldn't be in use anymore. Even better use elliptic curves (DH Group 28-31 for example).

    For them to have max DH Group to 1536 bits and even offering as low as 768 and offering SHA1 is really really disheartening from a security standpoint. 😢



  • Hi Je,

    Thanks for the quick response. Actually i changed the configuration as you suggested and it worked and i was able to established the VPN connection. Unfortunately from Oracle side there is no way to change the VPN configuration. My configuration shown below;

    Phase I
    Encryption Algorithm: AES
    Key Length : 256
    Hash : Sha1
    DH Group : Group 5 (1536 bit)
    Peer Detection : Disable

    Phase II
    Protocol : ESP
    Encryption Algorithm : AES 256 Bit
    Hash Algorithm : SHA 1
    PFS Key Group : 5

    Cheers mate. Thank you so much for the support :)


  • LAYER 8 Moderator

    No problems. A pity that the oracle side is such a downgrade in security... SHA1 and anything smaller then 3k in PFS Key Groups should be shamed in 2019. And we haven't even talked about supporting AES-GCM yet... 🤦

    Anyway nice you got it working with that.

    Cheers,
    Jens


Log in to reply