<![CDATA[IPsec Tunnel to Azure Not Working Since 21.02]]>I have two pfSense devices, a SG-3100 which was upgraded to 21.02-p1, and a XG-7100 2.4.5-p1. Both connect via IPsec to Azure. Both have identical configuration. Once the SG-3100 was upgraded, it immediately stopped connecting. In other threads, jimp linked to 6 hotfixes; all of them have been applied, the SG-3100 still cannot connect.

Here’s my configuration on Azure, I’m using PowerShell to ensure the exact same policy is applied to both tunnels:

New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup ECP384 -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup ECP384 -SALifeTimeSeconds 3600 -SADataSizeKilobytes 500000

/var/etc/ipsec/swanctl.conf from the SG-3100

# This file is automatically generated. Do not edit
connections {
	bypass {
		remote_addrs = 127.0.0.1
		children {
			bypasslan {
				local_ts = <Internal Network>
				remote_ts = <Internal Network>
				mode = pass
				start_action = trap
			}
		}
	}
	con1000 {
		fragmentation = yes
		unique = replace
		strictcrlpolicy = yes
		version = 2
		proposals = aes256-sha384-ecp384
		dpd_delay = 10s
		dpd_timeout = 60s
		rekey_time = 3240s
		reauth_time = 0s
		over_time = 360s
		rand_time = 360s
		encap = no
		mobike = no
		local_addrs = <PF IP>
		remote_addrs = <Azure VNG IP>
		pools = 
		local {
			id = <PF IP>
			auth = psk
		}
		remote {
			id =  <Azure VNG IP>
			auth = psk
		}
		children {
			con1000 {
				dpd_action = trap
				mode = tunnel
				policies = yes
				life_time = 3600s
				rekey_time = 3240s
				rand_time = 360s
				start_action = trap
				remote_ts = <Azure Network>
				local_ts = <Internal Network>
				esp_proposals = aes256gcm128-ecp384
			}
		}
	}
}
secrets {
	ike-0 {
		secret = <PSK>
		id-0 = %any
		id-1 = <Azure VNG IP>
	}
}

/var/etc/ipsec/ipsec.conf from the XG-7100

# This file is automatically generated. Do not edit
connections {
	bypass {
		remote_addrs = 127.0.0.1
		children {
			bypasslan {
				local_ts = <Internal Network>
				remote_ts = <Internal Network>
				mode = pass
				start_action = trap
			}
		}
	}
	con1000 {
		fragmentation = yes
		unique = replace
		strictcrlpolicy = yes
		version = 2
		proposals = aes256-sha384-ecp384
		dpd_delay = 10s
		dpd_timeout = 60s
		rekey_time = 3240s
		reauth_time = 0s
		over_time = 360s
		rand_time = 360s
		encap = no
		mobike = no
		local_addrs = <PF IP>
		remote_addrs = <Azure VNG IP>
		pools = 
		local {
			id = <PF IP>
			auth = psk
		}
		remote {
			id =  <Azure VNG IP>
			auth = psk
		}
		children {
			con1000 {
				dpd_action = trap
				mode = tunnel
				policies = yes
				life_time = 3600s
				rekey_time = 3240s
				rand_time = 360s
				start_action = trap
				remote_ts = <Azure Network>
				local_ts = <Internal Network>
				esp_proposals = aes256gcm128-ecp384
			}
		}
	}
}
secrets {
	ike-0 {
		secret = <PSK>
		id-0 = %any
		id-1 = <Azure VNG IP>
	}
}

IPsec log from the SG-3100

Feb 27 10:34:22	charon	24787	14[NET] <2521> received packet: from <Azure VNG IP>[500] to <PF IP>[500] (376 bytes)
Feb 27 10:34:22	charon	24787	14[ENC] <2521> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Feb 27 10:34:22	charon	24787	14[CFG] <2521> looking for an IKEv2 config for <PF IP>...<Azure VNG IP>
Feb 27 10:34:22	charon	24787	14[IKE] <2521> no IKE config found for <PF IP>...<Azure VNG IP>, sending NO_PROPOSAL_CHOSEN
Feb 27 10:34:22	charon	24787	14[ENC] <2521> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Feb 27 10:34:22	charon	24787	14[NET] <2521> sending packet: from <PF IP>[500] to <Azure VNG IP>[500] (36 bytes)
Feb 27 10:34:22	charon	24787	14[IKE] <2521> IKE_SA (unnamed)[2521] state change: CREATED => DESTROYING
]]>https://forum.netgate.com/topic/161507/ipsec-tunnel-to-azure-not-working-since-21-02RSS for NodeSat, 18 Apr 2026 04:56:18 GMTSat, 27 Feb 2021 18:50:55 GMT60<![CDATA[Reply to IPsec Tunnel to Azure Not Working Since 21.02 on Sun, 28 Feb 2021 02:16:31 GMT]]>https://redmine.pfsense.org/issues/11526

]]>https://forum.netgate.com/post/968868https://forum.netgate.com/post/968868Sun, 28 Feb 2021 02:16:31 GMT<![CDATA[Reply to IPsec Tunnel to Azure Not Working Since 21.02 on Sun, 28 Feb 2021 02:15:46 GMT]]>Figured it out. Once I disabled "Strict CRL Checking", the connection started working. Both the SG-3100 running 21.02-p1, and the XG-7100 running 2.4.5-p1 had Strict CRL Checking enabled. Looks like the behavior changed between the two versions.

@jimp I'd consider this a bug, since it'd be impossible to ever verify CRLs on a PSK, so a global CRL setting should have no effect on a PSK-based IPsec tunnels.

]]>https://forum.netgate.com/post/968867https://forum.netgate.com/post/968867Sun, 28 Feb 2021 02:15:46 GMT<![CDATA[Reply to IPsec Tunnel to Azure Not Working Since 21.02 on Sat, 27 Feb 2021 22:51:44 GMT]]>Here's the view from the Azure portal, and using PowerShell:
AzureIPsec.png

Here's from the pfSense GUI:
AzureP1.png
AzureP2.png

Again, the XG-7100 is configured identically, the only difference (besides the model) is the XG-7100 is running 2.4.5-p1.

]]>https://forum.netgate.com/post/968836https://forum.netgate.com/post/968836Sat, 27 Feb 2021 22:51:44 GMT