Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPsec Tunnel to Azure Not Working Since 21.02

    Scheduled Pinned Locked Moved IPsec
    4 Posts 2 Posters 634 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      KStarRunner
      last edited by KStarRunner

      I have two pfSense devices, a SG-3100 which was upgraded to 21.02-p1, and a XG-7100 2.4.5-p1. Both connect via IPsec to Azure. Both have identical configuration. Once the SG-3100 was upgraded, it immediately stopped connecting. In other threads, jimp linked to 6 hotfixes; all of them have been applied, the SG-3100 still cannot connect.

      Here’s my configuration on Azure, I’m using PowerShell to ensure the exact same policy is applied to both tunnels:

      New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup ECP384 -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup ECP384 -SALifeTimeSeconds 3600 -SADataSizeKilobytes 500000

      /var/etc/ipsec/swanctl.conf from the SG-3100

      # This file is automatically generated. Do not edit
connections {
	bypass {
		remote_addrs = 127.0.0.1
		children {
			bypasslan {
				local_ts = <Internal Network>
				remote_ts = <Internal Network>
				mode = pass
				start_action = trap
			}
		}
	}
	con1000 {
		fragmentation = yes
		unique = replace
		strictcrlpolicy = yes
		version = 2
		proposals = aes256-sha384-ecp384
		dpd_delay = 10s
		dpd_timeout = 60s
		rekey_time = 3240s
		reauth_time = 0s
		over_time = 360s
		rand_time = 360s
		encap = no
		mobike = no
		local_addrs = <PF IP>
		remote_addrs = <Azure VNG IP>
		pools = 
		local {
			id = <PF IP>
			auth = psk
		}
		remote {
			id =  <Azure VNG IP>
			auth = psk
		}
		children {
			con1000 {
				dpd_action = trap
				mode = tunnel
				policies = yes
				life_time = 3600s
				rekey_time = 3240s
				rand_time = 360s
				start_action = trap
				remote_ts = <Azure Network>
				local_ts = <Internal Network>
				esp_proposals = aes256gcm128-ecp384
			}
		}
	}
}
secrets {
	ike-0 {
		secret = <PSK>
		id-0 = %any
		id-1 = <Azure VNG IP>
	}
}

      /var/etc/ipsec/ipsec.conf from the XG-7100

      # This file is automatically generated. Do not edit
connections {
	bypass {
		remote_addrs = 127.0.0.1
		children {
			bypasslan {
				local_ts = <Internal Network>
				remote_ts = <Internal Network>
				mode = pass
				start_action = trap
			}
		}
	}
	con1000 {
		fragmentation = yes
		unique = replace
		strictcrlpolicy = yes
		version = 2
		proposals = aes256-sha384-ecp384
		dpd_delay = 10s
		dpd_timeout = 60s
		rekey_time = 3240s
		reauth_time = 0s
		over_time = 360s
		rand_time = 360s
		encap = no
		mobike = no
		local_addrs = <PF IP>
		remote_addrs = <Azure VNG IP>
		pools = 
		local {
			id = <PF IP>
			auth = psk
		}
		remote {
			id =  <Azure VNG IP>
			auth = psk
		}
		children {
			con1000 {
				dpd_action = trap
				mode = tunnel
				policies = yes
				life_time = 3600s
				rekey_time = 3240s
				rand_time = 360s
				start_action = trap
				remote_ts = <Azure Network>
				local_ts = <Internal Network>
				esp_proposals = aes256gcm128-ecp384
			}
		}
	}
}
secrets {
	ike-0 {
		secret = <PSK>
		id-0 = %any
		id-1 = <Azure VNG IP>
	}
}

      IPsec log from the SG-3100

      Feb 27 10:34:22	charon	24787	14[NET] <2521> received packet: from <Azure VNG IP>[500] to <PF IP>[500] (376 bytes)
Feb 27 10:34:22	charon	24787	14[ENC] <2521> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Feb 27 10:34:22	charon	24787	14[CFG] <2521> looking for an IKEv2 config for <PF IP>...<Azure VNG IP>
Feb 27 10:34:22	charon	24787	14[IKE] <2521> no IKE config found for <PF IP>...<Azure VNG IP>, sending NO_PROPOSAL_CHOSEN
Feb 27 10:34:22	charon	24787	14[ENC] <2521> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Feb 27 10:34:22	charon	24787	14[NET] <2521> sending packet: from <PF IP>[500] to <Azure VNG IP>[500] (36 bytes)
Feb 27 10:34:22	charon	24787	14[IKE] <2521> IKE_SA (unnamed)[2521] state change: CREATED => DESTROYING
      K 1 Reply Last reply Reply Quote 0
      • K
        KStarRunner @KStarRunner
        last edited by

        Here's the view from the Azure portal, and using PowerShell:
        AzureIPsec.png

        Here's from the pfSense GUI:
        AzureP1.png
        AzureP2.png

        Again, the XG-7100 is configured identically, the only difference (besides the model) is the XG-7100 is running 2.4.5-p1.

        K 1 Reply Last reply Reply Quote 0
        • K
          KStarRunner @KStarRunner
          last edited by

          Figured it out. Once I disabled "Strict CRL Checking", the connection started working. Both the SG-3100 running 21.02-p1, and the XG-7100 running 2.4.5-p1 had Strict CRL Checking enabled. Looks like the behavior changed between the two versions.

          @jimp I'd consider this a bug, since it'd be impossible to ever verify CRLs on a PSK, so a global CRL setting should have no effect on a PSK-based IPsec tunnels.

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            https://redmine.pfsense.org/issues/11526

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 1
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.