Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,543 questions
Azure site to site VPN to OPNSense VPN
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 13%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
Max Ricketts
5
Reputation points
I have an Azure Site to Site VPN to an OPNSense using IPsec. I have tried a multitude of configurations and its not quite working. When I manually start the VPN it states that it is up in OPNSense but no data is being transferred. If I use ssh on a device on-prem to a vm in azure it opens the connection and I can log on to the azure VM. After while it seems the connection stops (still shows as up in OPNSense and Azure) If i try to ssh from the azure VM to the device on-prem it doesn't work and the connection times out. If I do the reverse again (on prem VM to azure vm) and try to ssh the connection opens and all is ok for a while.
UDP ports 500 and 4500 are allowed through the OPNSense Firewall rules
Here are my current settings. I have tried many.
OPN Sense - Version 24.7.4_1-amd64
Phase 1
Proposals - aes256-sha384-ecp384[DH20, NIST EC]
Version - IKEv2
MOBIKE - checked
Re-auth time - 86400
Re-key - 1440
DPD Delays - 30
DPD Timeout - 120
Phase 2
aes256gcm16-sha256-ecp384[DH20, NIST EC]
Policies - enabled
Start action - Start
Close action - None
DPD action - Start
Rekey time - 14400
Azure connection configs
Phase1
Encryption - AES256
Integrity/PRF - SHA384
DH Group - ECP384
Phase 2
IPSec Encryption - GCMAES256
IPSec Integrity - GCMAES256
PFS Group - ECP384
IPSec SA lifetime in seconds - 86400
DPD timeout - 45
Connection mode - Default.
Has anyone seen or have this combination of Azure Network gateway and OPNSense Firewall working well.
The only way I can keep the connection up is using a device on-prem doing an icmp request to a device in azure.
Kind regards
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 71%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Ganesh Patapati 735 Reputation points Microsoft Vendor2024-10-15T18:58:52.06+00:00 Hi Max Ricketts,
Greetings,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
It sounds like you're facing a challenging issue with your Azure Site-to-Site VPN connection to OPNSense using IPsec.
Currently The circumstances: VPN Status: Data transit is irregular, although the VPN appears to be "up" on OPNSense and Azure.
SSH Connectivity: After a while, you won't be able to SSH from an Azure virtual machine to an on-premises system.
Firewall Rules: The OPNSense firewall permits traffic on UDP ports 500 and 4500.
Keep-Alive: Only when ICMP requests are delivered from on-premises to Azure does the connection stay steady.
To further troubleshoot the issue:
- Adjust IPsec SA Lifetime:
- Consider reducing the IPSec SA lifetime on both sides to 3600 seconds (1 hour) instead of 86400 seconds. This can help in re-establishing the connection more frequently.
- Review Firewall Rules: Ensure that there are no other firewall rules on OPNSense that might be blocking traffic after the initial connection is established. Check for any stateful rules that might be affecting the return traffic.
- Packet Capture:
- Perform packet captures on both the OPNSense and Azure sides to analyze the traffic. Look for any dropped packets or errors that might indicate where the connection is failing. Workaround
- ICMP Keep-Alive: While using ICMP requests to keep the connection alive is a temporary solution, it indicates that the connection is dropping due to inactivity. Focus on resolving the underlying issues to avoid relying on this workaround.
- Recreating the VPN Connection: Sometimes starting fresh with a new configuration can help eliminate hidden issues.
Please ask if you need any more help or explanation on any of the interprets!
With regards,
Ganesh
- Adjust IPsec SA Lifetime:
-
Max Ricketts 5 Reputation points
2024-10-16T08:50:20.2233333+00:00 Thank you for the reply. I will go through this and test and let you know.
-
Max Ricketts 5 Reputation points
2024-10-16T14:12:45.6433333+00:00 The Azure DPD settings in azure I change to 120 which is what is what is configured on a VPN that is connecting UPCloud to OPNsense which works all ok.
I also changed the other settings as you suggested.
After a restart of the VPN service VM in Azure still can't initiate the connections to on-prem. But the other way round VM on prem trying to SSH to Azure creates the connection.
I'll look into the packet capture on the azure side as well and see what I can see. Seems like this should be a simple solution to setup. We have configured these in AWS and UPcloud to OPNSense with no issues.
-
Ganesh Patapati 735 Reputation points Microsoft Vendor
2024-10-17T15:18:02.85+00:00 Hello Max Ricketts,
We appreciate for your Patience!
I have no idea about your On-prem device, and I will not recommend any suggestions for your On-prem device but from azure side these are the logs available you check it out here in below:
Validated VPN devices and device configuration guides:
Refer: https://zcusa.951200.xyz/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable
I don't see it in the validated devices "OpenSense VPN".
I will mostly recommend you to please check the azure Diagonostic logs in below.
Refer: https://zcusa.951200.xyz/en-us/azure/vpn-gateway/troubleshoot-vpn-with-azure-diagnostics
Cheers,
Ganesh
-
Ganesh Patapati 735 Reputation points Microsoft Vendor
2024-10-18T15:02:04.9533333+00:00 Hello Max Ricketts,
Greetings of the day!
I would like to follow up with the thread.
Just checking in to see if you had a chance to see my response to your question. Please tell us if it was helpful and feel free to reach out to us if you have any queries.
Looking forward to your response and appreciate your time on this.
Cheers,
Ganesh
Sign in to comment
Sign in to answer