IPsec is not enabled. Configure IPsec

First time setting up a site-to-site VPN on pfSense, so hopefully this is easy.

Configured the remote site to use IPsec and am now configuring the pfSense side, following an article that says to go to VPN/IPsec. This takes one to VPN/IPsec/Tunnels, where I configure the P1 and P2 settings.

Then, going to the stats display, I do not get the desired “ESTABLISHED”.

Instead, it has “Disconnected” and the informational message below says “IPsec is not enabled. Configure IPsec”. The “Configure IPsec” is a link back to the tunnel settings and I’m not finding an “enable” option. The Role, Timer and Algo are blank in the status.

Again, first-time setup on pfSense, so what’s the obvious thing that I’m missing?

Do I need to add rules to the WAN interface for IPsec?

Is everything properly configured in the firewall? Ports, etc.?

I have a few different site-to-site configurations that are all working to the designated VLANs. Even when using Wireshark, all the traffic traverses correctly.

Did you follow a guide?

Followed an article about connecting Azure to pfSense. For pfSense it just talked about the P1 and P2 settings in VPN/IPsec/Tunnels.

https://www.scom2k7.com/creating-a-site-to-site-azure-vpn-with-pfsense/#:~:text=Creating%20a%20site-to-site%20Azure%20VPN%20with%20PFSense%201,public%20IP%20Address%20for%20your%20Azure%20VPN%20

After I walked away from the pfSense, looking for references, there is no enable for IPsec, so perhaps that’s an old setting.

Now finding this, which says rules are needed:
Virtual Private Networks — IPsec — IPsec and firewall rules | pfSense Documentation

Perhaps it is not firewall rules, as they should have been added as “hidden”. Also, logs related to IPsec show a mismatch for encryption. (Not sure what’s needed.)

Oct 2 18:38:18 charon 37852 16[IKE] <686> IKE_SA (unnamed)[686] state change: CREATED => CONNECTING
Oct 2 18:38:18 charon 37852 16[CFG] <686> selecting proposal:
Oct 2 18:38:18 charon 37852 16[CFG] <686> no acceptable INTEGRITY_ALGORITHM found
Oct 2 18:38:18 charon 37852 16[CFG] <686> selecting proposal:
Oct 2 18:38:18 charon 37852 16[CFG] <686> no acceptable DIFFIE_HELLMAN_GROUP found
Oct 2 18:38:18 charon 37852 16[CFG] <686> selecting proposal:
Oct 2 18:38:18 charon 37852 16[CFG] <686> no acceptable ENCRYPTION_ALGORITHM found
Oct 2 18:38:18 charon 37852 16[CFG] <686> selecting proposal:
Oct 2 18:38:18 charon 37852 16[CFG] <686> no acceptable ENCRYPTION_ALGORITHM found
Oct 2 18:38:18 charon 37852 16[CFG] <686> selecting proposal:
Oct 2 18:38:18 charon 37852 16[CFG] <686> no acceptable ENCRYPTION_ALGORITHM found
Oct 2 18:38:18 charon 37852 16[CFG] <686> selecting proposal:
Oct 2 18:38:18 charon 37852 16[CFG] <686> no acceptable ENCRYPTION_ALGORITHM found
Oct 2 18:38:18 charon 37852 16[CFG] <686> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 2 18:38:18 charon 37852 16[CFG] <686> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

SUCCESS!

Azure wanted pfSense to use a DH group with 1024 instead of the default 2048.

(Might go back to Azure config another day.)
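An added example, not part of the original thread and not pfSense or strongSwan code: it reads the "received proposals" and "configured proposals" lines from the charon log above and reports, per received proposal, which transform types have no overlap with the local configuration. The function names and the prefix-based classification of transform names are assumptions made for this illustration.

```python
import re

# The two proposal summary lines from the charon log quoted in the thread.
SAMPLE_LOG = ("Oct 2 18:38:18 charon 37852 16[CFG] <686> received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024\n"
    "Oct 2 18:38:18 charon 37852 16[CFG] <686> configured proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048\n")

PREFIXES = (("PRF_", "PSEUDO_RANDOM_FUNCTION"), ("HMAC_", "INTEGRITY_ALGORITHM"),
            ("MODP_", "DIFFIE_HELLMAN_GROUP"), ("ECP_", "DIFFIE_HELLMAN_GROUP"))

def classify(name):
    """Map a transform name to its type (these prefix rules are an assumption)."""
    return next((k for p, k in PREFIXES if name.startswith(p)), "ENCRYPTION_ALGORITHM")

def parse_proposals(log, side):
    """Return one {transform type: set of names} dict per proposal on a side."""
    match = re.search(rf"{side} proposals: (.+)", log)
    proposals = []
    for text in (match.group(1).split(",") if match else []):
        transforms = text.strip().partition(":")[2]  # drop the "IKE:" prefix
        by_type = {}
        for name in transforms.split("/"):
            by_type.setdefault(classify(name), set()).add(name)
        proposals.append(by_type)
    return proposals

def diagnose(log):
    """For each received proposal, the transform types the local config lacks."""
    local = parse_proposals(log, "configured")
    report = []
    for offer in parse_proposals(log, "received"):
        gaps = [sorted(t for t in offer if not offer[t] & cfg.get(t, set()))
                for cfg in local]
        report.append(min(gaps, key=len) if gaps else sorted(offer))
    return report

def blocking_types(log):
    """Transform types that fail in every received proposal."""
    report = diagnose(log)
    return sorted(set.intersection(*map(set, report))) if report else []

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG), blocking_types(SAMPLE_LOG))
```

For this log the only transform type missing from every offer is the DH group, which matches the MODP_1024 versus MODP_2048 difference resolved in the thread. The same gap closes from either side: lowering the local group to 1024, as the poster did, or raising the peer's offer to 2048.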