Netgate Discussion Forum
    Single Interface IPSec in Azure

    Category: IPsec
    5 Posts 4 Posters 1.9k Views

    domf:

      Hi,

      I'm struggling to get a pfSense Office to pfSense Azure tunnel forwarding traffic through a single-interface pfSense server in Azure.

      The setup is as follows:

      Office - pfSense 2.3.2-RELEASE-p1 - 6 Interfaces
      Azure - pfSense 2.3.2-RELEASE-p1 - 1 Interface

      The Azure server is a single-interface server connected to 10.10.0.0/24 (NAT from external IP)
      The office server has multiple interfaces with all internal addresses in subnets from 192.168.0.0/16

      Working:

      1. Phase 1 and Phase 2 IPsec come up OK
      2. Office pfSense (and office servers) can ping Azure WAN address (10.10.0.5) from both the default interface and any other interface as source IP.
      3. Azure pfSense can ping other hosts on the 10.10.0.0/24 network

      With the firewall on pfSense and on the other Azure hosts disabled:

      1. Office host can ping Azure pfSense IP 10.10.0.5 OK
      2. Office host can NOT ping other hosts on Azure LAN e.g. 10.10.0.x

      I initially assumed this was a route issue on the Azure hosts failing to route return traffic to the pfSense but Packet Capture on Azure pfSense shows
      a) ICMP Packet received OK on IPSec Interface
      b) ICMP Packet sent OK on WAN Interface
      whilst
      c) tcpdump on other Azure hosts shows no ICMP packet received.  The servers in question are CentOS 7 and this is with firewalld stopped.

      Any and all ideas welcomed...

      Dom

      domf:

        In case anyone else has this problem: by default Azure will block any traffic from an Azure host sent from an IP not associated with the host.  So when the pfSense tries to send traffic with a source IP of a remote host (as a layer 3 router does) then Azure will discard it.  The answer is to:

        1. Enable "IP Forwarding" on the interface attached to the pfSense host.
        2. Create a "Route Table" that is attached to the subnet associated with the LAN.  That results in traffic sent to the default g/w getting an ICMP redirect for traffic in the route table so it is correctly routed via the pfSense.

        Hope this is useful to someone.

        Dom

        tourist:
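The two-step fix described in the post above, as an added example that is not from the post and not Netgate's or Azure's own material: a shell script using the Azure CLI (az) that enables IP forwarding on the pfSense NIC, creates a route table holding one user-defined route for the office prefix whose next hop type is VirtualAppliance and whose next hop address is the pfSense's private IP, attaches that table to the 10.10.0.0/24 subnet, and reads the NIC flag back as a check. The resource group, VNet, subnet, NIC and route-table names are assumptions; the addresses (10.10.0.5 and 192.168.0.0/16) are the ones given in the thread. It defaults to a dry run that only prints the az commands; set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example: make a single-NIC pfSense in Azure usable as a router for
# IPsec traffic. Not from the forum thread; uses real az CLI commands, but the
# resource names below are assumptions and must be changed to match your VNet.
set -eu

RG="${RG:-pfsense-rg}"                     # assumed resource group
VNET="${VNET:-pfsense-vnet}"               # assumed VNet that contains 10.10.0.0/24
SUBNET="${SUBNET:-lan}"                    # assumed name of the 10.10.0.0/24 subnet
NIC="${NIC:-pfsense-nic}"                  # assumed NIC attached to the pfSense VM
RT="${RT:-to-office-via-pfsense}"          # assumed route table name
PFSENSE_IP="${PFSENSE_IP:-10.10.0.5}"      # pfSense private IP (from the thread)
OFFICE_NET="${OFFICE_NET:-192.168.0.0/16}" # office prefix behind the tunnel (from the thread)
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the plan, 0 = apply it

# run: execute a command, or print it when DRY_RUN=1 so the plan can be
# reviewed without an Azure subscription.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: tell the platform to accept packets leaving this NIC whose source IP
# is not the NIC's own. Without this, forwarded 192.168.x.x packets are dropped
# silently, which is exactly the symptom in the thread (seen leaving pfSense,
# never arriving at the CentOS hosts).
enable_ip_forwarding() {
    run az network nic update --resource-group "$RG" --name "$NIC" --ip-forwarding true
}

# Step 2: a user-defined route that sends office-bound traffic from the Azure
# LAN to the pfSense. Next hop type is VirtualAppliance with the pfSense's
# private address; the table is then attached to the subnet the hosts share.
create_office_route() {
    run az network route-table create --resource-group "$RG" --name "$RT"
    run az network route-table route create --resource-group "$RG" \
        --route-table-name "$RT" --name office-via-pfsense \
        --address-prefix "$OFFICE_NET" \
        --next-hop-type VirtualAppliance --next-hop-ip-address "$PFSENSE_IP"
    run az network vnet subnet update --resource-group "$RG" \
        --vnet-name "$VNET" --name "$SUBNET" --route-table "$RT"
}

# Check: read the flag back from the NIC (prints true when it took effect).
check_ip_forwarding() {
    run az network nic show --resource-group "$RG" --name "$NIC" \
        --query enableIpForwarding --output tsv
}

# Whole procedure, in order; returns the commands (dry run) or applies them.
configure_azure_nva() {
    enable_ip_forwarding
    create_office_route
    check_ip_forwarding
}

configure_azure_nva
```

The route table is applied by the Azure platform to every NIC in the subnet, so the CentOS hosts keep their existing default gateway and need no guest-side static route. It does not touch Network Security Groups: if the hosts' NSG only permits traffic from the VNet, inbound from 192.168.0.0/16 still has to be allowed there, and once the pfSense firewall is re-enabled it needs rules on its IPsec tab for traffic arriving from the tunnel.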

          Thanks for posting your resolution. I am currently hitting the same issue.

          To clarify 2) You created the route table in Azure? What settings did you use for the route table under 'next virtual hop'?

          ordinaryorange:

            Have a read through this post, I found it invaluable when I built my single-NIC pfSense box in Azure. Been running for a couple of years now just nicely.
            http://vaggeliskappas.com/2015/07/23/running-pfsense-as-an-azure-iaas-virtual-machine/

            sheepthief:

              @domf:

              1. Enable "IP Forwarding" on the interface attached to the pfSense host.

              Bingo. I've been banging my head on my desk for two days, and this has solved my problem. Thank you!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.