IPSEC Azure tunnel to 2 sites
-
Hi all,
I'm having a little trouble setting up an IPsec tunnel from Azure to 2 sites.
A little background:
Site 1:
Network: 192.168.2.0/24
WAN: Static IP
FW: pfSense (latest)
Site 2:
Network: 192.168.10.0/24
WAN: Static IP
FW: pfSense (latest)
Site 3 (Azure):
Address space: 172.0.0.0/22
Subnet 1 (usable subnet for VMs): 172.0.0.0/24
Gateway (subnet used for communication): 172.0.1.0/24
IPsec tunnel 1: site 1 <-> site 2
IPsec tunnel 2: site 1 <-> site 3
Now I've configured the Azure tunnel with the following tutorial: https://knowledge.zomers.eu/pfsense/Pages/How-to-connect-an-Azure-cloud-to-pfSense-over-IPSec.aspx
The problem is that I want traffic from site 2 to site 3 (and vice versa), if possible through IPsec tunnels 1 & 2. Now I've added the subnet ranges to phase 2 of both IPsec tunnels, but I can't get any traffic through.
Am I doing something wrong? Or do I need to create a tunnel between site 2 & site 3? Because on Azure I can't use the same local network, so I would have to recreate all my VMs then.
Thanks for the help!
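The transit requirement in the post above, as an added example that is not the poster's configuration: a flow from a site 2 host to an Azure VM must be carried by a Phase 2 selector pair on every tunnel it crosses (site 2 to site 1, then site 1 to Azure), and both ends of each tunnel must agree on that pair. On the Azure end the equivalent of the remote selector is the local network gateway's address prefixes, which is an assumption about Azure's model stated here, not something the post says. The site prefixes are the thread's; the selector lists, hop names and hosts are constructed for illustration.

```python
"""Check whether a flow is covered by Phase 2 traffic selectors on every
tunnel it must cross.  Added example for this thread, not the poster's
configuration: prefixes come from the thread, the selector lists, tunnel
names and hosts are constructed for illustration."""
import ipaddress


def _net(s):
    return ipaddress.ip_network(s, strict=False)


def selector_matches(selector, src, dst):
    """A Phase 2 entry is a (local, remote) prefix pair.  It carries the flow if
    src lies in one side and dst in the other; the reverse direction uses the
    same SA pair, so both orientations count."""
    a, b = map(_net, selector)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in a and d in b) or (s in b and d in a)


def uncovered_hops(tunnels, path, src, dst):
    """Return the tunnels on `path` with no selector carrying src -> dst.
    An empty list means the transit flow is fully covered end to end."""
    return [name for name in path
            if not any(selector_matches(sel, src, dst) for sel in tunnels[name])]


# Tunnels as in the thread, with site 1 as the hub.  Only the direct
# site-to-site selectors exist here, the state in which site 2 <-> Azure
# traffic cannot pass.  (Constructed selector lists.)
TUNNELS_BEFORE = {
    "site1<->site2": [("192.168.2.0/24", "192.168.10.0/24")],
    "site1<->azure": [("192.168.2.0/24", "172.0.0.0/24")],
}

# Same tunnels with a transit selector added on each hop.  On the Azure end
# the remote side of this pair is the local network gateway's address
# prefixes, which must include 192.168.10.0/24 too (assumption about Azure).
TUNNELS_AFTER = {
    "site1<->site2": TUNNELS_BEFORE["site1<->site2"] + [("192.168.10.0/24", "172.0.0.0/24")],
    "site1<->azure": TUNNELS_BEFORE["site1<->azure"] + [("192.168.10.0/24", "172.0.0.0/24")],
}

TRANSIT_PATH = ["site1<->site2", "site1<->azure"]


def demo():
    """Constructed hosts: a site 2 client and an Azure VM in the usable subnet."""
    src, dst = "192.168.10.5", "172.0.0.4"
    before = uncovered_hops(TUNNELS_BEFORE, TRANSIT_PATH, src, dst)
    after = uncovered_hops(TUNNELS_AFTER, TRANSIT_PATH, src, dst)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("hops missing a transit selector before:", before)
    print("hops missing a transit selector after: ", after)
```

Note that a selector toward 172.0.0.0/24 does not cover the gateway subnet 172.0.1.0/24; a probe from site 1 to a gateway-subnet address fails the check even though the tunnel is up, which is one thing to rule out before suspecting the tunnel itself.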
-
After a night without sleep, I finally found a solution. I'll describe the bullet points here; if someone needs more info, give me a sign and I'll write a tutorial for it.
First: a static gateway in Azure is not supported, you have to change it to a dynamic gateway.
Follow these steps: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-multi-site/
Then in pfSense use the following settings:
Phase 1:
- Key exchange: v2
- Authentication: Mutual PSK
- My identifier: My IP address
- Peer identifier: Peer IP address
- Encryption algorithm: 3DES
- Hash algorithm: SHA1
- DH key group: 2 (1024 bit)
- Lifetime: 28800
- Disable rekey (not sure if needed)
- Disable reauth (not sure if needed)
- DPD with 10 & 5
Phase 2:
- Local: LAN subnet
- Remote: the usable subnet, not the whole address space
- Protocol: ESP
- Encryption algorithms: AES (Auto) & 3DES
- Hash algorithms: MD5 & SHA1
- PFS: group 1
- Lifetime: 3600
Then create a pre-shared key under the Pre-Shared Keys tab:
- Identifier: IP address of the Azure dynamic gateway
- Type: PSK
- Pre-shared key: as configured
Now the tunnel will connect and you have multiple sites connected to Azure.
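The Phase 1 and Phase 2 settings above do negotiate, but several of the algorithms are weak by current standards: 3DES, SHA1, MD5, DH group 2 (1024-bit) and PFS group 1 (768-bit). As an added example, not the poster's settings and not code from pfSense, strongSwan or Azure, the checker below expands a pfSense-style proposal list the way the peer sees it ("AES Auto" proposes every key length), reports which combinations the peer would accept, flags the legacy ones, and picks the strongest combination both sides support. The accepted-algorithm table is an assumption modelled on the list Azure documented for custom IPsec/IKE policy on route-based gateways; verify it against the current Azure docs before relying on it.

```python
"""Negotiate a pfSense-style IKEv2/IPsec proposal list against the peer's
accepted algorithms and flag legacy choices.

Added example for this thread; not code from pfSense, strongSwan or Azure.
AZURE_ROUTE_BASED is an assumption modelled on the algorithm list Azure
documented for custom IPsec/IKE policy; check the current docs."""
from itertools import product

# Peer-side accepted algorithms (assumption, see module docstring).
AZURE_ROUTE_BASED = {
    "ike_enc":  {"aes256", "aes192", "aes128", "3des", "des"},
    "ike_hash": {"sha384", "sha256", "sha1", "md5"},
    "dh":       {"dh24", "ecp384", "ecp256", "dh14", "dh2", "dh1"},
    "esp_enc":  {"gcmaes256", "gcmaes128", "aes256", "aes192", "aes128", "3des", "des"},
    "esp_hash": {"gcmaes256", "gcmaes128", "sha256", "sha1", "md5"},
    "pfs":      {"pfs24", "ecp384", "ecp256", "pfs14", "pfs2", "pfs1", "none"},
}

# Algorithms this example treats as legacy: DES/3DES, MD5/SHA1 and
# Diffie-Hellman groups of 1024 bits or less (policy choice of this example).
LEGACY = {"des", "3des", "md5", "sha1", "dh1", "dh2", "pfs1", "pfs2"}

# Replacement preference, strongest first, used by recommend().
PREFERRED = {
    "ike_enc":  ["aes256", "aes128"],
    "ike_hash": ["sha384", "sha256"],
    "dh":       ["ecp384", "ecp256", "dh24", "dh14"],
    "esp_enc":  ["gcmaes256", "aes256", "aes128"],
    "esp_hash": ["sha256"],
    "pfs":      ["ecp384", "ecp256", "pfs24", "pfs14"],
}

# The settings listed in the answer above, as the pfSense GUI takes them:
# Phase 1 has one algorithm per field, Phase 2 may list several, and
# "AES Auto" means AES with every key length.
PHASE1_FROM_THREAD = {"ike_enc": ["3des"], "ike_hash": ["sha1"], "dh": ["dh2"]}
PHASE2_FROM_THREAD = {"esp_enc": ["aes_auto", "3des"], "esp_hash": ["md5", "sha1"], "pfs": ["pfs1"]}


def expand(names):
    """Turn the GUI list into the concrete algorithm names the peer sees."""
    out = []
    for n in names:
        out.extend(["aes128", "aes192", "aes256"] if n == "aes_auto" else [n])
    return out


def negotiate(offered, accepted):
    """Return (matching proposals, legacy algorithms offered).
    A match is any combination of one value per field that the peer accepts;
    the peer chooses one of them, so a single match is enough to connect."""
    fields = list(offered)
    expanded = [expand(offered[f]) for f in fields]
    matches = [dict(zip(fields, combo)) for combo in product(*expanded)
               if all(v in accepted[f] for f, v in zip(fields, combo))]
    legacy = sorted({v for values in expanded for v in values if v in LEGACY})
    return matches, legacy


def recommend(fields, accepted):
    """Strongest preferred algorithm per field that the peer accepts, or None
    when the peer accepts none of them (then the peer side needs changing)."""
    return {f: next((a for a in PREFERRED[f] if a in accepted[f]), None) for f in fields}


if __name__ == "__main__":
    for label, offered in (("phase 1", PHASE1_FROM_THREAD), ("phase 2", PHASE2_FROM_THREAD)):
        matches, legacy = negotiate(offered, AZURE_ROUTE_BASED)
        print(f"{label}: {len(matches)} acceptable combination(s); legacy offered: {legacy}")
        print(f"{label}: recommended {recommend(list(offered), AZURE_ROUTE_BASED)}")
```

Offering a mixed list such as "AES Auto & 3DES" with "MD5 & SHA1" is what makes a tunnel come up against almost any peer, but it also lets the peer pick the weakest combination; once the tunnel works, trim the Phase 2 list to the single strong combination the checker recommends.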
-
Hi Anvar,
I tried to do this site-to-site between Azure ARM and pfSense 2.2.6, and I didn't have success.
The log shows IKE CONNECTING and DESTROYING.
In Azure I see CONNECTED, and a few seconds later I see UNKNOWN in the Connection Status.
In the pfSense IKE log, I am getting that the pre-shared key was successfully authenticated... but the next message is "bypasslan missing no alternative config found" or something like that.
I already tried many kinds of VPN setup in Azure ARM.
Do you have any tip? In the Pre-Shared Keys tab, did you use an IP or an FQDN as identifier?
How did you create your VPN S2S in Azure? Route- or policy-based? Static or dynamic IP?
Thanks
Tobal
-
Hey Anvar,
I'm running pfSense 2.3.1_5 and I have a somewhat similar setup.
Site 1: Office (pfSense)
Site 2: Azure 1
Site 3: Azure 2
We started with only Site 1 & 2 (no Azure 2) and had a Site to Site VPN working 100% fine.
We later added Azure 2 (Site 3) and wanted to connect it to Site 1 & 2. Connecting Site 1 & Site 3 was trivial, pretty much duplicated the Phase 1 & 2 settings and just updated the IPs as required.
Where I think things started to fall off the rails was when connecting Site 2 & 3 together. We created another Site to Site VPN between the two networks. Traffic between them is fine, but traffic to/from Azure & Office is terrible and pfSense reports high packet loss on the WAN Gateway for some reason.
From your knowledge, is what I'm doing not the proper way? Should I be setting up a Multi-Site VPN on Azure instead of 2 Site to Site VPNs (per site)? Does pfSense handle Azure's Dynamic Routing?
Thanks in advance!