Single Interface IPSec in Azure



  • Hi,

    I'm struggling to get a pfSense Office to pfSense Azure Tunnel forwarding traffic through a single interface pfSense server in Azure.

    The setup is as follows:

    Office - pfSense 2.3.2-RELEASE-p1 - 6 Interfaces
    Azure - pfSense 2.3.2-RELEASE-p1 - 1 Interface

    The Azure server is a single interface server connected to 10.10.0.0/24 (Nat from external IP)
    The office server is multiple interfaces with all internal addresses in subnets from 192.168.0.0/16

    Working:

    1. Phase 1 and Phase 2 IPSEC come up ok
    2. Office pfSense (and office servers) can ping the Azure WAN address (10.10.0.5) from both the default interface and any other interface as source IP.
    3. Azure pfSense can ping other hosts on the 10.10.0.0/24 network

    With the firewall on pfSense and on the other Azure hosts disabled:

    1. Office host can ping Azure pfSense IP 10.10.0.5 OK
    2. Office host can NOT ping other hosts on the Azure LAN, e.g. 10.10.0.x

    I initially assumed this was a route issue on the Azure hosts failing to route return traffic to the pfSense but Packet Capture on Azure pfSense shows
    a) ICMP Packet received OK on IPSec Interface
    b) ICMP Packet sent OK on WAN Interface
    whilst
    c) tcpdump on the other Azure hosts shows no ICMP packet received. The servers in question are CentOS 7 and this is with firewalld stopped.

    Any and all ideas welcomed...

    Dom



  • In case anyone else has this: by default Azure will block any traffic from an Azure host sent from an IP not associated with the host. So when the pfSense tries to send traffic with a source IP of a remote host (as a layer 3 router does), Azure will discard it. The answer is to:

    1. Enable "IP Forwarding" on the interface attached to the pfSense host.
    2. Create a "Route Table" that is attached to the subnet associated with the LAN. That results in traffic sent to the default gateway getting an ICMP redirect for traffic in the route table, so it is correctly routed via the pfSense.

    Hope this is useful to someone.

    Dom
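The two fixes above, as an added Az PowerShell example (not from this thread or from pfSense/Azure documentation). The addresses are the thread's own (pfSense at 10.10.0.5 on 10.10.0.0/24, office subnets in 192.168.0.0/16); the resource group, NIC, VNet, subnet and route-table names are assumptions. The user-defined route answers the "next hop" question: NextHopType VirtualAppliance with the pfSense private IP, scoped to only the office prefix so nothing else is steered through the box.

```powershell
# Added example (not from the thread). Names below are assumptions; addresses
# come from the thread. Requires the Az module and an authenticated session.
$rg         = "rg-pfsense"        # assumed resource group
$nicName    = "pfsense-nic"       # assumed NIC of the single-interface pfSense VM
$lanNicName = "centos-lan-nic"    # assumed NIC of one CentOS host on the LAN
$vnetName   = "vnet-azure"        # assumed VNet containing 10.10.0.0/24
$subnetName = "subnet-lan"        # assumed subnet the LAN hosts sit on
$rtName     = "rt-to-office"      # assumed route table name
$pfSenseIp  = "10.10.0.5"         # Azure pfSense WAN address (from the thread)
$officeNet  = "192.168.0.0/16"    # office subnets behind the tunnel (from the thread)

# 1. Enable IP forwarding on the pfSense NIC so the fabric stops discarding
#    packets whose source or destination IP is not the NIC's own address.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 2. Route table with one user-defined route: only the office prefix is sent
#    to the pfSense (NextHopType VirtualAppliance, next hop = its private IP).
$rt = New-AzRouteTable -ResourceGroupName $rg -Name $rtName -Location $nic.Location
$rt | Add-AzRouteConfig -Name "to-office" -AddressPrefix $officeNet `
        -NextHopType VirtualAppliance -NextHopIpAddress $pfSenseIp | Out-Null
$rt | Set-AzRouteTable | Out-Null

# Associate the route table with the LAN subnet (keeps the existing prefix).
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Checks: forwarding is on, and a LAN host's effective routes now carry the
# user route for 192.168.0.0/16 via 10.10.0.5 (Source = "User").
(Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName).EnableIPForwarding
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName $lanNicName |
    Where-Object { $_.Source -eq "User" } |
    Select-Object AddressPrefix, NextHopType, NextHopIpAddress
```

If the effective-route check shows no User entry, the route table is not yet associated with the subnet the CentOS hosts actually use.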



  • Thanks for posting your resolution. I am currently hitting the same issue.

    To clarify 2): you created the route table in Azure? What settings did you use for the route table under 'next virtual hop'?



  • Have a read through this post; I found it invaluable when I built my single-NIC pfSense box in Azure. It has been running for a couple of years now just nicely.
    http://vaggeliskappas.com/2015/07/23/running-pfsense-as-an-azure-iaas-virtual-machine/



  • @domf:

    1. Enable "IP Forwarding" on the interface attached to the pfSense host.

    Bingo. I've been banging my head on my desk for two days, and this has solved my problem. Thank you!