Using PFSense as ipsec Endpoint of Azure

larodar

Hi, I am looking for some help. I want to try out an RDP-connection between my office and a Microsoft Server 2016 on Azure. To connect these two sites, I want to establish an IPsec connection between my Intra2net router at my office and the PFSense as a virtual machine on azure.

What I did so far:
Ip-address of vnet: 192.168.4.0/23
Subnet1: 192.168.4.0/24
Subnet2: 192.168.5.0/24
Office-network: 192.168.125.0/24
On subnet1 I set up 1 NIC for PFSense
NIC 1: Public-IP:1.2.3.4 private-ip: 192.168.4.10
On subnet 2 I set up 1 NIC for PFSense and set up Windows Server
NIC 2: private-ip: 192.168.5.10
Server-Ip: 192.168.5.100

I already established an IPsec connection between my office and PFSense. I can ping the PFSense NIC2 from my office and can ping the different computers at my office from the PFSense. I also can ping my office from the windows server but I fail to ping or establish an rdp-connection from my office to windows server on azure.

I have no idea how to get this done and hopefully someone can help me.

Thank you very much

Cheers

Nik

stephenw10

If you can ping an office machine from the server then you have some sort of route to reach it. However it may be an asymmetric route via the Azure gateway in which case ICMP might be allowed whilst TCP is blocked. Can you open any TCP connection from the server in Azure to any device on your office subnet?

It might be the local Windows firewall on the server blocking requests from outside it's subnet unless you've disabled that.

Steve

larodar

@stephenw10

I was wrong. I can ping the server and the office machines from pfsense, but i can't ping the office machines from the azure server or the server from the office machines. Probably I made some routing mistakes in azure but I have no idea how to solve this.

stephenw10

The simplest solution, for just one server, might be to just add a route to the office subnet via the pfSense internal IP (192.168.5.10) on the server itself.
If you only need to connect to the server you can also NAT the traffic leaving the interface in pfSense. That will allow the server to reply as all traffic will appear to be from it's own subnet. It's ugly though!

Steve

larodar

Thanks Steve. I try my best to set up the routes.

This is how my configuration looks like:

PFSense:

SPDs:
192.168.125.0/24 -> 192.168.5.0/24 // Tunnel endpoints: public-ip-office -> 192.168.4.10
192.168.5.0/24 -> 192.168.125.0/24 // Tunnel endpoints: 192.168.4.10 -> public-ip-office

Azure:
PFSense NIC1( 192.168.4.10):
effective routes:
192.168.4.0/23 -> virtual network
0.0.0.0 /0 -> internet

PFSense NIC2(192.168.5.10) + ip-forwarding-enabled:
effective routes:
192.168.4.0/23 -> virtual network
192.168.125.0 -> virtual network
0.0.0.0 /0 -> 192.168.5.10

Server NIC(192.168.5.100):
192.168.4.0/23 -> virtual network
192.168.125.0 -> virtual network
0.0.0.0 /0 -> 192.168.5.10

It is still not working.^^

stephenw10

That /23 subnet seems suspect. That covers the subnets on both of the pfSense NICs. So how does pfSense know which NIC to use? You have the same route on two NICs there.

However if you can ping the server from pfSense itself I expect it to work.

You may have to run some packet captures to see where the pings are going once the come over the tunnel, or if they do come over the tunnel at all.

Steve

larodar

@stephenw10

It was a wrong firewall setting. Now everything works fine. I just have to find out why the rdp ipsec connection is so slow.

Thank you very much

cheers nik

stephenw10

It's easy to get significant packet fragmentation over IPSec. Setting MSS clamping can improve things quite a bit if you tune it right with a packet capture.

Also make sure you're using the fastest encryption you can. IKEv2 with AES-GCM using AES-NI is usually what you want.

Enabling asynchronous-crypto in the IPSec advanced settings can dramatically improve speed on multicore CPUs but has been shown to cause issues in edge cases. Usually no traffic at all if you hit it.

Steve

bbrendon

Curious, did anyone ever get AES-GCM working with Azure? I tried and gave up.

stephenw10

With pfSense running in Azure? Which is was this thread is.

You can run any cipher you want, as long as the remote side supports it, Azure doesn't see that. It only sees the encrypted IPSec traffic.

Steve

bbrendon

Oh sorry. never mind then.

andy905

This post is deleted!

stephenw10

I'm not aware of any issues using AES-GCM dircetly to Azure either.

But, yeah, better to start a new thread for that.

Steve