Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Using PFSense as ipsec Endpoint of Azure

    Scheduled Pinned Locked Moved General pfSense Questions
    13 Posts 4 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      larodar
      last edited by

      Hi, I am looking for some help. I want to try out an RDP-connection between my office and a Microsoft Server 2016 on Azure. To connect these two sites, I want to establish an IPsec connection between my Intra2net router at my office and the PFSense as a virtual machine on azure.

      What I did so far:
      Ip-address of vnet: 192.168.4.0/23
      Subnet1: 192.168.4.0/24
      Subnet2: 192.168.5.0/24
      Office-network: 192.168.125.0/24
      On subnet1 I set up 1 NIC for PFSense
      NIC 1: Public-IP:1.2.3.4 private-ip: 192.168.4.10
      On subnet 2 I set up 1 NIC for PFSense and set up Windows Server
      NIC 2: private-ip: 192.168.5.10
      Server-Ip: 192.168.5.100

      I already established an IPsec connection between my office and PFSense. I can ping the PFSense NIC2 from my office and can ping the different computers at my office from the PFSense. I also can ping my office from the windows server but I fail to ping or establish an rdp-connection from my office to windows server on azure.

      I have no idea how to get this done and hopefully someone can help me.

      Thank you very much

      Cheers

      Nik

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        If you can ping an office machine from the server then you have some sort of route to reach it. However it may be an asymmetric route via the Azure gateway in which case ICMP might be allowed whilst TCP is blocked. Can you open any TCP connection from the server in Azure to any device on your office subnet?

        It might be the local Windows firewall on the server blocking requests from outside it's subnet unless you've disabled that.

        Steve

        L 1 Reply Last reply Reply Quote 0
        • L
          larodar @stephenw10
          last edited by

          @stephenw10

          I was wrong. I can ping the server and the office machines from pfsense, but i can't ping the office machines from the azure server or the server from the office machines. Probably I made some routing mistakes in azure but I have no idea how to solve this.

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            The simplest solution, for just one server, might be to just add a route to the office subnet via the pfSense internal IP (192.168.5.10) on the server itself.
            If you only need to connect to the server you can also NAT the traffic leaving the interface in pfSense. That will allow the server to reply as all traffic will appear to be from it's own subnet. It's ugly though!

            Steve

            1 Reply Last reply Reply Quote 0
            • L
              larodar
              last edited by larodar

              Thanks Steve. I try my best to set up the routes.

              This is how my configuration looks like:

              PFSense:

              SPDs:
              192.168.125.0/24 -> 192.168.5.0/24 // Tunnel endpoints: public-ip-office -> 192.168.4.10
              192.168.5.0/24 -> 192.168.125.0/24 // Tunnel endpoints: 192.168.4.10 -> public-ip-office

              Azure:
              PFSense NIC1( 192.168.4.10):
              effective routes:
              192.168.4.0/23 -> virtual network
              0.0.0.0 /0 -> internet

              PFSense NIC2(192.168.5.10) + ip-forwarding-enabled:
              effective routes:
              192.168.4.0/23 -> virtual network
              192.168.125.0 -> virtual network
              0.0.0.0 /0 -> 192.168.5.10

              Server NIC(192.168.5.100):
              192.168.4.0/23 -> virtual network
              192.168.125.0 -> virtual network
              0.0.0.0 /0 -> 192.168.5.10

              It is still not working.^^

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                That /23 subnet seems suspect. That covers the subnets on both of the pfSense NICs. So how does pfSense know which NIC to use? You have the same route on two NICs there.

                However if you can ping the server from pfSense itself I expect it to work.

                You may have to run some packet captures to see where the pings are going once the come over the tunnel, or if they do come over the tunnel at all.

                Steve

                L 1 Reply Last reply Reply Quote 0
                • L
                  larodar @stephenw10
                  last edited by

                  @stephenw10

                  It was a wrong firewall setting. Now everything works fine. I just have to find out why the rdp ipsec connection is so slow.

                  Thank you very much

                  cheers nik

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    It's easy to get significant packet fragmentation over IPSec. Setting MSS clamping can improve things quite a bit if you tune it right with a packet capture.

                    Also make sure you're using the fastest encryption you can. IKEv2 with AES-GCM using AES-NI is usually what you want.

                    Enabling asynchronous-crypto in the IPSec advanced settings can dramatically improve speed on multicore CPUs but has been shown to cause issues in edge cases. Usually no traffic at all if you hit it.

                    Steve

                    1 Reply Last reply Reply Quote 0
                    • B
                      bbrendon
                      last edited by

                      Curious, did anyone ever get AES-GCM working with Azure? I tried and gave up.

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        With pfSense running in Azure? Which is was this thread is.

                        You can run any cipher you want, as long as the remote side supports it, Azure doesn't see that. It only sees the encrypted IPSec traffic.

                        Steve

                        1 Reply Last reply Reply Quote 0
                        • B
                          bbrendon
                          last edited by

                          Oh sorry. never mind then.

                          1 Reply Last reply Reply Quote 0
                          • A
                            andy905 Banned
                            last edited by andy905

                            This post is deleted!
                            1 Reply Last reply Reply Quote 0
                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              I'm not aware of any issues using AES-GCM dircetly to Azure either. 😉

                              But, yeah, better to start a new thread for that.

                              Steve

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.