Azure IPSEC to PFSense connected but no traffic

  • Hey there,

    we have some issues in our environment connecting a Azure Environment to our other Datacenter. Scenario:

    1x PFSense 2.4.4 - Datacenter 1 - Subnet
    1x PFSense 2.4.4 - Office - Subnet 10.xx.xx.0/24
    1x Virtual Network Gateway - Azure - (Subnet

    Azure -> IPSEC -> Office = connected, ICMP and other Services working both ways <->

    Azure -> IPSEC -> Datacenter 1 = connected, ICMP and other Services not working

    (Office has 2 other IPSEC Tunnels - one from Datacenter 1 to Office and one from another Azure Instance to Office, both working) + (Datacenter 1 has 1 other IPSEC Tunnel to Office, working)

    The IPSEC Tunnel are connected, Phase1 and Phase 2 is configured, exact the same way on Datacenter 1 and Office.

    • Phase1:
      IKEv2 Tunnel, Mutual PSK, Pre-Shared Key, AES 256 bits, SHA256, DH Group 2 (1024 bit)
    • Phase2:
      Tunel IPv4, ESP, AES 256bits, SHA1, PFS key group - off

    Firewall Rules on both PFSense are configured like:

    • Tab IPsec:
      Allow IPv4 * - Source - Port * - Destination * - Port * - Gateway *

    In the firewall Log there is following on Datacenter 1:

    • BLOCK IPsec 10.xx.xx.x:80 TCP:A


    • ALLOW ► LAN1_SAFE let out anything IPv4 from firewall host itself (1000010015) 10.xx.xx.x:5900 TCP:SEC

    How can i unblock this on Datacenter 1? There is the Rule on the IPSEC Tab that should allow this Subnet??
    And what is the Rule on Office "let out anything IPv4 from firewall host itself".

    On Datacenter 1: Diagnostics -> Test Port -> Hostname, Port 3389 from Source LAN_1 -> Port test to host: Port: 3389 successful.

    kind regards and many thanks!

  • @genesis_mp

    Solution was soo simple! 😌

    The Servers on Datacenter 1 had a static route in the network configuration to go over the external Firewall for this kind of subnet...

    Changed the static routing with -p and all worked! 😀

Log in to reply