Azure IPSEC to PFSense connected but no traffic
we have some issues in our environment connecting a Azure Environment to our other Datacenter. Scenario:
1x PFSense 2.4.4 - Datacenter 1 - Subnet 100.xxx.xxx.0/23
1x PFSense 2.4.4 - Office - Subnet 10.xx.xx.0/24
1x Virtual Network Gateway - Azure - 100.xxx.xxx.0/16 (Subnet 100.xxx.x.0/16)
Azure -> IPSEC -> Office = connected, ICMP and other Services working both ways <->
Azure -> IPSEC -> Datacenter 1 = connected, ICMP and other Services not working
(Office has 2 other IPSEC Tunnels - one from Datacenter 1 to Office and one from another Azure Instance to Office, both working) + (Datacenter 1 has 1 other IPSEC Tunnel to Office, working)
The IPSEC Tunnel are connected, Phase1 and Phase 2 is configured, exact the same way on Datacenter 1 and Office.
IKEv2 Tunnel, Mutual PSK, Pre-Shared Key, AES 256 bits, SHA256, DH Group 2 (1024 bit)
Tunel IPv4, ESP, AES 256bits, SHA1, PFS key group - off
Firewall Rules on both PFSense are configured like:
- Tab IPsec:
Allow IPv4 * - Source 100.xxx.x.0/16 - Port * - Destination * - Port * - Gateway *
In the firewall Log there is following on Datacenter 1:
- BLOCK IPsec 100.xxx.x.10:44699 10.xx.xx.x:80 TCP:A
- ALLOW ► LAN1_SAFE let out anything IPv4 from firewall host itself (1000010015) 100.xxx.x.x:26498 10.xx.xx.x:5900 TCP:SEC
How can i unblock this on Datacenter 1? There is the Rule on the IPSEC Tab that should allow this Subnet??
And what is the Rule on Office "let out anything IPv4 from firewall host itself".
On Datacenter 1: Diagnostics -> Test Port -> Hostname 100.xxx.x.40, Port 3389 from Source LAN_1 -> Port test to host: 100.xxx.x.40 Port: 3389 successful.
kind regards and many thanks!
Solution was soo simple!
The Servers on Datacenter 1 had a static route in the network configuration to go over the external Firewall for this kind of subnet...
Changed the static routing with -p and all worked!