Routed IPsec (VTI) to Azure - Does it work?

  • Hi,

    Has anyone been successful in establishing a routed IPsec connection (VTI) between pfSense and the Microsoft Azure VPN gateway? Tunnel mode works fine for me, but I can't get routed mode working for the life of me. I guess my main question is how to configure the local and remote addresses/networks in the pfSense side phase 2 connection.

    The closest I've got so far is by setting the local network to a small private range, and the remote address to the private address for the Azure VPN gateway (i.e. the GatewaySubnet address). With this configuration in place, I can establish a BGP session between pfSense and Azure, so there's some basic connectivity there. If I try to connect from pfSense to a host on the Azure side though, I see packets leaving the ipsec2000 interface, but nothing coming back.

    It's not obviously a routing problem because I see my BGP advertised routes in the effective routes table in the Azure portal for my VM. And I don't think it's a firewall or security group problem because the same rules work fine when I'm using tunnel mode.

    Has anyone managed to get this to work?


  • Hi Richard,

    Did you ever get this working?


Log in to reply