pfSense IPsec IKEv2 Tunnel to Azure - Traffic not routed to Azure except from pfSense itself



Hi,

before bashing me, I already read all posts I've found in the WWW.... :-(

My configuration:

Azure VNET: 10.0.0.0/16
Azure GW subnet: 10.0.0.0/24
Azure client subnet: 10.0.254.0/24

Local subnet (on-prem): 192.168.2.0/24

I configured my tunnel phase 1 & 2 settings based on: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

Azure: Tunnel is up and running...
pfSense: Tunnel is up and running...
Which means the site-to-site connection is working fine.

Firewall rules local interface to Azure: allow ALL/ALL
Firewall rules IPsec to local: allow ALL/ALL

My pfSense WAN interface has a static public WAN IP via my ISP.

The issue:

Pinging the Azure client from my local client: Nope Nope Nope Nope.... whaaat?!??!
I don't understand why pinging or any form of access just won't work from the on-prem infrastructure to my Azure infrastructure, when the other way around works just fine.

Troubleshooting so far:

Ping from Azure client to local client: yeeehaaa... working fine...
Ping from pfSense to Azure client: yeeeeeeeeehaaaaaa... working fine....
tracert from Azure to local: first hop responds with a *, second hop responds with the local IP address.
tracert from local to Azure: all hops respond with *

I'll try to configure a Point-to-Site configuration just for testing my Azure config, but I'm sure everything is configured correctly on the cloud side.

If you have any hints, ideas, whatever, just feel free...

Thanks!

BR
Martin

