IPSec Tunnel to virtual resources
-
Hey everyone,
So we do have a bit of pfSense experience, but we have a client that is asking for something we haven't really done before. Was hoping I might be able to get some direction on how best to troubleshoot something we are currently working on.

Our client is using a pfSense device to manage mostly remote VPN connections to an internal network. We were tasked with setting up an environment in Azure to connect to this network. We have successfully set up an IPsec tunnel between Azure and the pfSense, and have stood up a virtual domain controller in Azure that is properly syncing with the one behind the pfSense device. However, currently it's not really allowing any other traffic between the two networks.

What they want is for these two networks to essentially act as a single local network they can remote into and get to any device, regardless of whether it is a virtual server or physical. When we are connected to the pfSense via VPN, we cannot reach anything in the Azure network, and when we are connected to the Azure VPN (we set this up for testing and because we were initially under the impression that they wanted the two networks separate) we can reach the primary domain controller behind the pfSense device only IF we first remote into the virtual domain controller we just set up. We cannot ping any device on the other network when we are connected (even after allowing ICMP traffic on the server firewalls).

Servers on the virtual Azure network are running on different subnets than the physical servers on the pfSense.

We did not set up any virtual network appliances on the Azure side; maybe we need to do this and set up some static routes to the pfSense?

We do have pfSense experience, but this is sort of stumping us. Any ideas where we can start to set it up as requested? I was wondering if this was a routing issue, since devices on opposite sides of the pfSense device are on separate IP networks? But then why are the domain controllers able to sync?

I realize you may need more information to help, so just let me know if I missed anything you need and I can provide you with any info.
-
So I did eventually figure this out, in case anyone is interested. This was due to the configuration of the VPN server on the pfSense and the configuration of the network security gateway in Azure. The client uses VPN servers for different groups, so rather than just give everyone access to the LAN, they specified subnets people have access to. I needed to update the allowed subnets on the pfSense to include the subnet for Azure resources, and then Azure needed to be updated to allow the VPN users from the pfSense.

Which totally makes sense when you see the symptoms. Should have thought of it a while ago.
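The fix above boils down to three allow-lists that all have to agree before a remote-access VPN client can reach Azure: the subnets the pfSense VPN server pushes to its clients, the IPsec Phase 2 selectors on the site-to-site tunnel, and the prefixes Azure accepts from the tunnel. The script below is an added example (not from the original poster, and not pfSense or Azure code) that models that path with constructed, assumed prefixes (10.10.0.0/16 on-prem LAN, 10.99.0.0/24 VPN client pool, 10.50.0.0/16 Azure VNet); it reports which hop drops a given source/destination pair and which settings still need to change. It reproduces the symptom from the thread: DC-to-DC replication works because both DCs sit inside the Phase 2 selector, while a VPN client has no route to Azure at all.

```python
"""Hop-by-hop reachability check for a pfSense remote-access VPN plus an
IPsec site-to-site tunnel to Azure.  Added example with constructed sample
prefixes; it is not the poster's configuration."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class SiteConfig:
    onprem_lan: IPv4Network
    vpn_pool: IPv4Network          # pfSense remote-access client pool (assumed)
    azure_vnet: IPv4Network
    vpn_allowed: tuple             # subnets the VPN server pushes/permits to clients
    phase2: tuple                  # (onprem_side, azure_side) Phase 2 selectors
    azure_allowed: tuple           # prefixes Azure accepts from the tunnel (assumed
                                   # local network gateway address space / NSG)


# Constructed "before" configuration: VPN clients only get the on-prem LAN,
# the tunnel only carries LAN<->VNet, and Azure only knows the LAN prefix.
BEFORE = SiteConfig(
    onprem_lan=ip_network("10.10.0.0/16"),
    vpn_pool=ip_network("10.99.0.0/24"),
    azure_vnet=ip_network("10.50.0.0/16"),
    vpn_allowed=(ip_network("10.10.0.0/16"),),
    phase2=((ip_network("10.10.0.0/16"), ip_network("10.50.0.0/16")),),
    azure_allowed=(ip_network("10.10.0.0/16"),),
)

# Only the VPN server's allowed-subnet list updated: clients now route to Azure,
# but nothing further down the path has been told about the client pool.
PARTIAL = replace(BEFORE, vpn_allowed=(BEFORE.onprem_lan, BEFORE.azure_vnet))

# Every hop updated: pushed route, Phase 2 selector and Azure-side allow-list.
AFTER = replace(
    PARTIAL,
    phase2=BEFORE.phase2 + ((BEFORE.vpn_pool, BEFORE.azure_vnet),),
    azure_allowed=(BEFORE.onprem_lan, BEFORE.vpn_pool),
)


def trace(src, dst, cfg):
    """Return 'ok' or the first hop that drops src->dst toward Azure."""
    src, dst = ip_address(src), ip_address(dst)
    # Hop 1: a remote-access client only has routes for the allowed subnets,
    # so traffic to anything else never enters the VPN.
    if src in cfg.vpn_pool and not any(dst in p for p in cfg.vpn_allowed):
        return f"vpn-client: no route pushed for {dst}"
    # Hop 2: pfSense only encrypts traffic that matches a Phase 2 selector.
    if dst in cfg.azure_vnet and not any(src in a and dst in b for a, b in cfg.phase2):
        return f"ipsec: no Phase 2 selector covers {src}->{dst}"
    # Hop 3: Azure drops tunnel traffic from prefixes it was not configured for.
    if dst in cfg.azure_vnet and not any(src in p for p in cfg.azure_allowed):
        return f"azure: source {src} not in allowed prefixes"
    return "ok"


def required_changes(cfg):
    """List the settings still missing before VPN clients can reach the VNet."""
    todo = []
    if not any(cfg.azure_vnet.subnet_of(p) for p in cfg.vpn_allowed):
        todo.append(f"pfSense VPN server: add {cfg.azure_vnet} to the allowed networks")
    if not any(cfg.vpn_pool.subnet_of(a) and cfg.azure_vnet.subnet_of(b)
               for a, b in cfg.phase2):
        todo.append(f"pfSense IPsec Phase 2: add selector {cfg.vpn_pool} <-> {cfg.azure_vnet}")
    if not any(cfg.vpn_pool.subnet_of(p) for p in cfg.azure_allowed):
        todo.append(f"Azure: allow {cfg.vpn_pool} from the tunnel")
    return todo


if __name__ == "__main__":
    client, onprem_dc, azure_dc = "10.99.0.7", "10.10.0.10", "10.50.1.4"
    for name, cfg in (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER)):
        print(f"[{name}] DC sync   : {trace(onprem_dc, azure_dc, cfg)}")
        print(f"[{name}] VPN client: {trace(client, azure_dc, cfg)}")
        for item in required_changes(cfg):
            print(f"[{name}]   todo: {item}")
```

The PARTIAL case is the one worth keeping in mind: adding the Azure subnet to the VPN server alone makes the client send the packet, but it is then dropped by the tunnel selectors or on the Azure side, which looks identical from the client (ping times out) until you check each hop in turn.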