IPSEC Azure tunnel to 2 sites
I'm having a little trouble setting up an IPsec tunnel from Azure to 2 sites.
A little background:
Site 1:
WAN: Static IP
FW: pfSense (latest)
Site 2:
WAN: Static IP
FW: pfSense (latest)
Site 3 (Azure):
Address space: 184.108.40.206/22
Subnet 1 (usable subnet for VMs): 220.127.116.11/24
Gateway (subnet used for communication): 18.104.22.168/24
IPsec tunnel 1:
site 1 <-> site 2
IPsec tunnel 2:
site 1 <-> site 3
Now I've configured the Azure tunnel following this tutorial: https://knowledge.zomers.eu/pfsense/Pages/How-to-connect-an-Azure-cloud-to-pfSense-over-IPSec.aspx
The problem is that I want traffic from site 2 to site 3 (and vice versa), if possible through IPsec tunnels 1 & 2.
Now I've added the subnet ranges to Phase 2 of both IPsec tunnels, but I can't get any traffic through.
Am I doing something wrong? Or do I need to create a tunnel between site 2 & site 3? Because on Azure I can't use the same local network, so I would have to recreate all my VMs then.
Thanks for the help!
After a night without sleep, I finally found a solution. I'll describe the bullet points here; if someone needs more info then give me a sign and I'll write a tutorial for it.
First: a static routing gateway in Azure is not supported for this; you have to change it to a dynamic gateway.
Follow these steps: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-multi-site/
Then in pfSense use the following settings:
Phase 1:
- Key exchange version: IKEv2
- Authentication: Mutual PSK
- My identifier: My IP address
- Peer identifier: Peer IP address
- Encryption algorithm: 3DES
- Hash algorithm: SHA1
- DH key group: 2 (1024 bit)
- Lifetime: 28800
- Disable rekey (not sure if needed)
- Disable reauth (not sure if needed)
- DPD: 10 & 5 (delay & max failures)
Phase 2:
- Local network: LAN subnet
- Remote network: the usable subnet, not the whole address space
- Protocol: ESP
- Encryption algorithms: AES (auto) & 3DES
- Hash algorithms: MD5 & SHA1
- PFS key group: 1
- Lifetime: 3600
Then create a pre-shared key under the Pre-Shared Keys tab:
- Identifier: IP address of the Azure dynamic gateway
- Type: PSK
- Pre-shared key: as configured
Now the tunnel will connect and you have multiple sites connected to Azure.
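As an added example that is not part of the forum thread (and not pfSense or Microsoft code): the Azure side of the route-based multi-site gateway the solution above depends on, driven by the Azure CLI (`az`). Resource names, the region, the two sites' WAN addresses and prefixes are placeholders I chose; the script assumes `az` is installed and logged in, that the VNet already has a GatewaySubnet, and that the pre-shared keys are supplied through the environment. With DRY_RUN=1 (the default) it only prints the commands it would run, with PSKs redacted, so the plan can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example (not from the forum post): Azure side of a multi-site,
# route-based ("dynamic routing") VPN gateway with one connection per pfSense
# site. Names, region and addresses below are placeholders I made up.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.

RG="${RG:-vpn-lab-rg}"                 # resource group (placeholder)
LOCATION="${LOCATION:-westeurope}"     # region (placeholder)
VNET="${VNET:-azure-vnet}"             # existing VNet that has a GatewaySubnet
GW="${GW:-azure-vpn-gw}"               # virtual network gateway name
GW_PIP="${GW_PIP:-azure-vpn-gw-pip}"   # its public IP resource name

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"     # print the exact command instead of running it
    else
        "$@"
    fi
}

# A policy-based ("static routing") gateway accepts only one S2S connection;
# several sites need a route-based gateway, i.e. --vpn-type RouteBased.
create_gateway() {
    run az network public-ip create -g "$RG" -n "$GW_PIP" -l "$LOCATION" \
        --sku Standard --allocation-method Static
    run az network vnet-gateway create -g "$RG" -n "$GW" -l "$LOCATION" \
        --vnet "$VNET" --public-ip-address "$GW_PIP" \
        --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
}

# One local network gateway per pfSense site: its WAN IP and the prefixes
# behind it (what pfSense calls the Phase 2 "local network").
create_local_gateway() {   # $1 name, $2 site WAN IP, $3 prefix list
    run az network local-gateway create -g "$RG" -n "$1" -l "$LOCATION" \
        --gateway-ip-address "$2" --local-address-prefixes "$3"
}

# One connection per site, each with its own PSK (the key pfSense stores under
# Pre-Shared Keys with the Azure gateway IP as identifier). The PSK is never
# written to the dry-run plan.
create_connection() {      # $1 connection name, $2 local gateway name, $3 PSK
    if [ "${DRY_RUN:-1}" = "1" ]; then shown='<redacted>'; else shown="$3"; fi
    run az network vpn-connection create -g "$RG" -n "$1" -l "$LOCATION" \
        --vnet-gateway1 "$GW" --local-gateway2 "$2" --shared-key "$shown"
}

# Pin the IKE/IPsec proposal so both ends negotiate the same thing. "thread"
# mirrors the post's pfSense settings (3DES/SHA1/DH group 2, PFS group 1);
# those algorithms are deprecated, so the default "modern" profile uses
# AES-256/SHA-256 with 2048-bit groups (my recommendation, not the post's).
add_ipsec_policy() {       # $1 connection name, [$2 profile: modern|thread]
    case "${2:-modern}" in
        thread) ike_enc=DES3;   ike_int=SHA1;   dh=DHGroup2
                esp_enc=DES3;   esp_int=SHA1;   pfs=PFS1 ;;
        *)      ike_enc=AES256; ike_int=SHA256; dh=DHGroup14
                esp_enc=AES256; esp_int=SHA256; pfs=PFS2048 ;;
    esac
    run az network vpn-connection ipsec-policy add -g "$RG" --connection-name "$1" \
        --ike-encryption "$ike_enc" --ike-integrity "$ike_int" --dh-group "$dh" \
        --ipsec-encryption "$esp_enc" --ipsec-integrity "$esp_int" --pfs-group "$pfs" \
        --sa-lifetime 3600 --sa-max-size 102400000
}

main() {
    : "${PSK_SITE1:?export PSK_SITE1 first}" "${PSK_SITE2:?export PSK_SITE2 first}"
    create_gateway
    create_local_gateway site1-lng 203.0.113.10  10.1.0.0/24   # pfSense site 1 (placeholder)
    create_local_gateway site2-lng 198.51.100.20 10.2.0.0/24   # pfSense site 2 (placeholder)
    create_connection azure-to-site1 site1-lng "$PSK_SITE1"
    create_connection azure-to-site2 site2-lng "$PSK_SITE2"
    add_ipsec_policy azure-to-site1
    add_ipsec_policy azure-to-site2
}

case "${1:-}" in
    plan)  DRY_RUN=1; main ;;
    apply) DRY_RUN=0; main ;;
    *)     echo "usage: $0 plan|apply   (export PSK_SITE1 and PSK_SITE2 first)" ;;
esac
```

Run `sh azure-multisite.sh plan` to see the commands, then `apply` to create them. The Phase 2 lifetime of 3600 s matches the post; Azure's IKE SA lifetime is fixed at 28800 s, which is why that Phase 1 value works. Each pfSense site then needs a Phase 2 entry per remote prefix it should reach, and the local-address-prefixes on each local network gateway must list every prefix behind that site, or Azure will not route to it.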
dtobal:
I tried to do this site-to-site between Azure ARM and pfSense 2.2.6, and I didn't have success.
The log shows IKE CONNECTING and DESTROYING.
In Azure, I see CONNECTED, and a few seconds later I see UNKNOWN in the Connection Status.
In the pfSense IKE log, I get that the pre-shared key was successfully authenticated... but the next message is "bypasslan missing no alternative config found" or something like that.
I already tried many kinds of VPN setup in Azure ARM.
Do you have any tip? In the Pre-Shared Keys tab... did you use the IP or the FQDN as identifier?
How did you create your S2S VPN in Azure? Route- or policy-based? Static or dynamic IP?
strigona:
I'm running pfSense 2.3.1_5 and I have a somewhat similar setup:
Site 1: Office (pfSense)
Site 2: Azure 1
Site 3: Azure 2
We started with only Sites 1 & 2 (no Azure 2) and had a site-to-site VPN working 100% fine.
We later added Azure 2 (Site 3) and wanted to connect it to Sites 1 & 2. Connecting Site 1 & Site 3 was trivial: we pretty much duplicated the Phase 1 & 2 settings and just updated the IPs as required.
Where I think things started to fall off the rails was when connecting Sites 2 & 3 together. We created another site-to-site VPN between the two networks. Traffic between them is fine, but traffic to/from Azure & the office is terrible, and pfSense reports high packet loss on the WAN gateway for some reason.
From your knowledge, is what I'm doing not the proper way? Should I be setting up a multi-site VPN on Azure instead of 2 site-to-site VPNs (per site)? Does pfSense handle Azure's dynamic routing?
Thanks in advance!