IPSEC Azure tunnel to 2 sites

  • Hi all,

    I am having a little trouble setting up an IPsec tunnel from Azure to 2 sites.
    A little background:

    Site 1:
    WAN: Static IP
    FW: pfsense (latest)

    Site 2
    WAN: Static IP
    FW: pfsense (latest)

    Site 3 (Azure):
    Address space:
    Subnet 1 (usable subnet for VMs):
    Gateway (subnet used for communication):

    IPsec tunnel 1:
    site 1 <-> site 2

    IPsec tunnel 2:
    site 1 <-> site 3

    Now I've configured the Azure tunnel with the following tutorial: https://knowledge.zomers.eu/pfsense/Pages/How-to-connect-an-Azure-cloud-to-pfSense-over-IPSec.aspx
    The problem is that I want traffic from site 2 to site 3 (and vice versa), if possible through IPsec tunnels 1 & 2.

    Now I've added the subnet ranges to phase 2 of both IPsec tunnels, but I can't create any traffic.

    Am I doing something wrong? Or do I need to create a tunnel between site 2 & site 3? Because on Azure I can't use the same local network, so I would have to recreate all my VMs then.

    Thanks for the help!

  • After a night without sleep, I finally found a solution. I'll describe the bullet points here; if someone needs more info then give me a sign and I'll write a tutorial for it.

    First: a static gateway route in Azure is not supported, you have to change it to a dynamic gateway.

    Follow these steps: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-multi-site/
    Then in pfSense use the following settings:

    phase 1:

    • key exchange: v2
    • authentication: Mutual PSK
    • My identifier: My IP
    • Peer identifier: Peer IP
    • Encryption algorithm: 3DES
    • Hash algorithm: SHA1
    • DH Key: 2 (1024)
    • Lifetime: 28800
    • Disable rekey (not sure if needed)
    • Disable reauth (not sure if needed)
    • DPD with 10 & 5

    phase 2:

    • local: LAN subnet
    • remote: usable subnet, not the whole address space
    • protocol: ESP
    • encryption algorithm: AES Auto & 3DES
    • Hash algorithm: MD5 & SHA1
    • PFS: group 1
    • lifetime: 3600

    Then create a pre-shared key under the Pre-Shared Keys tab:

    • identifier: IP address of the Azure dynamic gateway
    • type: PSK
    • pre-shared key: as configured

    Now the tunnel will connect and you have multiple sites connected to Azure.
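The phase 1 / phase 2 settings listed in the post above, written out as an added example in the `ipsec.conf` / `ipsec.secrets` syntax of strongSwan, the IKE daemon that pfSense drives underneath its GUI. This is not the poster's own configuration and not something the post supplies; every address in it is a hypothetical placeholder from the RFC 5737 / RFC 1918 documentation ranges: 203.0.113.10 is the site 1 WAN address, 198.51.100.20 the Azure gateway address, 10.1.0.0/24 the site 1 LAN and 10.3.1.0/24 the usable Azure VM subnet (the phase 2 remote network, not the whole Azure address space). The pfSense "DPD 10 & 5" fields are approximated with `dpddelay=10s`; in IKEv2 charon ignores `dpdtimeout` and the retry count comes from its retransmission settings, so the "5" has no direct one-line equivalent here.

```conf
# /etc/ipsec.conf  (added example; addresses are placeholders, not from the post)

config setup
    charondebug="ike 1, cfg 1"

conn %default
    keyexchange=ikev2            # pfSense: Key Exchange version = v2
    authby=psk                   # pfSense: Mutual PSK
    rekey=no                     # pfSense: Disable rekey
    reauth=no                    # pfSense: Disable reauth
    dpddelay=10s                 # pfSense: DPD delay 10 s
    dpdaction=restart
    left=203.0.113.10            # site 1 WAN (hypothetical)
    leftid=203.0.113.10          # pfSense: My identifier = My IP
    leftsubnet=10.1.0.0/24       # phase 2 local: LAN subnet (hypothetical)

conn azure
    # phase 1 as in the post: 3DES / SHA1 / DH group 2 (modp1024), lifetime 28800 s
    ike=3des-sha1-modp1024!
    ikelifetime=28800s
    # phase 2 as in the post: ESP, AES (any length) or 3DES with SHA1 or MD5,
    # PFS group 1 (modp768), lifetime 3600 s
    esp=aes256-sha1-modp768,aes128-sha1-modp768,3des-sha1-modp768,aes256-md5-modp768,aes128-md5-modp768,3des-md5-modp768!
    lifetime=3600s
    right=198.51.100.20          # Azure dynamic gateway public IP (hypothetical)
    rightid=198.51.100.20        # pfSense: Peer identifier = Peer IP
    rightsubnet=10.3.1.0/24      # phase 2 remote: usable VM subnet only (hypothetical)
    auto=start
    # Stronger proposals to prefer where the peer accepts them (not in the post):
    # ike=aes256-sha256-modp2048!
    # esp=aes256-sha256-modp2048!

# /etc/ipsec.secrets  (added example)
# Keyed on the peer's IP, matching the pfSense Pre-Shared Keys tab entry
# whose identifier is the Azure gateway address.
203.0.113.10 198.51.100.20 : PSK "replace-with-the-key-configured-in-azure"
```

Caveat in the editor's own words, not the poster's: 3DES, MD5, SHA-1 and DH groups 1 and 2 are considered weak by current standards and PFS over modp768 adds little; if both ends can negotiate AES-256 with SHA-256 and DH group 14 or stronger, use the commented proposals instead of the ones the post lists.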

  • Hi Anvar,

    I tried to do this site-to-site between Azure ARM and pfSense 2.2.6, and I didn't have success.

    The log shows IKE CONNECTING and DESTROYING.
    In Azure, I see CONNECTED, and a few seconds later I see UNKNOWN in the Connection Status.

    In the pfSense IKE log, I am getting that the pre-shared key was successfully authenticated… but the next message is "bypasslan missing no alternative config found" or something like that.

    I already tried many kinds of VPN setup in Azure ARM.

    Do you have any tip? In the Pre-Shared Keys tab, did you use an IP or an FQDN as the identifier?
    How did you create your VPN S2S in Azure? Route-based or policy-based? Static or dynamic IP?


  • Hey Anvar,

    I'm running pfSense 2.3.1_5 and I have a somewhat similar setup..

    Site 1: Office (pfSense)

    Site 2: Azure 1

    Site 3: Azure 2

    We started with only Site 1 & 2 (no Azure 2) and had a Site to Site VPN working 100% fine.

    We later added Azure 2 (Site 3) and wanted to connect it to Site 1 & 2. Connecting Site 1 & Site 3 was trivial, pretty much duplicated the Phase 1 & 2 settings and just updated the IPs as required.

    Where I think things started to fall off the rails was when connecting Sites 2 & 3 together. We created another site-to-site VPN between the two networks. Traffic between them is fine, but traffic to/from Azure & Office is terrible and pfSense reports high packet loss on the WAN gateway for some reason.

    From your knowledge, is what I'm doing not the proper way? Should I be setting up a multi-site VPN on Azure instead of 2 site-to-site VPNs (per site)? Does pfSense handle Azure's dynamic routing?

    Thanks in advance!