Friday, January 6, 2017

VPN Site-to-Site connection between Azure VPN Gateway and pfSense: Important Details

When implementing an IaaS solution on Azure for, let's say, hosting a web application, it is important to have a controlled secure access to the Azure network from the office site in order to limit an exposure of the Azure virtual machines to the public Internet and prevent unauthorized access to the Azure network resources. Standard solution for this requirement is a site-to-site VPN that allows continuous encrypted connection between two networks: a physical office network and a virtual network on Azure.

 There is an out of the box Azure solution for the site-to-site VPN: virtual network Gateway. It's a fairly straightforward IaaS component that supports site-to-site VPN over IPSec protocol and point-to-site VPN access point. It's well documented on Azure https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal.

In the scope of this article I will not be explaining basics of this solution but rather focus on some specific details of implementing this solution for one particular scenario: in the office site the VPN is implemented on pfSense firewall. Specifics of such an implementation are those:
  • Azure does not have a standard VPN gateway configuration to connect with pfSense;
  • Azure requires IPSec to be used for site-ti-site VPN which is rather tricky to configure on pfSense;
  • Particulars of IPSec configuration are not documented.
There are articles written about this scenario on the Internet (just do a search) but even with the most detailed explanation and screenshots it may take some time and debugging efforts in order to make it work. On a flip side, once it works it most likely will be very reliable and trouble-free. Let's waist no more time and get right to the matter.

Start from creating an configuring a VPN gateway on Azure as this is a prerequisite. Follow the Azure documentation in the list below:
  • https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-site-to-site-create
  • https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
  • https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-configure-vpn-gateway-mp
Once you have the VPN gateway created and the VPN device configured, it's time to configure the pfSense. Keep in mind that because the pfSense is not a supported Azure VPN device you won't be able to get technical help form Azure, so pay attention to the details.

Step 1. Configure pfSense VPN IPSec Phase 1

Step 2. Configure pfSense VPN IPSec Phase 2

Step 3. Connect and enjoy

If you configured everything exactly how it's shown on the screenshots the connection should be established and stay connected.


If pfSense and Azure gateway cannot connect most likely there is a mistake in a configuration. Verify thoroughly that all the pfSesnse settings are exactly as shown on the screenshots. If you don't see required options in the settings your pfSense is outdated and you need to upgrade to a more recent version that supports all the required protocols and algorithms.

No comments:

Post a Comment