Last modified at 9/17/2014 1:38 PM by Koen Zomers

Updated in February 2014: I have updated the steps and some screenshots to reflect the current situation on Azure as of February 2014 as a few crucial settings have changed since I initially wrote this article. With the settings and steps mentioned in this article, you should be good to go again.

As Azure keeps expanding rapidly, it now also allows you to connect your Azure cloud network to your local (company) network using a pfSense server. It will create a secure IPsec connection between the two. Follow the steps below in order to set up this connection. I assume you already have an Azure account. I have used my MSDN Ultimate subscription which includes free use of the Azure services. The screenshots and steps are valid at this time of writing and might change as Azure changes rapidly. The steps should stay pretty much similar though.

  1. Go to the Azure management portal by surfing to www.azure.com and clicking on the Portal link at the top right

    pfSense-Azure-IPSec-LoginToAzurePortal.png
  2. Once logged in, your Azure dashboard will appear with an overview of all you have running in your Azure cloud already. I'm starting from a blank Azure environment. I only have two storage containers in my environment, which are irrelevant for this tutorial so they can be ignored.

    pfSense-Azure-IPSec-EmptyAzurePortal.png
  3. In the left bar, click on Networks

    pfSense-Azure-IPSec-AzurePortalNetworks.png
  4. Click on the Create a virtual network link

    pfSense-Azure-IPSec-AzureNetworksCreateVirtualNetworkLink.png
  5. In the Create a virtual network wizard, enter a name you wish to assign to your virtual network which will reside in your Azure cloud. If you don't have an affinity group yet, select Create a new affinity group, select the region closest to you and provide a name for your new affinity group. You can also reuse an existing affinity group, if you created one previously. Click on the arrow at the right bottom to continue with step 2.

    What are affinity groups?

    An affinity group defines a set of Azure items which will all be hosted as close to each other as possible. This means that when you have several virtual machines in Azure and they're all in the same affinity group, they will be hosted on servers geographically close to each other (i.e. the same data center, or even the same rack in the same data center). Placing them in different affinity groups, even within the same region, could result in the virtual machines being hosted in different data centers in different countries within that region, making the links between them slower.

    pfSense-Azure-IPSec-AzureNetworksCreateVirtualNetworkStep1.png
  6. In the next step, input the DNS server(s) you have on your local network so Azure can utilize these once the VPN connection is established. Make sure you tick the box for the site-to-site VPN option.

    pfSense-Azure-IPSec-AzureSetDNSServers.png
  7. In the Name box, enter some name that identifies the network to you on your side where you are going to connect to from Azure via VPN. It is just an identifier in Azure and doesn't have to relate to anything.

    In the VPN Device IP Address field, enter the public IPv4 address of your pfSense box that Azure can connect to.

    In the Address Space section you need to specify an IP range that is in use on your on-premise network and that the Azure instances should route traffic to. It is used to build up the routing table so the Virtual Machines running on your Azure virtual network will know what traffic to route over the VPN connection to your on-premise environment and what traffic to route through the Azure gateway to the internet.

    In my scenario, I have chosen the IP range 192.168.0.0 - 192.168.127.255 (192.168.0.0/17). This leaves me with anything between 192.168.128.0 and 192.168.254.255 to assign within Azure. We'll do that in the next step.

    Click on the arrow at the right bottom once done to continue with step 4.



  8. The Virtual Network Address Spaces section is meant to provide an assignment of one or more IPv4 address blocks that you wish to make available within your Azure environment. That is, if you spin up a new Virtual Machine in Azure and assign it to the virtual Azure network you specified earlier on in this wizard, that virtual machine will receive an IPv4 address from within this range, which will allow it to use the VPN connection we're currently setting up to connect to your on-premise environment.

    In my situation I have set up the IPv4 range 192.168.128.0 - 192.168.128.255 (192.168.128.0/24) that now can be used within Azure.

    You also need to create a small subnet used for the IPSec routing towards your on-premise environment. To do this, click on the add gateway subnet button. I chose to make the range 192.168.128.200 - 192.168.128.207 (192.168.128.200/29) available for this.

    Click on the V mark icon at the right bottom to complete the wizard.
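    The address plan from steps 7 and 8 is easy to get wrong, and an overlap between the on-premise space and the Azure space (or a gateway subnet outside the Azure space) will stop traffic from routing over the tunnel. The following script is an added example, not part of the original article; it checks the plan with the ranges used above and works out which part of 192.168.0.0/16 is still free for Azure. The network values are taken from the steps; the /16 parent range is an assumption.

```python
import ipaddress

# Values from the tutorial's address plan (steps 7 and 8).
ON_PREM = "192.168.0.0/17"             # step 7: Address Space of the on-premise network
AZURE_VNET = "192.168.128.0/24"        # step 8: Virtual Network Address Space
GATEWAY_SUBNET = "192.168.128.200/29"  # step 8: gateway subnet for the IPsec routing


def check_address_plan(on_prem, azure_vnet, gateway_subnet):
    """Return a list of problems with the site-to-site address plan (empty list = OK).

    Azure builds its routing table from these ranges: the on-premise space is
    sent over the VPN and the VNet space stays inside Azure, so the two must not
    overlap, and the gateway subnet must be carved out of the VNet space.
    """
    try:
        # strict=True rejects ranges whose host bits are set, e.g. 192.168.128.201/29
        prem, vnet, gw = (ipaddress.ip_network(n, strict=True)
                          for n in (on_prem, azure_vnet, gateway_subnet))
    except ValueError as exc:
        return [f"invalid network: {exc}"]

    problems = []
    if prem.overlaps(vnet):
        problems.append(f"on-premise space {prem} overlaps Azure VNet space {vnet}")
    if not gw.subnet_of(vnet):
        problems.append(f"gateway subnet {gw} is not inside the VNet space {vnet}")
    return problems


def remaining_for_azure(parent, on_prem):
    """Return the blocks of 'parent' (assumed private range) not claimed by the on-premise space."""
    parent_net = ipaddress.ip_network(parent, strict=True)
    return list(parent_net.address_exclude(ipaddress.ip_network(on_prem, strict=True)))


if __name__ == "__main__":
    issues = check_address_plan(ON_PREM, AZURE_VNET, GATEWAY_SUBNET)
    print("address plan OK" if not issues else "\n".join(issues))
    print("free for Azure:", [str(n) for n in remaining_for_azure("192.168.0.0/16", ON_PREM)])
```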



  9. You will return to the Azure networks dashboard where you will see your new network being created. Just wait for at most a few minutes and the network will automatically show up as created and available for use. Click on the arrow to enter the virtual network.

    pfSense-Azure-IPSec-AzureNetworksCreateVirtualNetworkCreated.png
  10. You will notice that your Azure and local (company) network are not connected yet. Let's continue with setting that part up.

    pfSense-Azure-IPSec-AzureNetworksVirtualNetworkDisconnected2.png
  11. Click on the Create Gateway button at the bottom and choose Static Routing

    pfSense-Azure-IPSec-AzureNetworksVirtualNetworkCreateGatewayButton.png
  12. At the bottom a bar will pop up asking you to confirm the operation. Click on Yes.

    pfSense-Azure-IPSec-AzureNetworksVirtualNetworkCreateGatewayConfirm.png
  13. A message will be shown in the same bar which notifies you that the gateway is being created.

    pfSense-Azure-IPSec-AzureNetworksVirtualNetworkCreateGatewayCreating.png

    Once it's done, it will show a notification similar to the one below.

    Azure-pfSense-VPN-GatewayCreated.png

  14. The gateway creation will take a couple of minutes to complete. It took about 10 minutes here.

    In the meantime, let's make a start with setting up pfSense for the IPsec connection. By clicking on the "Download VPN Device Script" link at the right a popup will be shown with scripts for a few IPsec routers which can be used to configure them for the Azure connection. Unfortunately pfSense is not among them, so we can't utilize that here, but just know it's there as it might be expanded with scripts for other devices in the future.

    pfSense-Azure-IPSec-AzureNetworksVirtualNetworkDownloadButton.png
  15. Log on to your pfSense server and via the menu at the top, navigate to VPN -> IPsec

    pfSense-Azure-IPSec-pfSenseVPNIPSecMenu.png
  16. Make sure the IPsec service is running and you have IPsec functionality enabled by ticking the checkbox and confirming the green icon at the top right.

    pfSense-Azure-IPSec-pfSenseVPNIPSecRunning.png
  17. Click on the + icon at the bottom to create a new IPsec entry

    pfSense-Azure-IPSec-pfSenseVPNIPSecCreateNewEntry.png
  18. Start filling out the page with the following information. The sections which differ from the defaults and thus need to be changed are marked with a red border. The remote gateway IP address and the pre-shared key will be generated by Azure once the gateway has been created. Just make sure the other fields are set correctly for now. Do note that you can't save this page without having the remote gateway and pre-shared key filled in, so once done with the other fields, leave this browser page open and switch back to your Azure browser to see if the gateway has been created.

    pfSense-Azure-IPSec-pfSenseVPNIPSecPhase1Settings1.png
    pfSense-Azure-IPSec-pfSenseVPNIPSecPhase1Settings2.png
  19. Hopefully by now the gateway has been created. If this is the case, you should now see a blue gateway and a gateway IP address being assigned to your Azure cloud as shown on the following screenshot. You don't have to refresh the page manually, it will be updated automatically once the gateway has been created.

    pfSense-Azure-IPSec-AzureNetworksVirtualNetworkConnecting.png
  20. Copy the gateway IP address in the Remote Gateway field of your pfSense IPsec phase 1 creation page you still have open from step 18. Do not click save at the bottom yet. Instead return back to your Azure browser.
  21. At the bottom, click on Manage Key. Note that this button is only visible once the gateway has been created.

    pfSense-Azure-IPSec-AzureNetworksVirtualNetworkManageKeyButton.png
  22. In the dialog that is being shown, copy the value in the Manage shared key field and paste it into the Pre-Shared Key field of your pfSense IPsec phase 1 creation page you still have open from steps 18 and 20.

    pfSense-Azure-IPSec-AzureNetworksVirtualNetworkManageKeyDialog.png
  23. Back in your pfSense browser, click Save at the bottom to create the phase 1.
  24. In the VPN: IPsec overview of pfSense, you should now see that a new entry has been created. Click on the + button at the left to expand the phase 2 section for this phase 1.

    pfSense-Azure-IPSec-pfSenseVPNIPSecPhase2AddPhase1.png
    Now click on the + icon next to the row that shows up to add a new phase 2 entry.
    pfSense-Azure-IPSec-pfSenseVPNIPSecPhase2AddPhase2.png
  25. Fill out the fields as shown on the screenshot below. The fields that are different from the defaults and thus need to be changed are marked with a red box. In the Local Network section, enter the same network range you have used at step 7. In the Remote Network section, enter the same network range you have used at step 8. Click save at the bottom once done.


    pfSense-Azure-IPSec-pfSenseVPNIPSecPhase2Settings2.png
  26. Back on the VPN: IPsec page, click the Apply changes to submit the new IPsec registration to pfSense.

    pfSense-Azure-IPSec-pfSenseVPNIPSecApplyChanges.png
  27. pfSense and Azure now start connecting to each other. You can verify this by going to the Status menu and then to the IPSec menu option.


    It may take a couple of minutes for it to successfully connect. If it still isn't able to connect, so there's no green icon next to the status row, go to the pfSense Status menu at the top, select System Logs, go to the IPsec tab and check what information is being logged there. It should give you at least some idea where you might have made a mistake.
    pfSense-Azure-IPSec-pfSenseIPSecSystemLog.png

    Do not forget to set up your firewall rules to allow traffic from and to Azure.

    While pfSense might indicate the connection has already been established, it may take the Azure dashboard a few minutes more to confirm the same. Just be patient and check it again in a few minutes after which it should show a connected blue/green colored line between the left square representing your Azure virtual network and the right square representing your on-premise network.

    pfSense-Azure-IPSec-AzureNetworksVirtualNetworkConnected.png
  28. I won't go through the steps of creating a virtual machine in Azure since this is pretty straightforward. There are a few important steps to mention though. You cannot use the Quick Create option as that will not allow you to select the virtual network to attach the new instance to. Instead, choose to create a new VM From Gallery and go through the steps. On the fourth step you then get to select your virtual network. Only if you select this virtual network will this VM get assigned an IPv4 address from the range you have specified above, and only then will it be able to communicate over the VPN connection between Azure and your on-premise network. Once created with the wrong option, there is no way to revert this. You will need to rebuild your virtual machine from scratch, so beware of this!

    pfSense-Azure-IPSec-AzureNetworksCreateVirtualMachine.png

    You can verify if you have configured it correctly once the virtual machine has been created by going into the virtual machine on the Azure dashboard and checking the Internal IP Address field at the right. It should show an IPv4 address from within the range you have specified in the steps above.

    pfSense-Azure-IPSec-AzureNetworksCreateVirtualMachineInternalIP.png
  29. Once this virtual machine has been created, I can now conduct a ping from my Azure virtual machine to a private IPv4 address on my local (company) network utilizing the IPsec link between Azure and pfSense. Cool stuff!

    pfSense-Azure-IPSec-AzureNetworksCreateVirtualMachinePing.png

    If this doesn't work yet, there are a few things to verify and double-check:

    Is the IPsec link up and running? Check this at both the Azure dashboard and the pfSense IPsec pages. Remember that it might take a few minutes before it works after configuring it. It might also already work while the Azure dashboard still shows connecting, so prefer checking it on the pfSense side, which reflects the real-time state.

    Do you have the correct pfSense firewall rules in place to allow traffic from and to Azure?

    In case you're trying a ping, is the Windows firewall allowing ping replies? By default this isn't the case. You need to explicitly allow this in the Windows Firewall with Advanced Security editor inside Windows by enabling the rule "File and Printer Sharing (Echo Request - ICMPv4-In)".