Microsoft Azure Route-based VPN

Microsoft Azure offers three VPN types:

  • policy-based (restricted to a single S2S connection)

  • route-based

  • route-based with BGP (not available in the virtual network gateway SKU “Basic”)

This how-to covers setting up a route-based S2S VPN.

Before you start

Before starting with the configuration of an IPsec tunnel you need to have a working OPNsense installation and an Azure virtual network setup with a unique LAN IP subnets for each side of your connection (your local networks need to be different from your remote networks).

For setting up a Microsoft Azure virtual network and virtual network gateway refer to the Microsoft Azure documentation:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Sample Setup

This sample configuration uses an OPNsense box and the basic Azure virtual network gateway, with the following configuration:

OPNsense

Hostname

OPNsense

WAN IP

1.2.3.4

LAN Network

192.168.1.1/24



Azure

Hostname

Azure

Virtual Network Gateway Public IP

4.3.2.1

Virtual Network Address Space

192.168.2.0/24



Firewall Rules OPNsense

To allow IPsec tunnel connections, the following should be allowed on WAN for on sites (under Firewall ‣ Rules ‣ WAN):

  • Protocol ESP

  • UDP Traffic on port 500 (ISAKMP)

  • UDP Traffic on port 4500 (NAT-T)

../../_images/ipsec_wan_rules.png

Note

You can further limit the traffic by the source IP of the remote host.

Step 1 - Phase 1 OPNsense

(Under VPN ‣ IPsec ‣ Tunnel Settings Press +) We will use the following settings:

General information

Connection method

Respond only

Key Exchange version

V2

Internet Protocol

IPv4

Interface

WAN

Choose the interface connected to the internet

Remote gateway

4.3.2.1

The public IP address of your Azure virtual network

Description

IPsec Azure

Freely chosen description

Phase 1 proposal (Authentication)

Authentication method

Mutual PSK

Using a Pre-shared Key

My identifier

My IP address

Simple identification for fixed IP

Peer identifier

Peer IP address

Simple identification for fixed IP

Pre-Shared Key

At4aDMOAOub2NwT6gMHA

Random key. CREATE YOUR OWN!

Phase 1 proposal (Algorithms)

Encryption algorithm

AES 256

refer to Azure docs for details

Hash algoritm

SHA256

DH key group

2 (1024 bit)

Lifetime

28800 sec

Lifetime before renegotiation

Advanced Options

Install Policy

Unchecked

This has to be unchecked since we want plain routing

Disable Rekey

Unchecked

Renegotiate when connection is about to expire

Disable Reauth

Unchecked

For IKEv2 only re-authenticate peer on rekeying

NAT Traversal

Disable

For IKEv2 NAT traversal is always enabled

Dead Peer Detection

Unchecked

Save your setting by pressing:

../../_images/btn_save.png

Step 2 - Phase 2 OPNsense

Press the button that says ‘+ Show 0 Phase-2 entries’

../../_images/ipsec_s2s_vpn_p1a_show_p2.png

You will see an empty list:

../../_images/ipsec_s2s_vpn_p1a_p2_empty.png

Now press the + at the right of this list to add a Phase 2 entry. As we do not define a local and remote network, we just use tunnel addresses, you might already know from OpenVPN. In this example we use 10.111.1.1 and 10.111.1.2. These will be the gateway addresses used for routing

General information

Mode

Route-based

Select Route-based

Description

Azure VNET

Freely chosen description

Tunnel Network

Local Address

Local Tunnel IP

Set IP 10.111.1.1

Remote Address

Remote Tunnel IP

Set IP 10.111.1.2

Phase 2 proposal (SA/Key Exchange)

Protocol

ESP

Choose ESP for encryption

Encryption algorithms

AES / 256

refer to Azure docs for details

Hash algortihms

SHA256

PFS Key group

off

Not supported

Lifetime

27000 sec

Save your settings by pressing:

../../_images/btn_save.png

Enable IPsec for OPNsense, select:

../../_images/ipsec_s2s_vpn_p1a_enable.png

Save:

../../_images/btn_save.png

And apply changes:

../../_images/ipsec_s2s_vpn_p1a_apply.png
../../_images/ipsec_s2s_vpn_p1a_success.png

Step 3 - Set MSS Clamping

(Under Interfaces ‣ IPsec Azure) We will use the following settings:

Setup

MSS

1350

Required

Leave the other settings as per default.

Save:

../../_images/btn_save.png

You are almost done configuring OPNsense (only some firewall settings remain, which will be addressed later). We will now proceed setting up Azure.


Step 4 - Azure: Setup local network gateway

(Under All resources press + Add, then search and Create Local network gateway) We will use the following settings:

Setup

Name

lng.opnsense

Freely chosen name

IP address

1.2.3.4

The public IP address of your remote OPNsense

Address space

192.168.1.0/24

LAN Network

Address space

10.111.1.1/32

Local Tunnel IP

Press the button that says ‘Create’:

../../_images/ipsec_s2s_route_azure_lng.png

Step 5 - Azure: Setup VPN connection

(Under All resources –> Virtual network gateway –> Connections Press + Add) We will use the following settings:

General setup

Name

vpn.opnsense

Freely chosen name

Connection type

Site-to-site (IPsec)

Virtual network gateway

vpn.gw

Select virtual network gateway

Local network gateway

lng.opnsense

Select local network gateway

Shared Key (PSK)

At4aDMOAOub2NwT6gMHA

Random key. CREATE YOUR OWN!

Press the button that says ‘OK’:

../../_images/ipsec_s2s_route_azure_conn.png

Firewall Rules OPNsense

To allow traffic passing to your LAN subnet you need to add a rule to the IPsec interface (under Firewall ‣ Rules ‣ IPsec).

../../_images/ipsec_ipsec_lan_rule.png

IPsec Tunnel Ready

The tunnel should now be up and routing the both networks. Go to VPN ‣ IPsec ‣ Status Overview to see current status.

Step 6 - Define Gateways

Now that you have the VPN up and running you have to set up a gateway. Go to System ‣ Gateways ‣ Single and add a new gateway.

OPNsense

Name

VPNGW

Set a name for your gateway

Interface

IPSEC1000

Choose the IPsec interface

IP Address

10.111.1.2

Set the peer IP address

Far Gateway

Checked

This has to be checked as it is a point-to-point connection

Step 7 - Add Static Routes

When the gateway is set up you can add a route for the Azure virtual network pointing to the new gateway. Go to System ‣ Routes ‣ Configuration.

Route OPNsense

Network Address

192.168.2.0/24

Azure virtual network

Gateway

VPNGW

Select the VPN gateway

Now you are all set!