Microsoft Azure Route-based VPN

Microsoft Azure offers three VPN types:

  • policy-based (restricted to a single S2S connection)
  • route-based
  • route-based with BGP (not available in the virtual network gateway SKU “Basic”)

This how-to covers setting up a route-based S2S VPN.

Before you start

Before starting with the configuration of an IPsec tunnel you need a working OPNsense installation and an Azure virtual network, with unique LAN IP subnets on each side of the connection (your local networks must not overlap your remote networks).

For setting up a Microsoft Azure virtual network and virtual network gateway, refer to the Microsoft Azure documentation.

Sample Setup

This sample configuration uses an OPNsense box and the basic Azure virtual network gateway, with the following configuration:


Hostname OPNsense
LAN Network


Hostname Azure
Virtual Network Gateway Public IP
Virtual Network Address Space

Firewall Rules OPNsense

To allow IPsec tunnel connections, the following must be allowed on WAN on both sites (under Firewall ‣ Rules ‣ WAN):

  • Protocol ESP
  • UDP Traffic on port 500 (ISAKMP)
  • UDP Traffic on port 4500 (NAT-T)


You can further limit the traffic by the source IP of the remote host.

Step 1 - Phase 1 OPNsense

Under VPN ‣ IPsec ‣ Tunnel Settings, press + and use the following settings:

General information

Connection method: Respond only
Key Exchange version: V2
Internet Protocol: IPv4
Interface: WAN (choose the interface connected to the internet)
Remote gateway: the public IP address of your Azure virtual network gateway
Description: IPsec Azure (freely chosen description)

Phase 1 proposal (Authentication)

Authentication method: Mutual PSK (using a pre-shared key)
My identifier: My IP address (simple identification for a fixed IP)
Peer identifier: Peer IP address (simple identification for a fixed IP)
Pre-Shared Key: At4aDMOAOub2NwT6gMHA (random key; CREATE YOUR OWN!)

Phase 1 proposal (Algorithms)

Encryption algorithm: AES 256 (refer to the Azure docs for details)
Hash algorithm: SHA256
DH key group: 2 (1024 bit)
Lifetime: 28800 sec (lifetime before renegotiation)

Advanced Options

Install Policy: unchecked (this has to be unchecked since we want plain routing)
Disable Rekey: unchecked (renegotiate when the connection is about to expire)
Disable Reauth: unchecked (for IKEv2 only: re-authenticate the peer on rekeying)
NAT Traversal: Disable (for IKEv2, NAT traversal is always enabled)
Dead Peer Detection: unchecked

Save your settings.


Step 2 - Phase 2 OPNsense

Press the button that says ‘+ Show 0 Phase-2 entries’


You will see an empty list:


Now press the + at the right of this list to add a Phase 2 entry. Since we do not define a local and remote network, we only use tunnel addresses, as you may already know from OpenVPN. In this example we use and ; these will be the gateway addresses used for routing.

General information

Mode: Route-based (select Route-based)
Description: Azure VNET (freely chosen description)

Tunnel Network

Local Address: the local tunnel IP
Remote Address: the remote tunnel IP

Phase 2 proposal (SA/Key Exchange)

Protocol: ESP (choose ESP for encryption)
Encryption algorithms: AES / 256 (refer to the Azure docs for details)
Hash algorithms: SHA256
PFS Key group: off (not supported)
Lifetime: 27000 sec

Save your settings.

Enable IPsec for OPNsense and apply the changes.


Step 3 - Set MSS Clamping

Under Interfaces ‣ IPsec Azure, use the following settings:


MSS: 1350 (required)

Leave the other settings as per default.



You are almost done configuring OPNsense (only some firewall settings remain, which will be addressed later). We will now proceed setting up Azure.

Step 4 - Azure: Setup local network gateway

Under All resources press + Add, then search for and create a Local network gateway with the following settings:


Name: lng.opnsense (freely chosen name)
IP address: the public IP address of your remote OPNsense
Address space: your LAN network
Address space: the local tunnel IP

Press the button that says ‘Create’.


Step 5 - Azure: Setup VPN connection

Under All resources –> Virtual network gateway –> Connections, press + Add and use the following settings:

General setup

Name: vpn.opnsense (freely chosen name)
Connection type: Site-to-site (IPsec)
Virtual network gateway: select your virtual network gateway
Local network gateway: lng.opnsense (select the local network gateway)
Shared Key (PSK): At4aDMOAOub2NwT6gMHA (random key; CREATE YOUR OWN!)

Press the button that says ‘OK’.
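Before pressing OK it is worth checking that the values entered on both sides agree. The script below is an added example, not part of this how-to or of OPNsense: it checks the non-overlap requirement from "Before you start", the local network gateway address space from Step 4 and the shared key from Steps 1 and 5, using constructed placeholder addresses.

```python
import ipaddress
import secrets

# Key printed in the how-to; it must never end up in a real configuration.
SAMPLE_KEY = "At4aDMOAOub2NwT6gMHA"


def check_site_to_site(opnsense, azure):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    lan = ipaddress.ip_network(opnsense["lan"])
    vnet = ipaddress.ip_network(azure["vnet"])
    # Local and remote networks must differ (see "Before you start").
    if lan.overlaps(vnet):
        problems.append(f"LAN {lan} overlaps Azure address space {vnet}")
    # Route-based mode uses two tunnel host addresses; they must differ and
    # must not sit inside either LAN range, or the static route is ambiguous.
    local_tun = ipaddress.ip_address(opnsense["local_tunnel_ip"])
    remote_tun = ipaddress.ip_address(opnsense["remote_tunnel_ip"])
    if local_tun == remote_tun:
        problems.append("local and remote tunnel IP are identical")
    for ip in (local_tun, remote_tun):
        if ip in lan or ip in vnet:
            problems.append(f"tunnel IP {ip} lies inside a LAN or VNET range")
    # The Azure local network gateway must list the LAN and the local tunnel IP
    # in its address space (Step 4), otherwise Azure has no route back to them.
    lng = [ipaddress.ip_network(n) for n in azure["lng_address_space"]]
    if not any(lan.subnet_of(n) for n in lng):
        problems.append(f"LAN {lan} missing from local network gateway")
    if not any(local_tun in n for n in lng):
        problems.append(f"tunnel IP {local_tun} missing from local network gateway")
    # The PSK entered in Step 1 and Step 5 must match and must be your own.
    if opnsense["psk"] != azure["psk"]:
        problems.append("pre-shared key differs between OPNsense and Azure")
    if opnsense["psk"] == SAMPLE_KEY:
        problems.append("pre-shared key is the sample key from the how-to")
    return problems


def generate_psk(nbytes=32):
    """Random, printable key to paste into both PSK fields."""
    return secrets.token_urlsafe(nbytes)


# Constructed sample values (not the how-to's); only the PSK is wrong here.
OPNSENSE = {"lan": "192.168.1.0/24", "local_tunnel_ip": "10.0.0.1",
            "remote_tunnel_ip": "10.0.0.2", "psk": SAMPLE_KEY}
AZURE = {"vnet": "10.1.0.0/16",
         "lng_address_space": ["192.168.1.0/24", "10.0.0.1/32"], "psk": SAMPLE_KEY}
```

Run check_site_to_site(OPNSENSE, AZURE) with your own values filled in; it reports only the reused sample key for the constructed input above.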


Firewall Rules OPNsense

To allow traffic passing to your LAN subnet you need to add a rule to the IPsec interface (under Firewall ‣ Rules ‣ IPsec).


IPsec Tunnel Ready

The tunnel should now be up and routing between both networks. Go to VPN ‣ IPsec ‣ Status Overview to see the current status.

Step 6 - Define Gateways

Now that you have the VPN up and running you have to set up a gateway. Go to System ‣ Gateways ‣ Single and add a new gateway.


Name: VPNGW (set a name for your gateway)
Interface: IPSEC1000 (choose the IPsec interface)
IP Address: set the peer IP address
Far Gateway: checked (this has to be checked as it is a point-to-point connection)

Step 7 - Add Static Routes

When the gateway is set up you can add a route for the Azure virtual network pointing to the new gateway. Go to System ‣ Routes ‣ Configuration.

Route OPNsense

Network Address: the Azure virtual network
Gateway: VPNGW (select the VPN gateway)

Now you are all set!