Configuring Site to Site (S2S) connection between Azure and on-premise Homelab (NAT-T)

What do i want to achieve?

I want to be able to set up an ipsec vpn connection between my azure network “AzureInSKYNET” and my on-premise network “SKYNET” so i’ll be able to move some workload from my domain SKYNET into Azure.

My challenge is that i want to connect to my homelab which is using NAT. In production a VPN device with a PublicIP is required.

Being at home with only my ISP box facing internet i don’t have any vpn device so i need a VPN Appliance. I cannot use Windows 2012 R2 RRAS because it does not support NAT-T, with RRAS only the RRAS machine would be able to communicate with Azure but i want to be able to span all my homelab network.

So what ? Time to give up?

Not at all! By chance we have a perfect free Appliance for that : Pfsense 2.2.2

Pfsense 2.2.2 does support NAT-T and is a layer 3 Appliance so it should do the trick ! i’ll be using an Hyper-V VM to run pfsense 2.2.2

 


 

Let’s go for a try with Pfsense 2.2.2

I’m not going to reinvent the Wheel so i’ll share the sources i’ve found when i can about installation/configuration process.

Let’s start by creating a VM with Hyper-V.

Name it pfsense, choose Generation 2,  assign 256 MB, connect the NIC to your external network, create a 1 GB hard drive, do not turn on the machine.

Once the machine is created, edit it and then add a second NIC, assign it then to your internal network and mount the Pfsense installation iso into your VM.

Your VM configuration should look like this :

pfsenseVM

Ensure that all Advanced features are disabled on the 2 NIC

VMNICNow you can download pfsense from here , select AM64 if you are using Hyper-V and live CD with installer then choose a Mirror for download.

Regarding the installation process you can follow the guide in video below:

Ignore the comment about the VM Generation. Pfsense 2.2.2 supports generation 2 VMs

Once your pfsense VM is properly configured you can move to the next step and actually create the Gateway in azure, configure the IPSEC VPN in Pfsense and then connect both side.

Follow this guide in order to configure the Gateway in azure and then your pfsense VM : Create a S2S VPN with Azure and Pfsense

Don’t forget to configure your ISP box to forward IPSEC required ports to your WAN NIC on your pfsense (500 UDP , 4500 UDP/TCP), Enable also IPsec PassTrough on your box if you have the option.

After a few minutes you should be able to see from both sides that you are connected and can ping both side.

from pfsense onPrem: “Status”,”IPsec”

ConnectionStatusS2S

from Azure Gateway status:

StatusFromAzure

Ping from Azure VM to my onPrem DC

pingFromAzureToOnPremDCPing from my onPrem DC to my Azure VM

pingFromOnpremDCtoAzureVMAnd finaly i can then join my on-premise domain Skynet from my Azure VM

AzureVMDomainJoined


 

Possible Issues

I’ll try to cover some of the issues that you can get.

 You still cannot get your S2S connection in connected state.

  •  Ensure to properly configure your ISP box : forward ports 500 UDP and 4500 UDP/TCP to the WAN NIC on your pfsense
  •  Allow IPSec to PassThrough on your ISP box
  •  Do not forget to set your ISP Box internal IP as Gateway on the WAN NIC of pfsense
  • check your pfsense firewall settings on “Firewall” , “Rules”, “IPSec tab” , it should be as below

IPSecFirewallRule

Your S2S connection is in connected state but you cannot ping from on-Premise to your Azure VM. You can ping from Azure to your onPremise though.

  •  Ensure to configure your on premise VM with the new Gateway. Machines which have to communicate with Azure must use the LAN NIC Address of your pfsense as Gateway. It won’t work if they keep using your ISP Box as Gateway.

 

Your connection is in connected state but you cannot ping from Azure VM to your on- Premise machine

  •  Ensure that your networking in Azure is coherent. If your VM does not have a route to your Azure Gateway because of wrong subnet setting the connection simply cannot work. You need to use routable addresses spaces.
  •  Don’t forget that you cannot change a network as long as it is in use (which means that if you’re network is properly configured you will have to recreate a network, a Gateway and redeploy a machine on that network)

For example:

my on-premise Network use 192.168.0.0/24 as address space my NIC LAN on pfsense is using 192.168.0.253/24

My Azure network use 172.16.0.0/24 as address space and my vm is on a subnet 172.16.0.0/27, my gateway is using 172.16.0.0/29

My networks are routable one to the other.

networkconfigAzure

AzureVMNetConfig

 

The most tricky one, Everything is connected and you can ping both side but when you attempt to join your domain you get an error. The machine is complaining about the network parth to the DC.

  •  Indeed this one happened to me, to issue is du to MTU and we need to do some tweaks in pfsense.
  •  Reproduce my pfsense config follwing the next screen shot if you are encountering this error.

Tweak Phase 1

from “VPN”,”IPSec”, edit “Phase 1” : modify Encyrption to AES 128K, Hash Algorythm to SHA1, activate DPD and NAT-Traversal to force

Phase1Tweak

Tweak phase 2

Set encryption algorithm to AES (Auto), Protocol (ESP), Hash algorithm (SHA1)

tweakPhase2

Go to Advanced setting and set the MSS Champing to 1350

MSSChamping

Save and apply the changes.

This is it for now, i hope that this post will be usefull to you.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

three × three =