Azure network + IPsec traffic from virtual appliance

Mathew Hunter 1 Reputation point
2021-08-11T22:58:35.18+00:00

I need to set up a virtual VPN appliance (long story: I need multiple policy VPN tunnels and don't want to shell out for the higher-priced VPN when a pfSense virtual appliance should do!).

I have the route table set up with routes to the subnets on sites 1 & 2 hitting the pfSense box as the next hop, and VPN works from site 1 -> Azure and site 2 -> Azure via the pfSense VPN virtual appliance, but I'm experiencing some odd behavior.

Azure VMs' traffic -> site 1/2 works fine, but none of the machines on site 1/2 can ping Azure VMs or do other things like RDP.

Doing packet captures, I see the traffic going over the IPsec tunnel and leaving the Azure LAN interface on the Azure pfSense virtual appliance, but it never reaches the Azure VM. When I packet trace on the Azure VM it never sees it.

I removed all NSGs and turned off Windows Firewall but still nothing. What in the world is eating my traffic between the virtual appliance's internal Azure LAN interface and the VM (same subnet!)?

Thanks,


1 answer
  1. Mathew Hunter 1 Reputation point
    2021-08-16T23:38:16.25+00:00

    Hey Gitarani,

    The end solution was odd but I figured it out thanks to a reddit post.

    To allow on-prem to get to Azure resources you need to do the following:

    On the pfSense virtual appliance, I removed the LAN interface (make sure you have some rules for management on the WAN). Then add static routes to your ON-PREM networks via the Azure WAN gateway (10.0.1.1 or similar).

    I had set up a separate subnet for the pfSense VPN gateway vs. the VMs in Azure.

    For Azure traffic -> on-prem, make sure your route tables in Azure have the route to on-prem pointing at your pfSense WAN interface.

    It honestly still doesn't make sense to me, as it's completely counter-intuitive compared to normal networking/Cisco-based stuff.

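The Azure-side half of the procedure in the answer above, as an added example that is not part of the original thread: a user-defined route table on the VM subnet that sends the on-prem prefixes to the pfSense WAN address as a VirtualAppliance next hop (so VM replies actually go back through pfSense), plus the one check the thread never mentions. Azure drops packets that a NIC forwards on behalf of addresses other than its own unless IP forwarding is enabled on that NIC, which is the first thing to verify when captures show traffic leaving the NVA but never arriving at the VM. Resource group, VNet, subnet, NIC names, the 10.0.1.4 next hop and the 192.168.x.0/24 on-prem prefixes are all assumptions; the pfSense-side static routes via the subnet gateway are configured in the pfSense UI and are not covered here.

```shell
#!/bin/sh
# Added example, not from the original post. Azure CLI steps for the Azure side
# of the routing described in the answer. Every name, prefix and address below
# is an assumption for illustration.
set -eu

RG="${RG:-rg-vpn-lab}"                    # assumed resource group
VNET="${VNET:-vnet-hub}"                  # assumed VNet holding both subnets
VM_SUBNET="${VM_SUBNET:-snet-vms}"        # assumed subnet holding the Azure VMs
NVA_NIC="${NVA_NIC:-nic-pfsense-wan}"     # assumed pfSense WAN NIC (NVA subnet)
NVA_IP="${NVA_IP:-10.0.1.4}"              # assumed pfSense WAN private IP (next hop)
RT="${RT:-rt-to-onprem}"                  # assumed route table name
# Assumed on-prem prefixes behind the two IPsec tunnels (space separated).
ONPREM_PREFIXES="${ONPREM_PREFIXES:-192.168.10.0/24 192.168.20.0/24}"

# AZ can be overridden (e.g. AZ=echo) to print the commands without a subscription.
AZ="${AZ:-az}"

# Azure drops packets a NIC forwards for addresses other than its own unless
# IP forwarding is enabled on that NIC, so the NVA's Azure-facing NIC needs it.
enable_ip_forwarding() {
  "$AZ" network nic update --resource-group "$RG" --name "$NVA_NIC" \
    --ip-forwarding true
}

# Route table for the VM subnet: one route per on-prem prefix whose next hop is
# the pfSense WAN address. Without it the VMs' replies to on-prem never reach
# pfSense, so on-prem -> Azure looks "eaten" even though the forward path works.
create_onprem_routes() {
  "$AZ" network route-table create --resource-group "$RG" --name "$RT"
  i=0
  for prefix in $ONPREM_PREFIXES; do
    i=$((i + 1))
    "$AZ" network route-table route create --resource-group "$RG" \
      --route-table-name "$RT" --name "to-onprem-$i" \
      --address-prefix "$prefix" \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$NVA_IP"
  done
  "$AZ" network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$VM_SUBNET" --route-table "$RT"
}

# Check: the effective routes Azure actually applies to a NIC. On a VM NIC in
# the VM subnet you should see each on-prem prefix with next hop type
# VirtualAppliance and the pfSense WAN address as the next hop.
show_effective_routes() {
  "$AZ" network nic show-effective-route-table --resource-group "$RG" \
    --name "$1" --output table
}

# Runs only when explicitly asked, so sourcing the file has no side effects:
#   sh azure-nva-routes.sh apply                (needs an authenticated az login)
#   AZ=echo sh azure-nva-routes.sh apply        (dry run: print the commands)
case "${1:-}" in
  apply)
    enable_ip_forwarding
    create_onprem_routes
    show_effective_routes "$NVA_NIC"
    ;;
esac
```

Keep the route table on the VM subnet only; associating the same table with the NVA subnet would send pfSense's own on-prem-bound packets back to itself instead of into the tunnel.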
