Azure Site2Site With Pfsense

Copied an article to save it for future reference, credit to the author!

In this entry I'll explain how to connect your on-premises infrastructure with Microsoft Azure using pfSense, a free firewall.
I'm going to split the entry into 3 parts (all are here, so don't worry):

PART 1: MICROSOFT AZURE
Everything related to Azure, creating a virtual network and setting up the base of our VPN.
PART 2: PFSENSE
Everything related to pfSense. Bringing it all together so the VPN is complete and functional.
PART 3: TESTING, VALIDATING & EXTRAS
Validating connectivity and some tips about troubleshooting any errors.

PART 1: MICROSOFT AZURE

First of all we will create a new network. We could use an existing one, but let's do this from scratch. So, go to Networks > Create a virtual network.


The virtual network wizard opens. Give your network a descriptive name and select or create an affinity group.
Note: spaces are not allowed in network names, so use dashes instead. Example: "BG-Azure-VPN-Virtual-Network" (without the quotes ;)). Click on the arrow to move to the next step.

If you want you can add the IP addresses of your on-premises DNS servers, but at this point those values are optional and can be added later. The important thing here is to select the checkbox that says "Configure a site-to-site VPN". By doing so an extra step gets added to the wizard and the network preview gets a little more interesting. Click on the arrow to move to the next step.

In this step you'll need to fill in the fields with your on-premises info.

NAME: Anything you want, really. For example: On-premises-VMNET
VPN DEVICE IP ADDRESS: The public IP address of your internet-facing firewall. You can use https://www.yougetsignal.com/what-is-my-ip-address/ or https://www.whatsmyip.org/ to display your public IP address. Here I used a dummy IP address because I don't want you to know my public IP address :P. Keep in mind that this should be a static address: if your ISP changes it, the Azure side keeps pointing at the old one and the tunnel stops until you update this field.
ADDRESS SPACE (AS): This is the on-premises address space that you use in your company or lab environment. For example: 10.10.10.0/24. If you use more than one address space you can click the strategically well-named green button that says "add address space" and do so. If you want to remove an address space just hover your mouse pointer over the one you want to remove and click the X that appears at the far right side.

Ok, so far so good... let's continue by clicking next.
In this screen you are going to create a virtual network address space for your Microsoft Azure VMs. The important thing to remember is to NOT use the same address space as the one you use for your on-premises VMs. In simpler words, make sure your Microsoft Azure and on-premises address spaces do not overlap with each other.
In this example I'm going to give my Microsoft Azure VMs the address space 172.16.100.0/24, and after that I'm creating a subnet "/25" and a gateway subnet "/29". The gateway subnet is required and you cannot finish the wizard without one. Do not take this decision lightly (the address space and the subnetting), because if you later want to change it you'll need to redo everything and a lot more due to the way Microsoft Azure works (at least at the time of this writing).
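The wizard will not stop you from overlapping ranges, and fixing that later means tearing the VNet down, so it is worth checking the plan before clicking the checkmark. The following is an added example (not code from the original article) that checks the four things that bite people here: the VNet must not overlap any on-premises range, the on-premises ranges must not overlap each other, and the VM subnets plus the gateway subnet must all fit inside the VNet without overlapping one another. The sample values are the article's own (10.10.10.0/24 on-premises, 172.16.100.0/24 VNet, a /25 VM subnet and a /29 gateway subnet); the second, broken plan is made up to show what a report looks like.

```python
"""Address-plan sanity check for an Azure <-> on-premises site-to-site VPN.

Added example, not code from the original article. Checks, before you commit
to a VNet layout you would have to tear down to change, that:
  1. the Azure VNet address space does not overlap any on-premises range,
  2. the on-premises ranges do not overlap each other,
  3. every VM subnet and the gateway subnet fit inside the VNet, and
  4. the VM subnets and the gateway subnet do not overlap each other.
"""
from ipaddress import ip_network


def _parse(prefixes, label, problems):
    """Parse CIDR strings strictly; host bits set (e.g. 10.0.0.5/24) is itself a planning error."""
    nets = []
    for p in prefixes:
        try:
            nets.append(ip_network(p, strict=True))
        except ValueError as exc:
            problems.append(f"{label} {p!r} is not a valid network: {exc}")
    return nets


def check_vpn_address_plan(onprem, vnet, subnets, gateway_subnet):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    onprem_nets = _parse(onprem, "on-premises address space", problems)
    vnet_nets = _parse([vnet], "VNet address space", problems)
    subnet_nets = _parse(subnets, "VM subnet", problems)
    gw_nets = _parse([gateway_subnet], "gateway subnet", problems)
    if problems:
        return problems  # unparsable input; the other checks would be meaningless
    vnet_net, gw_net = vnet_nets[0], gw_nets[0]

    # 1. Azure side must not overlap the on-premises side: the IPsec phase 2
    #    selectors and the routing on both ends would be ambiguous.
    for n in onprem_nets:
        if vnet_net.overlaps(n):
            problems.append(f"VNet {vnet_net} overlaps on-premises {n}")

    # 2. On-premises ranges must not overlap each other either.
    for i, a in enumerate(onprem_nets):
        for b in onprem_nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"on-premises {a} overlaps on-premises {b}")

    # 3. VM subnets and the gateway subnet must be carved out of the VNet.
    azure_subnets = subnet_nets + [gw_net]
    for s in azure_subnets:
        if not s.subnet_of(vnet_net):
            problems.append(f"{s} is not inside VNet {vnet_net}")

    # 4. ...and must not overlap one another (the gateway /29 needs its own space).
    for i, a in enumerate(azure_subnets):
        for b in azure_subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # The article's plan, and a deliberately broken one (constructed values).
    good = check_vpn_address_plan(["10.10.10.0/24"], "172.16.100.0/24",
                                  ["172.16.100.0/25"], "172.16.100.128/29")
    bad = check_vpn_address_plan(["10.10.10.0/24"], "10.10.0.0/16",
                                 ["10.10.0.0/25"], "10.10.0.0/29")
    print("article plan:", good or "OK")
    print("broken plan:", *bad, sep="\n  ")
```

Run it with your real ranges before creating the VNet; anything it reports is something the wizard would accept and you would later regret.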

Click the checkmark and let Microsoft Azure do its thing.


321 (It actually takes more than 3 seconds)

Now check the Networks tab and verify the VNET is there, then click its name to open its properties.

Welcome to the dashboard of the newly created VNET! If you find any errors, revisit the previous steps and try again ;)

Now, you may have noticed a warning sign that says "The gateway was not created."... That's true, since we haven't done anything other than create the basic structure that will support our VPN... Thanks Microsoft for the reminder! :|
To get rid of that message click on the big button at the bottom of the screen that says "+CREATE GATEWAY" and select "Static Routing" (you gotta love the way Microsoft uses UPPER CAPS and lower caps all over the place in random fashion :P ). "Static Routing" is the policy-based gateway type: it only speaks IKEv1, and the phase 2 networks on pfSense must match exactly the address spaces you entered in Azure, so keep that in mind when we get to the pfSense part. "Dynamic Routing" (route-based, IKEv2) is a different animal and won't negotiate with the pfSense configuration described here.
Ok, let's get back to the topic... here's a pic to help you locate the option.

After that a confirmation message shows up asking if you want to create a gateway. You might think the question is kinda silly (it is, tbh), but since creating and using a gateway means you are going to get charged for it, I guess the option is there to prevent you from creating one by mistake. Anyway, click yes.

The process of creating the gateway takes a while, so feel free to do something else for the next 10 minutes or so, but don't forget to come back. May I suggest going to play Spelunky or another time-killer game in the meantime? Don't forget to come back! Once the process finishes you'll get a message like this:

And the virtual network diagram should have changed to this:

Here you can see one of those rare event messages that Microsoft Azure displays. Anyway, I've replaced the public IP address that Microsoft Azure assigned me with "MS PUBLIC IP ADDRESS", but you should see a public IPv4 address in that spot ;)
As you can see we are not done yet (there's no traffic in or out), but we'll fix that in a moment. Now, I just want you to know that Microsoft does support some devices, which you can find here: https://msdn.microsoft.com/en-us/library/azure/jj156075.aspx. With a supported device all you need to do to set up your on-premises end is download and run a script and boom, you're done.

Since pfSense is not one of those supported devices (that's why you are here, after all) but it does support IPsec, I'll show you how to make the two talk to each other.

But before proceeding we are going to need one more thing from the Microsoft Azure console: the PSK or pre-shared key (Microsoft calls it the "manage key"). You can find it at the bottom of the dashboard of the virtual network. Click on manage key and copy the key somewhere safe. Treat it like a password: it is the only thing authenticating your firewall to Azure, so don't leave it lying around in a plain text file once it's in pfSense. Also, as you can see, you can regenerate the key at any point in time, which is what you should do if it ever leaks (the tunnel will be down until pfSense has the new key).

We are done with Microsoft Azure for now.

PART 2: PFSENSE

Now we are going to focus on pfSense, and I'm going to assume that you have it properly configured and up and running.
Go to VPN > IPsec. Make sure IPsec is enabled and then click the add phase 1 entry button.

Now, instead of boring you with a bunch of values, just replace the following values with the ones for your environment and match the rest as it is in the screenshot.

Replace:                              With:
***MS PUBLIC IP ADDRESS***            Azure's public gateway IPv4 address (shown on the VNET dashboard once the gateway is created).
**PASTE THE MANAGE KEY FROM AZURE**   The "manage shared key" from Azure.

Note: The WAN interface is the one that´s connected to the internet and has the public IP address you provided in the Site-To-Site Connectivity step when we were creating the Microsoft Azure virtual network.

Don´t forget to click save and apply the changes when you´re done.

Now, IPsec is a 2-phase process, so we need to setup phase 2. Click on the big [ + ] button to add a phase 2 config.

Same as before, just match the settings you see in the pic.

Save and apply the changes.
One more thing to do before testing the VPN is to create an IPsec rule so traffic can flow between both networks. To do that go to Firewall > Rules > IPsec. In my lab I created a rule that allows all traffic (IPv4*) between the networks, as shown in the screenshot. You can, if you want, create specific rules. It's up to you, but keep in mind that an allow-all rule on the IPsec tab means anything on the Azure VNET can reach anything on-premises through the tunnel; once things work, narrow it down to the hosts and ports you actually need.

At this point the VPN is created and it should have connected automatically.

PART 3: TESTING, VALIDATING & EXTRAS

In this part I'll show you how to validate that the VPN is created and operating as it should.
The first thing to do is make sure that the pfSense end of the VPN is connected. Go to Status > IPsec and verify that the status shows a green arrow. If it's not green, start the VPN by clicking the gear icon next to the status column. The image below shows that the connection from pfSense to Microsoft Azure is successful.

Now check the VPN connection from Microsoft Azure´s point of view. If the status is connecting then give it a minute or so. The dashboard refresh is not in real time. If the status is disconnected then click ”Connect” at the bottom of the dashboard and wait a few minutes.
This image shows that the connection is successful from Azure to pfSense.


As you can see I created a VM and assigned it to the AZUREPROD subnet, so the next logical step is to do a simple ping test between this VM and one on-premises. If a ping fails, check the guest firewall on the VM before blaming the tunnel; host firewalls commonly drop ICMP echo requests.
Here are some screenshots that show exactly that.

From Microsoft Azure to my lab.

This is the config of the network card of my Azure VM. As you can see it has the DNS servers of my local domain. From this VM I'm going to ping one of my DNS servers.

The ping is successful!

From my on-premises lab to Microsoft Azure.

 

It works just fine.
Now for some troubleshooting tips. I'm going to be honest with you: Microsoft Azure doesn't provide any logs or an event viewer for the gateway, so you are left in the dark with meaningless messages when an error occurs (at least at the time of this writing). That means you must rely on pfSense's IPsec logs. To access them go to Status > IPsec > Logs. If there's an error, review the logs and resolve it. If you need more verbose logs you can start racoon in debug mode (racoon is the IPsec daemon in pfSense 2.1) from System > Advanced > Miscellaneous; keep in mind that starting racoon in debug mode requires restarting the service. Note that pfSense 2.2 and later replaced racoon with strongSwan (the daemon shows up as "charon" in the logs); there the log lives under Status > System Logs > IPsec and the logging levels are set under VPN > IPsec > Advanced Settings.
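Because the Azure side only tells you "connecting" or "disconnected", the pfSense IKE log is where the real answer is. Here is an added example (not code from the original article) that scans log lines for the usual failure signatures and maps each to the setting that is normally wrong: a proposal mismatch, a wrong pre-shared key, a phase 2 network mismatch, or simply no answer from the peer. The patterns are approximations of strongSwan (pfSense 2.2+) and racoon (pfSense 2.1) wording, not an exhaustive list, and the sample lines are constructed, with 203.0.113.10 standing in for the Azure gateway's public IP.

```python
"""Triage of pfSense IPsec log lines for the Azure site-to-site tunnel.

Added example, not code from the original article. Maps common IKE failure
signatures to the pfSense/Azure setting that is usually wrong. Patterns are
approximations of strongSwan ("charon", pfSense 2.2+) and racoon (pfSense 2.1)
messages; adjust them to what your own log shows.
"""
import re

# (pattern, phase, likely cause). The upper-case names are standard IKE notify types.
SIGNATURES = [
    (re.compile(r"NO_PROPOSAL_CHOSEN|no proposal chosen"), "phase 1 or 2",
     "proposal mismatch: encryption, hash, DH group or lifetime differs from the Azure gateway"),
    (re.compile(r"could not decrypt payloads|AUTHENTICATION_FAILED|HASH mismatched"), "phase 1",
     "pre-shared key mismatch: re-paste the manage key from Azure"),
    (re.compile(r"INVALID_ID_INFORMATION|TS_UNACCEPTABLE|no matching CHILD_SA config"), "phase 2",
     "network mismatch: local/remote networks differ from the address spaces entered in Azure"),
    (re.compile(r"retransmit \d+ of request|negotiation failed due to time up"), "phase 1",
     "no answer from peer: wrong gateway IP, UDP 500/4500 blocked, or Azure gateway not connected"),
]


def triage_ipsec_log(lines):
    """Return (line_number, phase, cause) for every line matching a known failure signature."""
    findings = []
    for num, line in enumerate(lines, 1):
        for pattern, phase, cause in SIGNATURES:
            if pattern.search(line):
                findings.append((num, phase, cause))
                break  # one verdict per line
    return findings


def first_failure(lines):
    """The earliest failure is the one to fix first; later ones are often just retries."""
    findings = triage_ipsec_log(lines)
    return findings[0] if findings else None


# Constructed sample, loosely modelled on strongSwan output; not a real capture.
SAMPLE_LOG = """\
Jan 10 12:00:01 pfsense charon: 09[IKE] <con1000|3> initiating Main Mode IKE_SA con1000[3] to 203.0.113.10
Jan 10 12:00:01 pfsense charon: 09[IKE] <con1000|3> received NO_PROPOSAL_CHOSEN notify error
Jan 10 12:05:30 pfsense charon: 11[IKE] <con1000|4> could not decrypt payloads
Jan 10 12:05:30 pfsense charon: 11[IKE] <con1000|4> message parsing failed
Jan 10 12:10:02 pfsense charon: 05[IKE] <con1000|5> received INVALID_ID_INFORMATION error notify
Jan 10 12:15:00 pfsense charon: 07[IKE] <con1000|6> retransmit 5 of request with message ID 0
""".splitlines()

if __name__ == "__main__":
    for num, phase, cause in triage_ipsec_log(SAMPLE_LOG):
        print(f"line {num}: {phase}: {cause}")
```

Feed it the IPsec log copied from the pfSense GUI (one line per list entry) and fix the first finding before worrying about the rest; with a policy-based Azure gateway the phase 2 verdict almost always means the networks typed into pfSense and the address spaces typed into Azure do not match exactly.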
Finally, here's an extra just for you... adding DNS servers to an Azure network. It's a simple process: open the virtual network you want to add the DNS servers to, select the "Configure" tab and in the DNS Servers section add the DNS servers as Name|IP. It's that simple. The downside is that any VM assigned to the virtual network you are modifying must be restarted in order to pick up the change.


So, that's it. This is how you set up a VPN between Microsoft Azure and your on-premises infrastructure using the free firewall pfSense.