================================================ IPsec VTI - connect to Microsoft Azure ================================================ Microsoft Azure offers three VPN types: * policy-based (restricted to a single S2S connection) * route-based * route-based with BGP (not available in the virtual network gateway SKU "Basic") This how-to covers setting up a route-based S2S VPN. ---------------- Before you start ---------------- Before starting with the configuration of an IPsec tunnel you need to have a working OPNsense installation and an Azure virtual network setup with a unique LAN IP subnets for each side of your connection (your local networks need to be different from your remote networks). For setting up a Microsoft Azure virtual network and virtual network gateway refer to the Microsoft Azure documentation: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal ------------ Sample Setup ------------ This sample configuration uses an OPNsense box and the basic Azure virtual network gateway, with the following configuration: OPNsense -------- ==================== ============================= **Hostname** OPNsense **WAN IP** 1.2.3.4 **LAN Network** 192.168.1.1/24 ==================== ============================= | ----------------------------- Azure ----- ====================================== ============================= **Hostname** Azure **Virtual Network Gateway Public IP** 4.3.2.1 **Virtual Network Address Space** 192.168.2.0/24 ====================================== ============================= | ----------------------------- ----------------------- Firewall Rules OPNsense ----------------------- To allow IPsec tunnel connections, the following should be allowed on WAN for on sites (under :menuselection:`Firewall --> Rules --> WAN`): * Protocol ESP * UDP Traffic on port 500 (ISAKMP) * UDP Traffic on port 4500 (NAT-T) .. image:: images/ipsec_wan_rules.png :width: 100% .. Note:: You can further limit the traffic by the source IP of the remote host. ------------------------- Step 1 - Phase 1 OPNsense ------------------------- (Under :menuselection:`VPN --> IPsec --> Tunnel Settings` Press **+**) We will use the following settings: General information ------------------- ========================= ============== ====================================================== **Connection method** Respond only **Key Exchange version** V2 **Internet Protocol** IPv4 **Interface** WAN *Choose the interface connected to the internet* **Remote gateway** 4.3.2.1 *The public IP address of your Azure virtual network* **Description** IPsec Azure *Freely chosen description* ========================= ============== ====================================================== Phase 1 proposal (Authentication) --------------------------------- =========================== ====================== ====================================== **Authentication method** Mutual PSK *Using a Pre-shared Key* **My identifier** My IP address *Simple identification for fixed IP* **Peer identifier** Peer IP address *Simple identification for fixed IP* **Pre-Shared Key** At4aDMOAOub2NwT6gMHA *Random key*. **CREATE YOUR OWN!** =========================== ====================== ====================================== Phase 1 proposal (Algorithms) ----------------------------- ========================== =============== =========================================== **Encryption algorithm** AES 256 *refer to Azure docs for details* **Hash algoritm** SHA256 **DH key group** 2 (1024 bit) **Lifetime** 28800 sec *Lifetime before renegotiation* ========================== =============== =========================================== .. Note:: Possible parameters are listed here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices Advanced Options ---------------- ======================= =========== ======================================================== **Install Policy** Unchecked *This has to be unchecked since we want plain routing* **Disable Rekey** Unchecked *Renegotiate when connection is about to expire* **Disable Reauth** Unchecked *For IKEv2 only re-authenticate peer on rekeying* **NAT Traversal** Disable *For IKEv2 NAT traversal is always enabled* **Dead Peer Detection** Unchecked ======================= =========== ======================================================== Save your setting by pressing: .. image:: images/btn_save.png ------------------------- Step 2 - Phase 2 OPNsense ------------------------- Press the button *+* in front of the phase 1 entry to add a new phase 2. As we do not define a local and remote network, we just use tunnel addresses, you might already know from OpenVPN. In this example we use ``10.111.1.1`` and ``10.111.1.2``. These will be the gateway addresses used for routing General information ------------------- ======================= =================== ============================= **Mode** Route-based *Select Route-based* **Description** Azure VNET *Freely chosen description* ======================= =================== ============================= Tunnel Network -------------- ======================= ================== ===================== **Local Address** Local Tunnel IP *Set IP 10.111.1.1* **Remote Address** Remote Tunnel IP *Set IP 10.111.1.2* ======================= ================== ===================== Phase 2 proposal (SA/Key Exchange) ---------------------------------- ========================== =========== =================================== **Protocol** ESP *Choose ESP for encryption* **Encryption algorithms** AES / 256 *refer to Azure docs for details* **Hash algortihms** SHA256 **PFS Key group** off *Not supported* **Lifetime** 27000 sec ========================== =========== =================================== Save your settings by pressing: .. image:: images/btn_save.png ----------------------------- Enable IPsec for OPNsense, select: .. image:: images/ipsec_s2s_vpn_p1a_enable.png Save: .. image:: images/btn_save.png And apply changes: .. image:: images/ipsec_s2s_vpn_p1a_apply.png :width: 100% ------------------ .. image:: images/ipsec_s2s_vpn_p1a_success.png :width: 100% ------------------------- Step 3 - Set MSS Clamping ------------------------- (Under :menuselection:`Interfaces --> IPsec Azure`) We will use the following settings: Setup ------------------- =================================== ====================== ================================================== **MSS** 1350 *Required* =================================== ====================== ================================================== Leave the other settings as per default. Save: .. image:: images/btn_save.png **You are almost done configuring OPNsense (only some firewall settings remain, which will be addressed later).** **We will now proceed setting up Azure.** ----------------------------- ------------------------------------------- Step 4 - Azure: Setup local network gateway ------------------------------------------- (Under `All resources` press **+ Add**, then search and **Create** `Local network gateway`) We will use the following settings: Setup ------------------- =================================== ====================== ================================================== **Name** lng.opnsense *Freely chosen name* **IP address** 1.2.3.4 *The public IP address of your remote OPNsense* **Address space** 192.168.1.0/24 *LAN Network* **Address space** 10.111.1.1/32 *Local Tunnel IP* =================================== ====================== ================================================== Press the button that says 'Create': .. image:: images/ipsec_s2s_route_azure_lng.png ------------------------------------ Step 5 - Azure: Setup VPN connection ------------------------------------ (Under `All resources --> Virtual network gateway --> Connections` Press **+ Add**) We will use the following settings: General setup ------------------- =================================== ====================== ================================================== **Name** vpn.opnsense *Freely chosen name* **Connection type** Site-to-site (IPsec) **Virtual network gateway** vpn.gw *Select virtual network gateway* **Local network gateway** lng.opnsense *Select local network gateway* **Shared Key (PSK)** At4aDMOAOub2NwT6gMHA *Random key*. **CREATE YOUR OWN!** =================================== ====================== ================================================== Press the button that says 'OK': .. image:: images/ipsec_s2s_route_azure_conn.png ----------------------- Firewall Rules OPNsense ----------------------- To allow traffic passing to your LAN subnet you need to add a rule to the IPsec interface (under :menuselection:`Firewall --> Rules --> IPsec`). .. image:: images/ipsec_ipsec_lan_rule.png :width: 100% ------------------ IPsec Tunnel Ready ------------------ The tunnel should now be up and routing the both networks. Go to :menuselection:`VPN --> IPsec --> Status Overview` to see current status. ------------------------ Step 6 - Define Gateways ------------------------ Now that you have the VPN up and running you have to set up a gateway. Go to :menuselection:`System --> Gateways --> Configuration` and add a new gateway. OPNsense -------- ================= ============ =============================================================== **Name** VPNGW *Set a name for your gateway* **Interface** IPSEC1000 *Choose the IPsec interface* **IP Address** 10.111.1.2 *Set the peer IP address* **Far Gateway** Checked *This has to be checked as it is a point-to-point connection* ================= ============ =============================================================== -------------------------- Step 7 - Add Static Routes -------------------------- When the gateway is set up you can add a route for the Azure virtual network pointing to the new gateway. Go to :menuselection:`System --> Routes --> Configuration`. Route OPNsense -------------- ===================== ================ ============================= **Network Address** 192.168.2.0/24 *Azure virtual network* **Gateway** VPNGW *Select the VPN gateway* ===================== ================ ============================= Now you are all set!