{"id":2891,"date":"2023-09-28T16:22:52","date_gmt":"2023-09-28T16:22:52","guid":{"rendered":"https:\/\/ionoslabs.com\/?p=2891"},"modified":"2023-09-29T15:36:59","modified_gmt":"2023-09-29T15:36:59","slug":"az-opnsense-vpn","status":"publish","type":"post","link":"https:\/\/ionoslabs.com\/index.php\/az-opnsense-vpn\/","title":{"rendered":""},"content":{"rendered":"<div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-1 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1289.6px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-0 fusion_builder_column_3_4 3_4 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:75%;--awb-margin-top-large:0px;--awb-spacing-right-large:2.56%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:2.56%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div ><a class=\"fusion-button button-flat fusion-button-default-size button-custom fusion-button-default button-1 fusion-button-default-span fusion-button-default-type\" 
style=\"--button_accent_color:#ffffff;--button_accent_hover_color:#ffffff;--button_border_hover_color:#ffffff;--button-border-radius-top-left:10px;--button-border-radius-top-right:10px;--button-border-radius-bottom-right:10px;--button-border-radius-bottom-left:10px;--button_gradient_start:9%;--button_gradient_top_color:#001b41;--button_gradient_bottom_color:#001b41;--button_gradient_top_color_hover:#11c7e6;--button_gradient_bottom_color_hover:#11c7e6;--button_typography-font-family:&quot;ionos-sans-regular&quot;;--button_typography-font-style:normal;--button_typography-font-weight:400;width:calc(100%);\" target=\"_self\" href=\"https:\/\/ionoslabs.com\/index.php\/ionos-az-1\/\"><span class=\"fusion-button-text\">Back to Connector Overview<\/span><\/a><\/div><div class=\"fusion-content-boxes content-boxes columns row fusion-columns-1 fusion-columns-total-1 fusion-content-boxes-1 content-boxes-icon-with-title content-left\" style=\"--awb-hover-accent-color:#ff8d61;--awb-circle-hover-accent-color:#ff8d61;--awb-item-margin-bottom:40px;\" data-animationOffset=\"top-into-view\"><div style=\"--awb-backgroundcolor:rgba(255,255,255,0);\" class=\"fusion-column content-box-column content-box-column content-box-column-1 col-lg-12 col-md-12 col-sm-12 fusion-content-box-hover content-box-column-last content-box-column-last-in-row\"><div class=\"col content-box-wrapper content-wrapper link-area-box link-type-text icon-hover-animation-fade\" data-link=\"https:\/\/docs.opnsense.org\/manual\/how-tos\/ipsec-s2s-route-azure.html\" data-link-target=\"_self\" data-animationOffset=\"top-into-view\"><div class=\"heading icon-left\"><a class=\"heading-link\" style=\"float:left;\" href=\"https:\/\/docs.opnsense.org\/manual\/how-tos\/ipsec-s2s-route-azure.html\" target=\"_self\"><\/a><\/div><div class=\"fusion-clearfix\"><\/div><div class=\"content-container\">\n<h1>IPsec VTI &#8211; connect to Microsoft Azure<\/h1>\n<p>Configure the connection between Azure VPN and your Connector Instance<\/p>\n
<p>Microsoft Azure offers three VPN types:<\/p>\n<ul class=\"simple\">\n<li>policy-based (restricted to a single S2S connection)<\/li>\n<li>route-based<\/li>\n<li>route-based with BGP (not available in the virtual network gateway SKU \u201cBasic\u201d)<\/li>\n<\/ul>\n<p>This how-to covers setting up a route-based S2S VPN.<\/p>\n<div id=\"before-you-start\" class=\"section\">\n<h2>Before you start<\/h2>\n<p>Before starting with the configuration of an IPsec tunnel you need a working OPNsense installation and an Azure virtual network, with non-overlapping LAN IP subnets on the two sides of the connection (your local networks must be different from your remote networks; if they overlap, the static route added in Step 7 cannot distinguish local from remote hosts).<\/p>\n<p>For setting up a Microsoft Azure virtual network and virtual network gateway refer to the Microsoft Azure documentation:<\/p>\n<p><a class=\"reference external\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/vpn-gateway\/vpn-gateway-howto-site-to-site-resource-manager-portal\">https:\/\/docs.microsoft.com\/en-us\/azure\/vpn-gateway\/vpn-gateway-howto-site-to-site-resource-manager-portal<\/a><\/p>\n<\/div>\n
<div id=\"sample-setup\" class=\"section\">\n<h2>Sample Setup<\/h2>\n<p>This sample configuration uses an OPNsense box and the Basic Azure virtual network gateway, with the following configuration:<\/p>\n<div id=\"opnsense\" class=\"section\">\n<h3>OPNsense<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr class=\"row-odd\">\n<td><strong>Hostname<\/strong><\/td>\n<td>OPNsense<\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>WAN IP<\/strong><\/td>\n<td>1.2.3.4<\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>LAN Network<\/strong><\/td>\n<td>192.168.1.0\/24 (OPNsense LAN address 192.168.1.1)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<div class=\"line-block\">\n<div class=\"line\"><\/div>\n<\/div>\n<\/div>\n<hr class=\"docutils\" \/>\n<div id=\"azure\" class=\"section\">\n<h3>Azure<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr class=\"row-odd\">\n<td><strong>Hostname<\/strong><\/td>\n<td>Azure<\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Virtual Network Gateway Public IP<\/strong><\/td>\n<td>4.3.2.1<\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>Virtual Network Address Space<\/strong><\/td>\n<td>192.168.2.0\/24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<div class=\"line-block\">\n<div class=\"line\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<hr class=\"docutils\" \/>\n
<div id=\"firewall-rules-opnsense\" class=\"section\">\n<h2>Firewall Rules OPNsense<\/h2>\n<p>To allow IPsec tunnel connections, the following must be allowed inbound on the WAN interface (under\u00a0<span class=\"menuselection\">Firewall \u2023 Rules \u2023 WAN<\/span>):<\/p>\n<ul class=\"simple\">\n<li>Protocol ESP<\/li>\n<li>UDP Traffic on port 500 (ISAKMP)<\/li>\n<li>UDP Traffic on port 4500 (NAT-T)<\/li>\n<\/ul>\n<p><a class=\"reference internal image-reference\" href=\"https:\/\/docs.opnsense.org\/_images\/ipsec_wan_rules.png\"><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-orig-src=\"https:\/\/docs.opnsense.org\/_images\/ipsec_wan_rules.png\" alt=\"..\/..\/_images\/ipsec_wan_rules.png\" \/><\/a><\/p>\n<div class=\"admonition note\">\n<p class=\"admonition-title\">Note<\/p>\n<p>You should further limit these rules by setting the source to the public IP of the Azure virtual network gateway (4.3.2.1 in this example) instead of \u201cany\u201d, so that IKE is only reachable from the peer you expect.<\/p>\n<\/div>\n<\/div>\n<div id=\"step-1-phase-1-opnsense\" class=\"section\">\n<h2>Step 1 &#8211; Phase 1 OPNsense<\/h2>\n<p>(Under\u00a0<span class=\"menuselection\">VPN \u2023 IPsec \u2023 Tunnel Settings<\/span>\u00a0Press\u00a0<strong>+<\/strong>) We will use the following settings:<\/p>\n
<div id=\"general-information\" class=\"section\">\n<h3>General information<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr class=\"row-odd\">\n<td><strong>Connection method<\/strong><\/td>\n<td>Respond only<\/td>\n<td><em>OPNsense waits for the Azure gateway to initiate<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Key Exchange version<\/strong><\/td>\n<td>V2<\/td>\n<td><\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>Internet Protocol<\/strong><\/td>\n<td>IPv4<\/td>\n<td><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Interface<\/strong><\/td>\n<td>WAN<\/td>\n<td><em>Choose the interface connected to the internet<\/em><\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>Remote gateway<\/strong><\/td>\n<td>4.3.2.1<\/td>\n<td><em>The public IP address of your Azure virtual network gateway<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Description<\/strong><\/td>\n<td>IPsec Azure<\/td>\n<td><em>Freely chosen description<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n
<div id=\"phase-1-proposal-authentication\" class=\"section\">\n<h3>Phase 1 proposal (Authentication)<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr class=\"row-odd\">\n<td><strong>Authentication method<\/strong><\/td>\n<td>Mutual PSK<\/td>\n<td><em>Using a Pre-shared Key<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>My identifier<\/strong><\/td>\n<td>My IP address<\/td>\n<td><em>Simple identification for fixed IP<\/em><\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>Peer identifier<\/strong><\/td>\n<td>Peer IP address<\/td>\n<td><em>Simple identification for fixed IP<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Pre-Shared Key<\/strong><\/td>\n<td>At4aDMOAOub2NwT6gMHA<\/td>\n<td><em>Random key<\/em>.\u00a0<strong>CREATE YOUR OWN!<\/strong> <em>Generate a long random secret; the same value is entered on the Azure connection in Step 5<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n
<div id=\"phase-1-proposal-algorithms\" class=\"section\">\n<h3>Phase 1 proposal (Algorithms)<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr class=\"row-odd\">\n<td><strong>Encryption algorithm<\/strong><\/td>\n<td>AES 256<\/td>\n<td><em>refer to Azure docs for details<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Hash algorithm<\/strong><\/td>\n<td>SHA256<\/td>\n<td><\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>DH key group<\/strong><\/td>\n<td>2 (1024 bit)<\/td>\n<td><em>Matches the default policy of the Basic gateway; 1024-bit MODP is weak by current standards. On any SKU other than Basic, set a custom IPsec\/IKE policy on the Azure connection and use DH group 14 (2048 bit) or an ECP group on both ends<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Lifetime<\/strong><\/td>\n<td>28800 sec<\/td>\n<td><em>Lifetime before renegotiation<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<div class=\"admonition note\">\n<p class=\"admonition-title\">Note<\/p>\n<p>Possible parameters are listed here:\u00a0<a class=\"reference external\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/vpn-gateway\/vpn-gateway-about-vpn-devices\">https:\/\/docs.microsoft.com\/en-us\/azure\/vpn-gateway\/vpn-gateway-about-vpn-devices<\/a><\/p>\n<\/div>\n<\/div>\n
<div id=\"advanced-options\" class=\"section\">\n<h3>Advanced Options<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr class=\"row-odd\">\n<td><strong>Install Policy<\/strong><\/td>\n<td>Unchecked<\/td>\n<td><em>This has to be unchecked since we want plain routing through the VTI rather than kernel IPsec policies<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Disable Rekey<\/strong><\/td>\n<td>Unchecked<\/td>\n<td><em>Renegotiate when connection is about to expire<\/em><\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>Disable Reauth<\/strong><\/td>\n<td>Unchecked<\/td>\n<td><em>For IKEv2 only: re-authenticate the peer on rekeying<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>NAT Traversal<\/strong><\/td>\n<td>Disable<\/td>\n<td><em>For IKEv2 NAT traversal is always enabled, so this setting has no effect<\/em><\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>Dead Peer Detection<\/strong><\/td>\n<td>Unchecked<\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Save your settings by pressing:<\/p>\n<p><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-orig-src=\"https:\/\/docs.opnsense.org\/_images\/btn_save.png\" alt=\"..\/..\/_images\/btn_save.png\" \/><\/p>\n<\/div>\n<\/div>\n
<div id=\"step-2-phase-2-opnsense\" class=\"section\">\n<h2>Step 2 &#8211; Phase 2 OPNsense<\/h2>\n<p>Press the button\u00a0<em>+<\/em>\u00a0in front of the phase 1 entry to add a new phase 2.<\/p>\n<p>Because this is a route-based (VTI) tunnel, no local and remote networks are defined here. Instead the tunnel gets a pair of point-to-point addresses, comparable to the tunnel addresses you may know from OpenVPN. In this example we use\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">10.111.1.1<\/span><\/code>\u00a0and\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">10.111.1.2<\/span><\/code>; these become the gateway addresses used for routing.<\/p>\n<div id=\"id1\" class=\"section\">\n<h3>General information<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr class=\"row-odd\">\n<td><strong>Mode<\/strong><\/td>\n<td>Route-based<\/td>\n<td><em>Select Route-based<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Description<\/strong><\/td>\n<td>Azure VNET<\/td>\n<td><em>Freely chosen description<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<div id=\"tunnel-network\" class=\"section\">\n<h3>Tunnel Network<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr class=\"row-odd\">\n<td><strong>Local Address<\/strong><\/td>\n<td>Local Tunnel IP<\/td>\n<td><em>Set IP 10.111.1.1<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Remote Address<\/strong><\/td>\n<td>Remote Tunnel IP<\/td>\n<td><em>Set IP 10.111.1.2<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n
<div id=\"phase-2-proposal-sa-key-exchange\" class=\"section\">\n<h3>Phase 2 proposal (SA\/Key Exchange)<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr class=\"row-odd\">\n<td><strong>Protocol<\/strong><\/td>\n<td>ESP<\/td>\n<td><em>Choose ESP for encryption<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Encryption algorithms<\/strong><\/td>\n<td>AES \/ 256<\/td>\n<td><em>refer to Azure docs for details<\/em><\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>Hash algorithms<\/strong><\/td>\n<td>SHA256<\/td>\n<td><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>PFS Key group<\/strong><\/td>\n<td>off<\/td>\n<td><em>Not supported by the default Azure IPsec\/IKE policy; with a custom policy (non-Basic SKU) you can enable PFS and should do so on both ends<\/em><\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>Lifetime<\/strong><\/td>\n<td>27000 sec<\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Save your settings by pressing:<\/p>\n<p><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-orig-src=\"https:\/\/docs.opnsense.org\/_images\/btn_save.png\" alt=\"..\/..\/_images\/btn_save.png\" \/><\/p>\n<hr class=\"docutils\" \/>\n<p>Enable IPsec on OPNsense by selecting:<\/p>\n<p><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-orig-src=\"https:\/\/docs.opnsense.org\/_images\/ipsec_s2s_vpn_p1a_enable.png\" alt=\"..\/..\/_images\/ipsec_s2s_vpn_p1a_enable.png\" \/><\/p>\n<p>Save:<\/p>\n<p><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-orig-src=\"https:\/\/docs.opnsense.org\/_images\/btn_save.png\" alt=\"..\/..\/_images\/btn_save.png\" \/><\/p>\n<p>And apply changes:<\/p>\n<p><a class=\"reference internal image-reference\" 
href=\"https:\/\/docs.opnsense.org\/_images\/ipsec_s2s_vpn_p1a_apply.png\"><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-orig-src=\"https:\/\/docs.opnsense.org\/_images\/ipsec_s2s_vpn_p1a_apply.png\" alt=\"..\/..\/_images\/ipsec_s2s_vpn_p1a_apply.png\" \/><\/a><\/p>\n<hr class=\"docutils\" \/>\n<p><a class=\"reference internal image-reference\" href=\"https:\/\/docs.opnsense.org\/_images\/ipsec_s2s_vpn_p1a_success.png\"><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-orig-src=\"https:\/\/docs.opnsense.org\/_images\/ipsec_s2s_vpn_p1a_success.png\" alt=\"..\/..\/_images\/ipsec_s2s_vpn_p1a_success.png\" \/><\/a><\/p>\n<\/div>\n<\/div>\n<div id=\"step-3-set-mss-clamping\" class=\"section\">\n<h2>Step 3 &#8211; Set MSS Clamping<\/h2>\n<p>(Under\u00a0<span class=\"menuselection\">Interfaces \u2023 IPsec Azure<\/span>) We will use the following settings:<\/p>\n<div id=\"setup\" class=\"section\">\n<h3>Setup<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr class=\"row-odd\">\n<td><strong>MSS<\/strong><\/td>\n<td>1350<\/td>\n<td><em>Required<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Leave the other settings as per default.<\/p>\n<p>Save:<\/p>\n<p><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-orig-src=\"https:\/\/docs.opnsense.org\/_images\/btn_save.png\" alt=\"..\/..\/_images\/btn_save.png\" \/><\/p>\n<p><strong>You are almost done configuring OPNsense (only some firewall settings remain, which will be addressed later).<\/strong>\u00a0<strong>We will now proceed setting up Azure.<\/strong><\/p>\n<\/div>\n<\/div>\n<hr class=\"docutils\" \/>\n<div id=\"step-4-azure-setup-local-network-gateway\" 
class=\"section\">\n<h2>Step 4 &#8211; Azure: Setup local network gateway<\/h2>\n<p>(Under\u00a0<cite>All resources<\/cite>\u00a0press\u00a0<strong>+ Add<\/strong>, then search and\u00a0<strong>Create<\/strong>\u00a0<cite>Local network gateway<\/cite>) We will use the following settings:<\/p>\n<div id=\"id2\" class=\"section\">\n<h3>Setup<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr class=\"row-odd\">\n<td><strong>Name<\/strong><\/td>\n<td>lng.opnsense<\/td>\n<td><em>Freely chosen name<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>IP address<\/strong><\/td>\n<td>1.2.3.4<\/td>\n<td><em>The public IP address of your remote OPNsense<\/em><\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>Address space<\/strong><\/td>\n<td>192.168.1.0\/24<\/td>\n<td><em>LAN Network<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Address space<\/strong><\/td>\n<td>10.111.1.1\/32<\/td>\n<td><em>Local Tunnel IP<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Press the button that says \u2018Create\u2019:<\/p>\n<p><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-orig-src=\"https:\/\/docs.opnsense.org\/_images\/ipsec_s2s_route_azure_lng.png\" alt=\"..\/..\/_images\/ipsec_s2s_route_azure_lng.png\" \/><\/p>\n<\/div>\n<\/div>\n<div id=\"step-5-azure-setup-vpn-connection\" class=\"section\">\n<h2>Step 5 &#8211; Azure: Setup VPN connection<\/h2>\n<p>(Under\u00a0<cite>All resources \u2013&gt; Virtual network gateway \u2013&gt; Connections<\/cite>\u00a0Press\u00a0<strong>+ Add<\/strong>) We will use the following settings:<\/p>\n<div id=\"general-setup\" class=\"section\">\n<h3>General setup<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr 
class=\"row-odd\">\n<td><strong>Name<\/strong><\/td>\n<td>vpn.opnsense<\/td>\n<td><em>Freely chosen name<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Connection type<\/strong><\/td>\n<td>Site-to-site (IPsec)<\/td>\n<td><\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>Virtual network gateway<\/strong><\/td>\n<td>vpn.gw<\/td>\n<td><em>Select virtual network gateway<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Local network gateway<\/strong><\/td>\n<td>lng.opnsense<\/td>\n<td><em>Select local network gateway<\/em><\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>Shared Key (PSK)<\/strong><\/td>\n<td>At4aDMOAOub2NwT6gMHA<\/td>\n<td><em>Random key<\/em>.\u00a0<strong>CREATE YOUR OWN!<\/strong> <em>Must be identical to the Pre-Shared Key entered in Step 1<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Press the button that says \u2018OK\u2019:<\/p>\n<p><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-orig-src=\"https:\/\/docs.opnsense.org\/_images\/ipsec_s2s_route_azure_conn.png\" alt=\"..\/..\/_images\/ipsec_s2s_route_azure_conn.png\" \/><\/p>\n<\/div>\n<\/div>\n<div id=\"id3\" class=\"section\">\n<h2>Firewall Rules OPNsense<\/h2>\n<p>To allow traffic passing to your LAN subnet you need to add a rule to the IPsec interface (under\u00a0<span class=\"menuselection\">Firewall \u2023 Rules \u2023 IPsec<\/span>). Scope it to what the tunnel is meant to carry: source the Azure address space (192.168.2.0\/24), destination your LAN (192.168.1.0\/24) and only the required ports, rather than an any-to-any pass rule.<\/p>\n<p><a class=\"reference internal image-reference\" href=\"https:\/\/docs.opnsense.org\/_images\/ipsec_ipsec_lan_rule.png\"><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-orig-src=\"https:\/\/docs.opnsense.org\/_images\/ipsec_ipsec_lan_rule.png\" alt=\"..\/..\/_images\/ipsec_ipsec_lan_rule.png\" \/><\/a><\/p>\n<\/div>\n<div id=\"ipsec-tunnel-ready\" class=\"section\">\n<h2>IPsec Tunnel Ready<\/h2>\n<p>The tunnel should now be up; the gateway and static route that actually send traffic through it are added in Steps 6 and 7. 
Go to\u00a0<span class=\"menuselection\">VPN \u2023 IPsec \u2023 Status Overview<\/span>\u00a0to see current status.<\/p>\n<\/div>\n<div id=\"step-6-define-gateways\" class=\"section\">\n<h2>Step 6 &#8211; Define Gateways<\/h2>\n<p>Now that you have the VPN up and running you have to set up a gateway. Go to\u00a0<span class=\"menuselection\">System \u2023 Gateways \u2023 Single<\/span>\u00a0and add a new gateway.<\/p>\n<div id=\"id4\" class=\"section\">\n<h3>OPNsense<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr class=\"row-odd\">\n<td><strong>Name<\/strong><\/td>\n<td>VPNGW<\/td>\n<td><em>Set a name for your gateway<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Interface<\/strong><\/td>\n<td>IPSEC1000<\/td>\n<td><em>Choose the IPsec interface<\/em><\/td>\n<\/tr>\n<tr class=\"row-odd\">\n<td><strong>IP Address<\/strong><\/td>\n<td>10.111.1.2<\/td>\n<td><em>Set the peer IP address<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Far Gateway<\/strong><\/td>\n<td>Checked<\/td>\n<td><em>This has to be checked as it is a point-to-point connection<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/div>\n<div id=\"step-7-add-static-routes\" class=\"section\">\n<h2>Step 7 &#8211; Add Static Routes<\/h2>\n<p>When the gateway is set up you can add a route for the Azure virtual network pointing to the new gateway. 
Go to\u00a0<span class=\"menuselection\">System \u2023 Routes \u2023 Configuration<\/span>.<\/p>\n<div id=\"route-opnsense\" class=\"section\">\n<h3>Route OPNsense<\/h3>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils align-default\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr class=\"row-odd\">\n<td><strong>Network Address<\/strong><\/td>\n<td>192.168.2.0\/24<\/td>\n<td><em>Azure virtual network<\/em><\/td>\n<\/tr>\n<tr class=\"row-even\">\n<td><strong>Gateway<\/strong><\/td>\n<td>VPNGW<\/td>\n<td><em>Select the VPN gateway<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Now you are all set!<\/p>\n<\/div>\n<\/div>\n<\/div><div class=\"fusion-clearfix\"><\/div><a class=\" fusion-read-more\" style=\"float:left;\" href=\"https:\/\/docs.opnsense.org\/manual\/how-tos\/ipsec-s2s-route-azure.html\" target=\"_self\">Read More<\/a><div class=\"fusion-clearfix\"><\/div><\/div><\/div><div class=\"fusion-clearfix\"><\/div><\/div><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-1 fusion_builder_column_1_4 1_4 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:25%;--awb-margin-top-large:0px;--awb-spacing-right-large:7.68%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:7.68%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div ><a class=\"fusion-button button-flat fusion-button-default-size button-custom fusion-button-default button-2 fusion-button-default-span fusion-button-default-type\" 
style=\"--button_accent_color:#ffffff;--button_accent_hover_color:#ffffff;--button_border_hover_color:#ffffff;--button-border-radius-top-left:10px;--button-border-radius-top-right:10px;--button-border-radius-bottom-right:10px;--button-border-radius-bottom-left:10px;--button_gradient_start:9%;--button_gradient_top_color:#001b41;--button_gradient_bottom_color:#001b41;--button_gradient_top_color_hover:#11c7e6;--button_gradient_bottom_color_hover:#11c7e6;--button_typography-font-family:&quot;ionos-sans-regular&quot;;--button_typography-font-style:normal;--button_typography-font-weight:400;width:calc(100%);\" target=\"_self\" href=\"https:\/\/docs.opnsense.org\/manual\/how-tos\/ipsec-s2s-route-azure.html\"><span class=\"fusion-button-text\">Read More<\/span><\/a><\/div><\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[710],"class_list":["post-2891","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-azconnect-configure"],"_links":{"self":[{"href":"https:\/\/ionoslabs.com\/index.php\/wp-json\/wp\/v2\/posts\/2891","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ionoslabs.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ionoslabs.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ionoslabs.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddabl
e":true,"href":"https:\/\/ionoslabs.com\/index.php\/wp-json\/wp\/v2\/comments?post=2891"}],"version-history":[{"count":8,"href":"https:\/\/ionoslabs.com\/index.php\/wp-json\/wp\/v2\/posts\/2891\/revisions"}],"predecessor-version":[{"id":2941,"href":"https:\/\/ionoslabs.com\/index.php\/wp-json\/wp\/v2\/posts\/2891\/revisions\/2941"}],"wp:attachment":[{"href":"https:\/\/ionoslabs.com\/index.php\/wp-json\/wp\/v2\/media?parent=2891"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ionoslabs.com\/index.php\/wp-json\/wp\/v2\/categories?post=2891"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ionoslabs.com\/index.php\/wp-json\/wp\/v2\/tags?post=2891"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
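The procedure above (Steps 1 to 7) as an added worked example; this is not code from the OPNsense how-to or from IONOS, and not what OPNsense itself generates. The script checks the addressing rule from "Before you start" (non-overlapping subnets, tunnel addresses outside both LANs), generates a pre-shared key to replace the sample key, flags the two weak spots of the sample proposals (DH group 2 and no PFS), and renders an approximate strongSwan swanctl.conf stanza for the Phase 1 and Phase 2 parameters. OPNsense drives strongSwan behind the GUI, so the stanza is the closest text form of those settings; the VTI interface that OPNsense creates (IPSEC1000) is not reproduced. The addresses are the how-to's sample values; the function names, the `SAMPLE` dictionary and the secrets-section layout are this example's own assumptions.

```python
"""Added example, not code from the OPNsense or IONOS page."""
import ipaddress
import secrets

# Constructed sample values copied from the how-to's tables.
SAMPLE = {
    "local_wan": "1.2.3.4",
    "remote_gw": "4.3.2.1",
    "local_lan": "192.168.1.1/24",   # host form, as the OPNsense table writes it
    "remote_vnet": "192.168.2.0/24",
    "tunnel_local": "10.111.1.1",
    "tunnel_remote": "10.111.1.2",
}

# strongSwan names of the MODP groups that are too small today
# (DH group 2 in the GUI is modp1024).
WEAK_DH = {"modp768", "modp1024", "modp1536"}


def net(prefix):
    """Parse a prefix, accepting host form such as 192.168.1.1/24."""
    return ipaddress.ip_network(prefix, strict=False)


def check_networks(cfg):
    """Return a list of addressing problems; an empty list means usable."""
    problems = []
    lan, vnet = net(cfg["local_lan"]), net(cfg["remote_vnet"])
    if lan.overlaps(vnet):
        problems.append("local LAN and Azure VNet address space overlap")
    tl = ipaddress.ip_address(cfg["tunnel_local"])
    tr = ipaddress.ip_address(cfg["tunnel_remote"])
    if tl == tr:
        problems.append("tunnel endpoints must differ")
    for name, n in (("local_lan", lan), ("remote_vnet", vnet)):
        if tl in n or tr in n:
            problems.append(f"tunnel address lies inside {name}")
    return problems


def generate_psk(nbytes=32):
    """32 random bytes, URL-safe base64 (43 chars); replaces the 20-char sample key."""
    return secrets.token_urlsafe(nbytes)


def proposal_warnings(ike_dh, pfs_dh):
    """Flag the two weak choices in the how-to's proposals."""
    warnings = []
    if ike_dh in WEAK_DH:
        warnings.append(f"IKE DH group {ike_dh} is below current recommendations; "
                        "use modp2048 (group 14) or ecp256 via a custom Azure IPsec/IKE policy")
    if pfs_dh is None:
        warnings.append("no PFS on the CHILD_SA: compromise of the IKE SA keys "
                        "exposes every ESP key derived from them")
    return warnings


def render_swanctl(cfg, psk, ike_dh="modp1024", pfs_dh=None,
                   ike_life=28800, esp_life=27000):
    """Approximate swanctl.conf for the GUI settings (IKEv2, PSK, AES-256/SHA-256).
    Section and key names are strongSwan's; the connection name is assumed."""
    esp = "aes256-sha256" + (f"-{pfs_dh}" if pfs_dh else "")
    return f"""connections {{
  azure {{
    version = 2
    local_addrs = {cfg['local_wan']}
    remote_addrs = {cfg['remote_gw']}
    proposals = aes256-sha256-{ike_dh}
    rekey_time = {ike_life}s
    local {{
      auth = psk
      id = {cfg['local_wan']}
    }}
    remote {{
      auth = psk
      id = {cfg['remote_gw']}
    }}
    children {{
      vnet {{
        # VTI: wildcard selectors, no kernel policies ("Install Policy" unchecked)
        local_ts = 0.0.0.0/0
        remote_ts = 0.0.0.0/0
        esp_proposals = {esp}
        rekey_time = {esp_life}s
        policies = no
        # "Respond only": never initiate from this side
        start_action = none
      }}
    }}
  }}
}}
secrets {{
  ike-azure {{
    id-1 = {cfg['remote_gw']}
    secret = "{psk}"
  }}
}}
"""


if __name__ == "__main__":
    for msg in check_networks(SAMPLE) + proposal_warnings("modp1024", None):
        print("check:", msg)
    print(render_swanctl(SAMPLE, generate_psk()))
```

Run it as-is to see the two warnings the sample parameters trigger and a stanza with a fresh key; pass `ike_dh="modp2048", pfs_dh="modp2048"` to `render_swanctl` to see the hardened form, which only works against Azure once the matching custom IPsec/IKE policy is set on the connection.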