In this guide we will be setting up a basic Azure Site-to-Site VPN with pfSense via the Azure CLI. This is useful for scenarios where you want your on-premises environment reachable from the Azure VNET and/or vice versa.

Before we get started, make sure you have the following installed:

Additionally, this guide assumes you have met all the prerequisites stated in Microsoft's documentation: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-cli#before-you-begin

Connect to your Azure subscription

Once you have installed the Azure CLI, run the following command to log in to your Azure subscription.

az login

If you have more than one Azure subscription, run this command to list the subscriptions for your account.

az account list --all

To specify which subscription to use, run this command.

az account set --subscription <your_subscription_id>

Our example values used throughout this guide:

VnetName                = S2SVNET 
ResourceGroup           = Site2SiteVPNRG 
Location                = centralus 
AddressSpace            = 10.15.0.0/16 
SubnetName              = Subnet1 
Subnet                  = 10.15.0.0/24 
GatewaySubnet           = 10.15.255.0/27 
LocalNetworkGatewayName = OnPremSite 
LNG Public IP           = <VPN device IP address>
LocalAddrPrefix         = 192.168.0.0/24
GatewayName             = S2SVNETGW
PublicIP                = S2SVNETGWIP 
VPNType                 = RouteBased 
GatewayType             = Vpn 
ConnectionName          = VNET2SITE

Creating a resource group

If you do not already have a resource group that you want to use for your VNET, follow this next example to create one.

We will be creating a new resource group named 'Site2SiteVPNRG' in the region 'centralus'.

az group create --name Site2SiteVPNRG --location centralus

Creating a virtual network

Let's get started with the fun now. Here we will be creating a new virtual network. This is where we connect all our Azure resources as well as our on-prem network. Be sure that the address space you specify does not overlap your on-prem network; otherwise you will have routing issues.

The following command creates a new virtual network named 'S2SVNET' with a subnet named 'Subnet1'.

az network vnet create --name S2SVNET --resource-group Site2SiteVPNRG --address-prefix 10.15.0.0/16 --location centralus --subnet-name Subnet1 --subnet-prefix 10.15.0.0/24

Creating the gateway subnet

The gateway subnet is used by the VPN gateway for your virtual network. Without it the deployment fails and you will not be able to deploy a VPN Gateway. This subnet MUST be named 'GatewaySubnet' in order for it to be recognized by the VPN gateway.

Run the following command to create your gateway subnet.

az network vnet subnet create --address-prefix 10.15.255.0/27 --name GatewaySubnet --resource-group Site2SiteVPNRG --vnet-name S2SVNET

Creating the local network gateway

The local network gateway represents your on-prem network. This information is provided to the VPN Gateway in order to create the connection.

In the following command we provide our on-prem VPN device's public IP address as well as our local network address space.

az network local-gateway create --gateway-ip-address 23.99.221.164 --name OnPremSite --resource-group Site2SiteVPNRG --local-address-prefixes 192.168.0.0/24

Requesting a Public IP address

Your VPN Gateway will need a public IP address in order for your on-prem network to connect to it.

Run this command to request a Dynamic Public IP address.

az network public-ip create --name S2SVNETGWIP --resource-group Site2SiteVPNRG --allocation-method Dynamic

Creating the VPN gateway

This step could take 45 minutes or more to complete, so please be patient when running this command.

We will be creating a Basic SKU VPN gateway here. For more information on Azure VPN Gateway SKUs, see: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku

Run this command with the '--no-wait' parameter. The command returns immediately without any output and the gateway is created in the background; it can still take 45 minutes or more to finish.

az network vnet-gateway create --name S2SVNETGW --public-ip-address S2SVNETGWIP --resource-group Site2SiteVPNRG --vnet S2SVNET --gateway-type Vpn --vpn-type RouteBased --sku Basic --no-wait

Creating the VPN connection

Here we will create the Site-to-Site VPN connection between your Azure VNET and your on-prem VPN device. Pay close attention to the shared key value, as it must match the shared key configured on your VPN device.

az network vpn-connection create --name VNET2SITE --resource-group Site2SiteVPNRG --vnet-gateway1 S2SVNETGW -l centralus --shared-key letstalktech123 --local-gateway2 OnPremSite 
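Before running the commands above, it is worth checking the address plan and the shared key offline. The following is an added example, not code from the original guide: it uses only the Python standard library, checks that Subnet1 and GatewaySubnet sit inside the VNET address space, that the on-prem prefix does not overlap the VNET (the warning from the virtual network step), and that the shared key is not as weak as the placeholder 'letstalktech123'. The 20-character minimum and the "/27 or larger" GatewaySubnet rule are this example's own assumptions, not limits taken from the guide.

```python
"""Pre-flight checks for the Site-to-Site VPN values used in this guide.

Added example, not code from the original guide. Uses only the standard
library and runs entirely offline, before any `az` command is issued.
MIN_KEY_LENGTH and the "/27 or larger" GatewaySubnet rule are assumptions
made for this example, not Azure-imposed limits.
"""
import ipaddress
import secrets

MIN_KEY_LENGTH = 20  # assumption for this example


def check_address_plan(vnet, subnet, gateway_subnet, on_prem_prefixes):
    """Return a list of problems; an empty list means the plan is sound."""
    problems = []
    vnet_net = ipaddress.ip_network(vnet)
    subnet_net = ipaddress.ip_network(subnet)
    gw_net = ipaddress.ip_network(gateway_subnet)
    on_prem = [ipaddress.ip_network(p) for p in on_prem_prefixes]

    # Both Azure subnets must be carved out of the VNET address space.
    for label, net in (("subnet", subnet_net), ("GatewaySubnet", gw_net)):
        if not net.subnet_of(vnet_net):
            problems.append(f"{label} {net} is not inside VNET {vnet_net}")

    # The workload subnet and the GatewaySubnet must not overlap each other.
    if subnet_net.overlaps(gw_net):
        problems.append(f"subnet {subnet_net} overlaps GatewaySubnet {gw_net}")

    # On-prem prefixes must not overlap the VNET, or routing breaks on both
    # sides of the tunnel (the guide's warning in the virtual network step).
    for net in on_prem:
        if net.overlaps(vnet_net):
            problems.append(f"on-prem prefix {net} overlaps VNET {vnet_net}")

    # Example assumption: insist on /27 or larger for the GatewaySubnet.
    if gw_net.prefixlen > 27:
        problems.append(f"GatewaySubnet {gw_net} is smaller than /27")
    return problems


def check_shared_key(key):
    """Return a list of problems with an IPsec pre-shared key."""
    problems = []
    if len(key) < MIN_KEY_LENGTH:
        problems.append(f"shared key has {len(key)} characters, fewer than {MIN_KEY_LENGTH}")
    has = {
        "lower": any(c.islower() for c in key),
        "upper": any(c.isupper() for c in key),
        "digit": any(c.isdigit() for c in key),
        "other": any(not c.isalnum() for c in key),
    }
    if sum(has.values()) < 3:
        present = ", ".join(k for k, v in has.items() if v) or "none"
        problems.append(f"shared key uses fewer than three character classes ({present})")
    return problems


def generate_shared_key(nbytes=32):
    """Return a random key (letters, digits, '-' and '_') that passes check_shared_key."""
    while True:
        key = secrets.token_urlsafe(nbytes)
        if not check_shared_key(key):
            return key


def preflight(values):
    """Run every check against a dict using the guide's value names."""
    problems = check_address_plan(values["AddressSpace"], values["Subnet"],
                                  values["GatewaySubnet"], values["LocalAddrPrefix"])
    problems += check_shared_key(values["SharedKey"])
    return problems


if __name__ == "__main__":
    # The guide's example values, with the placeholder key from the connection step.
    example = {
        "AddressSpace": "10.15.0.0/16",
        "Subnet": "10.15.0.0/24",
        "GatewaySubnet": "10.15.255.0/27",
        "LocalAddrPrefix": ["192.168.0.0/24"],
        "SharedKey": "letstalktech123",
    }
    for problem in preflight(example):
        print("PROBLEM:", problem)
    print("suggested shared key:", generate_shared_key())
```

Run it once with your own values substituted into `example`; the address checks pass for the guide's plan, and the two shared-key findings show why the placeholder key should be replaced with the generated one in both the `az network vpn-connection create` command and the pfSense Phase 1 entry.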

Getting your VPN Gateway IP Address

Run the following command to get your VPN Gateway's public IP address. You will need it when configuring your pfSense device. Because the gateway was created with '--no-wait', the dynamic address is only assigned once the gateway deployment has finished.

az network public-ip list --resource-group Site2SiteVPNRG --output table

Configuring your pfSense device

Now that we have all the Azure pieces completed, let's take care of our pfSense components.

Navigate to and log in to your pfSense device (https://mypfsense-device/).

On your navigation bar, click VPN, then IPsec.

On this page click Add P1.

Here we will need to add all our Azure VPN Gateway information. Most default settings are fine; however, change the highlighted fields to your specific Azure settings.

Once completed, click Save.

Click Show Phase 2 Entries, then click Add P2.

Here we will enter our Azure VNET address space as well as our Encryption Algorithms.

All other default settings can stay the same. Once completed, click Save.
Once saved, click Apply Changes.

Creating pfSense Firewall Rule for IPsec

Now that we have our pfSense device configured for Site-to-Site VPN, we need to ensure that our firewall rules are set for the traffic as well.

Go to the Firewall section of your navigation bar on pfSense and select Rules.

Select IPsec and click Add to create a new rule.

Feel free to lock down this rule further if needed; however, for this example we are allowing any protocol from any source to any destination.

Click Save, then click Apply Changes.

Verifying Connection on pfSense

Now that we have everything connected, let's go to the Status section of your navigation bar on pfSense and select IPsec.

You should now be able to see an Established connection.

Verifying Connection on Azure

You can verify that your connection was successful via the Azure CLI as well, using the following command.

az network vpn-connection show --name VNET2SITE --resource-group Site2SiteVPNRG
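The command above returns a JSON document, and the field worth reading is connectionStatus. As an added example that is not code from the original guide, the script below interprets that output and points to the pfSense setting to revisit for each outcome. The two JSON samples are constructed for this example and trimmed to the fields the function reads; connectionStatus, ingressBytesTransferred and egressBytesTransferred are the field names the Azure CLI emits for a connection resource, and the `az` invocation in `fetch_connection` is simply the guide's verification command with JSON output.

```python
"""Interpret `az network vpn-connection show` output for the VNET2SITE connection.

Added example, not code from the original guide. The sample documents are
constructed for this example and contain only the fields used below.
"""
import json
import subprocess

# Constructed sample: a healthy connection once traffic flows in both directions.
SAMPLE_CONNECTED = """{
  "name": "VNET2SITE",
  "connectionType": "IPsec",
  "connectionStatus": "Connected",
  "ingressBytesTransferred": 48212,
  "egressBytesTransferred": 37900
}"""

# Constructed sample: gateway deployed, but no IKE negotiation has succeeded yet.
SAMPLE_NOT_CONNECTED = """{
  "name": "VNET2SITE",
  "connectionType": "IPsec",
  "connectionStatus": "NotConnected",
  "ingressBytesTransferred": 0,
  "egressBytesTransferred": 0
}"""


def assess_connection(show_json):
    """Return (status, verdict) for one `vpn-connection show` result."""
    data = json.loads(show_json)
    status = data.get("connectionStatus") or "Unknown"
    ingress = data.get("ingressBytesTransferred") or 0
    egress = data.get("egressBytesTransferred") or 0
    if status != "Connected":
        # Phase 1 never completed: gateway IP, shared key or proposal mismatch.
        verdict = (f"tunnel is {status}: compare the pfSense Phase 1 settings "
                   "and shared key with the Azure connection")
    elif ingress == 0 or egress == 0:
        # IKE is up but packets are not flowing one way: the IPsec firewall
        # rule or the Phase 2 address spaces are the usual culprits.
        verdict = ("tunnel is Connected but traffic is one-way or absent: check the "
                   "pfSense IPsec firewall rule and the Phase 2 address spaces")
    else:
        verdict = f"tunnel is Connected and passing traffic ({ingress} B in, {egress} B out)"
    return status, verdict


def fetch_connection(name="VNET2SITE", resource_group="Site2SiteVPNRG"):
    """Run the guide's verification command and return its JSON text (needs `az` and a login)."""
    result = subprocess.run(
        ["az", "network", "vpn-connection", "show", "--name", name,
         "--resource-group", resource_group, "--output", "json"],
        check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; replace with
    # assess_connection(fetch_connection()) against a real subscription.
    for sample in (SAMPLE_CONNECTED, SAMPLE_NOT_CONNECTED):
        status, verdict = assess_connection(sample)
        print(f"{status:>13}: {verdict}")
```

A status of Connected on the Azure side together with an Established entry under Status > IPsec on pfSense is the end state; if Azure reports Connected but the byte counters stay at zero in one direction, the tunnel is up and the problem is in the pfSense IPsec firewall rule or the Phase 2 networks rather than in the key.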

Conclusion

That is all folks!!

For more information on Azure Site-to-Site connections or how to set this up via the Azure Portal, click here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal