The LAB (Site-to-Site VPN – Azure)

I’ve set up the new LAB, but now I need to create an environment for my testing; otherwise I could have saved myself the money and spent it on a subscription for Netflix/Disney+/Apple+/Amazon Prime (pick your favourite).

My environment will be using an on-prem Active Directory, consisting of

  • Domain Controller (NLSOMDC01)
  • an Azure AD Connect Server (NLSOMCC01) to ensure the environment is extended to Azure
  • a 2-tier PKI infrastructure
    • a Root CA (NLSOMCRT), that’s brought offline after the initial setup/configuration
    • a Subordinate CA (NLSOMCA01) that will act as the issuing CA
  • a Management Server with Windows Admin Center (NLSOMMG01)

To ensure this AD can communicate with Azure, I need to create a site-to-site IPsec VPN tunnel. For this I will install a pfSense Firewall (Community Edition), NLSOMFW01.

Setting up the pfSense Firewall (Community Edition)

I defined a new VM (1 vCPU, 1 GB RAM, 8 GB HDD and 2 NICs), which is very limited, but as this VM is only used for the IPsec tunnel it is enough. The installer has been mounted, so I start installing:

I read the copyright and distribution notice and click Accept

Out of the 3 options, the default one “Install” is the one I need, so I click OK.

Again not much to do for me: US is a good-enough keyboard layout for me, so I click Select.

I will use the guided disk setup “Auto (UFS)” and click OK after which the installation starts.

The installation finishes quickly and I don’t need to make any manual modifications, so I click No

Now the VM needs a reboot

After the reboot, the first thing I need to do is define the VLANs. For my Lab environment this is not needed, so I type n. The next action is to assign the network interfaces correctly to WAN/LAN. After that’s done, I’m sure I want to proceed, so I type y.

OK, next up: assigning fixed IP addresses to my NICs. I type 2.

First I will start with the WAN interface.

IPv4 address: 192.168.2.17
Subnet mask (CIDR notation): 24
IPv4 upstream gateway: 192.168.2.254
IPv6 via DHCP: y

Now the LAN interface

IPv4 address: 10.57.11.1
Subnet mask (CIDR notation): 24
IPv4 upstream gateway: <ENTER> (none)
IPv6 via DHCP: y

Now I can finish the configuration using the GUI. I log on using the default credentials (admin | pfsense).

I immediately get a warning that the ‘admin’ account is still using the default password, but first I will go through the initial configuration, so I click Next.

The pfSense setup wizard starts (9 steps). Step 1 of 9: click Next.

Step 2 of 9: I provide the following information and click Next.

Hostname: NLSOMFW01
Domain: lab.damen-online.nl
Primary DNS Server: 192.168.2.254
Secondary DNS Server: 1.1.1.1

I use the same time server (0.nl.pool.ntp.org) as I did before and set the correct timezone (Europe/Amsterdam), then again Next.

The next step (the WAN interface) is already correct, so I click Next.

The same goes for the LAN interface, so again Next.

Now I can set the new admin password, which I do, and click Next.

Now I need to reload the configuration,

and after that the initial configuration is finished. I click Finish, and I can start configuring the site-to-site connection.

Site-to-site connection

The LAN address of the pfSense firewall (10.57.11.1) is in my isolated subnet, while its WAN address (192.168.2.17) is in my private home network. As the router from my ISP sits in front of it, I needed to ensure that UDP 500 and UDP 4500 are also forwarded to this WAN IP: because the pfSense VM is behind NAT, IKE will detect this and carry the tunnel over NAT traversal (UDP 4500).

Virtual Network

Now I need to set up the Azure side of the site-to-site VPN Gateway connection. For this I log on to the Azure portal and select Create a resource in the menu.

I search for Virtual Network and click Create.

I provide the following information to define my “personal” network in Azure and click Create.

Name: vLAB
Address Space: 10.10.12.0/23
Subscription: Microsoft Partner Network
Resource Group: (New) LABRG
Location: (Europe) West Europe
Subnet Name: AzureLAB
Subnet Address Range: 10.10.13.0/24

VPN Gateway

Now I need to create the VPN Gateway, so I select Create a resource in the menu again, search for Virtual Network Gateway and click Create.

Again a lot of information needs to be provided before the VPN Gateway can be defined; then I click Review + Create. Deploying the gateway can take some time (up to 45 minutes).

Subscription: Microsoft Partner Network
Resource Group: LABRG
Instance Name: vLABGW
Region: (Europe) West Europe
Gateway type: VPN
VPN type: Route-Based
SKU: VpnGw1
Generation: Generation1
Virtual Network: vLAB
Gateway subnet address range: 10.10.12.0/24
Public IP address: Create new
Public IP address name: vLABGWPublicIP

Local Network Gateway

Now I can create the local network gateway, which defines my on-premises network. So again back to the menu, search for Local Network Gateway and select Create.

Here I need to provide a descriptive name, the public IP address of my internet connection and the address spaces that are part of the local network.

Name: NLSOM
IP address: Public IP of my internet connection
Address Space: 10.57.11.0/24 (internal subnet)

Now I create the VPN connection. For this I open the Virtual Network Gateway I’ve created earlier and add a new connection.

Again I need to provide a couple of values to set up the VPN connection.

Name: Azure-NLSOM
Connection type: Site-to-site (IPsec)
Virtual network gateway: vLABGW
Local network gateway: NLSOM
Shared key (PSK): <private shared key>
IKE Protocol: IKEv2

pfSense

Back to the pfSense firewall, where I select VPN, IPsec.

As I need to create a site-to-site VPN tunnel, I click + Add P1.

Now I can configure the first phase (P1) of the tunnel. I provide the following information and hit Save.

Key Exchange version: Auto
Interface: WAN
Remote Gateway: <vLABGWPublicIP>
Description: Site-to-Site VPN NLSOM – Azure
Authentication Method: Mutual PSK
My identifier: Public IP address of my internet connection, as the pfSense VM is behind my router
Peer identifier: Peer IP address
Pre-Shared Key: <private shared key>
Encryption Algorithm: AES – 256 bits – SHA256 – DH group 2 (1024 bit)

Now I can configure phase 2 (P2) of the tunnel by clicking + Add P2.

This adds the last piece of information needed for my tunnel to work.

Remote Network: 10.10.12.0/24
Description: Phase 2 NLSOM – Azure
Protocol: ESP
Encryption Algorithm: AES – 256 bits
Hash Algorithm: SHA1

After clicking Save I’m redirected back to the Tunnels page. Click Apply Changes.
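Before applying the tunnel it is worth checking that the values entered on the Azure side (Virtual Network, gateway subnet, Local Network Gateway) and on the pfSense side (Phase 1 and Phase 2) actually agree with each other. The script below is an added example, not pfSense or Azure tooling and not part of the original post; it takes the address plan and proposals exactly as listed above and checks them with Python's standard ipaddress module (the WEAK_* sets and finding messages are my own). Run against the values on this page it reports that the Phase 2 Remote Network (10.10.12.0/24) covers only the gateway subnet and not the AzureLAB subnet (10.10.13.0/24), so hosts in AzureLAB would not be selected for the tunnel unless the Remote Network is widened to the whole vNet (10.10.12.0/23); it also flags DH group 2 (1024-bit MODP) in Phase 1 and SHA1 in Phase 2 as deprecated choices.

```python
"""Sanity checks for the address plan and the IKE/ESP proposals of the tunnel.

Added example: not pfSense or Azure tooling, just a small checker that uses
the values listed in the post. Needs Python 3.7+ (ipaddress.subnet_of).
"""
from ipaddress import ip_network

# Address plan as listed in the post
AZURE_VNET = ip_network("10.10.12.0/23")            # vLAB address space
AZURE_SUBNETS = {
    "GatewaySubnet": ip_network("10.10.12.0/24"),    # gateway subnet address range
    "AzureLAB": ip_network("10.10.13.0/24"),         # subnet address range
}
ONPREM_LAN = ip_network("10.57.11.0/24")             # local network gateway address space
PFSENSE_WAN = ip_network("192.168.2.0/24")           # WAN interface 192.168.2.17/24
P2_LOCAL = ONPREM_LAN                                # pfSense phase 2 local network (LAN subnet)
P2_REMOTE = ip_network("10.10.12.0/24")              # pfSense phase 2 "Remote Network"

# Proposals as listed (phase 1: AES-256 / SHA256 / DH group 2; phase 2: AES-256 / SHA1)
P1_PROPOSAL = {"enc": "aes256", "hash": "sha256", "dh": 2}
P2_PROPOSAL = {"enc": "aes256", "hash": "sha1"}

WEAK_DH_GROUPS = {1, 2, 5}        # MODP groups of 1536 bits or less (my own list)
WEAK_HASHES = {"md5", "sha1"}     # deprecated integrity algorithms (my own list)


def check_address_plan(vnet, subnets, onprem, wan, p2_local, p2_remote):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    # Azure only accepts a gateway subnet that is literally named GatewaySubnet
    if "GatewaySubnet" not in subnets:
        findings.append("Azure requires a subnet named GatewaySubnet")
    for name, net in subnets.items():
        if not net.subnet_of(vnet):
            findings.append(f"subnet {name} {net} lies outside vnet {vnet}")
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                findings.append(f"subnets {a} and {b} overlap")
    # Routing through the tunnel only works if the two sides share no addresses
    for label, net in (("on-prem LAN", onprem), ("pfSense WAN", wan)):
        if net.overlaps(vnet):
            findings.append(f"{label} {net} overlaps vnet {vnet}")
    if p2_local != onprem:
        findings.append(f"phase 2 local network {p2_local} differs from the local "
                        f"network gateway address space {onprem}")
    # With a route-based Azure gateway, the pfSense phase 2 remote network decides
    # which Azure subnets are selected for the tunnel, so it must cover all of them
    for name, net in subnets.items():
        if not net.subnet_of(p2_remote):
            findings.append(f"phase 2 remote network {p2_remote} does not cover "
                            f"subnet {name} {net}")
    return findings


def check_proposals(p1, p2):
    """Flag deprecated DH groups and hash algorithms in the phase 1/2 proposals."""
    findings = []
    if p1["dh"] in WEAK_DH_GROUPS:
        findings.append(f"phase 1 DH group {p1['dh']} is weak; use group 14 or an ECP group")
    for phase, prop in (("phase 1", p1), ("phase 2", p2)):
        if prop["hash"] in WEAK_HASHES:
            findings.append(f"{phase} hash {prop['hash']} is deprecated; use sha256")
    return findings


if __name__ == "__main__":
    for finding in check_address_plan(AZURE_VNET, AZURE_SUBNETS, ONPREM_LAN,
                                      PFSENSE_WAN, P2_LOCAL, P2_REMOTE):
        print("ADDRESS PLAN:", finding)
    for finding in check_proposals(P1_PROPOSAL, P2_PROPOSAL):
        print("PROPOSAL:", finding)
```

If you change a proposal on pfSense (for example DH group 14 instead of 2), remember that the Azure connection must accept the same proposal, either through its default policy or through a custom IPsec/IKE policy on the connection; otherwise Phase 1 will never complete.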

Now I switch to the Status page of IPsec to check the status of the tunnel,

and my tunnel is up and running.

This finishes up the Site-to-Site VPN connection, so now I can sync my on-premises Active Directory to Azure AD.
