I’ve set up the new LAB, but now I need to create an environment for my testing, otherwise I could have saved myself the money and spent it on a subscription for Netflix/Disney+/Apple+/Amazon Prime (pick your favourite).
My environment will be using an on-prem Active Directory, consisting of:
- a Domain Controller (NLSOMDC01)
- an Azure AD Connect Server (NLSOMCC01) to extend the environment to Azure
- a 2-tier PKI infrastructure:
  - a Root CA (NLSOMCRT) that is taken offline after the initial setup/configuration
  - a Subordinate CA (NLSOMCA01) that will act as the issuing CA
- a Management Server with Windows Admin Center (NLSOMMG01)
To ensure this AD can communicate with Azure, I need to create a site-to-site IPsec VPN tunnel. For this I will install a pfSense firewall (Community Edition), NLSOMFW01.
Setting up the pfSense Firewall (Community Edition)
I defined a new VM (1 vCPU, 1 GB RAM, 8 GB HDD and 2 NICs), which is very limited but sufficient, as it is only used for the IPsec tunnel. The installer has been mounted, so I start installing:
I read the copyright and distribution notice and click Accept.
Out of the 3 options, the default one, “Install”, is the one I need, so I click OK.
Again not much to do for me: US is a good-enough keyboard layout for me, so I click Select.
I will use the guided disk setup “Auto (UFS)” and click OK, after which the installation starts.
The installation finishes quickly and I don’t need to make any manual modifications, so I click No.
Now the VM needs a reboot.
After the reboot, the first question is whether to define VLANs. For my lab environment this is not needed, so I type n. The next action is to assign the network interfaces correctly to WAN/LAN. After that’s done, I’m sure I want to proceed, so I type y.
OK, next up: assigning fixed IP addresses to my NICs. I type 2.
First I start with the WAN interface:

| Setting | Value |
|---|---|
| IPv4 | 192.168.2.17 |
| Subnet mask (CIDR notation) | 24 |
| IPv4 upstream gateway | 192.168.2.254 |
| IPv6 via DHCP | y |

Now for the LAN interface:

| Setting | Value |
|---|---|
| IPv4 | 10.57.11.1 |
| Subnet mask (CIDR notation) | 24 |
| IPv4 upstream gateway | <ENTER> |
| IPv6 via DHCP | y |
Now I can finish the configuration using the web GUI. I log on using the default credentials (admin | pfsense).
I immediately get a warning that the ‘admin’ account is still using the default password, but first I will go through the initial configuration, so I click Next.
The pfSense setup wizard starts (9 steps). Step 1 of 9: click Next.
Step 2 of 9: I provide the following information and click Next.

| Setting | Value |
|---|---|
| Hostname | NLSOMFW01 |
| Domain | lab.damen-online.nl |
| Primary DNS Server | 192.168.2.254 |
| Secondary DNS Server | 1.1.1.1 |
I use the same time server (0.nl.pool.ntp.org) as I did before and set the correct timezone (Europe/Amsterdam); again Next.
The next step is actually already correct, so I click Next
Same goes for the LAN interface, so again Next
Now I can set the new admin password, which I do and click Next
Now I need to reload the configuration, and after that the initial configuration is finished. I click Finish and can start configuring the site-to-site connection.
Site-to-site connection
The LAN IP of the pfSense firewall is in my isolated subnet, but I made sure its WAN IP (192.168.2.17) is in my private home network. As the router from my ISP sits in front of it, I also had to ensure that UDP 500 and 4500 (IKE and NAT-T) are forwarded to this IP.
Virtual Network
Now I need to set up the Azure side of the site-to-site VPN gateway connection. For this I log on to the Azure portal and select Create a resource in the menu.
I search for Virtual Network and click Create.
I provide the following information to define my “personal” network in Azure and click Create.

| Setting | Value |
|---|---|
| Name | vLAB |
| Address Space | 10.10.12.0/23 |
| Subscription | Microsoft Partner Network |
| Resource Group | (New) LABRG |
| Location | (Europe) West Europe |
| Subnet Name | AzureLAB |
| Subnet Address Range | 10.10.13.0/24 |
VPN Gateway
Now I need to create the VPN gateway, so I select Create a resource in the menu again, search for Virtual Network Gateway and click Create.
Again a lot of information needs to be provided before the VPN gateway can be defined; then click Review + Create. Deployment can take some time (up to 45 minutes).

| Setting | Value |
|---|---|
| Subscription | Microsoft Partner Network |
| Resource Group | LABRG |
| Instance Name | vLABGW |
| Region | (Europe) West Europe |
| Gateway type | VPN |
| VPN type | Route-Based |
| SKU | VpnGw1 |
| Generation | Generation1 |
| Virtual Network | vLAB |
| Gateway subnet address range | 10.10.12.0/24 |
| Public IP address | Create new |
| Public IP address name | vLABGWPublicIP |
Local Network Gateway
Now I can create the local network gateway, which defines my on-premises network. So again back to the menu, search for Local Network Gateway and select Create.
Here I need to provide a descriptive name, the public IP address of my internet connection and the address space(s) that are part of the local network.

| Setting | Value |
|---|---|
| Name | NLSOM |
| IP address | Public IP of my internet connection |
| Address Space | 10.57.11.0/24 (internal subnet) |
Now I create the VPN connection. For this I open the virtual network gateway I created earlier and add a new connection.
Again I need to provide a couple of values to set up the VPN connection:

| Setting | Value |
|---|---|
| Name | Azure-NLSOM |
| Connection type | Site-to-site (IPSec) |
| Virtual network gateway | vLABGW |
| Local network gateway | NLSOM |
| Shared key (PSK) | <private shared key> |
| IKE Protocol | IKEv2 |
pfSense
Back to the pfSense firewall, where I select VPN > IPsec.
As I need to create a site-to-site VPN tunnel, I click + Add P1.
Now I can configure the first phase (P1) of the tunnel. I provide the following information and hit Save.

| Setting | Value |
|---|---|
| Key Exchange version | Auto |
| Interface | WAN |
| Remote Gateway | <vLABGWPublicIP> |
| Description | Site-to-Site VPN NLSOM – Azure |
| Authentication Method | Mutual PSK |
| My identifier | Public IP address of my internet connection, as the pfSense VM is behind my router |
| Peer identifier | Peer IP address |
| Pre-Shared Key | <private shared key> |
| Encryption Algorithm | AES – 256 bits – SHA256 – DH Group 2 (1024 bit) |
Now I can configure phase 2 (P2) of the tunnel by clicking + Add P2.
Adding the last piece of information for my tunnel to work:

| Setting | Value |
|---|---|
| Remote Network | 10.10.12.0/24 |
| Description | Phase 2 NLSOM – Azure |
| Protocol | ESP |
| Encryption Algorithm | AES – 256 bits |
| Hash Algorithm | SHA1 |
After clicking Save I’m redirected back to the Tunnels page. Click Apply Changes.
Now I switch to the IPsec Status page to check the status of the tunnel.
And my tunnel is up and running.
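A tunnel that shows "established" is not the same as a tunnel that carries the traffic you expect, so it is worth checking the two sides' settings against each other. The Python script below is an added example; it is not part of the original post and not pfSense or Azure tooling. It copies the values from the tables above into constructed dicts (the PLAN, PHASE1 and PHASE2 names and keys are my own) and reports two things a practitioner would want to know: whether the pfSense phase 2 remote network covers the whole Azure VNet (with the values above, 10.10.12.0/24 covers only the GatewaySubnet, so traffic to the AzureLAB subnet 10.10.13.0/24 would not be sent through the tunnel), and whether the negotiated algorithms are still considered acceptable (DH group 2 with 1024-bit MODP and SHA1 integrity are deprecated; the weak-parameter sets are my thresholds).

```python
"""Sanity checks for the NLSOM <-> Azure site-to-site IPsec design.

Added example, not part of the original post or of pfSense/Azure tooling.
The values below are copied from the post's tables into constructed dicts;
the check logic, the dict keys and the weak-parameter thresholds are my own.
"""
from ipaddress import ip_address, ip_network

# Address plan from the post (constructed dict; keys are my own naming).
PLAN = {
    "pfsense_wan": "192.168.2.17/24",
    "pfsense_wan_gateway": "192.168.2.254",
    "pfsense_lan": "10.57.11.1/24",
    "azure_vnet": "10.10.12.0/23",
    "azure_gateway_subnet": "10.10.12.0/24",
    "azure_lab_subnet": "10.10.13.0/24",
    "local_network_gateway_space": "10.57.11.0/24",  # Azure's view of on-prem
    "p2_remote_network": "10.10.12.0/24",            # pfSense phase 2 selector
}

# IKE proposal from the post's P1/P2 tables (constructed dicts).
PHASE1 = {"encryption": "AES", "key_bits": 256, "hash": "SHA256", "dh_group": 2}
PHASE2 = {"encryption": "AES", "key_bits": 256, "hash": "SHA1", "protocol": "ESP"}

# Parameters treated as weak (my thresholds): MODP groups of 1536 bits or less
# and MD5/SHA-1 integrity.
WEAK_DH_GROUPS = {1, 2, 5}
WEAK_HASHES = {"MD5", "SHA1"}


def check_addressing(plan):
    """Return a list of findings about the address plan; empty means consistent."""
    findings = []
    wan = ip_network(plan["pfsense_wan"], strict=False)
    if ip_address(plan["pfsense_wan_gateway"]) not in wan:
        findings.append(f"WAN gateway {plan['pfsense_wan_gateway']} is outside {wan}")

    lan = ip_network(plan["pfsense_lan"], strict=False)
    vnet = ip_network(plan["azure_vnet"])
    if lan.overlaps(vnet):
        findings.append(f"on-prem LAN {lan} overlaps the Azure VNet {vnet}")

    gw_subnet = ip_network(plan["azure_gateway_subnet"])
    lab_subnet = ip_network(plan["azure_lab_subnet"])
    for name, subnet in (("GatewaySubnet", gw_subnet), ("AzureLAB", lab_subnet)):
        if not subnet.subnet_of(vnet):
            findings.append(f"{name} {subnet} is not inside the VNet {vnet}")
    if gw_subnet.overlaps(lab_subnet):
        findings.append(f"GatewaySubnet {gw_subnet} overlaps AzureLAB {lab_subnet}")

    # Azure's Local Network Gateway must describe exactly what pfSense protects.
    lng = ip_network(plan["local_network_gateway_space"])
    if lng != lan:
        findings.append(f"Local Network Gateway space {lng} differs from on-prem LAN {lan}")

    # The pfSense phase 2 selector must cover every Azure subnet that should be reachable.
    p2 = ip_network(plan["p2_remote_network"])
    if not vnet.subnet_of(p2):
        missed = [str(s) for s in (gw_subnet, lab_subnet) if not s.subnet_of(p2)]
        findings.append(
            f"phase 2 remote network {p2} does not cover the VNet {vnet}; "
            f"traffic to {', '.join(missed)} will not be sent through the tunnel"
        )
    return findings


def check_crypto(phase1, phase2):
    """Return findings for deprecated IKE/ESP parameters; empty means acceptable."""
    findings = []
    if phase1["dh_group"] in WEAK_DH_GROUPS:
        findings.append(
            f"phase 1 DH group {phase1['dh_group']} is a deprecated MODP group; "
            "use group 14 (2048-bit) or an ECP group"
        )
    for label, phase in (("phase 1", phase1), ("phase 2", phase2)):
        if phase["hash"].upper() in WEAK_HASHES:
            findings.append(
                f"{label} integrity algorithm {phase['hash']} is deprecated; use SHA256 or stronger"
            )
        if phase["encryption"].upper() != "AES" or phase["key_bits"] < 128:
            findings.append(f"{label} cipher {phase['encryption']}-{phase['key_bits']} is too weak")
    return findings


def run_checks(plan=PLAN, phase1=PHASE1, phase2=PHASE2):
    """Combine both checks into one report dict keyed by section."""
    return {"addressing": check_addressing(plan), "crypto": check_crypto(phase1, phase2)}


if __name__ == "__main__":
    for section, items in run_checks().items():
        print(f"[{section}] {'OK' if not items else ''}")
        for item in items:
            print(f"  - {item}")
```

With the values from the post, the addressing check reports only the phase 2 selector mismatch (fixing it means widening the pfSense Remote Network to the VNet's 10.10.12.0/23), and the crypto check reports DH group 2 and the SHA1 phase 2 hash; both ends have to be changed together, since whatever the Azure connection's IPsec/IKE policy proposes must match what pfSense is configured to accept.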
This finishes up the Site-to-Site VPN connection, so now I can sync my on-premises Active Directory to Azure AD.