…covering cloud technologies such as Office 365, Azure, Amazon and, of course, SharePoint

Creating a Site-to-Site Connection between Azure and pfSense

June 08, 2013 by Greg Carnie

This was a big of a tricky endeavour and obviously a topic that I I don’t typically cover on this blog.  The whole reason for the post actually directly relates back to my Moving to Office 365 post as I haven’t get succeeded in moving enough of my operations to the cloud such that I am not dependent on my main internet connection any more.

I was able to find a few resources on this topic which were helpful with my initial configuration:

How you can connect an Azure cloud to a pfSense network over IPSec - Excellent how-to article to get you started!

After repeatedly not successfully establishing a connection between the two networks and only seeing ERROR: invalid flag 0x08 in my IPsec log I concluded that something had changed after the articles were written.  After lots of digging I found couple changes which were required:

  1. The first thing I found in this article which indicated that the encryption algorithm had moved to AES 265 from AES 128.  Change made, still saw the same error.
  2. The second obvious thing missing from the above article is after step 12 (Create Gateway).  Along with the Create Gateway function now, you have the choice of creating a Static Routing or Dynamic Routing Gateway.  Doing a bit more research I came across this (same as issue 1) article which recommends that you create a dynamic routing gateway.  Fair enough, it sounds like it would be the easiest for me to maintain.  WRONG! Scrolling further down that article, you find the ‘Key exchange’ property, on a static routing gateway it is IKE v1, on a dynamic routing gateway it is IKE v2.  What is the significance of this you ask? I refer you to this discussion on the pfSense form.  IKEv2 is not supported by racoon which is the foundation of the pfSense IPSec implementation.  A quick removal of my current Azure gateway and creation of a static routing gateway worked beautifully!  Connection established!

Written by Greg Carnie

I am a SharePoint consultant (Business Analyst by title) with Ideaca Knowledge Services based in Toronto, Canada. I have been actively working with SharePoint for three years now and have been specializing more in the developmental and architectural aspects of SharePoint. In a previous life I worked both with SAP and Microsoft Exchange. In my spare time (yes – I have figured out how to have a life outside of SharePoint – only took 3 years!!) I read, have started to get myself back into decent shape, and intend to spend a significant amount of time outside this summer.

You should follow Greg on Twitter