In this article I will go through how to configure a site-to-site IPsec VPN from Azure v2 (the Resource Manager, or ARM, deployment model) to a pfSense firewall on premises.

Log in to the Azure Portal.


Create a new Resource Group.

Create a Virtual Network

Ensure Resource Manager is selected and click Create.

Give your VNet a name. Populate the Address Space field with the range you wish to use in Azure, then create a subnet for the VMs you will run in Azure. The Azure range must not overlap the on-premises range, or the VPN cannot route between the two. In this guide I use 10.10.x.x/16 on premises and 10.11.x.x/16 in Azure.

Next you need to create a Gateway Subnet for the gateway instances to use. Click All Resources > Your VNet Name > All Settings > Subnets.

Click + Gateway Subnet.

Enter a range for your Gateway Subnet. This can be at the top end of your range, as I am using. The subnet is always named GatewaySubnet, and a /27 or larger is recommended so that later gateway SKUs and configurations have enough addresses. Once entered click OK.

Now you need to create a VNet Gateway. Click New > Networking > Virtual Network Gateway.

Enter a name for your Virtual Network Gateway. Select your Virtual Network (VNet) and create a new Public IP address. Select VPN as the gateway type and Route-based as the VPN type (a route-based gateway negotiates IKEv2, which is what the pfSense Phase 1 entry later in this guide uses), then click Create.

Note this really does take around 45 minutes to create, so while it does that let's go and create a Virtual Machine that we can test the VPN with later.

To keep Azure tidy I like to create the components required for my Azure infrastructure separately. First, create a Storage Account by clicking New > Data + Storage > Storage account.

Give your storage account a name (note it must be lower-case letters and numbers only, between 3 and 24 characters, and globally unique). Select the Resource Manager deployment model and a General purpose account. Choose the performance tier of the storage account: Standard is backed by spinning (HDD) disks and Premium by SSD. I have chosen Locally Redundant Storage. For more information on the storage tiers see my article on Azure Storage and make your choice based on that: http://www.garethjones294.com/microsoft-azure-storage-explained/

Once your storage account is created, let's create a VM. Click New > Virtual Machines and select a template (I'm using a Server 2012 R2 Datacenter edition machine).

On the Welcome blade ensure Resource Manager is selected and click Create.

Enter a name for the VM. Enter a username and password. Note that Azure recently changed its password requirements: a local administrator password must now be at least 12 characters and meet the complexity rules (three of upper-case, lower-case, digits and symbols). Select your Subscription if you have more than one and ensure you select Use existing and pick the Resource Group you created at the start of this guide.

Select the size of the VM you want to create. I have chosen an A1 machine as this is more than adequate for my lab networking. At the time of writing this costs £21.36 per month, although I will write another article on how to create an automation runbook that shuts it down overnight to save money. Click Select once you have chosen your VM size.

Select the storage account you just created. Select your VNet and the Servers subnet. Create a new Public IP address. Network Security Groups are outside the scope of this guide, so select None; be aware, though, that in the Resource Manager model a VM with a public IP and no NSG accepts inbound traffic on every port, so RDP (TCP 3389) on that public IP is reachable from the whole internet and only the Windows Firewall inside the VM stands in the way. Since we will RDP over the VPN, you can instead leave the VM without a public IP, or attach an NSG that only allows 3389 from your own address. Disable monitoring, then click OK.

On the summary screen Click OK.

Now go and check the status of your Gateway.

Once created click All Resources > Gateway Name > All Settings > Connections.

You now need to create a connection to your on-premises pfSense server.

Click Create New. Give the connection a name, select Site-to-site (IPsec) as the connection type and select your VNet Gateway.

You also need to create a Local Network Gateway, which is the Azure object describing the pfSense end. Click Create new and give it a name. Enter the public IP of the pfSense server (its WAN address) and the address space of your ON PREM subnet (10.10.0.0/16 in my case). Click OK.

Note my Public IP v4 addresses are fake!

Enter a Shared Key, which you will also need to enter on the pfSense server. The pre-shared key is the only thing authenticating the two gateways to each other, so use a long random value from a password manager or similar rather than a memorable phrase; Azure accepts printable ASCII of up to 128 characters. Then click OK.

Now navigate to All Resources > VNet Gateway Name and note the public IP address Azure has allocated to your gateway; pfSense will need it. This is the Azure part done.
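The Azure side above can also be driven from a shell with the Azure CLI rather than the portal. The script below is an added example written for this article, not the author's own or Microsoft's code. The `az` commands are real Azure CLI commands; the resource names, region, VpnGw1 SKU, the 10.11.1.0/24 server subnet, the 10.11.255.224/27 gateway subnet and 203.0.113.10 as the pfSense WAN address are placeholders I have assumed, to be changed for your environment. It also generates and sanity-checks the shared key, since that key is what the whole tunnel's authentication rests on.

```shell
#!/bin/sh
# Added example (not from the original article): the Azure half of the
# site-to-site VPN as Azure CLI commands, mirroring the portal steps above.
# The address spaces are the article's (10.10.0.0/16 on premises,
# 10.11.0.0/16 in Azure). Resource names, region, gateway SKU, the server
# and gateway subnets and the pfSense WAN address (203.0.113.10, a
# documentation address) are assumptions; override them via the environment.
# Set DRY_RUN=1 to print the commands instead of running them.

RG=${RG:-rg-s2s-lab}
LOCATION=${LOCATION:-uksouth}
VNET=${VNET:-vnet-azure}
AZURE_SPACE=${AZURE_SPACE:-10.11.0.0/16}
SERVER_SUBNET=${SERVER_SUBNET:-10.11.1.0/24}
GW_SUBNET=${GW_SUBNET:-10.11.255.224/27}   # GatewaySubnet at the top of the range; /27 or larger
ONPREM_SPACE=${ONPREM_SPACE:-10.10.0.0/16}
PFSENSE_IP=${PFSENSE_IP:-203.0.113.10}     # pfSense WAN address (assumed)
GW=${GW:-gw-azure}
LNG=${LNG:-lng-pfsense}
CONN=${CONN:-azure-to-pfsense}

# Random shared key: 64 hex characters from /dev/urandom. Hex avoids shell
# quoting problems and stays inside Azure's 1-128 printable-ASCII limit.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Reject keys that are too short to resist guessing or that use characters
# outside a conservative printable-ASCII subset (no spaces or quotes).
# The 32-character floor is this example's policy, not an Azure rule.
validate_psk() {
    n=${#1}
    [ "$n" -ge 32 ] && [ "$n" -le 128 ] || return 1
    case $1 in
        *[!A-Za-z0-9!@#%^*_+=.:-]*) return 1 ;;
    esac
    return 0
}

# The Azure resources in dependency order. The gateway create call blocks for
# the 45 minutes or so the article mentions; the last line prints the public
# IP that goes into pfSense's Remote Gateway field.
azure_s2s_commands() {
    cat <<EOF
az group create --name $RG --location $LOCATION
az network vnet create --resource-group $RG --name $VNET --address-prefix $AZURE_SPACE --subnet-name Servers --subnet-prefix $SERVER_SUBNET
az network vnet subnet create --resource-group $RG --vnet-name $VNET --name GatewaySubnet --address-prefix $GW_SUBNET
az network public-ip create --resource-group $RG --name $GW-pip --sku Standard --allocation-method Static
az network vnet-gateway create --resource-group $RG --name $GW --vnet $VNET --public-ip-address $GW-pip --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
az network local-gateway create --resource-group $RG --name $LNG --gateway-ip-address $PFSENSE_IP --local-address-prefixes $ONPREM_SPACE
az network vpn-connection create --resource-group $RG --name $CONN --vnet-gateway1 $GW --local-gateway2 $LNG --shared-key '$1'
az network public-ip show --resource-group $RG --name $GW-pip --query ipAddress --output tsv
EOF
}

# Optional: pin the connection to AES-256/SHA-256/DH group 14 instead of the
# SHA1/DH group 2 the article's pfSense Phase 2 uses. pfSense must then be
# set to the same algorithms (Phase 1 AES 256/SHA256/DH 14, Phase 2
# AES 256/SHA256/PFS 14), and the gateway SKU must be VpnGw1 or higher,
# since the Basic SKU does not accept a custom IPsec/IKE policy.
harden_policy_command() {
    cat <<EOF
az network vpn-connection ipsec-policy add --resource-group $RG --connection-name $CONN --ike-encryption AES256 --ike-integrity SHA256 --dh-group DHGroup14 --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group PFS2048 --sa-lifetime 27000 --sa-max-size 102400000
EOF
}

# apply PSK: validate the key, then print (DRY_RUN=1) or execute the commands.
apply() {
    validate_psk "$1" || { echo "shared key rejected: 32-128 chars, printable ASCII" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        azure_s2s_commands "$1"
    else
        azure_s2s_commands "$1" | sh -e
    fi
}

# Stand-alone use: generate a key, keep it for the pfSense side, build Azure.
# PSK=$(gen_psk); echo "$PSK"; apply "$PSK"
```

Run it once with `DRY_RUN=1` to review the exact commands and the generated key before anything is created; keep the key somewhere safe, because pfSense needs the same value and Azure will not show it back to you in clear text from the portal.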

Now switch to your pfSense server's web interface.

Click VPN > IPsec and click + Add P1.

Enter the following details for Phase 1:

Key Exchange Version: V2 (Azure route-based gateways negotiate IKEv2 only)
Remote Gateway: the public IP of the Azure VNet Gateway noted above
Pre-Shared Key: the shared key you entered in the Azure Portal
Phase 1 Lifetime: 10800

The remaining Phase 1 fields were left at their defaults in this guide.


Click on Show Phase 2 Entries (0), click + Add P2 and enter the following details for Phase 2:

Local Network: your LAN subnet
Remote Network: Network, with your Azure address space (in my case 10.11.0.0/16)
Description: optional
Protocol: ESP
Encryption Algorithms: AES, 128 bits (leave the other algorithm options as they are)
Hash Algorithm: SHA1
PFS Key Group: 2 (1024 bit)

These settings negotiate against Azure's default route-based policy, which is why the tunnel comes up without any further configuration on the Azure side. SHA1 and the 1024-bit DH group 2 are weak by current standards, though; if you want AES 256, SHA256 and DH group 14 (2048 bit), set them here and configure a matching custom IPsec/IKE policy on the Azure connection, which requires a VpnGw SKU rather than the Basic gateway SKU.

Click Save and then Apply Settings.

Now click Status > IPsec

Click Connect VPN. It should take a couple of seconds to connect. Press F5 to refresh and navigate back to Status > IPsec if necessary.

You should now be connected.
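To confirm the tunnel state from the pfSense shell (Diagnostics > Command Prompt, or SSH) rather than by eyeballing Status > IPsec, the following added script, mine rather than the author's, parses the output of strongSwan's `ipsec statusall`, which is what pfSense runs underneath on releases that still use the legacy `ipsec` starter (newer releases expose the same information through swanctl). The status text embedded in it is constructed for the example, with the documentation addresses 203.0.113.10 and 198.51.100.7 standing in for the pfSense and Azure public IPs. It checks that the IKE SA is established, that a child SA is actually installed for the two address spaces in this guide, and flags the SHA1 and DH group 2 algorithms negotiated by the settings above.

```shell
#!/bin/sh
# Added example, not from the original article: verify a strongSwan/pfSense
# site-to-site tunnel from `ipsec statusall` output instead of the GUI.
# It confirms the IKE SA is ESTABLISHED, a CHILD_SA is INSTALLED and the
# traffic selectors match the expected networks, then lists weak algorithms.

# Constructed sample of `ipsec statusall` output for the tunnel built above.
# 203.0.113.10 (pfSense) and 198.51.100.7 (Azure) are documentation addresses.
sample_status() {
    cat <<'EOF'
Security Associations (1 up, 0 connecting):
      con1[3]: ESTABLISHED 5 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.7[198.51.100.7]
      con1[3]: IKEv2 SPIs: 1a2b3c4d5e6f7081_i* 8f7e6d5c4b3a2910_r, pre-shared key reauthentication in 2 hours
      con1[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      con1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1f6a7e4_i 3b2c9d10_o
      con1{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 20160 bytes_i, 14240 bytes_o, rekeying in 40 minutes
      con1{2}:   10.10.0.0/16 === 10.11.0.0/16
EOF
}

# check_tunnel LOCAL_NET REMOTE_NET   (status text on stdin)
# Returns 0 only when an IKE SA is up AND a child SA covers exactly that
# pair of networks; each failure names the pfSense setting to look at.
check_tunnel() {
    local_net=$1
    remote_net=$2
    status=$(cat)
    printf '%s\n' "$status" | grep -q 'ESTABLISHED' \
        || { echo "FAIL: no ESTABLISHED IKE SA (check PSK, key exchange version, gateway IPs)" >&2; return 1; }
    printf '%s\n' "$status" | grep -q 'INSTALLED, TUNNEL' \
        || { echo "FAIL: IKE is up but no CHILD_SA is installed (Phase 2 mismatch)" >&2; return 1; }
    printf '%s\n' "$status" | grep -qF "$local_net === $remote_net" \
        || { echo "FAIL: no CHILD_SA for $local_net === $remote_net (check Phase 2 networks)" >&2; return 1; }
    echo "OK: tunnel up for $local_net === $remote_net"
}

# weak_algos   (status text on stdin)
# Prints, once each, the legacy or weak algorithm tokens present in the
# negotiated IKE and ESP proposals. Empty output means none were seen.
weak_algos() {
    grep -oE 'HMAC_SHA1_96|PRF_HMAC_SHA1|HMAC_MD5_96|MODP_1024|MODP_768|3DES_CBC' | sort -u
    return 0
}

# Stand-alone run against the constructed sample. On pfSense, replace
# `sample_status` with `ipsec statusall`.
sample_status | check_tunnel 10.10.0.0/16 10.11.0.0/16
sample_status | weak_algos
```

On the sample the check passes and the weak-algorithm list reports HMAC_SHA1_96, PRF_HMAC_SHA1 and MODP_1024, which is exactly what the SHA1 and PFS group 2 settings above produce; once you move both ends to SHA256 and DH group 14 the list should come back empty.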

You may also need a firewall rule to allow the traffic to route. On pfSense, packets arriving through the tunnel are filtered by the rules on Firewall > Rules > IPsec, so add a rule there allowing traffic from the Azure address space (10.11.0.0/16) to your LAN; without it the tunnel comes up but nothing from Azure gets through.

You should now be able to ping your Azure VM over the tunnel and RDP to it on the private IP address that has been allocated to it. If RDP works but ping does not, the Windows Firewall inside the VM is dropping ICMP echo requests; enable the File and Printer Sharing (Echo Request - ICMPv4-In) inbound rule. To find the IP address navigate to:

That’s it!