19/06/2018
Sophos XG Firewall v17: How to establish a Site-to-Site IPsec VPN to Microsoft Azure - Sophos Community
Sophos XG Firewall v17: How to establish a Site-to-Site
IPsec VPN to Microsoft Azure
127546
19 Dec 2017
Overview
Microsoft Azure supports two types of VPN Gateway: Route-based and policy-based. To use IKEv2, you
must select the route-based Azure VPN Gateway.
This article describes the steps to create a route-based Site-to-Site IPsec VPN to Microsoft Azure.
The following sections are covered:
Configure Azure
Create a local network gateway
Create a gateway subnet
Create the VPN gateway
Create the VPN connection
Configure Sophos XG Firewall
Results
Related information
Feedback and contact
Applies to the following Sophos products and versions
Sophos Firewall v17
https://community.sophos.com/kb/en-us/127546
Configure Azure
Create a local network gateway
The local network gateway typically refers to the on-premises location. You'll need the public IP address
of the on-premises Sophos XG Firewall and its private IP address spaces.
1. Log in to Microsoft Azure and click on More services in the lower left corner. In the search box, type local network
gateways and select Local network gateways.
2. In the Local network gateways blade, click +add and configure the following in the Create local network gateway
blade:
Name: On_Prem_Sophos_XG_Firewall (You can choose any preferred name).
IP address: Specify the Sophos XG Firewall's public IP address.
Address space: Specify the on-premises address ranges. If multiple address space ranges are needed, make
sure that the specified ranges here do not overlap with ranges of other networks that you want to connect to.
Azure will route the specified address range to the on-premises VPN device IP address.
Subscription: Select or verify the correct subscription.
Resource group: Select the resource group. You can either create a new resource group or select an
existing one.
Location: Select the location in which this object will be created. You may want to select the same location
that your VNet resides in, but you are not required to do so.
Create a gateway subnet
The VPN gateway is deployed into a specific subnet of your network called the Gateway subnet. The size
of the Gateway subnet that you specify depends on the VPN gateway configuration that you want to
create. While it is possible to create a Gateway subnet as small as /29, it is recommended to create a larger
subnet that includes more addresses by selecting /27 or /28, to be able to accommodate future
configurations.
1. In the lower left corner of the Azure portal, click on More Services. In the search box, type Virtual networks and
select Virtual networks.
2. Click on the virtual network for which you want to create a virtual network gateway, in this example,
Sophos_Azure_VPN is used.
3. In the Virtual network blade, under SETTINGS, click on Subnets.
4. In the Subnets blade, click on +Gateway subnet to add a new gateway subnet.
5. In the Add subnet blade, configure the CIDR range of the new gateway subnet.
Create the VPN gateway
1. In the lower left corner of the Azure portal, click on More Services. In the search box, type Virtual network
gateways and select Virtual network gateways.
2. In the Virtual network gateways blade, click on +Add and configure the following in the Create virtual network
gateway blade:
Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the gateway
object you are creating.
Gateway type: VPN.
VPN type: Route-based (this is a MUST to be able to use IKEv2).
SKU: Select the gateway SKU from the drop-down list. For more information about gateway SKUs, see
Gateway SKUs.
Location: Select the same location as your virtual network (otherwise the virtual network will not be
displayed on the list).
Virtual network: Choose the virtual network to which you want to add this gateway.
Click on Virtual network to open the Choose a virtual network blade.
Select the VNet in which you created the gateway subnet earlier. In this example, it is the VNet
Sophos_Azure_VPN created earlier.
If you don't see your VNet, make sure the Location field is pointing to the region in which your virtual
network is located.
Public IP address: You need a public IP address. Do the following to obtain one.
Click on First IP configuration to open the Choose public IP address blade.
Click on +Create New.
In the Create public IP address blade, input a Name for your public IP address, then click OK at the
bottom of this blade to save your changes.
Subscription: Verify that the correct subscription is showing.
Click Create to begin creating the VPN gateway.
Note: Creating a gateway can take up to 45 minutes.
3. After the VPN gateway creation has successfully completed, click the Refresh button on the Virtual network
gateways blade to display the newly deployed VPN gateway.
4. Click on the VPN gateway created earlier, in this example, Sophos_Azure_VPN_Gateway. In the
Virtual network Gateway blade, select Overview and make a note of the newly assigned public IP
address of this gateway.
Create the VPN connection
1. In the lower left corner of the Azure portal, click on More Services. In the search box, type Virtual network
gateways and select Virtual network gateways.
2. Select your VPN gateway. In the virtual network gateway blade, click on Connections and +Add.
3. In the Add connection blade, configure the following:
Name: Sophos_XG_ON_Prem_To_Azure (Input your preferred name).
Connection type: Site-to-site (IPSec).
Virtual network gateway: The value is fixed because you are connecting from this gateway.
Local network gateway:
Click on Choose a local network gateway.
In the Choose a local network gateway blade, select the local network gateway created earlier.
Shared key (PSK): Input a complex shared key. The value here must match the value used on the on-premises Sophos XG Firewall.
The remaining values for Subscription, Resource group, and Location are fixed.
Click OK to create your connection. You'll see Creating connection flash on the screen.
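The portal steps above leave three things to get right by hand: the on-premises address spaces must not overlap the VNet address space (Azure routes them to the local network gateway), the gateway subnet must be inside the VNet and no smaller than /29, and the shared key must be complex and identical on both ends. The following Python script is an added example, not code from the article, Sophos or Microsoft: it runs those pre-flight checks on constructed sample values and then prints the Azure CLI commands equivalent to the portal walkthrough. The resource group, location, public IP name and the sample address ranges are assumptions; the complexity rule for the PSK is this example's own policy, not Azure's validation; the `az` flags are the ones documented for the Azure CLI, but confirm them with `az <command> --help` for your CLI version before running anything.

```python
"""Pre-flight checks and Azure CLI equivalents for the route-based
Site-to-Site VPN walkthrough. Added example, not Sophos or Microsoft code."""
import ipaddress

# Azure requires the gateway subnet to carry exactly this name.
GATEWAY_SUBNET_NAME = "GatewaySubnet"

# Constructed sample inputs. Names marked "article" mirror the walkthrough;
# everything else is an assumption made for this example.
EXAMPLE = {
    "resource_group": "Sophos_Azure_RG",                       # assumption
    "location": "westeurope",                                  # assumption
    "vnet_name": "Sophos_Azure_VPN",                           # article
    "vnet_prefixes": ["10.10.0.0/16"],                         # constructed
    "gateway_subnet": "10.10.255.0/27",                        # constructed, /27 as recommended
    "local_gateway_name": "On_Prem_Sophos_XG_Firewall",        # article
    "onprem_public_ip": "203.0.113.10",                        # constructed (TEST-NET-3)
    "onprem_prefixes": ["192.168.10.0/24", "192.168.20.0/24"], # constructed
    "gateway_name": "Sophos_Azure_VPN_Gateway",                # article
    "public_ip_name": "Sophos_Azure_VPN_Gateway_PIP",          # assumption
    "connection_name": "Sophos_XG_ON_Prem_To_Azure",           # article
}


def overlapping_prefixes(onprem_prefixes, vnet_prefixes):
    """Return (on-prem, VNet) pairs whose ranges overlap. Azure routes the
    on-prem ranges to the local network gateway, so an overlap with the VNet
    address space would send VNet-local traffic into the tunnel."""
    found = []
    for a in onprem_prefixes:
        for b in vnet_prefixes:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                found.append((a, b))
    return found


def gateway_subnet_problems(gateway_subnet, vnet_prefixes):
    """Problems with the gateway subnet: it must sit inside the VNet and be
    no smaller than /29; the walkthrough recommends /27 or /28."""
    problems = []
    gw = ipaddress.ip_network(gateway_subnet)
    if not any(gw.subnet_of(ipaddress.ip_network(p)) for p in vnet_prefixes):
        problems.append("gateway subnet is not inside the VNet address space")
    if gw.prefixlen > 29:
        problems.append("gateway subnet smaller than /29 is not allowed")
    elif gw.prefixlen == 29:
        problems.append("/29 works but /27 or /28 leaves room for future gateway features")
    return problems


def psk_is_complex(psk):
    """This example's own minimum policy for the shared key: at least 20
    characters, with lower, upper, digit and symbol classes, and no spaces."""
    classes = [
        any(c.islower() for c in psk),
        any(c.isupper() for c in psk),
        any(c.isdigit() for c in psk),
        any(not c.isalnum() for c in psk),
    ]
    return len(psk) >= 20 and all(classes) and " " not in psk


def az_commands(cfg):
    """Azure CLI commands matching the portal steps, in order. The PSK is
    read from the PSK environment variable at run time so it never sits in
    the script or in a literal on the command line."""
    rg, loc = cfg["resource_group"], cfg["location"]
    return [
        f"az network local-gateway create --resource-group {rg} --location {loc} "
        f"--name {cfg['local_gateway_name']} --gateway-ip-address {cfg['onprem_public_ip']} "
        f"--local-address-prefixes {' '.join(cfg['onprem_prefixes'])}",
        f"az network vnet subnet create --resource-group {rg} --vnet-name {cfg['vnet_name']} "
        f"--name {GATEWAY_SUBNET_NAME} --address-prefixes {cfg['gateway_subnet']}",
        f"az network public-ip create --resource-group {rg} --location {loc} "
        f"--name {cfg['public_ip_name']}",
        f"az network vnet-gateway create --resource-group {rg} --location {loc} "
        f"--name {cfg['gateway_name']} --vnet {cfg['vnet_name']} "
        f"--public-ip-address {cfg['public_ip_name']} --gateway-type Vpn "
        f"--vpn-type RouteBased --sku VpnGw1",
        f"az network vpn-connection create --resource-group {rg} --location {loc} "
        f"--name {cfg['connection_name']} --vnet-gateway1 {cfg['gateway_name']} "
        f"--local-gateway2 {cfg['local_gateway_name']} --shared-key \"$PSK\"",
    ]


def preflight(cfg):
    """Collect every problem found; an empty list means the inputs look sane."""
    problems = [f"overlap: {a} vs {b}"
                for a, b in overlapping_prefixes(cfg["onprem_prefixes"], cfg["vnet_prefixes"])]
    problems += gateway_subnet_problems(cfg["gateway_subnet"], cfg["vnet_prefixes"])
    return problems


if __name__ == "__main__":
    issues = preflight(EXAMPLE)
    if issues:
        raise SystemExit("\n".join(issues))
    print("\n".join(az_commands(EXAMPLE)))
```

Run it once with the real values substituted into `EXAMPLE`; if `preflight` returns nothing, export the shared key as `PSK` and execute the printed commands. The same `psk_is_complex` check applies to the key you later type into the Sophos XG Firewall, since both sides must hold the identical value.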
Configure Sophos XG Firewall
1. Go to Hosts and Services > IP Host and click Add to add the local and remote subnets.
2. Go to VPN > IPsec Connections, select Add and configure the following settings:
General Settings:
Name: Input any preferred name.
IP Version: IPv4.
Activate on Save: Selected.
Description: Add a description for the connection.
Connection Type: Site-to-Site.
Gateway Type: Respond Only.
Encryption:
Policy: Microsoft Azure.
Authentication Type: Preshared Key.
Preshared Key: Enter the same preshared key that you entered when creating the VPN connection on
Azure.
Repeat Preshared Key: Confirm the above preshared key.
Gateway Settings:
Listening Interface: Select the WAN interface of the Sophos XG Firewall.
Gateway Address: Input the public IP of the Azure VPN gateway noted earlier.
Local ID: IP Address.
Remote ID: IP Address.
Local ID: Enter the public IP of the on-premises Sophos XG Firewall.
Remote ID: Input the public IP of the Azure VPN gateway that you noted earlier.
Local Subnet: Enter the local subnet created earlier. This subnet is behind the on-premises Sophos XG
Firewall.
Remote Subnet: Enter the remote subnet created earlier. This subnet is behind the Azure virtual network
gateway.
Advanced: leave the default settings.
Upon clicking Save, the IPsec connection is activated and the tunnel should be established successfully.
3. Go to Firewall > + Add Firewall Rule and choose User/Network Rule to create two rules for ingress and egress VPN
traffic.
4. Make sure to place these two rules at the top of the list. If needed, refer to Sophos XG Firewall: How
to change firewall rule order.
5. Go to Network > Interfaces to edit the public facing interface. Enable Override MSS and set its value
to 1350.
This is because any packets larger than an MSS of 1350 bytes entering the Azure virtual network
through its gateway will be fragmented, and some fragments may be dropped in the Azure platform
across the VPN datapath. For more information, please refer to About VPN devices and IPsec/IKE
parameters for Site-to-Site VPN Gateway connections.
Results
In the lower left corner of the Azure portal, click on More Services. In the search box, type Virtual network
gateways and select Virtual network gateways to select the VPN gateway created earlier.
In the Virtual network gateway blade select Connections and verify that its status is connected.
Click on the connection to verify ingress and egress traffic flow.
From Sophos XG Firewall, go to Reports > VPN and verify the IPsec usage.
Click on the connection name for more details.
Note:
An interface with a publicly routable IP is required on the on-premises XG Firewall, as Azure does not support NAT. For
further information, please refer to Azure VPN Gateway FAQ.
If the on-premises Sophos XG Firewall appliance is behind a NAT device, the recommendation is to use a Sophos
XG Firewall in Azure to deploy the VPN connection. Please refer to Sophos XG Firewall: Quick Start Guide on
Microsoft Azure to deploy the XG Firewall on Azure.
Azure re-keys the IKE_SA by deleting the expired IKE_SA and creating a new connection, which leads to some
seconds of downtime.
Azure tends to use SHA1 if not forced by the on-premises XG Firewall to use SHA2.
Related information
Sophos Firewall: How to establish a Site-to-Site IPsec VPN to Microsoft Azure
Feedback and contact
If you've spotted an error or would like to provide feedback on this article, please use the section below to
rate and comment on the article.
This is invaluable to us to ensure that we continually strive to give our customers the best information
possible.