Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
Microsoft Azure supports two types of VPN Gateway: Route-based and policy-based. To use IKEv2, you must select the route-based Azure VPN Gateway.
This article describes the steps to create a Site-to-Site IPsec VPN to Microsoft Azure with one Security Association (SA).
Note: Even though the Azure VPN Route-Based Gateway SKU is used, the connection from the Sophos XG is still Policy-Based. A Policy-Based VPN connection to a Route-Based Gateway SKU in Azure has a limitation of one Security Association (SA) by default. To use more than one Security Association (More than one local or remote network), please follow the instructions in Sophos XG Firewall v17: How to configure a site to site IPsec VPN with multiple SAs to a route based Azure VPN gateway. The following sections are covered:
Applies to the following Sophos products and versions Sophos Firewall XG Virtual v17.5.0 GASophos Firewall v17
The local network gateway typically refers to the on-premises location. You'll need the public IP address of the on-premise Sophos XG Firewall and its private IP address spaces.
The VPN gateway is deployed into a specific subnet of your network called the Gateway subnet. The size of the Gateway subnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a Gateway subnet as small as /29, it is recommend to create a larger subnet that includes more addresses by selecting /27 or /28 to be able to accommodate future configurations.
Note: Creating a gateway can take up to 45 minutes.
Click on the VPN gateway created earlier, in this example, Sophos_Azure_VPN_Gateway. In the Virtual network Gateway blade, select Overview and make a note of the newly assigned public IP address of this gateway.
Make sure to place these two rules on the top of the list. If needed, refer to Sophos XG Firewall: How to change firewall rule order.
Go to Network > Interfaces to edit the public facing interface. Enable Override MSS and set its value to 1350.
This is because any packets larger than an MSS of 1350 bytes hitting the Azure virtual network through its gateway will get segments and some fragments may get dropped in the Azure platform across the VPN datapath. For more information, please refer to About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections.
In the lower left corner of the Azure portal, click on More Services. In the search box, type Virtual network gateways and select Virtual network gateways to select the VPN gateway created earlier.
In the Virtual network gateway blade select Connections and verify that its status is connected.
Click on the connection to verify ingress and egress traffic flow.
From Sophos XG Firewall, go to Reports > VPN and verify the IPsec usage.
Click on the connection name for more details.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.