Microsoft Azure supports two types of VPN gateway: route-based and policy-based. To use IKEv2, you must select the route-based Azure VPN gateway.
This article describes the steps to create a Site-to-Site IPsec VPN to Microsoft Azure with one Security Association (SA).
Note: Even though the Azure VPN route-based gateway SKU is used, the connection from the Sophos XG is still policy-based. A policy-based VPN connection to a route-based gateway SKU in Azure is limited to one Security Association (SA) by default. To use more than one Security Association (more than one local or remote network), follow the instructions in Sophos XG Firewall v17: How to configure a site to site IPsec VPN with multiple SAs to a route based Azure VPN gateway. The following sections are covered:
Applies to the following Sophos products and versions: Sophos Firewall XG Virtual v17.5.0 GA, Sophos Firewall v17
The local network gateway typically refers to the on-premises location. You'll need the public IP address of the on-premises Sophos XG Firewall and its private IP address spaces.
The VPN gateway is deployed into a specific subnet of your virtual network called the Gateway subnet. The size of the Gateway subnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a Gateway subnet as small as /29, it is recommended to create a larger subnet with more addresses, such as /27 or /28, so that future configurations can be accommodated.
Note: Creating a gateway can take up to 45 minutes.
Click on the VPN gateway created earlier, in this example, Sophos_Azure_VPN_Gateway. In the Virtual network Gateway blade, select Overview and make a note of the newly assigned public IP address of this gateway.
Make sure to place these two rules at the top of the list. If needed, refer to Sophos XG Firewall: How to change firewall rule order.
In the lower left corner of the Azure portal, click on More Services. In the search box, type Virtual network gateways and select Virtual network gateways to select the VPN gateway created earlier.
In the Virtual network gateway blade, select Connections and verify that the connection's status is Connected.
Click on the connection to verify ingress and egress traffic flow.
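The Azure side of the steps above (Gateway subnet, route-based VPN gateway, local network gateway for the on-premises XG, the connection, and the status check) as an Azure CLI script. This is an added example, not Sophos or Microsoft code; the resource group, location, names, address spaces and the 203.0.113.10 public IP are assumed placeholders, and the pre-shared key must match the one configured on the Sophos XG.

```shell
#!/bin/sh
# Added example: provisions the Azure side of a one-SA Site-to-Site IPsec VPN
# with the Azure CLI. All names and addresses below are assumed placeholders.
set -eu

AZ=${AZ:-az}                              # set AZ=echo to preview the commands without running them
RG=${RG:-Sophos_Azure_RG}                 # assumed resource group (must already exist)
LOCATION=${LOCATION:-westeurope}
VNET=${VNET:-Sophos_Azure_VNet}           # assumed existing virtual network
GW=${GW:-Sophos_Azure_VPN_Gateway}        # gateway name used in the article
LNG=${LNG:-Sophos_XG_OnPrem}              # local network gateway = the on-premises XG
GW_SUBNET=${GW_SUBNET:-10.1.255.0/27}     # /27 as the sizing advice recommends, not /29
ONPREM_PUBLIC_IP=${ONPREM_PUBLIC_IP:-203.0.113.10}   # placeholder for the XG WAN IP
ONPREM_LAN=${ONPREM_LAN:-192.168.1.0/24}  # placeholder for the XG LAN behind the tunnel
PSK=${PSK:-CHANGE_ME}                     # must equal the pre-shared key set on the XG

create_gateway_subnet() {
  # The subnet must be named exactly GatewaySubnet for Azure to use it for the gateway.
  $AZ network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name GatewaySubnet --address-prefixes "$GW_SUBNET"
}

create_vpn_gateway() {
  # Route-based is required for IKEv2; creation can take up to 45 minutes.
  $AZ network public-ip create --resource-group "$RG" --name "${GW}_PIP" \
    --sku Standard --allocation-method Static
  $AZ network vnet-gateway create --resource-group "$RG" --name "$GW" --location "$LOCATION" \
    --vnet "$VNET" --public-ip-address "${GW}_PIP" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
}

create_local_network_gateway() {
  # Describes the on-premises side: the XG's public IP and the private prefixes behind it.
  $AZ network local-gateway create --resource-group "$RG" --name "$LNG" \
    --gateway-ip-address "$ONPREM_PUBLIC_IP" --local-address-prefixes "$ONPREM_LAN"
}

create_connection() {
  $AZ network vpn-connection create --resource-group "$RG" --name "${GW}_to_${LNG}" \
    --vnet-gateway1 "$GW" --local-gateway2 "$LNG" --shared-key "$PSK"
}

gateway_public_ip() {
  # The address to enter as the remote gateway on the XG (the portal's Overview blade).
  $AZ network public-ip show --resource-group "$RG" --name "${GW}_PIP" \
    --query ipAddress --output tsv
}

show_connection_status() {
  # Same check as the portal's Connections blade: expect "Connected" once the XG tunnel is up.
  $AZ network vpn-connection show --resource-group "$RG" --name "${GW}_to_${LNG}" \
    --query connectionStatus --output tsv
}
```

Run the functions in the order listed (subnet, gateway, local network gateway, connection), then poll show_connection_status after the XG side is configured.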
From Sophos XG Firewall, go to Reports > VPN and verify the IPsec usage.
Click on the connection name for more details.