Microsoft Azure supports two types of VPN Gateway: Route-based and policy-based. To use IKEv2, you must select the route-based Azure VPN Gateway.
This knowledge base article describes the steps to configure a site-to-site IPsec VPN with multiple SAs to a route-based Azure VPN gateway.
Applies to the following Sophos products and versions: Sophos Firewall v17
The local network gateway typically refers to the on-premises location. You'll need the public IP address of the on-premises Sophos XG Firewall and its private IP address spaces.
The VPN gateway is deployed into a specific subnet of your network called the Gateway subnet. The size of the Gateway subnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a Gateway subnet as small as /29, it is recommended to create a larger subnet that includes more addresses by selecting /27 or /28 to be able to accommodate future configurations.
Note: Creating a gateway can take up to 45 minutes.
Click on the VPN gateway created earlier, in this example, TE_Sophos_Azure_VPN_Gateway. In the Virtual network Gateway blade, select Overview and make a note of the newly assigned public IP address of this gateway.
If this is your first time using the Cloud Shell, you will be prompted to create a storage account. Click on Create storage.
$resourcegroup = "name_of_the_resource_group_for_the_connection"
$vpngw = "name_of_the_azure_vpn_gateway_created_earlier"
$localgw = "name_of_azure_local_gateway_created_earlier"
$vpnconnection = "name_for_the_vpn_connection"
$location = "location_of_the_vpn_connection"

$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 27000

$vnetgateway = Get-AzureRmVirtualNetworkGateway -Name $vpngw -ResourceGroupName $resourcegroup
$localgateway = Get-AzureRmLocalNetworkGateway -Name $localgw -ResourceGroupName $resourcegroup

New-AzureRmVirtualNetworkGatewayConnection -Name $vpnconnection -ResourceGroupName $resourcegroup -VirtualNetworkGateway1 $vnetgateway -LocalNetworkGateway2 $localgateway -Location $location -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy -SharedKey 'shared_secret_key'
Go to Network > Interfaces to edit the public facing interface. Enable Override MSS and set its value to 1350.
This is because any packets larger than an MSS of 1350 bytes hitting the Azure virtual network through its gateway will get segmented and some fragments may get dropped in the Azure platform across the VPN datapath. For more information, please refer to About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections.
In the upper-left corner of the Azure portal, click on All Services. In the search box, type Virtual network gateways and select Virtual network gateways.
Select the VPN gateway created earlier. In the Virtual network gateway blade, select Connections and verify that its status is Connected.
Click on the connection to verify ingress and egress traffic flow.
From Sophos XG Firewall, go to Current activities > IPsec connections and verify both connections to both subnets.
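The same verification can be scripted from the Cloud Shell by reading the connection back and comparing its IPsec policy with the parameters used above. This is an added example, not part of the original Sophos article: Compare-IpsecPolicy is a hypothetical helper and the sample object is constructed so the block runs without an Azure session; the property names are those of the object returned by Get-AzureRmVirtualNetworkGatewayConnection.

```powershell
# Expected values: copied from the New-AzureRmIpsecPolicy call in this article.
$expected = [ordered]@{
    IkeEncryption = 'AES256'; IkeIntegrity = 'SHA256'; DhGroup = 'DHGroup2'
    IpsecEncryption = 'AES256'; IpsecIntegrity = 'SHA256'; PfsGroup = 'None'
    SALifeTimeSeconds = 27000
}

# Hypothetical helper (not an Azure cmdlet): returns one string per deviation.
function Compare-IpsecPolicy {
    param(
        [Parameter(Mandatory)] $Connection,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    $findings = @()
    if (-not $Connection.UsePolicyBasedTrafficSelectors) {
        $findings += 'UsePolicyBasedTrafficSelectors is not enabled'
    }
    $policy = $Connection.IpsecPolicies | Select-Object -First 1
    if ($null -eq $policy) {
        $findings += 'No custom IPsec policy is attached to the connection'
        return $findings
    }
    foreach ($name in $Expected.Keys) {
        $actual = $policy.$name
        if ("$actual" -ne "$($Expected[$name])") {
            $findings += "$name is '$actual', expected '$($Expected[$name])'"
        }
    }
    return $findings
}

# Constructed sample standing in for a live connection object. In the Cloud Shell use:
#   $conn = Get-AzureRmVirtualNetworkGatewayConnection -Name $vpnconnection -ResourceGroupName $resourcegroup
$conn = [pscustomobject]@{
    ConnectionStatus               = 'Connected'
    UsePolicyBasedTrafficSelectors = $true
    IpsecPolicies                  = @([pscustomobject]@{
        IkeEncryption = 'AES256'; IkeIntegrity = 'SHA256'; DhGroup = 'DHGroup14'
        IpsecEncryption = 'AES256'; IpsecIntegrity = 'SHA256'; PfsGroup = 'None'
        SALifeTimeSeconds = 27000 })
}

$result = @(Compare-IpsecPolicy -Connection $conn -Expected $expected)
if ($result.Count -eq 0) { 'IPsec policy matches the article parameters' } else { $result }
"Connection status: $($conn.ConnectionStatus)"
```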