Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: How to establish a Site-to-Site IPsec VPN to Microsoft Azure (v17.x)

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.



Microsoft Azure supports two types of VPN Gateway: Route-based and policy-based. To use IKEv2, you must select the route-based Azure VPN Gateway.

This article describes the steps to create a Site-to-Site IPsec VPN to Microsoft Azure with one Security Association (SA).

Note: Even though the Azure VPN Route-Based Gateway SKU is used, the connection from the Sophos XG is still Policy-Based. A Policy-Based VPN connection to a Route-Based Gateway SKU in Azure has a limitation of one Security Association (SA) by default. To use more than one Security Association (More than one local or remote network), follow the instructions in Sophos Firewall v17: How to configure a site to site IPsec VPN with multiple SAs to a route based Azure VPN gateway.

Applies to the following Sophos products and versions
Sophos Firewall v17.x


Configure Azure

Create a local network gateway

The local network gateway typically refers to the on-premises location. You'll need the public IP address of the on-premise Sophos Firewall and its private IP address spaces.

  1. Login to Microsoft Azure and click on More services in the lower left corner. In the search box, type local network gateways and select Local network gateways.


  2. In the Local network gateways blade, click +add and configure the following in the Create local network gateway blade:
    • Name: On_Prem_Sophos_XG_Firewall (You can choose any preferred name).
    • IP address: Specify the Sophos Firewall's public IP address.
    • Address space: Specify the on-premises address ranges. If multiple address space ranges are needed, make sure that the specified ranges here do not overlap with ranges of other networks that you want to connect to. Azure will route the specified address range to the on-premises VPN device IP address.
    • Subscription: Select or verify the correct subscription.
    • Resource group: Select the resource group, you can either create a new resource group, or select and existing one.
    • Location: Select the location in which this object will be created. You may want to select the same location that your VNet resides in, but you are not required to do so.


Create a gateway subnet

The VPN gateway is deployed into a specific subnet of your network called the Gateway subnet. The size of the Gateway subnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a Gateway subnet as small as /29, it is recommend to create a larger subnet that includes more addresses by selecting /27 or /28 to be able to accommodate future configurations. 

  1. In the lower left corner of the Azure portal, click on More Services. In the search box, type Virtual networks and select Virtual networks.


  2.  Click on the virtual network for which you want to create a virtual network gateway, in this example, Sophos_Azure_VPN is used.
  3. In the Virtual network blade, under SETTINGS, click on Subnets.
  4. In the Subnets blade, click on +Gateway subnet to add a new.


  5. In the Add subnet blade, configure the CIDR range of the new gateway subnet.


Create the VPN gateway

  1. In the lower left corner of the Azure portal, click on More Services. In the search box, type Virtual network gateways and select Virtual network gateways.


  2.   In the Virtual network gateways blade, click on +Add and configure the following in the Create virtual network gateway blade:
    • Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
    • Gateway type: VPN.
    • VPN type: Route-based (this is a MUST to be able to use IKEv2).
    • SKU: Select the gateway SKU from the drop-down list. For more information about gateway SKUs, see Gateway SKUs.


    • Location: Select the same location as your virtual network (otherwise the virtual network will not be displayed on the list).
    • Virtual network: Choose the virtual network to which you want to add this gateway.
      • Click on Virtual network to open the Choose a virtual network blade.
      • Select the vNet that you created in the Gateway subnet earlier. In this Example, the vNet is Sophos_Azure_VPN created earlier.
      • If you don't see your VNet, make sure the Location field is pointing to the region in which your virtual network is located.


    • Public IP address: You need a public IP address. Do the following to obtain one.
      • Click on First IP configuration to open the Choose public IP address blade.
      • Click on +Create New.
      • In the Create public IP address blade, input a Name for your public IP address, then click OK at the bottom of this blade to save your changes.


    • Subscription: Verify that the correct subscription is showing.
    • Click Create to begin creating the VPN gateway.


    • Note: Creating a gateway can take up to 45 minutes.

  3.  After the VPN gateway creation has successfully completed, click the Refresh button on the Virtual network gateways blade to display the newly deployed VPN gateway.


  4. Click on the VPN gateway created earlier, in this example, Sophos_Azure_VPN_Gateway. In the Virtual network Gateway blade, select Overview and make a note of the newly assigned public IP address of this gateway.


Create the VPN connection

  1. In the lower left corner of the Azure portal, click on More Services. In the search box, type Virtual network gateways and select Virtual network gateways.


  2.  Select your VPN gateway. In the virtual network gateway blade, click on Connections and +Add.  


  3.  In the Add connection blade, configure the following:
    • Name: Sophos_XG_ON_Prem_To_Azure (Input your preferred name).
    • Connection type: Site-to-site (IPSec).
    • Virtual network gateway: The value is fixed because you are connecting from this gateway.
    • Local network gateway:
      • Click on Choose a local network gateway.
      • In the Choose a local network gateway blade, select the local network gateway created earlier.


    • Shared key (PSK): Input a complex shared key. The value here must match the value used on the on-premises Sophos Firewall.
    • The remaining values for SubscriptionResource group, and Location are fixed.


    • Click OK to create your connection. You'll see Creating connection flash on the screen.


Configure Sophos Firewall

    1. Go to Hosts and Services > IP Host and click Add to add the local and remote subnets.



    2. Go to VPN > IPsec Policies to clone the default Microsoft Azure policy.


    3. In the cloned Microsoft Azure policy, disable Re-key connection. Under Dead Peer Detection section, set When peer unreachable to Disconnect. Keep the rest as is. We do this because Azure does not support re-keying from the remote peer and the Gateway type will be set to Respond only. Click Save.
    4. Go to VPN > IPsec Connections, select Add and configure the following settings:
  • General Settings: ​
    • Name: Input any preferred name.
    • IP Version: IPv4.
    • Activate on Save: Selected.
    • Description: Add a description for the connection.
    • Connection Type: Site-to-Site.
    • Gateway Type: Respond Only.


  • Encryption:
    • Policy: The recently cloned Microsoft Azure.
    • Authentication Type: Preshared Key.
    • Preshared Key: Enter the same preshared key that you entered when creating the VPN connection on Azure.
    • Repeat Preshared Key: Confirm the above preshared key.


  • Gateway Settings:
    • Listening Interface: Select the WAN interface of the Sophos Firewall.
    • Gateway Address: Input the public IP of the Azure VPN gateway noted earlier.
    • Local ID: IP Address.
    • Remote ID: IP Address.
    • Local ID: Enter the public IP of the on-premises Sophos Firewall.
    • Remote ID: Input the public IP of the Azure VPN gateway that you noted earlier.
    • Local Subnet: Enter the local subnet created earlier. This subnet is behind the on-premises Sophos Firewall.
    • Remote Subnet: Enter the remote subnet created earlier. This subnet is behind the Azure virtual network gateway.


  • Advanced: leave the default settings.


  • Upon clicking Save, the IPsec connection is activated and the tunnel should be established successfully. 


    Note: ​
    • Make sure that the connection is active. If not, click on the button under the Active column.
    • Do not click on the button under the Connection column as it will override the configuration settings set on the IPsec connection (Gateway type: Respond only). This is to avoid issues since Azure must initiate the tunnel.

  1. Go to Firewall > + Add Firewall Rule and choose User/Network Rule to create two rules for ingress and egress VPN traffic.




  2. Make sure to place these two rules on the top of the list. 


In the lower left corner of the Azure portal, click on More Services. In the search box, type Virtual network gateways and select Virtual network gateways to select the VPN gateway created earlier. 

In the Virtual network gateway blade select Connections and verify that its status is connected.


Click on the connection to verify ingress and egress traffic flow.


From Sophos Firewall, go to Reports > VPN and verify the IPsec usage.


Click on the connection name for more details.



  • An interface with a public routable IP is required on the on-premises XG Firewall as Azure do not support NAT. For further information, refer to Azure VPN Gateway FAQ
  • If the on-premises Sophos Firewall appliance is behind a NAT device, The recommendation is to use a Sophos Firewall in Azure to deploy the VPN connection. Please refer to Sophos Firewall: Quick Start Guide on Microsoft Azure to deploy the XG Firewall on Azure. 
  • Azure must re-key the IKE_SA by deleting the expired IKE_SA and creates a new connection, which leads to some seconds of down time.
  • Azure tends to use SHA1 if not forced by the on-premises XG Firewall to use SHA2.


Edited format, edited title, added tags, added table of contents, added horizontal lines, change XG -> Sophos Firewall.
[edited by: Raphael Alganes at 1:26 PM (GMT -7) on 25 Oct 2023]
  • Hello everyone, I have followed this configuration example for an XG 18.5 because the examples of version 18 indicate that an interface is created but in my case it is not like that, the problem is that something is not going well, it creates the VPN correctly and there is traffic from Azure to OnPremise, but not from OnPremise to Azure and at some point I have, all traffic is allowed so policies are not the problem. How can I see the XG routing table? I think that is where it fails, according to the diagnostics option, the traffic must go through the ipsec0 interface, which I cannot edit or select as the default interface to create a static route, where or how can I solve the problem?

  • Hi , on the device console you can use the command IPsec_route show. Also ensure you've created BOTH ingress/egress firewall rule on your XG. I suggest you run a packet capture while you try to reach a resource behind the Azure to see if it is being sent out the correct tunnel (ipsec0)


    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
Reply Children
No Data