Disclaimer: This information is provided as-is without any guarantees. Please contact Sophos Professional Services if you require assistance with your specific environment.
Microsoft Azure supports two types of VPN gateway: route-based and policy-based. To use IKEv2, you must select the route-based Azure VPN gateway.
This article describes the steps to configure a site-to-site IPsec VPN with multiple SAs to a route-based Azure VPN gateway.
Applies to the following Sophos products and versions: Sophos XG Firewall
The local network gateway typically refers to the on-premises location. You'll need the public IP address of the on-premises Sophos XG Firewall and its private IP address spaces.
The VPN gateway is deployed into a specific subnet of your network called the Gateway subnet. The size of the Gateway subnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a Gateway subnet as small as /29, it is recommended to create a larger subnet that includes more addresses by selecting /27 or /28 to be able to accommodate future configurations.
Note: Creating a gateway can take up to 45 minutes.
Click on the VPN gateway created earlier, in this example, TE_Sophos_Azure_VPN_Gateway. In the Virtual network Gateway blade, select Overview and make a note of the newly assigned public IP address of this gateway.
# Names of the Azure objects created in the previous steps
$resourcegroup = "name_of_the_resource_group_for_the_connection"
$vpngw = "name_of_the_azure_vpn_gateway_created_earlier"
$localgw = "name_of_azure_local_gateway_created_earlier"
$vpnconnection = "name_for_the_vpn_connection"
$location = "location_of_the_vpn_connection"

# Custom IPsec/IKE policy; these values must match the IPsec profile configured on the XG Firewall
$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 27000

# Retrieve the virtual network gateway and the local network gateway objects
$vnetgateway = Get-AzureRmVirtualNetworkGateway -Name $vpngw -ResourceGroupName $resourcegroup
$localgateway = Get-AzureRmLocalNetworkGateway -Name $localgw -ResourceGroupName $resourcegroup

# Create the connection; -UsePolicyBasedTrafficSelectors $True makes the route-based gateway negotiate one SA per local/remote subnet pair
New-AzureRmVirtualNetworkGatewayConnection -Name $vpnconnection -ResourceGroupName $resourcegroup -VirtualNetworkGateway1 $vnetgateway -LocalNetworkGateway2 $localgateway -Location $location -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy -SharedKey 'shared_secret_key'
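After the connection has been created, it is worth confirming that the custom policy and the policy-based traffic selectors were actually applied before troubleshooting on the XG side. The following PowerShell is an added example and is not part of the Sophos article; it assumes the AzureRM module is loaded with an authenticated session and reuses the $resourcegroup and $vpnconnection variables set above. The function name Test-AzureVpnConnectionPolicy is a name chosen here.

```powershell
# Added example (not from the Sophos article): read back the connection created earlier and
# report whether it carries the custom IPsec policy, whether policy-based traffic selectors
# are enabled, and what its current status is. Assumes $resourcegroup and $vpnconnection
# were set as in the steps above and that Login-AzureRmAccount has already been run.
function Test-AzureVpnConnectionPolicy {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ConnectionName
    )

    $conn = Get-AzureRmVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroupName

    # Policy-based traffic selectors are what produce one SA per local/remote subnet pair.
    # Without them the route-based gateway negotiates a single any-to-any SA, which will
    # not match the per-subnet SAs proposed by the XG Firewall.
    if (-not $conn.UsePolicyBasedTrafficSelectors) {
        Write-Warning "UsePolicyBasedTrafficSelectors is disabled; multiple SAs will not be negotiated."
    }

    if (-not $conn.IpsecPolicies -or $conn.IpsecPolicies.Count -eq 0) {
        Write-Warning "No custom IPsec policy is attached; Azure will use its default proposal set."
    }
    else {
        foreach ($p in $conn.IpsecPolicies) {
            # Every value here must match the XG IPsec profile (phase 1 and phase 2) exactly.
            [pscustomobject]@{
                IkeEncryption     = $p.IkeEncryption
                IkeIntegrity      = $p.IkeIntegrity
                DhGroup           = $p.DhGroup
                IpsecEncryption   = $p.IpsecEncryption
                IpsecIntegrity    = $p.IpsecIntegrity
                PfsGroup          = $p.PfsGroup
                SALifeTimeSeconds = $p.SALifeTimeSeconds
            }
        }
    }

    # ConnectionStatus is one of Unknown, Connecting, Connected or NotConnected; the byte
    # counters show whether traffic is actually flowing once the status is Connected.
    [pscustomobject]@{
        Name             = $conn.Name
        ConnectionStatus = $conn.ConnectionStatus
        IngressBytes     = $conn.IngressBytesTransferred
        EgressBytes      = $conn.EgressBytesTransferred
    }
}

Test-AzureVpnConnectionPolicy -ResourceGroupName $resourcegroup -ConnectionName $vpnconnection
```

A mismatch in any of the printed policy values, or a warning that policy-based traffic selectors are off, explains most cases where the XG Firewall shows only some of the expected SAs established.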