Reflexion will be End-of-life on March 31,2023. See Sophos Reflexion EoL FAQs to learn more.

Thread Info
  • Replies 17 replies
  • Subscribers 32 subscribers
  • Views 41897 views
  • Users 0 members are here
Options
Suggested

Sophos Firewall: Configuring an IPsec VPN Gateway Connection to Azure

DominicRemigio

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

Pre-requisites

1. Sophos Firewall v18 firmware

2. Your OnPrem Sophos Firewall and the following information:

  • The public IP address of Sophos Firewall.
  • The IP address space behind your Sophos Firewall.

3. Your Microsoft Azure vNet and the following information:

  • IP address space of the vNet

Step 1: Create Azure Local Network Gateway (with Sophos Firewall public IP address)

The local network gateway typically refers to your on-premises location. You'll need the public IP address of your On-Prem Sophos Firewall and your On-Prem Private IP address spaces.

Please note that this configuration assumes that the public IP address is directly configured on the On-Prem Sophos Firewall. Your configuration will be slightly different if your On-Prem Sophos Firewall sits behind a NAT device.

  1. Go to the Azure Portal: https://portal.azure.com and sign in with your credentials.
  2. Click on "Create a resource".
  3. In the search box, type "Local Network Gateway".
  4. Select "Local Network Gateway" and click on "Create".

  5. In the "Create local network gateway" blade, configure the following and then click on "Create":

    • Name: On_Premises_Sophos_XG_Firewall (You can give this any preferred name).
    • Endpoint: IP address
    • IP address: Specify the public IP address of your Sophos Firewall.
    • Address space: Specify the address ranges for the network that your On-Prem local network represents. In our scenario, this is 10.100.0.0/16.
    • Subscription: Verify that the correct subscription is selected for the deployment.
    • Resource Group: Select the resource group that you want to use. You can either create a new resource group or select an existing one.
    • Location: Select the location that this object will be created in.

Step 2: Create a Gateway Subnet

The VPN gateway will be deployed into a specific subnet of your network called the 'GatewaySubnet'.The size of the GatewaySubnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a GatewaySubnet as small as /29, it is recommend to create a larger subnet that includes more addresses by selecting /27 or /28 to be able to accommodate future configurations.

  1. In the Azure Portal: https://portal.azure.com, click on "More Services".
  2. In the search box, type "Virtual Networks" and select the "Virtual Networks" option.
  3. Click on the virtual network for which you want to create a virtual network gateway.
  4. In the "Virtual networks" blade, under "Settings", click on "Subnets".
  5. In the "Subnets" blade, click on "+ Gateway subnet" to add a new Gateway subnet.
  6. In the "Add Subnet" blade, configure the CIDR range of the new Gateway subnet and click "Save". In our scenario, this is 10.1.1.0/24.

Step 3: Create the VPN Gateway

  1. In the Azure Portal: https://portal.azure.com, click on "Create a resource".
  2. In the search box, type "Virtual network gateway".
  3. Select "Virtual network gateway" and click on "Create".

  4. In the "Create virtual network gateway" blade, configure the following:

    • Subscription: Verify that the correct subscription is selected for the deployment.
    • Instance details
      • Name: This will be the name of the gateway object you are creating.
      • Region: Select the same location as your virtual network (Otherwise the virtual network will not be displayed on the list).
      • Gateway type: VPN
      • VPN type: Route-based (this is a MUST to be able to use IKEv2).
      • SKU: Select the gateway SKU from the dropdown. For more information about gateway SKUs, see Gateway SKUs.
      • Generation: Generation 1
      • Virtual network: Choose the virtual network to which you want to add this gateway (if the virtual network that you want is not displayed on the list, verify that you have selected the right location in the "Region" parameter above).
    • Public IP address:
      • Public IP address: Create New
      • Public IP address Name: Enter a Name for the public IP address resource.
      • Leave other settings as default.
      • Click on "Review + Create"
      • Click on "Create"
      • Creating a gateway can take up to 45 minutes!
  5. After the VPN gateway creation has completed successfully, obtain it's public IP address (this will be needed in step 5).
    • In the Azure Portal, click on "More services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
    • Click on the VPN Gateway that you just created.
    • In the "VPN Gateway" blade, in the "Overview" section, make a note of the public IP address of the gateway.
    • This will be used in step 5.

Step 4: Create the VPN connection (Azure)

  1. In the Azure Portal: https://portal.azure.comclick on "More Services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
  2. Select the VPN gateway that you created earlier.
  3. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections", then click on "+ Add".
  4. In the "Add connection" blade, configure the following:
    • Name: Sophos_Xg_OnPrem_To_Azure (Input your preferred name)
    • Connection type: Site-to-site (IPSec)
    • Virtual network gateway: The value is fixed because you are connecting from this gateway
    • Local network gateway
      • Click "Choose a local network gateway
      • In the "Choose a local network gateway"  blade, select the local network gateway that you created earlier.
    • Shared key (PSK): Input a complex shared key. The value here must match the value that we will use on our on-premises Sophos Firewall.
    • IKE Protocol: IKEv2
    • The remaining values for Subscription, Resource Group, and Location are fixed.
    • Click OK to create your connection. You'll see Creating Connection flash on the screen.

Step 5: Download and extract the needed information from the configuration file (Azure)

  1. In the Azure Portal: https://portal.azure.comclick on "More services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
  2. Select the VPN gateway that you created earlier.
  3. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections", then select the connection that you created earlier.
  4. Click on the "Download configuration" button. This configuration file contains the needed information to configure the VPN connection on the Sophos Firewall.
  5. In the "Download configuration" blade, select the following:
    • Device vendor: Generic Samples
    • Device family: Device Parameters
    • Firmware version: 1.0
    • Click on "Download configuration".
  6. Open the downloaded file and make a note of the following:
    • Scroll down to the "Tunnel interface (VTI) configuration" section.
    • Make a note of the interface tunnel IP address and subnet mask
    • Also, make a note of the MSS value.
    • Both values will be needed for the configuration of the "xfrm tunnel interface" on Sophos Firewall.

Step 6: Create the VPN connection (Sophos Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos Firewall.
  2. Under "Configure", click on "VPN" → "IPSEC Connections" → "Add".
  3. Configure the following settings:
    • General Settings
      • Name: Input any preferred name.
      • Connection type: Tunnel interface
      • IP version: Dual
      • Gateway type: Initiate
      • Activate on save: Selected
      • Description: Add a description for the connection.
    • Encryption
      • Policy: Microsoft Azure
      • Authentication Type: Preshared key
      • Preshared key: Enter the same preshared key that you entered when creating the VPN connection on Azure.
      • Repeat preshared key: Confirm the above preshared key.
    • Gateway settings
      • Listening interface: Select the WAN interface of Sophos Firewall.
      • Gateway address: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
      • Local ID: IP Address
      • Remote ID: IP Address
      • Local ID: Enter the public IP of the OnPrem Sophos Firewall.
      • Remote ID: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
      • There is no option to configure the "Local Subnet" and "Remote Subnet". They will both be set to "0.0.0.0/0".
    • Advanced
      • Leave default settings.
    • Click "Save".
    • Click "OK" when prompted about the "Preshared key".
    • The connection should now be active. Click on the "red" button under Connection to enable the connection.

    • When prompted if you're sure that you want to connect, click "OK".

Step 7: Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos Firewall)

  1. Sign in to the WebAdmin of your On-Premises Sophos Firewall.
  2. Under "Protect", click on "Rules and policies" → "Add firewall rule" → "New firewall rule".
  3. In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:
    • Rule status: None
    • Rule name: azure_to_onprem
    • Action: Accept
    • Rule position: Top
    • Rule group: None
    • Log firewall traffic: Selected
    • Source
      • Source zones: LAN and VPN
      • Source networks and devices: Any
      • During scheduled time: Leave default setting
    • Destination & services
      • Destination zones: LAN and VPN
      • Destination networks: Any
      • Services: Any
    • Leave other settings as default.
      • You can configure the security checks of Sophos Firewall for the traffic if you want to.
    • Click on "Save".

Step 8: Configure the xfrm tunnel interface (Sophos Firewall)

  1. Sign in to the WebAdmin of your On-Premises Sophos Firewall.
  2. Under "Configure", click on "Network" → under "Interfaces", click on the xfrm interface.



  3. In the "Network" configuration window, configure the following:
    • IPv4/netmask: Enter the IP address and select the subnet mask that you made a note of in Step 5 (6).
    • Expand "Advanced settings".
      • Select "Override MSS" and enter the MSS value that you made a note of in Step 5 (6).
    • Click on "Save"



    • In the "Update interface" prompt, click "Update interface".

Step 9: Configure static routing to the Azure network (Sophos Firewall)

  1. Sign in to the WebAdmin of your On-Premises Sophos Firewall.
  2. Under "Configure", click on "Routing" → under "Static Routing", click on "Add".
  3. In the "Add unicast route" window, configure the following:
    • Destination IP/Netmask: Enter the network IP and subnet mask of your Azure virtual network.
    • Gateway: You can either leave this empty
      • OR enter the second IP address in the network that you made a note of in Step 5 (6). For example, the Sophos Firewall tunnel interface in my case is "169.254.0.1" in a "/30" network so the only other IP in that network is "169.254.0.2". I can enter this if I choose.
    • Interface: Select the XG's xfrm tunnel interface.
    • Distance: Leave default setting.
    • Click on "Save"

Step 10: Verify the VPN connection

  1. Do a connectivity test from an on-premise instance to an Azure VM.



  2. Do a connectivity test from an Azure VM to an on-premise instance.



  3. In the Azure Portal: https://portal.azure.com, go to "Virtual network gateways" and select the virtual network that you connected to.
  4. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections".
  5. In the "VPN Gateway - Connections" blade, ensure that the status of the connection is "Connected"



  6. Click on the connection and ensure that you're seeing data flow.
    • If you see 0B doesn't mean that the connection is not working, it just means that there's no data flow detected on the Azure side.

Things to watch out for

  1. Network Security Groups in Azure
    • If there's a network security group that's configured to block ports that you're attempting to connect on. This will cause issues.
  2. Route Table configuration in Azure
    • By default, the VPN Gateway automatically advertises the VPN subnets to the vNet route tables but watch out if you have user-defined routes that could override this.
  3. An interface with a public routable IP address is required on the on-premises Sophos Firewall since Azure do not support NAT. For more information, see Azure VPN Gateway FAQ.
  4. If the on-premises Sophos Firewall is behind a NAT device, it is recommended to use Sophos Firewall in Azure to deploy the VPN connection. To deploy Sophos Firewall on Azure, see Sophos Firewall on Azure: How to Deploy.
  5. Azure must re-key the IKE_SA by deleting the expired IKE_SA and creates a new connection, which leads to some seconds of downtime.
  6. Azure tends to use SHA1 if not forced by the on-premises Sophos Firewall to use SHA2.


Updated Table Of Contents, and some links
[edited by: emmosophos at 11:36 PM (GMT -8) on 24 Nov 2022]
Unfiltered HTML