Sophos Firewall: Configuring an IPsec VPN Gateway Connection to Azure

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Pre-requisites
Step 1: Create Azure Local Network Gateway (with Sophos Firewall public IP address)
Step 2: Create a Gateway Subnet
Step 3: Create the VPN Gateway
Step 4: Create the VPN connection (Azure)
Step 5: Download and extract the needed information from the configuration file (Azure)
Step 6: Create the VPN connection (Sophos Firewall)
Step 7: Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos Firewall)
Step 8: Configure the xfrm tunnel interface (Sophos Firewall)
Step 9: Configure static routing to the Azure network (Sophos Firewall)
Step 10: Verify the VPN connection
Things to watch out for

Pre-requisites

1. Sophos Firewall v18 firmware

Minimum of "EAP 3 Refresh-1" needed
You can register for and download from this URL: https://events.sophos.com/v18eap

2. Your OnPrem Sophos Firewall and the following information:

The public IP address of Sophos Firewall.
The IP address space behind your Sophos Firewall.

3. Your Microsoft Azure vNet and the following information:

IP address space of the vNet

Step 1: Create Azure Local Network Gateway (with Sophos Firewall public IP address)

The local network gateway typically refers to your on-premises location. You'll need the public IP address of your On-Prem Sophos Firewall and your On-Prem Private IP address spaces.

Please note that this configuration assumes that the public IP address is directly configured on the On-Prem Sophos Firewall. Your configuration will be slightly different if your On-Prem Sophos Firewall sits behind a NAT device.

Go to the Azure Portal: https://portal.azure.com and sign in with your credentials.
Click on "Create a resource".
In the search box, type "Local Network Gateway".
Select "Local Network Gateway" and click on "Create".
In the "Create local network gateway" blade, configure the following and then click on "Create":
- Name: On_Premises_Sophos_Sophos_Firewall (You can give this any preferred name).
- Endpoint: IP address
- IP address: Specify the public IP address of your Sophos Firewall.
- Address space: Specify the address ranges for the network that your On-Prem local network represents. In our scenario, this is 10.100.0.0/16.
- Subscription: Verify that the correct subscription is selected for the deployment.
- Resource Group: Select the resource group that you want to use. You can either create a new resource group or select an existing one.
- Location: Select the location that this object will be created in.

Step 2: Create a Gateway Subnet

The VPN gateway will be deployed into a specific subnet of your network called the 'GatewaySubnet'.The size of the GatewaySubnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a GatewaySubnet as small as /29, it is recommend to create a larger subnet that includes more addresses by selecting /27 or /28 to be able to accommodate future configurations.

In the Azure Portal: https://portal.azure.com, click on "More Services".
In the search box, type "Virtual Networks" and select the "Virtual Networks" option.
Click on the virtual network for which you want to create a virtual network gateway.
In the "Virtual networks" blade, under "Settings", click on "Subnets".
In the "Subnets" blade, click on "+ Gateway subnet" to add a new Gateway subnet.
In the "Add Subnet" blade, configure the CIDR range of the new Gateway subnet and click "Save". In our scenario, this is 10.1.1.0/24.

Step 3: Create the VPN Gateway

In the Azure Portal: https://portal.azure.com, click on "Create a resource".
In the search box, type "Virtual network gateway".
Select "Virtual network gateway" and click on "Create".
In the "Create virtual network gateway" blade, configure the following:
- Subscription: Verify that the correct subscription is selected for the deployment.
- Instance details
  - Name: This will be the name of the gateway object you are creating.
  - Region: Select the same location as your virtual network (Otherwise the virtual network will not be displayed on the list).
  - Gateway type: VPN
  - VPN type: Route-based (this is a MUST to be able to use IKEv2).
  - SKU: Select the gateway SKU from the dropdown. For more information about gateway SKUs, see Gateway SKUs.
  - Generation: Generation 1
  - Virtual network: Choose the virtual network to which you want to add this gateway (if the virtual network that you want is not displayed on the list, verify that you have selected the right location in the "Region" parameter above).
- Public IP address:
  - Public IP address: Create New
  - Public IP address Name: Enter a Name for the public IP address resource.
  - Leave other settings as default.
  - Click on "Review + Create"
  - Click on "Create"
  - Creating a gateway can take up to 45 minutes!
After the VPN gateway creation has completed successfully, obtain it's public IP address (this will be needed in step 5).
- In the Azure Portal, click on "More services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
- Click on the VPN Gateway that you just created.
- In the "VPN Gateway" blade, in the "Overview" section, make a note of the public IP address of the gateway.
- This will be used in step 5.

Step 4: Create the VPN connection (Azure)

In the Azure Portal: https://portal.azure.com, click on "More Services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
Select the VPN gateway that you created earlier.
In the "VPN Gateway" blade, in the "Settings" section, click on "Connections", then click on "+ Add".
In the "Add connection" blade, configure the following:
- Name: Sophos_Sophos_OnPrem_To_Azure (Input your preferred name)
- Connection type: Site-to-site (IPSec)
- Virtual network gateway: The value is fixed because you are connecting from this gateway
- Local network gateway:
  - Click "Choose a local network gateway"
  - In the "Choose a local network gateway" blade, select the local network gateway that you created earlier.
- Shared key (PSK): Input a complex shared key. The value here must match the value that we will use on our on-premises Sophos Firewall.
- IKE Protocol: IKEv2
- The remaining values for Subscription, Resource Group, and Location are fixed.
- Click OK to create your connection. You'll see Creating Connection flash on the screen.

Step 5: Download and extract the needed information from the configuration file (Azure)

In the Azure Portal: https://portal.azure.com, click on "More services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
Select the VPN gateway that you created earlier.
In the "VPN Gateway" blade, in the "Settings" section, click on "Connections", then select the connection that you created earlier.
Click on the "Download configuration" button. This configuration file contains the needed information to configure the VPN connection on the Sophos Firewall.
In the "Download configuration" blade, select the following:
- Device vendor: Generic Samples
- Device family: Device Parameters
- Firmware version: 1.0
- Click on "Download configuration".
Open the downloaded file and make a note of the following:
- Scroll down to the "Tunnel interface (VTI) configuration" section.
- Make a note of the interface tunnel IP address and subnet mask
- Also, make a note of the MSS value.
- Both values will be needed for the configuration of the "xfrm tunnel interface" on Sophos Firewall.

Step 6: Create the VPN connection (Sophos Firewall)

Log into the WebAdmin of your On-Premises Sophos Firewall.
Under "Configure", click on "VPN" → "IPSEC Connections" → "Add".
Configure the following settings:
- General Settings
  - Name: Input any preferred name.
  - Connection type: Tunnel interface
  - IP version: Dual
  - Gateway type: Initiate
  - Activate on save: Selected
  - Description: Add a description for the connection.
- Encryption
  - Policy: Microsoft Azure
  - Authentication Type: Preshared key
  - Preshared key: Enter the same preshared key that you entered when creating the VPN connection on Azure.
  - Repeat preshared key: Confirm the above preshared key.
- Gateway settings
  - Listening interface: Select the WAN interface of Sophos Firewall.
  - Gateway address: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
  - Local ID: IP Address
  - Remote ID: IP Address
  - Local ID: Enter the public IP of the OnPrem Sophos Firewall.
  - Remote ID: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
  - There is no option to configure the "Local Subnet" and "Remote Subnet". They will both be set to "0.0.0.0/0".
- Advanced
  - Leave default settings.
- Click "Save".
- Click "OK" when prompted about the "Preshared key".
- The connection should now be active. Click on the "red" button under Connection to enable the connection.
- When prompted if you're sure that you want to connect, click "OK".

Step 7: Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos Firewall)

Sign in to the WebAdmin of your On-Premises Sophos Firewall.
Under "Protect", click on "Rules and policies" → "Add firewall rule" → "New firewall rule".
In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:
- Rule status: None
- Rule name: azure_to_onprem
- Action: Accept
- Rule position: Top
- Rule group: None
- Log firewall traffic: Selected
- Source
  - Source zones: LAN and VPN
  - Source networks and devices: Any
  - During scheduled time: Leave the default setting
- Destination & services
  - Destination zones: LAN and VPN
  - Destination networks: Any
  - Services: Any
- Leave other settings as default.
  - You can configure the security checks of Sophos Firewall for the traffic if you want to.
- Click on "Save".

Step 8: Configure the xfrm tunnel interface (Sophos Firewall)

Sign in to the WebAdmin of your On-Premises Sophos Firewall.
Under "Configure", click "Network" → under "Interfaces", click the xfrm interface.
In the "Network" configuration window, configure the following:
- IPv4/netmask: Enter the IP address and select the subnet mask you noted in Step 5 (6).
- Expand "Advanced settings".
  - Select "Override MSS" and enter the MSS value you noted in Step 5 (6).
- Click "Save"
- In the "Update interface" prompt, click "Update interface".

Step 9: Configure static routing to the Azure network (Sophos Firewall)

Sign in to the WebAdmin of your On-Premises Sophos Firewall.
Under "Configure", click "Routing" → under "Static Routing", click "Add".
In the "Add unicast route" window, configure the following:
- Destination IP/Netmask: Enter your Azure virtual network's network IP and subnet mask.
- Gateway: You can either leave this empty
  - OR enter the second IP address in the network you noted in Step 5 (6). For example, the Sophos Firewall tunnel interface in my case is "169.254.0.1" in a "/30" network, so the only other IP in that network is "169.254.0.2". I can enter this if I choose.
- Interface: Select the Sophos's xfrm tunnel interface.
- Distance: Leave default setting.
- Click "Save"

Step 10: Verify the VPN connection

Do a connectivity test from an on-premise instance to an Azure VM.
Do a connectivity test from an Azure VM to an on-premise instance.
In the Azure Portal: https://portal.azure.com, go to "Virtual network gateways" and select the virtual network that you connected to.
In the "VPN Gateway" blade, in the "Settings" section, click "Connections".
In the "VPN Gateway - Connections" blade, ensure that the connection status is "Connected."
Click the connection and ensure that you're seeing data flow.
- If you see 0B, it doesn't mean that the connection isn’t working. It just means that there's no data flow detected on the Azure side.

Things to watch out for

Network Security Groups in Azure
- If there's a network security group configured to block ports you're attempting to connect on. This will cause issues.
Route Table configuration in Azure
- By default, the VPN Gateway automatically advertises the VPN subnets to the vNet route tables, but watch out if you have user-defined routes that could override this.
An interface with a public routable IP address is required on the on-premises Sophos Firewall since Azure doesn’t support NAT. For more information, see Azure VPN Gateway FAQ.
If the on-premises Sophos Firewall is behind a NAT device, it is recommended to use Sophos Firewall in Azure to deploy the VPN connection. To deploy Sophos Firewall on Azure, see Sophos Firewall on Azure: How to Deploy.
To avoid triggering false alerts in Sophos Central, change the re-key timers on Sophos Firewall (initiator) to lesser values than what is used in Azure.
Azure must re-key the IKE_SA by deleting the expired IKE_SA and creating a new connection, which leads to some seconds of downtime.
Azure tends to use SHA1 if not forced by the on-premises Sophos Firewall to use SHA2.

Revamped RR Added Horizontal Lines Corrected Grammar
[edited by: Erick Jan at 5:50 AM (GMT -8) on 16 Nov 2023]

Top Replies

DominicRemigio over 1 year ago in reply to woter324 +2

Hi woter324 , I have tried to reconfigure this scenario by following the article and I was able to ping both ways. But my setup is that my On-premise devices are also actually in Azure but in a different…

Adam Lee over 2 years ago

Hi and thanks for a great guide.

I've completed most of the steps, I'm getting a green light when connected and Azure is also confirming the connection but when I go to "network interfaces" I don't have an XFRM Tunnel Interface even though I selected tunnel for the type when creating the IPSec connection.

Any clues on how to fix?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
emmosophos over 2 years ago in reply to Adam Lee

Hello Adam,

Make sure you’re clicking under your WAN interface that connects to the Azure, it might not show, until you click a white space on the WAN interface.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Cancel
Adam Lee over 2 years ago in reply to emmosophos

Thanks. I'll try that. I've got it working using this guide for now though which uses site-to-site rather than tunnel mode: Sophos XG Firewall: How to configure a site to site IPsec VPN with multiple SAs to a route-based Azure VPN gateway - Recommended Reads - Sophos (XG) Firewall - Sophos Community
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Sam Santandrea over 2 years ago

Hello,

I have been working through this guide to setup a IPsec VPN connection and I can't get it to establish a connection.

I believe I am having difficulty with step 5. I am supposed to enter the APIPA address in the xfrm virtual port? What about the VPN connection? I assume this should be the public IP address of the azure Virtual Network Gateway for both. The guide is not very clear. I don't know why I would ever use an APIPA address. Unless someone can explain to me.

Sam
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Kyle Sexson over 1 year ago

Out of Curiosity, why set the VPN on the Sophos to Respond Only? It doesn't seem like Azure reaches out to open the connection, and some experimenting has ours behaving better with it set to initiate.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
woter324 over 1 year ago

Hi DominicRemigio

Thank you for the article. You have two step 9's :-) - Glad you read this and fixed it.

I can ping Azure > Home, but not the other way. Trace route goes no further than the test machine's default gateway.

You say the gateway of the static route can be left blank. I've tried leaving it blankl and I have added the gateway 169.254.0.2.

As this is a home license, I've started a discussion:

https://community.sophos.com/sophos-xg-firewall/f/discussions/131633/azure-ipsec-issues.

Thanks
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
DominicRemigio over 1 year ago in reply to woter324

Hi woter324,

I have tried to reconfigure this scenario by following the article and I was able to ping both ways. But my setup is that my On-premise devices are also actually in Azure but in a different Virtual Network than the Virtual Network Gateway because I do not have an actual "on-premise" Sophos Firewall with a public IP address.

Network Diagram:

VPN tunnel successfully established.

After following the configuration in the article, I cannot ping from OnPremWin10 to AzureWin10 and vice versa. But maybe this is because I'm missing a route within Azure because my On-premise devices are also in Azure.

I tried to add a Route Table in Azure and associated the SophosXGOnPrem LAN network (10.0.0.0/24) to it.

Then I created a route going to the Azure Network (10.1.0.0/16) and pointed it to the SophosXGOnPrem's LAN IP (10.0.0.4/24).

The XG already knows how to get to the Azure Network (10.1.0.0/16) because of the static route configured while following the article, and this route is via the xfrm interface.

So now the packets coming from the OnPremWin10 that is going to the Azure Network (10.1.0.0/16) will be forwarded to the SophosXGOnPrem, which knows how to get to that network via the xfrm interface.

After adding the route in Azure, I was able to ping both ways. This is if the tunnel is established.

If I disable the tunnel, the traffic gets disconnected. So it means that the traffic is flowing to the IPsec VPN connection.

Maybe you can check any routing issues within your network. Something might be missing.

Also, I did not put any Gateway in the Static Route configuration in the XG.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Cancel
Cedillo Edwards over 1 year ago

I don't have an XFRM Tunnel Interface even though I selected tunnel for the type when creating the IPSec connection...

Tell me how to fix
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
DominicRemigio over 1 year ago in reply to Kyle Sexson

Thanks for your feedback. This has been updated.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
DominicRemigio over 1 year ago in reply to Cedillo Edwards

Hello, please see the related response of Emmo in the comments above.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Cancel