Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.
1. Sophos Firewall v18 firmware
2. Your OnPrem Sophos Firewall and the following information:
3. Your Microsoft Azure vNet and the following information:
The local network gateway typically refers to your on-premises location. You'll need the public IP address of your On-Prem Sophos Firewall and your On-Prem Private IP address spaces. Please note that this configuration assumes that the public IP address is directly configured on the On-Prem Sophos Firewall. Your configuration will be slightly different if your On-Prem Sophos Firewall sits behind a NAT device.
In the "Create local network gateway" blade, configure the following and then click on "Create":
The VPN gateway will be deployed into a specific subnet of your network called the 'GatewaySubnet'. The size of the GatewaySubnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a GatewaySubnet as small as /29, it is recommended to create a larger subnet that includes more addresses by selecting /27 or /28 to be able to accommodate future configurations.
In the "Create virtual network gateway" blade, configure the following:
Hi and thanks for a great guide.
I've completed most of the steps, I'm getting a green light when connected and Azure is also confirming the connection but when I go to "network interfaces" I don't have an XFRM Tunnel Interface even though I selected tunnel for the type when creating the IPSec connection.
Any clues on how to fix?
Hello Adam,
Make sure you're clicking under your WAN interface that connects to Azure; it might not show until you click a white space on the WAN interface.
Regards,
Thanks. I'll try that. I've got it working using this guide for now though which uses site-to-site rather than tunnel mode: Sophos XG Firewall: How to configure a site to site IPsec VPN with multiple SAs to a route-based Azure VPN gateway - Recommended Reads - Sophos (XG) Firewall - Sophos Community
Hello,
I have been working through this guide to set up an IPsec VPN connection and I can't get it to establish a connection.
I believe I am having difficulty with step 5. I am supposed to enter the APIPA address in the xfrm virtual port? What about the VPN connection? I assume this should be the public IP address of the Azure Virtual Network Gateway for both. The guide is not very clear. I don't know why I would ever use an APIPA address, unless someone can explain it to me.
Sam
Out of curiosity, why set the VPN on the Sophos to Respond Only? It doesn't seem like Azure reaches out to open the connection, and some experimenting has ours behaving better with it set to initiate.
Hi DominicRemigio
Thank you for the article. You have two step 9's :-) - Glad you read this and fixed it.
I can ping Azure > Home, but not the other way. Trace route goes no further than the test machine's default gateway.
You say the gateway of the static route can be left blank. I've tried leaving it blank and I have added the gateway 169.254.0.2.
As this is a home license, I've started a discussion:
https://community.sophos.com/sophos-xg-firewall/f/discussions/131633/azure-ipsec-issues.
Thanks
Hi woter324,
I have tried to reconfigure this scenario by following the article and I was able to ping both ways. But my setup is that my On-premise devices are also actually in Azure but in a different Virtual Network than the Virtual Network Gateway because I do not have an actual "on-premise" Sophos Firewall with a public IP address.
Network Diagram:
VPN tunnel successfully established.
After following the configuration in the article, I cannot ping from OnPremWin10 to AzureWin10 and vice versa. But maybe this is because I'm missing a route within Azure because my On-premise devices are also in Azure.
I tried to add a Route Table in Azure and associated the SophosXGOnPrem LAN network (10.0.0.0/24) to it.
Then I created a route going to the Azure Network (10.1.0.0/16) and pointed it to the SophosXGOnPrem's LAN IP (10.0.0.4/24).
The XG already knows how to get to the Azure Network (10.1.0.0/16) because of the static route configured while following the article, and this route is via the xfrm interface.
So now the packets coming from the OnPremWin10 that is going to the Azure Network (10.1.0.0/16) will be forwarded to the SophosXGOnPrem, which knows how to get to that network via the xfrm interface.
After adding the route in Azure, I was able to ping both ways. This is if the tunnel is established.
If I disable the tunnel, the traffic gets disconnected. So it means that the traffic is flowing to the IPsec VPN connection.
Maybe you can check any routing issues within your network. Something might be missing.
Also, I did not put any Gateway in the Static Route configuration in the XG.
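As an added illustration of the routing Emmo describes (a constructed model written for this page, not Sophos or Azure code), the lookups below show why the Azure route table is needed when the "on-premises" side also lives in Azure: without a user-defined route, traffic to 10.1.0.0/16 falls through to the VNet's default route instead of reaching the XG's LAN IP, and with the tunnel down the XG's xfrm route is unusable. The prefixes and the 10.0.0.4 next hop come from the comment; the system routes and the drop behaviour are simplifying assumptions.

```python
import ipaddress

# Constructed model: each hop holds (prefix, next-hop type, next hop); longest prefix wins.
# Simplification: Azure's system routes for the OnPrem VNet are VnetLocal plus a default
# route whose next hop is Internet, where a private destination is assumed to be dropped.
AZURE_ONPREM_VNET_ROUTES = [
    ("10.0.0.0/24", "VnetLocal", None),
    ("0.0.0.0/0", "Internet", None),
]
# The user-defined route from the comment: Azure network via the XG LAN IP (virtual appliance).
UDR_TO_AZURE_NETWORK = ("10.1.0.0/16", "VirtualAppliance", "10.0.0.4")
# The XG's routes: connected LAN plus the static route to Azure via the xfrm tunnel interface.
XG_ROUTES = [
    ("10.0.0.0/24", "Connected", "LAN"),
    ("10.1.0.0/16", "Static", "xfrm"),
]


def lookup(routes, dst):
    """Longest-prefix match; returns (network, kind, next_hop) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, kind, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, nh)
    return best


def trace(dst, with_udr=True, tunnel_up=True):
    """Hops a packet from OnPremWin10 (in 10.0.0.0/24) takes toward dst."""
    routes = list(AZURE_ONPREM_VNET_ROUTES)
    if with_udr:
        routes.append(UDR_TO_AZURE_NETWORK)
    path = ["OnPremWin10"]
    hit = lookup(routes, dst)
    if hit is None or hit[1] == "Internet":
        return path + ["dropped:private-dst-via-Internet-route"]
    if hit[1] == "VnetLocal":
        return path + ["delivered-in-vnet"]
    path.append(f"SophosXG({hit[2]})")        # forwarded to the virtual appliance
    hit = lookup(XG_ROUTES, dst)
    if hit is None or hit[2] != "xfrm":
        return path + ["no-route"]
    if not tunnel_up:                         # static route exists but the SA is down
        return path + ["dropped:tunnel-down"]
    return path + ["xfrm", "AzureVNetGateway", "delivered"]
```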
I don't have an XFRM Tunnel Interface even though I selected tunnel for the type when creating the IPSec connection...
Tell me how to fix
Thanks for your feedback. This has been updated.
Hello, please see the related response of Emmo in the comments above.