
Sophos Firewall: Configuring an IPsec VPN Gateway Connection to Azure

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Pre-requisites

1. Sophos Firewall v18 firmware

2. Your OnPrem Sophos Firewall and the following information:

  • The public IP address of Sophos Firewall.
  • The IP address space behind your Sophos Firewall.

3. Your Microsoft Azure vNet and the following information:

  • IP address space of the vNet

Step 1: Create Azure Local Network Gateway (with Sophos Firewall public IP address)

The local network gateway typically refers to your on-premises location. You'll need the public IP address of your On-Prem Sophos Firewall and your On-Prem Private IP address spaces.

Please note that this configuration assumes that the public IP address is directly configured on the On-Prem Sophos Firewall. Your configuration will be slightly different if your On-Prem Sophos Firewall sits behind a NAT device.

  1. Go to the Azure Portal: https://portal.azure.com and sign in with your credentials.
  2. Click on "Create a resource".
  3. In the search box, type "Local Network Gateway".
  4. Select "Local Network Gateway" and click on "Create".
  5. In the "Create local network gateway" blade, configure the following and then click on "Create":

    • Name: On_Premises_Sophos_Sophos_Firewall (You can give this any preferred name).
    • Endpoint: IP address
    • IP address: Specify the public IP address of your Sophos Firewall.
    • Address space: Specify the address ranges for the network that your On-Prem local network represents. In our scenario, this is 10.100.0.0/16.
    • Subscription: Verify that the correct subscription is selected for the deployment.
    • Resource Group: Select the resource group that you want to use. You can either create a new resource group or select an existing one.
    • Location: Select the location that this object will be created in.

Step 2: Create a Gateway Subnet

The VPN gateway will be deployed into a specific subnet of your network called the 'GatewaySubnet'. The size of the GatewaySubnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a GatewaySubnet as small as /29, it is recommended to create a larger subnet that includes more addresses by selecting /27 or /28 to be able to accommodate future configurations.

  1. In the Azure Portal: https://portal.azure.com, click on "More Services".
  2. In the search box, type "Virtual Networks" and select the "Virtual Networks" option.
  3. Click on the virtual network for which you want to create a virtual network gateway.
  4. In the "Virtual networks" blade, under "Settings", click on "Subnets".
  5. In the "Subnets" blade, click on "+ Gateway subnet" to add a new Gateway subnet.
  6. In the "Add Subnet" blade, configure the CIDR range of the new Gateway subnet and click "Save". In our scenario, this is 10.1.1.0/24.

Step 3: Create the VPN Gateway

  1. In the Azure Portal: https://portal.azure.com, click on "Create a resource".
  2. In the search box, type "Virtual network gateway".
  3. Select "Virtual network gateway" and click on "Create".
  4. In the "Create virtual network gateway" blade, configure the following:

    • Subscription: Verify that the correct subscription is selected for the deployment.
    • Instance details
      • Name: This will be the name of the gateway object you are creating.
      • Region: Select the same location as your virtual network (Otherwise the virtual network will not be displayed on the list).
      • Gateway type: VPN
      • VPN type: Route-based (this is a MUST to be able to use IKEv2).
      • SKU: Select the gateway SKU from the dropdown. For more information about gateway SKUs, see Gateway SKUs.
      • Generation: Generation 1
      • Virtual network: Choose the virtual network to which you want to add this gateway (if the virtual network that you want is not displayed on the list, verify that you have selected the right location in the "Region" parameter above).
    • Public IP address:
      • Public IP address: Create New
      • Public IP address Name: Enter a Name for the public IP address resource.
      • Leave other settings as default.
      • Click on "Review + Create"
      • Click on "Create"
      • Creating a gateway can take up to 45 minutes!
  5. After the VPN gateway creation has completed successfully, obtain its public IP address (this will be needed in step 5).
    • In the Azure Portal, click on "More services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
    • Click on the VPN Gateway that you just created.
    • In the "VPN Gateway" blade, in the "Overview" section, make a note of the public IP address of the gateway.
    • This will be used in step 5.

Step 4: Create the VPN connection (Azure)

  1. In the Azure Portal: https://portal.azure.com, click on "More Services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
  2. Select the VPN gateway that you created earlier.
  3. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections", then click on "+ Add".
  4. In the "Add connection" blade, configure the following:
    • Name: Sophos_Sophos_OnPrem_To_Azure (Input your preferred name)
    • Connection type: Site-to-site (IPSec)
    • Virtual network gateway: The value is fixed because you are connecting from this gateway
    • Local network gateway
      • Click "Choose a local network gateway".
      • In the "Choose a local network gateway" blade, select the local network gateway that you created earlier.
    • Shared key (PSK): Input a complex shared key. The value here must match the value that we will use on our on-premises Sophos Firewall.
    • IKE Protocol: IKEv2
    • The remaining values for Subscription, Resource Group, and Location are fixed.
    • Click OK to create your connection. You'll see Creating Connection flash on the screen.

Step 5: Download and extract the needed information from the configuration file (Azure)

  1. In the Azure Portal: https://portal.azure.com, click on "More services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
  2. Select the VPN gateway that you created earlier.
  3. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections", then select the connection that you created earlier.
  4. Click on the "Download configuration" button. This configuration file contains the needed information to configure the VPN connection on the Sophos Firewall.
  5. In the "Download configuration" blade, select the following:
    • Device vendor: Generic Samples
    • Device family: Device Parameters
    • Firmware version: 1.0
    • Click on "Download configuration".
  6. Open the downloaded file and make a note of the following:
    • Scroll down to the "Tunnel interface (VTI) configuration" section.
    • Make a note of the interface tunnel IP address and subnet mask
    • Also, make a note of the MSS value.
    • Both values will be needed for the configuration of the "xfrm tunnel interface" on Sophos Firewall.

Step 6: Create the VPN connection (Sophos Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos Firewall.
  2. Under "Configure", click on "VPN" → "IPSEC Connections" → "Add".
  3. Configure the following settings:
    • General Settings
      • Name: Input any preferred name.
      • Connection type: Tunnel interface
      • IP version: Dual
      • Gateway type: Initiate
      • Activate on save: Selected
      • Description: Add a description for the connection.
    • Encryption
      • Policy: Microsoft Azure
      • Authentication Type: Preshared key
      • Preshared key: Enter the same preshared key that you entered when creating the VPN connection on Azure.
      • Repeat preshared key: Confirm the above preshared key.
    • Gateway settings
      • Listening interface: Select the WAN interface of Sophos Firewall.
      • Gateway address: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
      • Local ID: IP Address
      • Remote ID: IP Address
      • Local ID: Enter the public IP of the OnPrem Sophos Firewall.
      • Remote ID: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
      • There is no option to configure the "Local Subnet" and "Remote Subnet". They will both be set to "0.0.0.0/0".
    • Advanced
      • Leave default settings.
    • Click "Save".
    • Click "OK" when prompted about the "Preshared key".
    • The connection should now be active. Click on the "red" button under Connection to enable the connection.
    • When prompted if you're sure that you want to connect, click "OK".

Step 7: Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos Firewall)

  1. Sign in to the WebAdmin of your On-Premises Sophos Firewall.
  2. Under "Protect", click on "Rules and policies" → "Add firewall rule" → "New firewall rule".
  3. In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:
    • Rule status: None
    • Rule name: azure_to_onprem
    • Action: Accept
    • Rule position: Top
    • Rule group: None
    • Log firewall traffic: Selected
    • Source
      • Source zones: LAN and VPN
      • Source networks and devices: Any
      • During scheduled time: Leave the default setting
    • Destination & services
      • Destination zones: LAN and VPN
      • Destination networks: Any
      • Services: Any
    • Leave other settings as default.
      • You can configure the security checks of Sophos Firewall for the traffic if you want to.
    • Click on "Save".

Step 8: Configure the xfrm tunnel interface (Sophos Firewall)

  1. Sign in to the WebAdmin of your On-Premises Sophos Firewall.
  2. Under "Configure", click "Network" → under "Interfaces", click the xfrm interface.
  3. In the "Network" configuration window, configure the following:
    • IPv4/netmask: Enter the IP address and select the subnet mask you noted in Step 5 (6).
    • Expand "Advanced settings".
      • Select "Override MSS" and enter the MSS value you noted in Step 5 (6).
    • Click "Save"
    • In the "Update interface" prompt, click "Update interface".

Step 9: Configure static routing to the Azure network (Sophos Firewall)

  1. Sign in to the WebAdmin of your On-Premises Sophos Firewall.
  2. Under "Configure", click "Routing" → under "Static Routing", click "Add".
  3. In the "Add unicast route" window, configure the following:
    • Destination IP/Netmask: Enter your Azure virtual network's network IP and subnet mask.
    • Gateway: You can either leave this empty
      • OR enter the second IP address in the network you noted in Step 5 (6). For example, the Sophos Firewall tunnel interface in my case is "169.254.0.1" in a "/30" network, so the only other IP in that network is "169.254.0.2". I can enter this if I choose.
    • Interface: Select the Sophos's xfrm tunnel interface.
    • Distance: Leave default setting.
    • Click "Save"
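Added example (not part of the Sophos article): a standard-library Python pre-flight check on the addressing entered in Steps 1, 2, 5 and 9, so that an overlapping or undersized prefix is caught before it is typed into either portal. The vNet prefix 10.1.0.0/16 and the VTI address 169.254.0.1/30 are taken from the reply thread, and the interface name xfrm1 is a placeholder for whatever WebAdmin shows.

```python
from ipaddress import ip_interface, ip_network

MIN_GATEWAY_PREFIX = 29          # smallest GatewaySubnet Azure accepts
RECOMMENDED_GATEWAY_PREFIX = 28  # article recommends /27 or /28 for headroom


def check_addressing(onprem_space, vnet_space, gateway_subnet):
    """Cross-check the prefixes entered in Steps 1 and 2.

    Returns a list of problems; an empty list means the plan is consistent.
    """
    onprem = ip_network(onprem_space)
    vnet = ip_network(vnet_space)
    gw = ip_network(gateway_subnet)
    problems = []
    # Overlapping address spaces leave Azure (and the Sophos static route in
    # Step 9) with no unambiguous next hop for the other side.
    if onprem.overlaps(vnet):
        problems.append(f"on-prem space {onprem} overlaps the vNet {vnet}")
    if not gw.subnet_of(vnet):
        problems.append(f"GatewaySubnet {gw} is not inside the vNet {vnet}")
    if gw.prefixlen > MIN_GATEWAY_PREFIX:
        problems.append(f"GatewaySubnet {gw} is smaller than /{MIN_GATEWAY_PREFIX}")
    elif gw.prefixlen > RECOMMENDED_GATEWAY_PREFIX:
        problems.append(f"warning: GatewaySubnet {gw} is smaller than /{RECOMMENDED_GATEWAY_PREFIX}")
    return problems


def tunnel_peer(vti_address):
    """Given the VTI address from the Azure config file (Step 5, e.g. 169.254.0.1/30),
    return the only other host in that network: the Azure end of the tunnel."""
    iface = ip_interface(vti_address)
    others = [h for h in iface.network.hosts() if h != iface.ip]
    if len(others) != 1:
        raise ValueError(f"{vti_address} is not a point-to-point (/30 or /31) network")
    return str(others[0])


def static_route(vnet_space, vti_address, interface="xfrm1"):
    """Build the Step 9 unicast route: vNet prefix via the xfrm tunnel interface.
    The interface name 'xfrm1' is a placeholder; use the one shown in WebAdmin."""
    return {"destination": str(ip_network(vnet_space)),
            "gateway": tunnel_peer(vti_address),
            "interface": interface}


if __name__ == "__main__":
    # Constructed scenario: the article's 10.100.0.0/16 and 10.1.1.0/24, plus the
    # 10.1.0.0/16 vNet and 169.254.0.1/30 VTI address from the reply thread.
    for problem in check_addressing("10.100.0.0/16", "10.1.0.0/16", "10.1.1.0/24"):
        print("problem:", problem)
    print(static_route("10.1.0.0/16", "169.254.0.1/30"))
```

Leaving the route's gateway empty, as the article allows, is equivalent to pointing it at the peer address returned by tunnel_peer, because a /30 tunnel has no other host to choose.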

Step 10: Verify the VPN connection

  1. Do a connectivity test from an on-premise instance to an Azure VM.
  2. Do a connectivity test from an Azure VM to an on-premise instance.
  3. In the Azure Portal: https://portal.azure.com, go to "Virtual network gateways" and select the virtual network that you connected to.
  4. In the "VPN Gateway" blade, in the "Settings" section, click "Connections".
  5. In the "VPN Gateway - Connections" blade, ensure that the connection status is "Connected."
  6. Click the connection and ensure that you're seeing data flow.
    • If you see 0B, it doesn't mean that the connection isn’t working. It just means that there's no data flow detected on the Azure side.

Things to watch out for

  1. Network Security Groups in Azure
    • If a network security group is configured to block the ports you're attempting to connect on, this will cause issues.
  2. Route Table configuration in Azure
    • By default, the VPN Gateway automatically advertises the VPN subnets to the vNet route tables, but watch out if you have user-defined routes that could override this.
  3. An interface with a public routable IP address is required on the on-premises Sophos Firewall since Azure doesn’t support NAT. For more information, see Azure VPN Gateway FAQ.
  4. If the on-premises Sophos Firewall is behind a NAT device, it is recommended to use Sophos Firewall in Azure to deploy the VPN connection. To deploy Sophos Firewall on Azure, see Sophos Firewall on Azure: How to Deploy.
  5. To avoid triggering false alerts in Sophos Central, change the re-key timers on Sophos Firewall (initiator) to lesser values than what is used in Azure.
  6. Azure must re-key the IKE_SA by deleting the expired IKE_SA and creating a new connection, which leads to some seconds of downtime.
  7. Azure tends to use SHA1 if not forced by the on-premises Sophos Firewall to use SHA2.


[edited by: Erick Jan at 5:50 AM (GMT -8) on 16 Nov 2023]
  • Hi,

    I have tried to reconfigure this scenario by following the article and I was able to ping both ways. But my setup is that my On-premise devices are also actually in Azure but in a different Virtual Network than the Virtual Network Gateway because I do not have an actual "on-premise" Sophos Firewall with a public IP address.

    Network Diagram:

    VPN tunnel successfully established.

    After following the configuration in the article, I cannot ping from OnPremWin10 to AzureWin10 and vice versa. But maybe this is because I'm missing a route within Azure because my On-premise devices are also in Azure.

    I tried to add a Route Table in Azure and associated the SophosXGOnPrem LAN network (10.0.0.0/24) to it.

    Then I created a route going to the Azure Network (10.1.0.0/16) and pointed it to the SophosXGOnPrem's LAN IP (10.0.0.4/24).

    The XG already knows how to get to the Azure Network (10.1.0.0/16) because of the static route configured while following the article, and this route is via the xfrm interface.

    So now the packets coming from the OnPremWin10 that is going to the Azure Network (10.1.0.0/16) will be forwarded to the SophosXGOnPrem, which knows how to get to that network via the xfrm interface.

    After adding the route in Azure, I was able to ping both ways. This is if the tunnel is established.

    If I disable the tunnel, the traffic gets disconnected. So it means that the traffic is flowing to the IPsec VPN connection.

    Maybe you can check any routing issues within your network. Something might be missing.

    Also, I did not put any Gateway in the Static Route configuration in the XG.

  • Thank you for replying. I know it's been a while. I created a Windows router to solve the issue at the time, however, 6 months later, I had to get the Site-to-Site VPN working between the XG & Azure. After spending the best part of a weekend on it, I finally cracked my problem. It was NAT'ing. During a prior upgrade, you (Sophos) changed the way NAT'ing behaved and the upgrade process automatically created a bunch of NAT rules. Things seemed to work, so I left them as they were.

    What fixed the local > Azure ping issue was explicitly setting the Outbound Interface to my public interface. It was set to Any.

    (I can't get the screenshot to upload here, so I'll put it in my forum post)

    For those reading here: 

    1. Rules and policies.
    2. NAT rules.
    3. Select rule corresponding to VLAN that cannot ping.
    4. Interface matching criteria > Outbound interface > <external facing port>.

    Link to my forum post: https://community.sophos.com/sophos-xg-firewall/f/discussions/131633/azure-ipsec-issues.

    There might be a better way, and it might have been such an obvious thing that nobody thought to mention it.

    Thanks again