Thread Info
  • Replies 13 replies
  • Subscribers 9 subscribers
  • Views 15871 views
  • Users 0 members are here
Options
Suggested

Sophos UTM: How to create an IPsec connection to Microsoft Azure

DominicRemigio

Disclaimer: This information is provided as-is without any guarantees. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This knowledge base article explains how to set up an IPsec connection from the Sophos UTM to Microsoft Azure.

This article goes through each step required to have a functional virtual network to connect to Azure. Please adapt these steps to fit your existing environment.

The following sections are covered:

Applies to the following Sophos products and versions
Sophos UTM
 

How to set up the Azure environment

The example below describes the steps to build a new environment but can be easily adapted to an existing environment.
 

Create the Virtual Network

The Virtual Network defines the address space used in Azure, as well as what subnets are in that network.
 

  1. Sign in to the Azure Portal.
  2. Click Create a resource.
  3. Search for Virtual network and click Create.
  4. Under the Basics tab, configure the following:
    1. Subscription
    2. Resource group - select an existing resource group or create a new one.
    3. Name
    4. Region
  5. Click Next : IP Addresses.
  6. Under the IP Addresses tab, configure the following:
    1. IPv4 address spaceThe address space should be bigger than the subnet address range as we will need at least two subnets for this setup.
      1. Example: Address space: 10.0.0.0/16
      2. Example: Subnet address range 10.0.0.0/24
    2. Subnet name - create a new subnet by clicking Add subnet.
    3. Subnet address range
  7. Click Next : Security.
  8. Leave the settings as defaults but you can configure this according to your environment.
  9. Click Next : Tags.
  10. Leave the settings as defaults but you can configure this according to your environment.
  11. Click Next : Review + create.
  12. Click Create.

Create the Virtual Network Gateway

The Virtual Network Gateway defines the external IP with which VPN tunnels can be created. It also defines which networks can be accessed by those VPNs.

  1. Go back to Azure's home page and click Create a resource.
  2. Search for Virtual Network Gateway and click Create.
  3. Under the Basics tab, configure the following:
    1. Subscription
    2. Name
    3. Region
    4. Gateway type - VPN
    5. VPN type - Policy-based
    6. SKU
    7. Generation
    8. Virtual network - select the virtual network that was created.
    9. Gateway subnet address range - this will be filled out automatically, you can change the range as long as it is within your virtual networks address space.
    10. Public IP address - Create new (follow the prompts to automatically generate a new public IP)
    11. Public IP address name
  4. Click Next : Tags.
  5. Leave the settings as defaults but you can configure this according to your environment.
  6. Click Next : Review + create.
  7. Click Create.

Create the Local network gateway

The Local network gateway specifies the public IP and private IP's of local networks that may establish a connection to Azure.

  1. Go back to Azure's home page and click Create a resource.
  2. Search for Local Network Gateway and click Create.
  3. Configure the following:
    1. Name
    2. Endpoint - IP address
    3. IP address - the public IP address of the on-premise UTM
    4. Address space - the local network of the on-premise UTM
    5. Subscription
    6. Resource Group - select the existing resource group
    7. Location
  4. Click Create.

Create the Connection

The connection defines a specific VPN tunnel and which networks may access it.
 

  1. Go back to Azure's home page, search for Virtual network gateways, and select it.
  2. Click on the virtual network gateway that was created earlier.
  3. Click Connections > Add.
  4. Configure the following:
    1. Name
    2. Connection type - Site-to-site (IPsec)
    3. Local network gateway - select the local network gateway that was created earlier.
    4. Shared key (PSK) - create a PSK.
    5. IKE Protocol - IKEv1 (UTM only supports IKEv1. Azure supports both IKEv1 and IKEv2, and IKEv2 is the default.)
  5. Click OK.

How to set up the UTM

The UTM will be set up like any normal IPsec tunnel except that we must make an encryption policy specific to Azure's requirements.
 

Create the Remote Gateway

This defines the remote address the UTM will connect to.
 

  1. Sign in to the Webadmin of the Sophos UTM.
  2. Navigate to Site-to-Site VPN > IPsec > Remote Gateways.
  3. Configure the following:
    1. Name
    2. Gateway type - Initiate connection
    3. Gatewaycreate a network object for the Gateway IP address. This is the public IP address of the Azure Virtual Network Gateway.
    4. Authentication type - Preshared key
    5. Key -  this must match the key used on the Azure connection.
    6. Repeat -  this must match the key used on the Azure connection.
    7. Remote networks - define the networks that will be accessed on Azure.

  4. Click Save.

Create the IPsec Policy

The IPsec Policy defines the encryption and other security parameters used by the IPsec tunnel. Azure has specific requirements and we have found that these settings work best.
 

  1. Navigate to Site-to-Site VPN > IPsec > Policies.
  2. Click on + New IPsec Policy.
  3. Configure the following:
    1. Name
    2. IKE encryption algorithm - AES 128
    3. IKE authentication algorithm - SHA1
    4. IKE SA lifetime - 28800
    5. IKE DH group - Group 2: MODP 1024
    6. IPsec encryption algorithm - AES 128
    7. IPsec authentication algorithm - SHA1
    8. IPsec SA lifetime - 3600
    9. IPsec PFS group - None


      Note: If the tunnel keeps disconnecting or experiencing a slow connection, try to enable Strict policy.

  4. Click Save.

Create the IPsec Connection

This creates the IPsec tunnel by selecting a Remote Gateway, Policy, and defining which local networks can access the tunnel.
 

  1. Navigate to Site-to-Site VPN > IPsec > Connections.
  2. Configure the following:
    1. Name
    2. Remote gateway - select the remote gateway that was created earlier.
    3. Local interface - this should be the gateway used to establish the IPsec connection. It is usually the WAN interface.
    4. Policy -  select the IPsec policy that was created earlier.
    5. Local Networks - define the networks that will have access to the IPsec tunnel.
    6. Automatic firewall rules - enable
  3. Click Save.

Additional information

  • When creating the IPsec tunnel on the UTM, make sure to check Automatic firewall rules, otherwise, you will need to manually create firewall rules to and from the Azure and local subnets.
  • Verify there are no firewall rules in Azure that are preventing traffic from the UTM's network to the local networks.
  • A Source NAT (SNAT) rule is not necessary to communicate between subnets, if you are having problems with communication between Azure and the Local subnet, verify that there is no Masquerade or SNAT rule interfering with the traffic.

Related information


Previous article ID: 126995



Added the following: Note: If the tunnel keeps disconnecting or experiencing a slow connection, try to enable Strict policy.
[edited by: DominicRemigio at 3:55 AM (GMT -7) on 8 Oct 2021]

  • Last week, I came up with a solution to a problem that my client was having with his new IPsec tunnel to Azure disconnecting occasionally and being slower than expected.  It took 2.4 hours of billable time to examine his configuration as per Dominic's post above above, the logs and the results of espdump at the command line. On the tunnel status page, I eventually noticed that Azure was negotiating 256 in IKE instead of 128::

         IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_SHA2_256 / Lifetime 28800s

    I only made one change and now my client describes his connection as solid and "screamin'" fast.

    I'd been working "blind" since the end of July with a service provider in Las Vegas that was trying to sell a service in Azure to a customer in Denver with a UTM.  I wasn't allowed to access the UTM although Sophos did include me in the emails about the case.  When I shared the setting below, my client's customer reported today, "I turned on Strict policy yesterday and as of right now, the keepalive process is still showing a live connection."

    NOTE 14 hours later: Las Vegas client sent a note 4 hours after I posted this that communication had been interrupted.  I'd been saying for almost 2 weeks that I thought the problem was the load balancer in front of their customer's UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    Great Article about it, Thanks for sharing. Really Appreciated.. 

  • Hello everyone! we are in a complicated situation, we follow the guide step by step, but we still cannot connect the VPN, sophos cannot establish the tunnel, could you support us?

    These are the device data:

    Model: SG210 Firmware:

    9.711-5

    Pattern: 210117

  • in reply to OscarLM

    ¡Hola! Oscar and welcome to the UTM Community!

    We need to see the relevant lines from the IPsec log.

         1. Confirm that Debug is not enabled.
         2. Disable the IPsec Connection.
         3. Start the IPsec Live Log and wait for it to begin to populate.
         4. Enable the IPsec Connection.
         5. Copy here about 60 lines from enabling through the error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    S_LaVita/MC4 PRODUCCION"" #950" received Vendor ID payload [XAUTH]
    S_LaVita/MC4 PRODUCCION"" #950" ignoring Vendor ID payload [6b46ba7c9447cf06e011347356018ec6]
    S_LaVita/MC4 PRODUCCION"" #950" ignoring Vendor ID payload [Cisco VPN 3000 Series]
    S_LaVita/MC4 PRODUCCION"" #950" received Vendor ID payload [Dead Peer Detection]
    S_LaVita/MC4 PRODUCCION"" #950" Peer ID is ID_IPV4_ADDR
    S_LaVita/MC4 PRODUCCION"" #950" Dead Peer Detection (RFC 3706) enabled
    S_LaVita/MC4 PRODUCCION"" #950" ISAKMP SA established
    S_LaVita/MC4 PRODUCCION"" #951" initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#950}
    S_LaVita/MC4 PRODUCCION"" #951"" ignoring informational payload type IPSEC_RESPONDER_LIFETIME"
    S_LaVita/MC4 PRODUCCION"" #951"" sent QI2 IPsec SA established {ESP=>0x2775eb48 <0xbfb239ec DPD}"
    forgetting secrets
    loading secrets from ""/etc/ipsec.secrets"""
    loaded PSK secret for 181.188.189.2 200.87.138.178
    loaded PSK secret for 181.188.189.2 44.207.17.74
    loaded PSK secret for 181.188.189.2 181.115.185.226
    loaded PSK secret for 181.188.189.2 20.25.85.153
    loaded PSK secret for 192.168.252.2 192.168.252.1
    loaded PSK secret for 181.188.189.2 %any
    loaded PSK secret for 181.188.189.2 190.129.69.40
    loaded PSK secret for 181.188.189.2 190.216.243.86
    listening for IKE messages
    forgetting secrets
    loading secrets from ""/etc/ipsec.secrets"""
    loaded PSK secret for 181.188.189.2 200.87.138.178
    loaded PSK secret for 181.188.189.2 44.207.17.74
    loaded PSK secret for 181.188.189.2 181.115.185.226
    loaded PSK secret for 181.188.189.2 20.25.85.153
    loaded PSK secret for 192.168.252.2 192.168.252.1
    loaded PSK secret for 181.188.189.2 %any
    loaded PSK secret for 181.188.189.2 190.129.69.40
    loaded PSK secret for 181.188.189.2 190.216.243.86
    loading ca certificates from '/etc/ipsec.d/cacerts'
    loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    loading aa certificates from '/etc/ipsec.d/aacerts'
    loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    loading attribute certificates from '/etc/ipsec.d/acerts'
    Changing to directory '/etc/ipsec.d/crls'
    no default route - cannot cope with %defaultroute!!!
    S_AZURE VPN CC""" deleting connection
    S_AZURE VPN CC"" #948" deleting state (STATE_MAIN_I1)
    added connection description ""S_AZURE VPN CC"""
    S_AZURE VPN CC"" #952" initiating Main Mode
    added connection description ""S_AZURE VPN CC"""
    added connection description ""S_AZURE VPN CC"""
    forgetting secrets
    loading secrets from ""/etc/ipsec.secrets"""
    loaded PSK secret for 181.188.189.2 200.87.138.178
    loaded PSK secret for 181.188.189.2 44.207.17.74
    loaded PSK secret for 181.188.189.2 181.115.185.226
    loaded PSK secret for 192.168.252.2 192.168.252.1
    loaded PSK secret for 181.188.189.2 %any
    loaded PSK secret for 181.188.189.2 190.129.69.40
    loaded PSK secret for 181.188.189.2 190.216.243.86
    listening for IKE messages
    forgetting secrets
    loading secrets from ""/etc/ipsec.secrets"""
    loaded PSK secret for 181.188.189.2 200.87.138.178
    loaded PSK secret for 181.188.189.2 44.207.17.74
    loaded PSK secret for 181.188.189.2 181.115.185.226

  • in reply to OscarLM

    That doesn't look like logs from a Sophos UTM, Oscar.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    2022:07:13-13:12:03 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: received Vendor ID payload [XAUTH]
    2022:07:13-13:12:03 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: ignoring Vendor ID payload [6b46ba7c9447cf06e011347356018ec6]
    2022:07:13-13:12:03 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: ignoring Vendor ID payload [Cisco VPN 3000 Series]
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: received Vendor ID payload [Dead Peer Detection]
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: Peer ID is ID_IPV4_ADDR: '181.115.185.226'
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: Dead Peer Detection (RFC 3706) enabled
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: ISAKMP SA established
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #951: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#950}
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #951: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #951: sent QI2, IPsec SA established {ESP=>0x2775eb48 <0xbfb239ec DPD}
    2022:07:13-13:14:17 puerta pluto[8279]: forgetting secrets
    2022:07:13-13:14:17 puerta pluto[8279]: loading secrets from "/etc/ipsec.secrets"
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 200.87.138.178
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 44.207.17.74
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 181.115.185.226
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 20.25.85.153
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 192.168.252.2 192.168.252.1
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 %any
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 190.129.69.40
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 190.216.243.86
    2022:07:13-13:14:17 puerta pluto[8279]: listening for IKE messages
    2022:07:13-13:14:17 puerta pluto[8279]: forgetting secrets
    2022:07:13-13:14:17 puerta pluto[8279]: loading secrets from "/etc/ipsec.secrets"
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 200.87.138.178
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 44.207.17.74
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 181.115.185.226
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 20.25.85.153
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 192.168.252.2 192.168.252.1
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 %any
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 190.129.69.40
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 190.216.243.86
    2022:07:13-13:14:17 puerta pluto[8279]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2022:07:13-13:14:17 puerta pluto[8279]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2022:07:13-13:14:17 puerta pluto[8279]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2022:07:13-13:14:17 puerta pluto[8279]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2022:07:13-13:14:17 puerta pluto[8279]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2022:07:13-13:14:17 puerta pluto[8279]: Changing to directory '/etc/ipsec.d/crls'
    2022:07:13-13:14:17 puerta ipsec_starter[10695]: no default route - cannot cope with %defaultroute!!!
    2022:07:13-13:14:17 puerta pluto[8279]: "S_AZURE VPN CC": deleting connection
    2022:07:13-13:14:17 puerta pluto[8279]: "S_AZURE VPN CC" #948: deleting state (STATE_MAIN_I1)
    2022:07:13-13:14:17 puerta pluto[8279]: added connection description "S_AZURE VPN CC"
    2022:07:13-13:14:17 puerta pluto[8279]: "S_AZURE VPN CC" #952: initiating Main Mode
    2022:07:13-13:14:17 puerta pluto[8279]: added connection description "S_AZURE VPN CC"
    2022:07:13-13:14:17 puerta pluto[8279]: added connection description "S_AZURE VPN CC"
    2022:07:13-13:14:46 puerta pluto[8279]: forgetting secrets
    2022:07:13-13:14:46 puerta pluto[8279]: loading secrets from "/etc/ipsec.secrets"
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 200.87.138.178
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 44.207.17.74
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 181.115.185.226
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 192.168.252.2 192.168.252.1
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 %any
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 190.129.69.40
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 190.216.243.86
    2022:07:13-13:14:46 puerta pluto[8279]: listening for IKE messages
    2022:07:13-13:14:46 puerta pluto[8279]: forgetting secrets
    2022:07:13-13:14:46 puerta pluto[8279]: loading secrets from "/etc/ipsec.secrets"
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 200.87.138.178
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 44.207.17.74
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 181.115.185.226
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 192.168.252.2 192.168.252.1

  • in reply to OscarLM

         no default route - cannot cope with %defaultroute!!!

    This could be a configuration problem on either side.  Insert here pictures of the Edits of the IPsec Connection and Remote Gateway.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    Sorry Bob, i couldn´t upload the image but this is the current configuration

Unfiltered HTML