Disclaimer: This information is provided as-is without any guarantees. Please contact Sophos Professional Services if you require assistance with your specific environment.
This knowledge base article explains how to set up an IPsec connection from the Sophos UTM to Microsoft Azure.
This article goes through each step required to have a functional virtual network to connect to Azure. Please adapt these steps to fit your existing environment. The following sections are covered:
Applies to the following Sophos products and versions: Sophos UTM
The example below describes the steps to build a new environment but can be easily adapted to an existing environment.
The Virtual Network defines the address space used in Azure, as well as what subnets are in that network.
The Virtual Network Gateway defines the external IP with which VPN tunnels can be created. It also defines which networks can be accessed by those VPNs.
The Local network gateway specifies the public IP and private IPs of the on-premises networks that may establish a connection to Azure.
The connection defines a specific VPN tunnel and which networks may access it.
The UTM will be set up like any normal IPsec tunnel except that we must make an encryption policy specific to Azure's requirements.
The Remote Gateway defines the remote address (the public IP of the Azure Virtual Network Gateway) that the UTM will connect to.
The IPsec Policy defines the encryption and other security parameters used by the IPsec tunnel. Azure has specific requirements and we have found that these settings work best.
This creates the IPsec tunnel by selecting a Remote Gateway, Policy, and defining which local networks can access the tunnel.
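Before creating the Azure objects and the UTM connection, it is worth checking that the address plan is consistent: every Azure subnet (including the gateway subnet) must lie inside the Virtual Network address space, and the local networks you attach to the tunnel on the UTM must not overlap the Azure address space, otherwise neither side can route to the other. The following is an added example written for this article, not Sophos or Microsoft code; the network ranges in SAMPLE_PLAN are constructed values that you replace with your own.

```python
"""Consistency checks on the address plan for a UTM-to-Azure IPsec tunnel.

Added example, not part of the Sophos article. All addresses below are
constructed sample values; substitute your own VNet, subnet and local
network ranges.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional


def _parse(cidr: str, label: str, problems: List[str]) -> Optional[ipaddress.IPv4Network]:
    """Parse a CIDR strictly (host bits must be zero); report instead of raising."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{label} {cidr!r} is not a valid network: {exc}")
        return None


def check_address_plan(vnet_space: str, azure_subnets: Dict[str, str],
                       local_networks: Iterable[str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent.

    Rules checked:
      * every Azure subnet (including the GatewaySubnet) lies inside the
        Virtual Network address space;
      * Azure subnets do not overlap each other;
      * the local networks the UTM will put behind the tunnel do not overlap
        the Azure address space.
    """
    problems: List[str] = []
    vnet = _parse(vnet_space, "VNet address space", problems)
    if vnet is None:
        return problems

    subnets: Dict[str, ipaddress.IPv4Network] = {}
    for name, cidr in azure_subnets.items():
        net = _parse(cidr, f"Azure subnet {name}", problems)
        if net is not None:
            subnets[name] = net

    for name, net in subnets.items():
        if not net.subnet_of(vnet):
            problems.append(f"Azure subnet {name} {net} is outside the VNet space {vnet}")

    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"Azure subnets {a} {subnets[a]} and {b} {subnets[b]} overlap")

    for cidr in local_networks:
        local = _parse(cidr, "local network", problems)
        if local is not None and local.overlaps(vnet):
            problems.append(f"local network {local} overlaps the Azure VNet space {vnet}")

    return problems


# Constructed sample plan: one VNet, a gateway subnet, a server subnet and
# two on-premises networks behind the UTM.
SAMPLE_PLAN = {
    "vnet_space": "10.1.0.0/16",
    "azure_subnets": {"GatewaySubnet": "10.1.255.0/27", "servers": "10.1.1.0/24"},
    "local_networks": ["192.168.10.0/24", "192.168.20.0/24"],
}


def demo() -> List[str]:
    return check_address_plan(**SAMPLE_PLAN)


if __name__ == "__main__":
    for problem in demo() or ["address plan is consistent"]:
        print(problem)
```

Run it once against your planned ranges before touching the portal; an overlapping local network is a common reason a tunnel comes up but traffic never flows.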
Previous article ID: 126995
Last week, I came up with a solution to a problem that my client was having with his new IPsec tunnel to Azure disconnecting occasionally and being slower than expected. It took 2.4 hours of billable time to examine his configuration as per Dominic's post above, the logs and the results of espdump at the command line. On the tunnel status page, I eventually noticed that Azure was negotiating 256 in IKE instead of 128:
IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_SHA2_256 / Lifetime 28800s
I only made one change and now my client describes his connection as solid and "screamin'" fast.
I'd been working "blind" since the end of July with a service provider in Las Vegas that was trying to sell a service in Azure to a customer in Denver with a UTM. I wasn't allowed to access the UTM although Sophos did include me in the emails about the case. When I shared the setting below, my client's customer reported today, "I turned on Strict policy yesterday and as of right now, the keepalive process is still showing a live connection."
NOTE 14 hours later: Las Vegas client sent a note 4 hours after I posted this that communication had been interrupted. I'd been saying for almost 2 weeks that I thought the problem was the load balancer in front of their customer's UTM.
Cheers - Bob
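The check Bob did by eye on the tunnel status page (the negotiated IKE parameters differ from the configured policy) can be automated. The following is an added example, not code from the Sophos article or from Bob's post: it parses status lines of the shape quoted above and reports every field whose negotiated value differs from what you configured, plus phases for which no status line appears at all. The status lines and the expected-policy values are constructed sample inputs.

```python
"""Compare the parameters the UTM reports as negotiated against the policy you
configured. Added example; the line format is the IKE line quoted in the post,
the sample inputs are constructed."""
import re
from typing import Dict, Iterable, List, Optional, Set

# One "Key value" field, e.g. "Enc AES_CBC_256"; fields are separated by " / ".
_FIELD_RE = re.compile(r"\s*(\w+)\s+(\S+)\s*")


def parse_status_line(line: str) -> Optional[Dict[str, str]]:
    """Turn 'IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_SHA2_256 / Lifetime 28800s'
    into {'phase': 'IKE', 'Auth': 'PSK', 'Enc': 'AES_CBC_256', ...}.
    Returns None for lines that do not have that shape."""
    phase, sep, rest = line.partition(":")
    if not sep or not rest.strip():
        return None
    fields = {"phase": phase.strip()}
    for chunk in rest.split("/"):
        match = _FIELD_RE.fullmatch(chunk)
        if not match:
            return None
        fields[match.group(1)] = match.group(2)
    return fields


def find_mismatches(lines: Iterable[str], expected: Dict[str, Dict[str, str]]) -> List[str]:
    """expected maps a phase name ('IKE', ...) to the field values you configured.
    Returns human-readable findings; an empty list means negotiated == configured."""
    findings: List[str] = []
    seen: Set[str] = set()
    for line in lines:
        parsed = parse_status_line(line)
        if parsed is None:
            continue
        want = expected.get(parsed["phase"])
        if want is None:
            continue
        seen.add(parsed["phase"])
        for key, value in want.items():
            got = parsed.get(key)
            if got != value:
                findings.append(f"{parsed['phase']} {key}: negotiated {got!r}, configured {value!r}")
    for phase in expected:
        if phase not in seen:
            findings.append(f"{phase}: no status line found, tunnel may be down")
    return findings


# Constructed sample: the IKE line from the post, and a policy that was
# configured for AES-128 (the mismatch Bob describes).
SAMPLE_STATUS = [
    "IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_SHA2_256 / Lifetime 28800s",
]
SAMPLE_POLICY = {
    "IKE": {"Auth": "PSK", "Enc": "AES_CBC_128", "Hash": "HMAC_SHA2_256", "Lifetime": "28800s"},
}


def demo() -> List[str]:
    return find_mismatches(SAMPLE_STATUS, SAMPLE_POLICY)


if __name__ == "__main__":
    for finding in demo() or ["negotiated parameters match the configured policy"]:
        print(finding)
```

A mismatch here means the peer proposed something other than what you intended and the UTM accepted it; tightening the policy so only the intended proposal is accepted is what Bob's "Strict policy" change does.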