Sophos UTM: How to create an IPsec connection to Microsoft Azure

Disclaimer: This information is provided as-is without any guarantees. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This knowledge base article explains how to set up an IPsec connection from the Sophos UTM to Microsoft Azure.

This article goes through each step required to have a functional virtual network to connect to Azure. Please adapt these steps to fit your existing environment.

The following sections are covered:

Applies to the following Sophos products and versions
Sophos UTM
 

How to set up the Azure environment

The example below describes the steps to build a new environment but can be easily adapted to an existing environment.
 

Create the Virtual Network

The Virtual Network defines the address space used in Azure, as well as what subnets are in that network.
 

  1. Sign in to the Azure Portal.
  2. Click Create a resource.
  3. Search for Virtual network and click Create.
  4. Under the Basics tab, configure the following:
    1. Subscription
    2. Resource group - select an existing resource group or create a new one.
    3. Name
    4. Region
  5. Click Next : IP Addresses.
  6. Under the IP Addresses tab, configure the following:
    1. IPv4 address spaceThe address space should be bigger than the subnet address range as we will need at least two subnets for this setup.
      1. Example: Address space: 10.0.0.0/16
      2. Example: Subnet address range 10.0.0.0/24
    2. Subnet name - create a new subnet by clicking Add subnet.
    3. Subnet address range
  7. Click Next : Security.
  8. Leave the settings as defaults but you can configure this according to your environment.
  9. Click Next : Tags.
  10. Leave the settings as defaults but you can configure this according to your environment.
  11. Click Next : Review + create.
  12. Click Create.

Create the Virtual Network Gateway

The Virtual Network Gateway defines the external IP with which VPN tunnels can be created. It also defines which networks can be accessed by those VPNs.

  1. Go back to Azure's home page and click Create a resource.
  2. Search for Virtual Network Gateway and click Create.
  3. Under the Basics tab, configure the following:
    1. Subscription
    2. Name
    3. Region
    4. Gateway type - VPN
    5. VPN type - Policy-based
    6. SKU
    7. Generation
    8. Virtual network - select the virtual network that was created.
    9. Gateway subnet address range - this will be filled out automatically, you can change the range as long as it is within your virtual networks address space.
    10. Public IP address - Create new (follow the prompts to automatically generate a new public IP)
    11. Public IP address name
  4. Click Next : Tags.
  5. Leave the settings as defaults but you can configure this according to your environment.
  6. Click Next : Review + create.
  7. Click Create.

Create the Local network gateway

The Local network gateway specifies the public IP and private IP's of local networks that may establish a connection to Azure.

  1. Go back to Azure's home page and click Create a resource.
  2. Search for Local Network Gateway and click Create.
  3. Configure the following:
    1. Name
    2. Endpoint - IP address
    3. IP address - the public IP address of the on-premise UTM
    4. Address space - the local network of the on-premise UTM
    5. Subscription
    6. Resource Group - select the existing resource group
    7. Location
  4. Click Create.

Create the Connection

The connection defines a specific VPN tunnel and which networks may access it.
 

  1. Go back to Azure's home page, search for Virtual network gateways, and select it.
  2. Click on the virtual network gateway that was created earlier.
  3. Click Connections > Add.
  4. Configure the following:
    1. Name
    2. Connection type - Site-to-site (IPsec)
    3. Local network gateway - select the local network gateway that was created earlier.
    4. Shared key (PSK) - create a PSK.
    5. IKE Protocol - IKEv1 (UTM only supports IKEv1. Azure supports both IKEv1 and IKEv2, and IKEv2 is the default.)
  5. Click OK.

How to set up the UTM

The UTM will be set up like any normal IPsec tunnel except that we must make an encryption policy specific to Azure's requirements.
 

Create the Remote Gateway

This defines the remote address the UTM will connect to.
 

  1. Sign in to the Webadmin of the Sophos UTM.
  2. Navigate to Site-to-Site VPN > IPsec > Remote Gateways.
  3. Configure the following:
    1. Name
    2. Gateway type - Initiate connection
    3. Gatewaycreate a network object for the Gateway IP address. This is the public IP address of the Azure Virtual Network Gateway.
    4. Authentication type - Preshared key
    5. Key -  this must match the key used on the Azure connection.
    6. Repeat -  this must match the key used on the Azure connection.
    7. Remote networks - define the networks that will be accessed on Azure.

  4. Click Save.

Create the IPsec Policy

The IPsec Policy defines the encryption and other security parameters used by the IPsec tunnel. Azure has specific requirements and we have found that these settings work best.
 

  1. Navigate to Site-to-Site VPN > IPsec > Policies.
  2. Click on + New IPsec Policy.
  3. Configure the following:
    1. Name
    2. IKE encryption algorithm - AES 128
    3. IKE authentication algorithm - SHA1
    4. IKE SA lifetime - 28800
    5. IKE DH group - Group 2: MODP 1024
    6. IPsec encryption algorithm - AES 128
    7. IPsec authentication algorithm - SHA1
    8. IPsec SA lifetime - 3600
    9. IPsec PFS group - None


      Note: If the tunnel keeps disconnecting or experiencing a slow connection, try to enable Strict policy.

  4. Click Save.

Create the IPsec Connection

This creates the IPsec tunnel by selecting a Remote Gateway, Policy, and defining which local networks can access the tunnel.
 

  1. Navigate to Site-to-Site VPN > IPsec > Connections.
  2. Configure the following:
    1. Name
    2. Remote gateway - select the remote gateway that was created earlier.
    3. Local interface - this should be the gateway used to establish the IPsec connection. It is usually the WAN interface.
    4. Policy -  select the IPsec policy that was created earlier.
    5. Local Networks - define the networks that will have access to the IPsec tunnel.
    6. Automatic firewall rules - enable
  3. Click Save.

Additional information

  • When creating the IPsec tunnel on the UTM, make sure to check Automatic firewall rules, otherwise, you will need to manually create firewall rules to and from the Azure and local subnets.
  • Verify there are no firewall rules in Azure that are preventing traffic from the UTM's network to the local networks.
  • A Source NAT (SNAT) rule is not necessary to communicate between subnets, if you are having problems with communication between Azure and the Local subnet, verify that there is no Masquerade or SNAT rule interfering with the traffic.

Related information


Previous article ID: 126995



Added the following: Note: If the tunnel keeps disconnecting or experiencing a slow connection, try to enable Strict policy.
[edited by: DominicRemigio at 3:55 AM (GMT -7) on 8 Oct 2021]
Parents
  • Last week, I came up with a solution to a problem that my client was having with his new IPsec tunnel to Azure disconnecting occasionally and being slower than expected.  It took 2.4 hours of billable time to examine his configuration as per Dominic's post above above, the logs and the results of espdump at the command line. On the tunnel status page, I eventually noticed that Azure was negotiating 256 in IKE instead of 128::

         IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_SHA2_256 / Lifetime 28800s

    I only made one change and now my client describes his connection as solid and "screamin'" fast.

    I'd been working "blind" since the end of July with a service provider in Las Vegas that was trying to sell a service in Azure to a customer in Denver with a UTM.  I wasn't allowed to access the UTM although Sophos did include me in the emails about the case.  When I shared the setting below, my client's customer reported today, "I turned on Strict policy yesterday and as of right now, the keepalive process is still showing a live connection."

    NOTE 14 hours later: Las Vegas client sent a note 4 hours after I posted this that communication had been interrupted.  I'd been saying for almost 2 weeks that I thought the problem was the load balancer in front of their customer's UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Last week, I came up with a solution to a problem that my client was having with his new IPsec tunnel to Azure disconnecting occasionally and being slower than expected.  It took 2.4 hours of billable time to examine his configuration as per Dominic's post above above, the logs and the results of espdump at the command line. On the tunnel status page, I eventually noticed that Azure was negotiating 256 in IKE instead of 128::

         IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_SHA2_256 / Lifetime 28800s

    I only made one change and now my client describes his connection as solid and "screamin'" fast.

    I'd been working "blind" since the end of July with a service provider in Las Vegas that was trying to sell a service in Azure to a customer in Denver with a UTM.  I wasn't allowed to access the UTM although Sophos did include me in the emails about the case.  When I shared the setting below, my client's customer reported today, "I turned on Strict policy yesterday and as of right now, the keepalive process is still showing a live connection."

    NOTE 14 hours later: Las Vegas client sent a note 4 hours after I posted this that communication had been interrupted.  I'd been saying for almost 2 weeks that I thought the problem was the load balancer in front of their customer's UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children