Sophos UTM: How to create an IPsec connection to Microsoft Azure

Disclaimer: This information is provided as-is without any guarantees. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This knowledge base article explains how to set up an IPsec connection from the Sophos UTM to Microsoft Azure.

This article goes through each step required to have a functional virtual network to connect to Azure. Please adapt these steps to fit your existing environment.

The following sections are covered:

Applies to the following Sophos products and versions
Sophos UTM
 

How to set up the Azure environment

The example below describes the steps to build a new environment but can be easily adapted to an existing environment.
 

Create the Virtual Network

The Virtual Network defines the address space used in Azure, as well as what subnets are in that network.
 

  1. Sign in to the Azure Portal.
  2. Click Create a resource.
  3. Search for Virtual network and click Create.
  4. Under the Basics tab, configure the following:
    1. Subscription
    2. Resource group - select an existing resource group or create a new one.
    3. Name
    4. Region
  5. Click Next : IP Addresses.
  6. Under the IP Addresses tab, configure the following:
    1. IPv4 address spaceThe address space should be bigger than the subnet address range as we will need at least two subnets for this setup.
      1. Example: Address space: 10.0.0.0/16
      2. Example: Subnet address range 10.0.0.0/24
    2. Subnet name - create a new subnet by clicking Add subnet.
    3. Subnet address range
  7. Click Next : Security.
  8. Leave the settings as defaults but you can configure this according to your environment.
  9. Click Next : Tags.
  10. Leave the settings as defaults but you can configure this according to your environment.
  11. Click Next : Review + create.
  12. Click Create.

Create the Virtual Network Gateway

The Virtual Network Gateway defines the external IP with which VPN tunnels can be created. It also defines which networks can be accessed by those VPNs.

  1. Go back to Azure's home page and click Create a resource.
  2. Search for Virtual Network Gateway and click Create.
  3. Under the Basics tab, configure the following:
    1. Subscription
    2. Name
    3. Region
    4. Gateway type - VPN
    5. VPN type - Policy-based
    6. SKU
    7. Generation
    8. Virtual network - select the virtual network that was created.
    9. Gateway subnet address range - this will be filled out automatically, you can change the range as long as it is within your virtual networks address space.
    10. Public IP address - Create new (follow the prompts to automatically generate a new public IP)
    11. Public IP address name
  4. Click Next : Tags.
  5. Leave the settings as defaults but you can configure this according to your environment.
  6. Click Next : Review + create.
  7. Click Create.

Create the Local network gateway

The Local network gateway specifies the public IP and private IP's of local networks that may establish a connection to Azure.

  1. Go back to Azure's home page and click Create a resource.
  2. Search for Local Network Gateway and click Create.
  3. Configure the following:
    1. Name
    2. Endpoint - IP address
    3. IP address - the public IP address of the on-premise UTM
    4. Address space - the local network of the on-premise UTM
    5. Subscription
    6. Resource Group - select the existing resource group
    7. Location
  4. Click Create.

Create the Connection

The connection defines a specific VPN tunnel and which networks may access it.
 

  1. Go back to Azure's home page, search for Virtual network gateways, and select it.
  2. Click on the virtual network gateway that was created earlier.
  3. Click Connections > Add.
  4. Configure the following:
    1. Name
    2. Connection type - Site-to-site (IPsec)
    3. Local network gateway - select the local network gateway that was created earlier.
    4. Shared key (PSK) - create a PSK.
    5. IKE Protocol - IKEv1 (UTM only supports IKEv1. Azure supports both IKEv1 and IKEv2, and IKEv2 is the default.)
  5. Click OK.

How to set up the UTM

The UTM will be set up like any normal IPsec tunnel except that we must make an encryption policy specific to Azure's requirements.
 

Create the Remote Gateway

This defines the remote address the UTM will connect to.
 

  1. Sign in to the Webadmin of the Sophos UTM.
  2. Navigate to Site-to-Site VPN > IPsec > Remote Gateways.
  3. Configure the following:
    1. Name
    2. Gateway type - Initiate connection
    3. Gatewaycreate a network object for the Gateway IP address. This is the public IP address of the Azure Virtual Network Gateway.
    4. Authentication type - Preshared key
    5. Key -  this must match the key used on the Azure connection.
    6. Repeat -  this must match the key used on the Azure connection.
    7. Remote networks - define the networks that will be accessed on Azure.

  4. Click Save.

Create the IPsec Policy

The IPsec Policy defines the encryption and other security parameters used by the IPsec tunnel. Azure has specific requirements and we have found that these settings work best.
 

  1. Navigate to Site-to-Site VPN > IPsec > Policies.
  2. Click on + New IPsec Policy.
  3. Configure the following:
    1. Name
    2. IKE encryption algorithm - AES 128
    3. IKE authentication algorithm - SHA1
    4. IKE SA lifetime - 28800
    5. IKE DH group - Group 2: MODP 1024
    6. IPsec encryption algorithm - AES 128
    7. IPsec authentication algorithm - SHA1
    8. IPsec SA lifetime - 3600
    9. IPsec PFS group - None


      Note: If the tunnel keeps disconnecting or experiencing a slow connection, try to enable Strict policy.

  4. Click Save.

Create the IPsec Connection

This creates the IPsec tunnel by selecting a Remote Gateway, Policy, and defining which local networks can access the tunnel.
 

  1. Navigate to Site-to-Site VPN > IPsec > Connections.
  2. Configure the following:
    1. Name
    2. Remote gateway - select the remote gateway that was created earlier.
    3. Local interface - this should be the gateway used to establish the IPsec connection. It is usually the WAN interface.
    4. Policy -  select the IPsec policy that was created earlier.
    5. Local Networks - define the networks that will have access to the IPsec tunnel.
    6. Automatic firewall rules - enable
  3. Click Save.

Additional information

  • When creating the IPsec tunnel on the UTM, make sure to check Automatic firewall rules, otherwise, you will need to manually create firewall rules to and from the Azure and local subnets.
  • Verify there are no firewall rules in Azure that are preventing traffic from the UTM's network to the local networks.
  • A Source NAT (SNAT) rule is not necessary to communicate between subnets, if you are having problems with communication between Azure and the Local subnet, verify that there is no Masquerade or SNAT rule interfering with the traffic.

Related information


Previous article ID: 126995



Added the following: Note: If the tunnel keeps disconnecting or experiencing a slow connection, try to enable Strict policy.
[edited by: DominicRemigio at 3:55 AM (GMT -7) on 8 Oct 2021]
Parents
  • Hello everyone! we are in a complicated situation, we follow the guide step by step, but we still cannot connect the VPN, sophos cannot establish the tunnel, could you support us?

    These are the device data:

    Model: SG210 Firmware:

    9.711-5

    Pattern: 210117

  • ¡Hola! Oscar and welcome to the UTM Community!

    We need to see the relevant lines from the IPsec log.

         1. Confirm that Debug is not enabled.
         2. Disable the IPsec Connection.
         3. Start the IPsec Live Log and wait for it to begin to populate.
         4. Enable the IPsec Connection.
         5. Copy here about 60 lines from enabling through the error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • S_LaVita/MC4 PRODUCCION"" #950" received Vendor ID payload [XAUTH]
    S_LaVita/MC4 PRODUCCION"" #950" ignoring Vendor ID payload [6b46ba7c9447cf06e011347356018ec6]
    S_LaVita/MC4 PRODUCCION"" #950" ignoring Vendor ID payload [Cisco VPN 3000 Series]
    S_LaVita/MC4 PRODUCCION"" #950" received Vendor ID payload [Dead Peer Detection]
    S_LaVita/MC4 PRODUCCION"" #950" Peer ID is ID_IPV4_ADDR
    S_LaVita/MC4 PRODUCCION"" #950" Dead Peer Detection (RFC 3706) enabled
    S_LaVita/MC4 PRODUCCION"" #950" ISAKMP SA established
    S_LaVita/MC4 PRODUCCION"" #951" initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#950}
    S_LaVita/MC4 PRODUCCION"" #951"" ignoring informational payload type IPSEC_RESPONDER_LIFETIME"
    S_LaVita/MC4 PRODUCCION"" #951"" sent QI2 IPsec SA established {ESP=>0x2775eb48 <0xbfb239ec DPD}"
    forgetting secrets
    loading secrets from ""/etc/ipsec.secrets"""
    loaded PSK secret for 181.188.189.2 200.87.138.178
    loaded PSK secret for 181.188.189.2 44.207.17.74
    loaded PSK secret for 181.188.189.2 181.115.185.226
    loaded PSK secret for 181.188.189.2 20.25.85.153
    loaded PSK secret for 192.168.252.2 192.168.252.1
    loaded PSK secret for 181.188.189.2 %any
    loaded PSK secret for 181.188.189.2 190.129.69.40
    loaded PSK secret for 181.188.189.2 190.216.243.86
    listening for IKE messages
    forgetting secrets
    loading secrets from ""/etc/ipsec.secrets"""
    loaded PSK secret for 181.188.189.2 200.87.138.178
    loaded PSK secret for 181.188.189.2 44.207.17.74
    loaded PSK secret for 181.188.189.2 181.115.185.226
    loaded PSK secret for 181.188.189.2 20.25.85.153
    loaded PSK secret for 192.168.252.2 192.168.252.1
    loaded PSK secret for 181.188.189.2 %any
    loaded PSK secret for 181.188.189.2 190.129.69.40
    loaded PSK secret for 181.188.189.2 190.216.243.86
    loading ca certificates from '/etc/ipsec.d/cacerts'
    loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    loading aa certificates from '/etc/ipsec.d/aacerts'
    loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    loading attribute certificates from '/etc/ipsec.d/acerts'
    Changing to directory '/etc/ipsec.d/crls'
    no default route - cannot cope with %defaultroute!!!
    S_AZURE VPN CC""" deleting connection
    S_AZURE VPN CC"" #948" deleting state (STATE_MAIN_I1)
    added connection description ""S_AZURE VPN CC"""
    S_AZURE VPN CC"" #952" initiating Main Mode
    added connection description ""S_AZURE VPN CC"""
    added connection description ""S_AZURE VPN CC"""
    forgetting secrets
    loading secrets from ""/etc/ipsec.secrets"""
    loaded PSK secret for 181.188.189.2 200.87.138.178
    loaded PSK secret for 181.188.189.2 44.207.17.74
    loaded PSK secret for 181.188.189.2 181.115.185.226
    loaded PSK secret for 192.168.252.2 192.168.252.1
    loaded PSK secret for 181.188.189.2 %any
    loaded PSK secret for 181.188.189.2 190.129.69.40
    loaded PSK secret for 181.188.189.2 190.216.243.86
    listening for IKE messages
    forgetting secrets
    loading secrets from ""/etc/ipsec.secrets"""
    loaded PSK secret for 181.188.189.2 200.87.138.178
    loaded PSK secret for 181.188.189.2 44.207.17.74
    loaded PSK secret for 181.188.189.2 181.115.185.226

  • That doesn't look like logs from a Sophos UTM, Oscar.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 2022:07:13-13:12:03 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: received Vendor ID payload [XAUTH]
    2022:07:13-13:12:03 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: ignoring Vendor ID payload [6b46ba7c9447cf06e011347356018ec6]
    2022:07:13-13:12:03 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: ignoring Vendor ID payload [Cisco VPN 3000 Series]
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: received Vendor ID payload [Dead Peer Detection]
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: Peer ID is ID_IPV4_ADDR: '181.115.185.226'
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: Dead Peer Detection (RFC 3706) enabled
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #950: ISAKMP SA established
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #951: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#950}
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #951: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
    2022:07:13-13:12:04 puerta pluto[8279]: "S_LaVitalicia/MC4 PRODUCCION" #951: sent QI2, IPsec SA established {ESP=>0x2775eb48 <0xbfb239ec DPD}
    2022:07:13-13:14:17 puerta pluto[8279]: forgetting secrets
    2022:07:13-13:14:17 puerta pluto[8279]: loading secrets from "/etc/ipsec.secrets"
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 200.87.138.178
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 44.207.17.74
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 181.115.185.226
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 20.25.85.153
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 192.168.252.2 192.168.252.1
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 %any
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 190.129.69.40
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 190.216.243.86
    2022:07:13-13:14:17 puerta pluto[8279]: listening for IKE messages
    2022:07:13-13:14:17 puerta pluto[8279]: forgetting secrets
    2022:07:13-13:14:17 puerta pluto[8279]: loading secrets from "/etc/ipsec.secrets"
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 200.87.138.178
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 44.207.17.74
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 181.115.185.226
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 20.25.85.153
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 192.168.252.2 192.168.252.1
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 %any
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 190.129.69.40
    2022:07:13-13:14:17 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 190.216.243.86
    2022:07:13-13:14:17 puerta pluto[8279]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2022:07:13-13:14:17 puerta pluto[8279]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2022:07:13-13:14:17 puerta pluto[8279]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2022:07:13-13:14:17 puerta pluto[8279]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2022:07:13-13:14:17 puerta pluto[8279]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2022:07:13-13:14:17 puerta pluto[8279]: Changing to directory '/etc/ipsec.d/crls'
    2022:07:13-13:14:17 puerta ipsec_starter[10695]: no default route - cannot cope with %defaultroute!!!
    2022:07:13-13:14:17 puerta pluto[8279]: "S_AZURE VPN CC": deleting connection
    2022:07:13-13:14:17 puerta pluto[8279]: "S_AZURE VPN CC" #948: deleting state (STATE_MAIN_I1)
    2022:07:13-13:14:17 puerta pluto[8279]: added connection description "S_AZURE VPN CC"
    2022:07:13-13:14:17 puerta pluto[8279]: "S_AZURE VPN CC" #952: initiating Main Mode
    2022:07:13-13:14:17 puerta pluto[8279]: added connection description "S_AZURE VPN CC"
    2022:07:13-13:14:17 puerta pluto[8279]: added connection description "S_AZURE VPN CC"
    2022:07:13-13:14:46 puerta pluto[8279]: forgetting secrets
    2022:07:13-13:14:46 puerta pluto[8279]: loading secrets from "/etc/ipsec.secrets"
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 200.87.138.178
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 44.207.17.74
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 181.115.185.226
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 192.168.252.2 192.168.252.1
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 %any
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 190.129.69.40
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 190.216.243.86
    2022:07:13-13:14:46 puerta pluto[8279]: listening for IKE messages
    2022:07:13-13:14:46 puerta pluto[8279]: forgetting secrets
    2022:07:13-13:14:46 puerta pluto[8279]: loading secrets from "/etc/ipsec.secrets"
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 200.87.138.178
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 44.207.17.74
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 181.188.189.2 181.115.185.226
    2022:07:13-13:14:46 puerta pluto[8279]: loaded PSK secret for 192.168.252.2 192.168.252.1

  •      no default route - cannot cope with %defaultroute!!!

    This could be a configuration problem on either side.  Insert here pictures of the Edits of the IPsec Connection and Remote Gateway.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry Bob, i couldn´t upload the image but this is the current configuration

  • The link says I'm not allowed to access what you uploaded, Oscar.  You should be able to simply drag-n-drop pictures into your post.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi bob thank you, i am receiving a message: an error occured, Try again or contact your administrator, thats because i upload as a link.

    i am trying with different formats, gif, jpg, png but is the same result. Is this a know issue?

  • Never an issue, Lior.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply Children
No Data