Recently I was asked by a customer to set up a Site-to-Site VPN between a Sophos UTM firewall and their Azure Portal.
Here are the steps that you should follow to get this done.
The purpose of setting all of this up was to set up a secure offsite Veeam Backup and Replication storage repository to protect against a potential ransomware attack.
Here is the solution working in action.
Here is a screenshot of what the finished product looks like:
Settings in Microsoft AZURE
- Log on to the Azure Management Portal (the classic portal).
- In the lower left-hand corner of the screen, click New.
- In the navigation pane, click Network Services, and then click Virtual Network.
- Click Custom Create to begin the configuration wizard.
- Type a name for the virtual network.
- Select the location from the dropdown.
- On the DNS Servers and VPN Connectivity page, enter the DNS server name and IP address, or select a previously registered DNS server from the dropdown. This setting does not create a DNS server; it only specifies the DNS servers that this virtual network will use for name resolution.
- Select Configure a site-to-site VPN.
- Under Name, type a name for the local network site (the on-premises side).
- Under VPN Device IP address, type the public IP address of the Sophos UTM.
- Click add address space and type the subnet of the Sophos UTM local network that you want to connect to Microsoft Azure. Multiple subnets are allowed, but every subnet entered here must also be listed as a Local Network on the Sophos UTM connection later, otherwise phase 2 fails with a traffic-selector mismatch.
- On the Virtual Network Address Spaces page, type the address space for your virtual network under Address Space:.
- Under add subnet, type the names and IP ranges of the subnets to be created in your virtual network.
- Under add gateway subnet, specify the IP range to be used for your virtual network gateway subnet.
- Click the checkmark at the bottom of the page and the virtual network will begin to be created.
- Go to the dashboard and click CREATE GATEWAY.
- Select Static Gateway (static routing, which creates a policy-based gateway). Sophos UTM IPsec is policy-based, so this is the gateway type to use; it is also the reason for the restricted IPsec policy settings on the UTM side later (IKEv1, DH group 2, no PFS).
- Once the gateway has been created, the Microsoft Azure gateway IP address is shown. Note it down; it is the remote gateway address for the Sophos UTM.
- Click Manage Key and copy the pre-shared key. It is needed for the Sophos UTM VPN settings.
Settings in Sophos UTM
- Log on to the Sophos UTM WebAdmin.
- Select Site-to-Site VPN and click IPsec.
- On the IPsec page, select the Remote Gateways tab and click New Remote Gateway.
- On the Add Remote Gateway page:
- Name: Enter a descriptive name for this remote gateway.
- Gateway type: Select Initiate connection.
- Gateway: Click add new network definition.
- On the Add new network definition page:
- Name: Enter a name such as AZUREGW.
- Type: Select Host.
- IPv4 Address: Enter the Azure gateway IP address noted earlier, and then click Save.
- Back on the Add Remote Gateway page:
- Authentication type: Select Preshared key.
- Key: Paste the pre-shared key copied from Azure.
- Repeat: Paste the pre-shared key again.
- VPN ID type: Select IP Address.
- Remote Networks: Click add network definition.
- On the Add network definition page:
- Name: Type a name for the Azure network.
- Type: Select Network.
- Address: Enter the address space of the Azure virtual network (the whole address space entered in the Azure wizard, not an individual subnet).
- Netmask: Select the netmask of the Azure virtual network address space and then click Save.
- Click Save on the Add Remote Gateway page.
- Select the Policies tab and create a new policy for Azure.
- On the Edit IPsec policy page:
- Name: Type a name for the Azure policy.
- IKE encryption algorithm: Select AES 256.
- IKE authentication algorithm: Select SHA1.
- IKE SA lifetime: Enter 7800.
- IKE DH group: Select Group 2: MODP 1024.
- IPsec encryption algorithm: Select 3DES.
- IPsec authentication algorithm: Select SHA1.
- IPsec SA lifetime: Enter 3600.
- IPsec PFS group: Select None and then click Save.
- These values are dictated by the Azure static (policy-based) gateway: it only negotiates IKEv1 with DH group 2 and does not support PFS, so the stronger DH groups and PFS the UTM offers cannot be used here. 3DES, SHA1 and MODP 1024 are legacy algorithms by current standards; Microsoft's published parameter list for policy-based gateways also accepts AES 256 for the IPsec encryption algorithm, so prefer that over 3DES if both ends negotiate it.
- Select the Connections tab and create a new connection.
- Click New IPsec connection….
- On the Add IPsec connection page:
- Name: Enter a connection name.
- Remote Gateway: Select the gateway created above.
- Local Interface: Select the external (WAN) interface, the one whose public IP address was entered as the VPN Device IP address in Azure.
- Policy: Select the policy created above.
- Local Networks: Enter the local Sophos UTM subnet(s). They must match exactly the address space entered for the local network site in Azure; with a policy-based gateway, any difference means phase 2 never completes even though phase 1 succeeds.
- Click Save.
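Before enabling the connection it is worth cross-checking what was typed into the two portals, because the steps above enter the same subnets, gateway addresses and pre-shared key in two places, and a policy-based tunnel fails on any mismatch. The script below is an added example (not from the original post, Sophos or Microsoft): it compares constructed Sophos UTM and Azure values that mirror the walkthrough and reports hard errors (the tunnel will not work) separately from warnings (it will work, but something deserves a look). The AZURE_POLICY_BASED table of accepted proposals is an assumption based on Microsoft's published parameters for policy-based gateways and should be verified against the current documentation; all addresses and the key are invented.

```python
import ipaddress

# ASSUMPTION: proposals an Azure policy-based (static routing) gateway accepts,
# taken from Microsoft's published parameter table; verify against current docs.
AZURE_POLICY_BASED = {
    "dh_groups": {"modp1024"},                       # IKE DH group 2 only
    "ike_proposals": {("aes256", "sha256"), ("aes256", "sha1"),
                      ("aes128", "sha1"), ("3des", "sha1")},
    "ipsec_proposals": {("aes256", "sha256"), ("aes256", "sha1"),
                        ("aes128", "sha1"), ("3des", "sha1")},
    "pfs_groups": {"none"},                          # PFS is not supported
    "ike_sa_lifetime": 28800,
    "ipsec_sa_lifetime": 3600,
}

WEAK = {
    "3des": "3DES is a 64-bit block cipher (Sweet32); prefer AES256",
    "sha1": "SHA1 integrity is legacy; prefer SHA256 if the peer accepts it",
    "modp1024": "DH group 2 (1024-bit MODP) is below current guidance",
}


def _nets(cidrs):
    """Normalise a list of CIDR strings to a set of ip_network objects."""
    return frozenset(ipaddress.ip_network(c, strict=True) for c in cidrs)


def check_site_to_site(sophos, azure, limits=AZURE_POLICY_BASED):
    """Compare both ends of the tunnel. Returns (errors, warnings)."""
    errors, warnings = [], []

    # 1. Traffic selectors. A policy-based gateway negotiates one IPsec SA per
    #    local/remote network pair, and both ends must describe the same pairs.
    if _nets(sophos["local_networks"]) != _nets(azure["local_site_address_space"]):
        errors.append("Sophos 'Local Networks' != Azure local network site address space")
    if _nets(sophos["remote_networks"]) != _nets(azure["vnet_address_space"]):
        errors.append("Sophos 'Remote Networks' != Azure virtual network address space")

    # 2. Peer addresses and the pre-shared key.
    if sophos["remote_gateway_ip"] != azure["gateway_ip"]:
        errors.append("Sophos remote gateway host != Azure gateway IP")
    if sophos["wan_ip"] != azure["vpn_device_ip"]:
        errors.append("Azure 'VPN Device IP address' != Sophos WAN IP")
    if sophos["psk"] != azure["psk"]:
        errors.append("pre-shared keys differ (check for trailing whitespace)")
    elif len(sophos["psk"]) < 20:
        warnings.append("short pre-shared key; generate a long random one")

    # 3. IKE (phase 1) and IPsec (phase 2) proposals against what Azure accepts.
    p = sophos["policy"]
    if (p["ike_enc"], p["ike_auth"]) not in limits["ike_proposals"]:
        errors.append(f"IKE proposal {p['ike_enc']}/{p['ike_auth']} not accepted by Azure")
    if p["ike_dh"] not in limits["dh_groups"]:
        errors.append(f"IKE DH group {p['ike_dh']} not accepted by Azure")
    if (p["ipsec_enc"], p["ipsec_auth"]) not in limits["ipsec_proposals"]:
        errors.append(f"IPsec proposal {p['ipsec_enc']}/{p['ipsec_auth']} not accepted by Azure")
    if p["ipsec_pfs"] not in limits["pfs_groups"]:
        errors.append("PFS must be None for a policy-based Azure gateway")
    if p["ipsec_sa_lifetime"] != limits["ipsec_sa_lifetime"]:
        warnings.append(f"IPsec SA lifetime {p['ipsec_sa_lifetime']}s differs from Azure's "
                        f"{limits['ipsec_sa_lifetime']}s")
    if p["ike_sa_lifetime"] != limits["ike_sa_lifetime"]:
        warnings.append(f"IKE SA lifetime {p['ike_sa_lifetime']}s differs from Azure's "
                        f"{limits['ike_sa_lifetime']}s; the shorter side rekeys first")

    # 4. Algorithms Azure accepts but which are weak by today's standards.
    for alg in (p["ike_enc"], p["ike_auth"], p["ike_dh"], p["ipsec_enc"], p["ipsec_auth"]):
        if alg in WEAK and WEAK[alg] not in warnings:
            warnings.append(WEAK[alg])
    return errors, warnings


# Constructed sample values mirroring the walkthrough (addresses and key invented).
PSK = "Ck7vQ2pL9xH4mN8rT3wZ6bD1fG5jK0yS"
SOPHOS_CFG = {
    "wan_ip": "203.0.113.10", "remote_gateway_ip": "198.51.100.25", "psk": PSK,
    "local_networks": ["192.168.10.0/24"], "remote_networks": ["10.1.0.0/16"],
    "policy": {"ike_enc": "aes256", "ike_auth": "sha1", "ike_sa_lifetime": 7800,
               "ike_dh": "modp1024", "ipsec_enc": "3des", "ipsec_auth": "sha1",
               "ipsec_sa_lifetime": 3600, "ipsec_pfs": "none"},
}
AZURE_CFG = {
    "gateway_ip": "198.51.100.25", "vpn_device_ip": "203.0.113.10", "psk": PSK,
    "local_site_address_space": ["192.168.10.0/24"], "vnet_address_space": ["10.1.0.0/16"],
}

if __name__ == "__main__":
    errs, warns = check_site_to_site(SOPHOS_CFG, AZURE_CFG)
    print("errors:", *errs, sep="\n  ")
    print("warnings:", *warns, sep="\n  ")
```

Run as-is, the walkthrough's settings produce no errors, only warnings about the legacy 3DES/SHA1/MODP 1024 choices and the 7800 s IKE lifetime; change a single subnet mask on one side and the first error appears, which is exactly the case that shows up in practice as "phase 1 up, no traffic".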
Hope you Enjoy,
Cary Sun @SifuSun