Recently I was asked by a customer to setup a Site-to-Site VPN between a Sophos UTM Firewall and their Azure Portal.

Here are the steps that you should follow to get this done.


The purpose of setting all of this up was to setup a secure offsite Veeam Backup and Replication Storage Repository to protect against a potential Ransomware attack.

Here is the solution working in action.


Here is a screen shot of what the finished product looks like:


Settings in Microsoft AZURE

  1. Logon to the AZURE Management Portal.
  2. In the lower left-hand corner of the screen, click New.
  3. In the navigation pane, click Network Services, and then click Virtual Network.
  4. Click Custom Create to begin the configuration wizard.
  5. Type Name of the Virtual network.
  6. Select the location from dropdown.
  7. On the DNS Servers and VPN Connectivity page, enter the DNS server name and IP address, or select a previously registered DNS server from the dropdown. This setting does not create a DNS server, it allows you to specify the DNS servers that you want to use for name resolution for this virtual network.
  8. Select Configure a site-to-site VPN.
  9. Type the name of local network site to Name:.
  10. Type Public IP Address of Sophos UTM to VPN Device IP address.
  11. Click add address space and type Subnet of Sophos Sophos UTM local network, which want to connect with Microsoft Azure. Multi subnet is allowed.
  12. On the Virtual Network Address Spaces page, type the address space to Address Space: for your virtual network.
  13. Type the names and IPs for subnets to add subnet, they are to be created in your virtual network.
  14. Specific the IP addresses to add gateway subnet, they are to be used for your virtual network gateway subnet.
  15. Click the checkmark on the bottom of the page and the virtual network will begin to create.
  16. Go to dashboard and click CREATE GATEWAY.
  17. Select Static Gateway.
  18. You will see the Microsoft Azure Gateway IP Address after create gateway successful.
  19. Copy the Preshared key from Manage Share Key. We need it for Sophos UTM VPN settings.

Settings in Sophos UTM

  1. Logon to SPHOS UTM.
  2. Select Site-to-Site VPN and click IPsec.
  3. On the Ipsec page, select Remote Gateway and click New Remote Gateway.
  4. On the Add Remote Gateway page.
  5. Name: Enter a descriptive name for this remote gateway.
  6. Gateway type: Select the Initiate connection.
  7. Gateway: click add new network definition.
  8. On the Add new network definition page.
  9. Name: Enter name of AZUREGW.
  10. Type: select Host.
  11. IPv4 Address: Enter the gateway IP address of AZURE and then click Save.
  12. On the Add Remote Gateway page.
  13. Authentication type: select Preshared key.
  14. Key: copy and paste the preshared key from AZURE.
  15. Repeat: copy and paste the preshared key from AZURE.
  16. VPN ID type: select IP Address.
  17. Remote Networks: Click Add network definition.
  18. On the Add network definition page.
  19. Name: Type name for ASURE Network.
  20. Type: Select Network.
  21. Address: Enter Subnet of AZURE Virtual network.
  22. Netmask: select the netmask of
    AZURE Virtual network and then click Save.
  23. Click Save on the Add Remote Gateway page.
  24. Slect Policies tab and create new policy for Azure.
  25. On the Edit Ipsec policy page.
  26. Name: type policy name for Azure policy.
  27. IKE encryption algorithm: Select AES 256.
  28. IKE authentication algorithm: select SHA1.
  29. IKE SA lifetime: Enter 7800.
  30. IKE DH group: Select Group 2: MODP 1024.
  31. IPsec encryption algorithm: Select 3DES.
  32. IPsec authentication algorithm: Select SHA1.
  33. IPsec SA lifetime: Select 3600.
  34. IPsec PFS group: Select None and then click Save.
  35. Select Connections tab and create new connection.
  36. Click New IPsec connection….
  37. On the Add IPsec connection page.
  38. Name: Enter connect name.
  39. Remote Gateway: Select the gateway that we created.
  40. Local Interface: select WAN.
  41. Policy: Select the policy that we created.
  42. Local Networks: Enter the Local Sophos UTM Subnet.
  43. Click Save.

Hope you Enjoy,

Cary Sun @SifuSun

Advertisements