
Connect on-premise firewall to Microsoft Azure using route-based IPsec VPN

You can connect your on-premise Sophos Firewall to your Microsoft Azure virtual network using a route-based IPsec VPN connection.

Requirements

You must meet the following requirements:

  • An on-premise Sophos Firewall with a public IP address. It must not be behind a network device that handles NAT for it.
  • A Microsoft Azure virtual network.

Network diagram

On-premise firewall and Azure virtual network IPsec connection diagram.

Microsoft Azure configuration

Create a local network gateway

The local network gateway refers to your on-premise firewall. To configure a local network gateway, do as follows:

  1. Sign in to Microsoft Azure portal.
  2. Go to Local network gateways. You can also search for it in the search box.
  3. Click Create.
  4. Under the Basics tab, configure the following settings:

    1. Project details

      1. Subscription: Select the subscription associated with your Microsoft Azure portal account.
      2. Resource group: Select a resource group or create a new one.
    2. Instance details

      1. Region: Select a region. We recommend you select the region closest to your location.
      2. Name: Enter a name.
      3. Endpoint: Select IP address.
      4. IP address: Enter the public IP address of your on-premise firewall.
      5. Address space(s): Enter your on-premise network address range. For example, 10.100.0.0/16.
  5. Click Review + create.

    A validation test starts. If it fails, check your configuration.

  6. When the validation test succeeds, review the details and click Create.

    The deployment process takes a few minutes.

  7. When the deployment is complete, click Go to resource to see the resources deployed in your account.

Create a gateway subnet

To create a gateway subnet, do as follows:

  1. Go to Virtual networks. You can also search for it in the search box.
  2. Click your Microsoft Azure virtual network.
  3. Go to Settings > Subnets, then click Gateway subnet.
  4. Configure the following settings:

    1. Starting address: Enter a network address.
    2. Size: Select a subnet mask.

    For example, 10.1.1.0/24.

    Gateway subnet.

  5. Click Add.

Tip

Use a large subnet, such as /24 or /28, to accommodate future expansion.

Create a virtual network gateway

To create a virtual network gateway, do as follows:

  1. Go to Virtual network gateways. You can also search for it in the search box.
  2. Click Create.
  3. Under the Basics tab, configure the following settings:

    1. Project details

      1. Subscription: Select the subscription associated with your Microsoft Azure portal account.
    2. Instance details

      1. Name: Enter a name.
      2. Region: Select the same region you used.
      3. Gateway type: Select VPN.
      4. SKU: Select an SKU. See Gateway SKUs and performance.
      5. Generation: Select Generation1.
      6. Virtual network: Select the virtual network to which you want to add the gateway.

        Note

        If the virtual network you want isn't shown, check if you've selected the correct Region.

    3. Public IP address

      1. Public IP address: Select Create new.
      2. Public IP address name: Enter a name.
      3. Availability zone: Select 1.
      4. Enable active-active mode: Select Enabled.
    4. Second public IP address

      1. Second public IP address: Select Create new.
      2. Public IP address name: Enter a name.
      3. Availability zone: Select 1.
      4. Configure BGP: Select Disabled.
    5. Authentication Information (Preview)

      1. Enable Key Vault Access: Select Disabled.
  4. Click Review + create.

    A validation test starts. If it fails, check your configuration.

  5. When the validation test succeeds, review the details and click Create.

    The deployment process can take up to 45 minutes.

  6. When the deployment is complete, click Go to resource to see the resources deployed in your account.

Create an IPsec VPN connection

To create a VPN connection, do as follows:

  1. Go to Virtual network gateways. You can also search for it in the search box.
  2. Click the virtual network gateway you created and make a note of the First public IP address.

    Virtual network gateway public IP address.

  3. Go to Settings > Connections, then click Add.

  4. Under the Basics tab, configure the following settings:

    1. Project details

      1. Subscription: Select the subscription associated with your Microsoft Azure portal account.
      2. Resource group: Select the same resource group you used.
    2. Instance details

      1. Connection type: Select Site-to-site (IPsec).
      2. Name: Enter a name.
      3. Region: Select the same region you used.
  5. Click Next : Settings.

  6. Under the Settings tab, configure the following settings:

    1. Virtual network gateway

      1. Virtual network gateway: Select the virtual network gateway you created.
      2. Local network gateway: Select the local network gateway you created.
      3. Authentication method: Select Shared key(PSK).
      4. Shared key(PSK): Enter a shared key. You must also use this shared key in your on-premise firewall.
      5. IKE protocol: Select IKEv2.
      6. Use Azure private IP address: Don't select.
      7. Enable BGP: Don't select.
      8. IPsec / IKE policy: Select Default.

        Note

        Microsoft may change the default settings. Make sure you configure your on-premise firewall appropriately for both initial tunnel establishment and re-key. See About cryptographic requirements and Azure VPN gateways.

      9. Use policy based traffic selector: Select Disable.

      10. DPD timeout in seconds: Leave the default value as is.
      11. Connection Mode: Select ResponderOnly.
  7. Click Review + create.

    A validation test starts. If it fails, check your configuration.

  8. When the validation test succeeds, review the details and click Create.

    The deployment process takes a few minutes.

  9. When the deployment is complete, click Go to resource to see the resources deployed in your account.
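The Azure portal procedure above (local network gateway, gateway subnet, virtual network gateway and connection) scripted with the Azure CLI, as an added example that is not Sophos or Microsoft code. The resource names, region, SKU VpnGw1AZ and sample addresses are assumptions; vpn_status also performs the status check described under VPN connection status below.

```shell
# Added example, not Sophos or Microsoft code: the Azure-side steps of this guide
# as Azure CLI calls. Names and values below are assumptions; an existing resource
# group and virtual network are required, as in the Requirements section.
set -eu
RG="${RG:-rg-vpn-example}"                 # existing resource group (assumed)
LOCATION="${LOCATION:-westeurope}"         # region of the virtual network (assumed)
VNET="${VNET:-vnet-azure}"                 # existing virtual network (assumed)
GW_SUBNET="${GW_SUBNET:-10.1.1.0/24}"      # gateway subnet, as in the guide
ONPREM_IP="${ONPREM_IP:-203.0.113.10}"     # firewall public IP (constructed, documentation range)
ONPREM_NET="${ONPREM_NET:-10.100.0.0/16}"  # on-premise address space, as in the guide
DRY_RUN="${DRY_RUN:-0}"
# Print each command instead of running it when DRY_RUN=1, so the plan can be reviewed first.
az_cmd() { if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi; }
create_azure_vpn() {
  # Shared key: generate one if none was supplied; hex stays within Azure's allowed characters.
  if [ -z "${PSK:-}" ]; then PSK=$(openssl rand -hex 32); fi
  # Local network gateway: the on-premise firewall and the address space behind it.
  az_cmd network local-gateway create -g "$RG" -n lgw-onprem -l "$LOCATION" \
    --gateway-ip-address "$ONPREM_IP" --local-address-prefixes "$ONPREM_NET"
  # Gateway subnet; Azure requires the name GatewaySubnet.
  az_cmd network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
    --address-prefixes "$GW_SUBNET"
  # Two Standard public IPs in zone 1; giving both to the gateway enables active-active mode.
  for pip in pip-vgw-1 pip-vgw-2; do
    az_cmd network public-ip create -g "$RG" -n "$pip" -l "$LOCATION" \
      --sku Standard --allocation-method Static --zone 1
  done
  az_cmd network vnet-gateway create -g "$RG" -n vgw-azure -l "$LOCATION" --vnet "$VNET" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1AZ \
    --vpn-gateway-generation Generation1 --public-ip-addresses pip-vgw-1 pip-vgw-2 --no-wait
  az_cmd network vnet-gateway wait -g "$RG" -n vgw-azure --created   # can take up to 45 minutes
  # Site-to-site IKEv2 connection: default IPsec/IKE policy, route-based traffic selectors,
  # BGP off, Azure as responder only, matching the portal settings in the guide.
  az_cmd network vpn-connection create -g "$RG" -n cn-onprem -l "$LOCATION" \
    --vnet-gateway1 vgw-azure --local-gateway2 lgw-onprem --shared-key "$PSK" \
    --connection-protocol IKEv2 --use-policy-based-traffic-selectors false \
    --enable-bgp false --connection-mode ResponderOnly
}
# First public IP (the Gateway address on the firewall) plus connection status and byte counters.
vpn_status() {
  az_cmd network public-ip show -g "$RG" -n pip-vgw-1 --query ipAddress -o tsv
  az_cmd network vpn-connection show -g "$RG" -n cn-onprem -o table \
    --query "{status:connectionStatus,in:ingressBytesTransferred,out:egressBytesTransferred}"
}
case "${1:-}" in
  --preview) DRY_RUN=1; create_azure_vpn ;;
  --apply) create_azure_vpn; vpn_status ;;
esac
```

Run it with --preview to print the commands without touching the subscription, or --apply to execute them and show the connection status.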

Download configuration file

To download the configuration file, do as follows:

  1. Go to Virtual network gateways. You can also search for it in the search box.
  2. Click the virtual network gateway you created.
  3. Go to Settings > Connections, then click the VPN connection you created.
  4. Click Download configuration, then configure the following settings:

    1. Device vendor: Select Generic samples.
    2. Device family: Select Device parameters.
    3. Firmware version: Select Generic-samples-device-parameters.
    4. Click Download configuration.
  5. Open the downloaded file.

  6. Go to the Tunnel interface (VTI) configuration section.
  7. Make a note of the IP address, subnet mask, and maximum segment size (MSS) of both tunnel interfaces.

    Tunnel configuration.

Sophos Firewall configuration

Create a route-based IPsec VPN connection

To create a route-based IPsec VPN connection, do as follows:

  1. Sign in to the web admin console of your on-premise firewall.
  2. Go to Site-to-site VPN > IPsec, then click Add.
  3. Configure the following settings:

    1. Name: Enter a name.
    2. Connection type: Select Tunnel interface.
    3. Gateway type: Select Initiate the connection.
    4. IP version: Defaults to Dual.

      Note

      Even though the setting defaults to Dual, this example uses only IPv4.

    5. Activate on save: Select the checkbox.

    6. Profile: Select Microsoft Azure (IKEv2).

      Note

      The default settings of the IPsec / IKE policy on Microsoft Azure may change. If they change, you must update the IPsec profile of the on-premise firewall according to the following guidelines:

      • To avoid recurring tunnel disconnection, make sure that the Phase 1 and Phase 2 key lives on the initiator are shorter than those on the responder.
      • Make sure that the Phase 2 key life is shorter than the Phase 1 key life.
    7. Authentication type: Select Preshared key.

    8. Preshared key: Enter the same key you used for the Shared key(PSK) when you created the VPN connection on Microsoft Azure.
    9. Repeat preshared key: Re-enter the key.
    10. Listening interface: Select the WAN interface of the firewall.
    11. Local ID type: Select IP Address.
    12. Local ID: Enter the firewall's public IP address.
    13. Gateway address: Enter the First public IP address you noted in Create an IPsec VPN connection.
    14. Remote ID type: Select IP Address.
    15. Remote ID: Enter the First public IP address you noted in Create an IPsec VPN connection.
  4. Click Save.

  5. In the Preshared key prompt, click OK.

    The firewall initiates the connection, and the connection is established.

    Route-based IPsec VPN connection established.

Create firewall rule

To allow inbound and outbound traffic through the route-based IPsec VPN connection, you must create a firewall rule. To do this, do as follows:

  1. Go to Rules and policies > Firewall rules.
  2. Select IPv4 protocol.
  3. Click Add firewall rule and select New firewall rule.
  4. Configure the following settings:

    1. Rule name: Enter a name.
    2. Action: Select Accept.
    3. Log firewall traffic: Select the checkbox.
    4. Rule position: Select Top.
    5. Rule group: Select None.
    6. Source zones: Select LAN and VPN.
    7. Source networks and devices: Select Any.
    8. During scheduled time: Select All the time.
    9. Destination zones: Select LAN and VPN.
    10. Destination networks: Select Any.
    11. Services: Select Any.
  5. Click Save.

Configure the XFRM interface

To configure the XFRM interface, do as follows:

  1. Go to Network > Interfaces, then click the vertical blue bar or anywhere on the WAN interface row.

    You see the XFRM interfaces automatically created for the tunnels.

    XFRM interface.

  2. Click the XFRM interface and configure the following settings:

    1. IPv4/netmask: Enter the IP address and select the subnet mask of the first tunnel interface you noted in Download configuration file.
    2. Expand Advanced settings.
    3. Select Override MSS and enter the MSS value of the first tunnel interface you noted in Download configuration file.

      XFRM interface configuration.

  3. Click Save.

  4. In the Update interface prompt, click Update interface.

Create a route

To route traffic to the Microsoft Azure default LAN through the XFRM interface, you must create a route. In this example, we create a static route. To do this, do as follows:

  1. Go to Routing > Static routes.
  2. Under the IPv4 unicast route section, click Add.
  3. Configure the following settings:

    1. Destination IP / Netmask: Enter your Microsoft Azure virtual network address and subnet mask. For example, 10.1.0.0/16.

      Note

      In this example, the LAN network 10.1.0.0/24 is the default subnet under the Microsoft Azure virtual network.

      Virtual network default subnet.

    2. (Optional) Gateway: You can leave this empty or enter an IP address within the tunnel interface's network you noted in Download configuration file.

      For example, if the tunnel interface IP address is 169.254.0.1/30, the other usable address in that /30 network is 169.254.0.2. You can use this IP address as the gateway.

    3. Interface: Select the XFRM interface.

      Static route.

  4. Click Save.

Verify the VPN connection

Ping test

To verify the connection, do as follows:

  1. Do a ping test from an endpoint behind the firewall to a Microsoft Azure virtual machine.

    On-premise to Azure ping test.

  2. Do a ping test from a Microsoft Azure virtual machine to an endpoint behind the firewall.

    Azure to on-premise ping test.

VPN connection status

To verify the VPN connection status, do as follows:

  1. Sign in to Microsoft Azure portal.
  2. Go to Virtual network gateways. You can also search for it in the search box.
  3. Click the virtual network gateway you connected to.
  4. Go to Settings > Connections.
  5. Verify that the Status of the VPN connection you created is Connected.

    VPN connection status.

  6. Click the VPN connection and see if there's traffic flow.

    VPN connection traffic flow.

    Note

    A value of 0 B doesn't indicate a connection issue. It most likely means that no traffic is currently flowing on the Microsoft Azure side.

Behavior when Microsoft Azure is initiator

If Microsoft Azure is the initiator and Sophos Firewall is the responder, the following behavior occurs when the child SA's re-key timer expires:

  • There's traffic in the tunnel: Microsoft Azure re-keys the child SA, establishes a new child SA, then deletes the old child SA.
  • No traffic in the tunnel: Microsoft Azure doesn't re-key the child SA and deletes it. The following behavior can then occur:

    • If traffic is sent from Microsoft Azure LAN client to Sophos Firewall LAN client, Microsoft Azure creates a child SA for this traffic.
    • If traffic is sent from Sophos Firewall LAN client to Microsoft Azure LAN client, Microsoft Azure doesn't create a child SA, so no traffic can be sent.

Note

The IKE session (phase 1) remains up for both scenarios mentioned above.

Troubleshooting

Microsoft Azure

Take note of the following information when troubleshooting:

  • Connectivity issues can occur if a network security group is configured to block port numbers the traffic uses.
  • By default, the virtual network gateway automatically advertises the VPN subnets to the virtual network route tables. Make sure you don't have user-defined routes that could override this.
  • To re-key the IKE_SA, Microsoft Azure deletes the expired IKE_SA and creates a new connection, which can cause a few seconds of downtime.

Sophos Firewall

To prevent false alerts in Sophos Central, change the re-key timers on the initiator (Sophos Firewall) to values less than what is used in the responder (Microsoft Azure).
