STEP BY STEP TO BUILD SITE-TO-SITE VPN FROM SOPHOS XG FIREWALL TO AZURE

Today, I would like to tell you how to build a site-to-site VPN from Sophos XG firewall to Azure, if you have no budget to buy a hardware base firewall for your home office or lab, no worry, you also can download and install at Microsoft Hyper-V (or others) Virtual Machine and it’s free!!

Let’s follow step by step to build site-to-site VPN from Sophos XG firewall to Azure.

Settings in Microsoft Azure Site

1. Logon to Azure portal and select Virtual networks.

   

2. On the Virtual networks page, click Create virtual network.

   

3. Enter information as follow and click Create.

   Name: AZURE-LAB-VNet1

   Address Space: 10.10.0.0/16

   Subscription: select your subscription

   Resource group: select Create new and enter your Resource Group name

   Location: Select Central US (you also can choice other locations)

   Subnet Name: enter your subnet name

   Address range: 10.10.0.0/19

   DDoS protection: Basic (Default)

   Service endpoints: Disable (default)

   

4. On the AZURE-LAB-Vnet1 page, select Subnets.

   

5. On the AZURE-LAB-VNet1 – Subnets page, click +Gateway subnet.

   

6. Enter Address range as 10.10.32.0/27 and click OK.

   

7. Go back to Azure Dashboard and click +Create a resource.

   

8. On the search bar, enter Virtual network gateway.

   

9. Select Virtual network gateway and click Create.

   

10. Enter information as follow and click Create.

    Name: AZURE-LAB-GW

    Gateway type: VPN

    VPN type: Route-based

    SKU: Basic

    Virtual network: Azure-Lab-VNet1

    

    Public IP address: Create new, enter AZURE-LAB-GWIP as its name, Basic for SKU and then click OK.

    

    Subscription: select your subscription

    Location: select the location as before (Central US) and then click Create.

    

11. Go back to Azure Dashboard and click +Create a resource.

    

12. On the search bar, enter Local network gateway.

    

13. Select Local network gateway and click Create.

    

14. Enter information as follow and click Create.

    Name: Cary-HQ

    IP Address: 184.65.174.148

    Subscription: select your subscription.

    Resource Group: click Use Existing and select AZURE-LAB

    Location: select the same location as before (Central US) and then click Create.

    

15. On the Cary-HQ page select Connections.

    

16. On the Cary-HQ – Connections page, click +Add.

    

17. Enter information as follow and then click OK.

    Name: AZURE-LAB-VNet1toCaryHQ

    Virtual network gateway: AZURE-LAB-GW

    Local network gateway: Cary-HQ

    Shared key: enter your share, it is must the same as XG firewall site.

    

Settings On-premises Site

1. We are using Sophos XG firewall behind NAT device, so we need to do port forward settings at NAT Device.
   

   
   

2. Login to Sophos XG firewall.
   

   
   

3. Select Network and make sure interfaces settings are correct.
   

   
   

4. Select VPN and click Add, it’s under IPsec Connections.
   

   
   

5. Enter information as follow and click Save.
   

   Name: GAM2Azure
   

   IP Version: IPv4
   

   Connection Type: Site-to-Site
   

   Gateway Type: Respond Only
   

   Policy: Microsoft Azure
   

   Authentication Type: select Preshared Key and type preshared key, it’s must be the same as Azure site.
   

   Listening Interface: Port2 – 102.168.0.127
   

   Local ID Type: IP Address
   

   Local ID: 184.65.174.148
   

   Local Subnet: LAN (172.16.1.0/24)
   

   Gateway Address: 52.176.45.61
   

   Remote ID Type: IP Address
   

   Remote ID: 52.176.45.61
   

   Remote Subnet: AZUREVNet (10.10.0.0/16)
   

   
   

6. On the VPN page, the Active and Connection status should show green.
   

   
   

7. On the Azure Connection page, the status should show Connected.
   

   
   

8. You may find there is no traffic at VPN tunnel even their status show connected. No worry, that’s because we still not configure firewall rules yet.
   
9. On the Sophos XG Firewall configure web page, select Firewall and click Add Firewall Rule.
   

   
   

10. Enter follow information to create Inbound VPN rule and click Save.
    

    Rule Name: Inbound_VPN
    

    Action: Accept
    

    Source Zones: VPN
    

    Source Networks and Devices: Any
    

    Destination Zones: LAN
    

    Destination Networks: Any
    

    Services: Any
    

    
    

11. Enter follow information to create Outbound VPN rule and click Save.
    

    Rule Name: Outbound_VPN
    

    Action: Accept
    

    Source Zones: LAN
    

    Source Networks and Devices: Any
    

    Destination Zones: VPN
    

    Destination Networks: Any
    

    Services: Any
    

    
    

    Now, we have Site-to-site VPN successfully.
    

    Hope you enjoy this post!!
    

    Cary Sun @SifuSun
    

Author: Cary Sun

Cary Sun is an Principal Consultant, He has a strong background specializing in datacenter and deployment solutions, and has spent over 20 years in the planning, design, and implementation of network technologies and Management and system integration.He hold CISCO CERTIFIED INTERNETWORK EXPERT (CCIE No.4531) from 1997.Cary is also a Microsoft Most Valuable Professional (MVP) and Cisco Champion, He is a published author with serveral titles, include blogs on Checkyourlogs.net, author for many books. Specialties: CCIE /CCNA / MCSE / MCITP / MCTS / MCSA / Solution Expert / CCA
Blog:
http://www.carysun.com http://www.checkyourlogs.net
Twitter:@SifuSun