Sophos UTM and Azure Site-2-Site VPN (IPSec)

Here is a short guide on how to establish a Site-2-Site (S2S) VPN connection to Microsoft Azure with the Sophos UTM. Since the Azure portal has been significantly revised in the meantime and I have only found quite old HowTo's, I have summarized my configuration of the UTM and Azure here. If I find some time, I will also write an article on how to restrict access to the respective networks.

Introduction

I am using an "empty" Azure environment for this HowTo, so no resources have been created yet. However, if virtual networks have already been created, these instructions can usually be transferred or slightly modified if necessary.

Here is a brief overview of how the local and future Azure environment will be set up:

There are two local networks 192.168.100.0/24 and 172.16.14.0/24. Within Azure, the virtual network 10.10.0.0/16 is created, which in turn contains several subnets (10.10.1.0/24, 10.10.2.0/24, etc).

Configuration of Azure networks

The first step is to configure the virtual networks in Azure. To do this, a new virtual network is first created:

The new virtual network is given the address range 10.10.0.0/16 and the subnet 10.10.0.0/24 is created within this network. The first subnet (10.10.0.0/24) could, for example, contain services that are directly accessible from the Internet. However, it is up to the user to decide which function is assigned to the subnets:

As soon as the new virtual network with the first subnet has been created, the overview in Azure should look like this:

By clicking on the new virtual network, further subnets can now be created.

A gateway subnet is required so that an S2S VPN connection can be established later. I have set the gateway subnet to the last subnet in the 10.10.0.0/16 network (in this case 10.10.255.0/24):

Once the gateway subnet has been created, a "gateway for virtual networks" can now be created. In principle, this is a VPN-capable router in Azure. Under the menu item "Create resource", you can search for "Gateway for virtual networks" and create the corresponding resource:

The settings for the virtual gateway can now be defined. It is important to note that the Sophos UTM currently supports IKEv1, so the "VPN type" must be set to "Policy-based". The VPN type "Route-based" requires IKEv2, which is currently not supported by the UTM. The other settings should be self-explanatory:

If everything has worked up to this point, the new gateway can be created:

A new "Local network gateway" can now be created. The "Local network gateway" is basically the local Sophos UTM (in the UTM this configuration is called "Remote gateway"), here the settings for the S2S VPN tunnel are made:

For the "Local network gateway", the settings for the data of the local Sophos UTM are entered, essentially the static IP WAN of the IP UTM and the local networks available in the tunnel:

After the local network gateway has been created, the Azure overview page should now look like this:

Important: At this point, you must wait until the provision of resources has been completed (bell symbol)

A new "Connection" must be added so that an S2S VPN connection can be established by the UTM. The S2S connection can be added to the previously created resource "Gateway for virtual networks", in this case "FrankysWeb-Test-VNet1-GW1":

A PSK (Pre Shared Key) can now be entered within the connection; the PSK is required later for the configuration of the UTM:

Once the settings have been saved, the overview of connections now looks like this:

For the configuration of the Sophos UTM, the static IP of the Azure Gateway is now required in addition to the PSK. The IP can be displayed in the overview:

The Azure configuration is now complete, we will continue with the local UTM.

Configuration of the Sophos UTM

Now that the Azure configuration is complete, you can start configuring the Sophos UTM. First, a new "IPsec policy" must be created:

The settings of the "IPsec policy" of the UTM are shown in the following screenshot:

A new "remote gateway" can now be created, i.e. the counterpart to the "local network gateway" in Azure. The IP address of the Azure gateway is used as the gateway:

Distributed key" (PSK, Pre Shared Key) is used as the authentication method and the PSK previously defined in Azure is used. In addition, the Azure network is created as a "remote network", in this case the complete network 10.10.0.0/16:

The overview of the UTM should now look as follows:

Once the remote gateway has been created, a new IPsec connection can be created. The previously created remote gateway and the IPsec policy are selected here. The WAN interface of the UTM is entered as the local interface. The subnets/networks that were previously entered on the local network gateway in Azure must be entered as local networks. The settings of the local networks of the UTM must match the subnets of the local network gateway in Azure:

Once the connection has been established, the S2S tunnel can be activated:

The connection should work after a short time.

Status / Tests

To check the status of the S2S connection, the status can be displayed on the Site-2-Site VPN overview page of the UTM, if there is an SA for each configured local network, the connection should work:

The status of the VPN connection is also displayed in the Azure Portal:

The status of the connection can now also be checked using ping:

Tip: If new local subnets are added to the tunnel configuration, the configuration must be adjusted on both sides (Azure and UTM), then the tunnel must be rebuilt (disconnect and reconnect). If new Azure subnets are created, for example 10.10.3.0/24, the tunnel must be rebuilt once, the configuration does not need to be adjusted.