STEP BY STEP TO BUILD SITE-TO-SITE VPN FROM SOPHOS XG FIREWALL TO AZURE


Today I would like to show you how to build a site-to-site VPN from a Sophos XG firewall to Azure. If you have no budget for a hardware firewall in your home office or lab, no worries: Sophos XG Firewall can be downloaded and run free of charge as a virtual machine on Microsoft Hyper-V (or another hypervisor).

Let's go through the site-to-site VPN setup step by step, first on the Azure side and then on the Sophos XG firewall.

Settings in Microsoft Azure Site

  1. Log on to the Azure portal and select Virtual networks.

  2. On the Virtual networks page, click Create virtual network.

  3. Enter the following information and click Create.

    Name: AZURE-LAB-VNet1

    Address space: 10.10.0.0/16

    Subscription: select your subscription

    Resource group: select Create new and enter your resource group name (AZURE-LAB is used in the rest of this post)

    Location: select Central US (you can choose another location, but every resource in this walkthrough must be created in the same one)

    Subnet name: enter your subnet name

    Address range: 10.10.0.0/19

    DDoS protection: Basic (default)

    Service endpoints: Disabled (default)

  4. On the AZURE-LAB-VNet1 page, select Subnets.

  5. On the AZURE-LAB-VNet1 – Subnets page, click +Gateway subnet.

  6. Enter the address range 10.10.32.0/27 and click OK. The gateway subnet is always named GatewaySubnet (the portal fixes the name), must lie inside the VNet address space, and must not overlap the workload subnet; 10.10.32.0/27 starts right after the 10.10.0.0/19 range ends at 10.10.31.255, so it satisfies all three.

  7. Go back to the Azure Dashboard and click +Create a resource.

  8. In the search bar, enter Virtual network gateway.

  9. Select Virtual network gateway and click Create.

  10. Enter the following information and click Create.

    Name: AZURE-LAB-GW

    Gateway type: VPN

    VPN type: Route-based

    SKU: Basic

    Virtual network: AZURE-LAB-VNet1

    Public IP address: select Create new, enter AZURE-LAB-GWIP as the name, choose Basic for the SKU and click OK.

    Subscription: select your subscription

    Location: select the same location as before (Central US) and then click Create.

    Deploying the gateway is the slow part (it can take 45 minutes or more). When it finishes, note the public IP address assigned to AZURE-LAB-GWIP on the gateway's overview page; it is the Gateway Address you will enter on the XG firewall later.

  11. Go back to the Azure Dashboard and click +Create a resource.

  12. In the search bar, enter Local network gateway.

  13. Select Local network gateway and click Create.

  14. Enter the following information and click Create. The local network gateway represents the on-premises side: its IP address is the public address Azure sees for the XG firewall (here the WAN address of the NAT device in front of it), and its address space is the on-premises LAN that should be reachable through the tunnel.

    Name: Cary-HQ

    IP address: 184.65.174.148

    Address space: 172.16.1.0/24 (the LAN behind the XG firewall, matching the Local Subnet configured on the firewall below)

    Subscription: select your subscription

    Resource group: click Use existing and select AZURE-LAB

    Location: select the same location as before (Central US) and then click Create.

  15. On the Cary-HQ page, select Connections.

  16. On the Cary-HQ – Connections page, click +Add.

  17. Enter the following information and then click OK.

    Name: AZURE-LAB-VNet1toCaryHQ

    Virtual network gateway: AZURE-LAB-GW

    Local network gateway: Cary-HQ

    Shared key: enter a pre-shared key; it must be exactly the same as the one you configure on the XG firewall. Use a long random value (for example 32 bytes from a CSPRNG, base64-encoded) rather than a word or phrase, because the pre-shared key is the only thing authenticating the two gateways to each other.
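The Azure side of the procedure above as an Azure CLI script. This is an added example, not code from the original post. It first checks the address plan, because the usual cause of a tunnel that shows Connected but carries no traffic is an on-premises prefix that overlaps the VNet or a gateway subnet that overlaps the workload subnet, and then runs the same create operations the portal steps perform. Names and prefixes are the ones used in the walkthrough; the `Workload` subnet name, the `AZ` and `PSK` environment variables and the dry-run mode are assumptions of mine.

```shell
#!/bin/sh
# Azure side of the Sophos XG <-> Azure site-to-site VPN, as Azure CLI.
# Added example, not from the original post. Run "sh s2s-azure.sh deploy";
# set AZ=echo to print the commands instead of running them (dry run).
set -eu

AZ=${AZ:-az}                        # set AZ=echo for a dry run (assumption)
RG=AZURE-LAB
LOCATION=centralus
VNET=AZURE-LAB-VNet1
VNET_PREFIX=10.10.0.0/16
SUBNET=Workload                     # name assumed; the post lets you choose it
SUBNET_PREFIX=10.10.0.0/19
GW_SUBNET_PREFIX=10.10.32.0/27      # Azure requires the name GatewaySubnet
GW=AZURE-LAB-GW
GW_IP=AZURE-LAB-GWIP
LNG=Cary-HQ
ONPREM_IP=184.65.174.148            # public address of the NAT device
ONPREM_PREFIX=172.16.1.0/24         # LAN behind the XG firewall
CONN=AZURE-LAB-VNet1toCaryHQ

# Dotted quad -> 32-bit integer, for prefix arithmetic.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains OUTER INNER: succeeds if INNER lies entirely inside OUTER.
cidr_contains() {
  o_len=${1#*/}; i_len=${2#*/}
  [ "$i_len" -ge "$o_len" ] || return 1
  mask=$(( (0xFFFFFFFF << (32 - o_len)) & 0xFFFFFFFF ))
  o_net=$(ip2int "${1%/*}"); i_net=$(ip2int "${2%/*}")
  [ $(( o_net & mask )) -eq $(( i_net & mask )) ]
}

# Two prefixes overlap exactly when the shorter one contains the other.
cidr_overlap() { cidr_contains "$1" "$2" || cidr_contains "$2" "$1"; }

# Validate the address plan before creating anything in Azure.
check_plan() {
  cidr_contains "$VNET_PREFIX" "$SUBNET_PREFIX" ||
    { echo "workload subnet $SUBNET_PREFIX is outside $VNET_PREFIX" >&2; return 1; }
  cidr_contains "$VNET_PREFIX" "$GW_SUBNET_PREFIX" ||
    { echo "GatewaySubnet $GW_SUBNET_PREFIX is outside $VNET_PREFIX" >&2; return 1; }
  ! cidr_overlap "$SUBNET_PREFIX" "$GW_SUBNET_PREFIX" ||
    { echo "GatewaySubnet overlaps the workload subnet" >&2; return 1; }
  ! cidr_overlap "$VNET_PREFIX" "$ONPREM_PREFIX" ||
    { echo "on-premises LAN $ONPREM_PREFIX overlaps the VNet; nothing would be routed into the tunnel" >&2; return 1; }
  [ "${GW_SUBNET_PREFIX#*/}" -le 27 ] ||
    { echo "GatewaySubnet should be /27 or larger" >&2; return 1; }
}

deploy() {
  check_plan
  # Shared key: supply it in PSK (e.g. PSK=$(openssl rand -base64 32)). It is
  # passed on a command line, so avoid doing this on a shared host.
  psk=${PSK:?set PSK to the pre-shared key you will also enter on the XG}
  $AZ group create --name "$RG" --location "$LOCATION"
  $AZ network vnet create --resource-group "$RG" --name "$VNET" --location "$LOCATION" \
    --address-prefixes "$VNET_PREFIX" --subnet-name "$SUBNET" --subnet-prefixes "$SUBNET_PREFIX"
  $AZ network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name GatewaySubnet --address-prefixes "$GW_SUBNET_PREFIX"
  $AZ network public-ip create --resource-group "$RG" --name "$GW_IP" --sku Basic --allocation-method Dynamic
  # The gateway itself is the slow step (commonly 45 minutes or more).
  $AZ network vnet-gateway create --resource-group "$RG" --name "$GW" --location "$LOCATION" \
    --vnet "$VNET" --public-ip-address "$GW_IP" --gateway-type Vpn --vpn-type RouteBased --sku Basic
  $AZ network local-gateway create --resource-group "$RG" --name "$LNG" --location "$LOCATION" \
    --gateway-ip-address "$ONPREM_IP" --local-address-prefixes "$ONPREM_PREFIX"
  $AZ network vpn-connection create --resource-group "$RG" --name "$CONN" \
    --vnet-gateway1 "$GW" --local-gateway2 "$LNG" --shared-key "$psk"
  # Print the gateway address the XG side needs, and the connection status.
  $AZ network public-ip show --resource-group "$RG" --name "$GW_IP" --query ipAddress -o tsv
  $AZ network vpn-connection show --resource-group "$RG" --name "$CONN" --query connectionStatus -o tsv
}

if [ "${1:-}" = deploy ]; then deploy; fi
```

The connection status stays NotConnected until the XG side is configured and Azure has initiated IKE towards the local network gateway address; re-run the last `show` command after finishing the on-premises steps.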

Settings On-premises Site

  1. Our Sophos XG firewall sits behind a NAT device, so the NAT device must forward the IPsec traffic to the firewall's WAN interface: UDP 500 (IKE) and UDP 4500 (IKE and ESP with NAT traversal). Azure initiates the tunnel towards the local network gateway address (184.65.174.148), so without these forwards the firewall never sees the IKE request.

  2. Log in to the Sophos XG firewall.

  3. Select Network and make sure the interface settings are correct.

  4. Select VPN and, under IPsec Connections, click Add.

  5. Enter the following information and click Save.

    Name: GAM2Azure

    IP version: IPv4

    Connection type: Site-to-Site

    Gateway type: Respond Only

    Policy: Microsoft Azure

    Authentication type: select Preshared Key and enter the pre-shared key; it must be exactly the same as the one entered on the Azure connection.

    Listening interface: Port2 – 192.168.0.127 (the firewall's WAN interface; it carries a private address because the firewall is behind the NAT device)

    Local ID type: IP Address

    Local ID: 184.65.174.148 (the public address of the NAT device, i.e. the IP address Azure holds in the Cary-HQ local network gateway; because the firewall is behind NAT, the local ID must be this public address rather than the interface address, otherwise Azure rejects the IKE identity)

    Local subnet: LAN (172.16.1.0/24)

    Gateway address: 52.176.45.61 (the public IP address Azure assigned to AZURE-LAB-GWIP)

    Remote ID type: IP Address

    Remote ID: 52.176.45.61

    Remote subnet: AZUREVNet (10.10.0.0/16)

  6. On the VPN page, the Active and Connection status indicators should be green.

  7. On the Azure Connection page, the status should show Connected.

  8. You may find that no traffic flows through the tunnel even though both sides show it as connected. That is expected: the XG firewall drops traffic between zones until a firewall rule allows it, and we have not created any rules yet.

  9. In the Sophos XG Firewall web console, select Firewall and click Add Firewall Rule.

  10. Enter the following information to create the inbound VPN rule and click Save.

    Rule name: Inbound_VPN

    Action: Accept

    Source zones: VPN

    Source networks and devices: Any

    Destination zones: LAN

    Destination networks: Any

    Services: Any

  11. Enter the following information to create the outbound VPN rule and click Save.

    Rule name: Outbound_VPN

    Action: Accept

    Source zones: LAN

    Source networks and devices: Any

    Destination zones: VPN

    Destination networks: Any

    Services: Any

    These Any/Any rules are fine for a lab. For a tunnel you keep, narrow them to the real endpoints: Source networks AZUREVNet (10.10.0.0/16) and Destination networks LAN (172.16.1.0/24) on the inbound rule, the reverse on the outbound rule, and only the services you actually need, so that a compromised VM in Azure cannot reach everything on the LAN (and vice versa).

    Now we have a working site-to-site VPN.

    Hope you enjoy this post!!

    Cary Sun @SifuSun


Author: Cary Sun

Cary Sun is a Principal Consultant with a strong background in datacenter and deployment solutions. He has spent over 20 years in the planning, design and implementation of network technologies, management and system integration, and has held Cisco Certified Internetwork Expert (CCIE No. 4531) since 1997. Cary is also a Microsoft Most Valuable Professional (MVP) and Cisco Champion, and a published author of several titles, including blogs on Checkyourlogs.net and many books. Specialties: CCIE / CCNA / MCSE / MCITP / MCTS / MCSA / Solution Expert / CCA
Blog:
http://www.carysun.com http://www.checkyourlogs.net
Twitter: @SifuSun
