Sophos UTM Site-to-Site VPN Azure

I decided that I wanted to mess around with a site-to-site connection to Azure so I could play around with a remote office setup (having a domain controller on Azure linked to my domain). In this post I will be explaining all the steps to make this happen.

The first step is to create a virtual network on Azure. To do this, log in to your Azure control panel and click New -> Network Services -> Virtual Network -> Custom Create.

[Screenshot: createNetwork1]

This brings up the creation wizard, where you need to enter a name for your virtual network and a location.

[Screenshot: createNetwork2]

Once that is done, move on to the next step, where you need to select Configure a site-to-site VPN. If you already have a local network created, select “Specify a new local network”. I left the DNS settings until after everything was created, but feel free to add your on-premise DNS servers here, then move on to the next step.

[Screenshot: createNetwork3]

Now you need to create a new local network (your on-premise network). Mine is 192.168.1.1/24, so I created that. Then you need to set your on-premise external IP address. If you don't know it, you can fetch it by going to http://www.whatsmyip.net (later on I will show you how to change the IP if you have a dynamic IP like I do).

[Screenshot: createNetwork4]

Next you need to create an address space for your Azure virtual network. I left mine at the default. You need to click Add gateway subnet, because Azure creates two gateways for redundancy.

[Screenshot: createNetwork5]

Once you click Finish, the wizard creates your virtual network. Next, click on your virtual network once it is created. We now need to create a static routing gateway (this is important, as at the time of writing Sophos UTM does not support dynamic routing site-to-site with Azure).

[Screenshot: createGW1]
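The wizard happily accepts any two address spaces, but the tunnel only routes cleanly when the on-premise network does not overlap the Azure address space and the gateway subnet sits inside that space. The following check is an added example written for this post, not something from the post or from Sophos/Azure; the networks in it are constructed samples, and the 192.168.1.1/24 input mirrors the host-style prefix used above (which the check normalises to 192.168.1.0/24).

```python
"""Address-plan sanity check for a site-to-site VPN (added example, not part of the
original post). Verifies that the on-premise network(s) do not overlap the Azure
virtual network address space and that the gateway subnet (and any VM subnets)
sit inside that address space. All addresses are constructed samples."""
import ipaddress


def normalise(prefix):
    """Turn a prefix string into a network object.

    The post writes the on-premise network as 192.168.1.1/24, i.e. a host address
    with a mask; strict=False drops the host bits so it becomes 192.168.1.0/24,
    which is what the Azure local network definition actually needs."""
    return ipaddress.ip_network(prefix, strict=False)


def check_address_plan(on_premise, vnet_space, gateway_subnet, vm_subnets=()):
    """Return a list of human-readable problems; an empty list means the plan works."""
    problems = []
    vnet = normalise(vnet_space)
    gateway = normalise(gateway_subnet)

    for prefix in on_premise:
        site = normalise(prefix)
        # Overlap means Azure VMs and on-premise hosts would share addresses, so
        # neither side can tell which way a packet for that range should go.
        if site.overlaps(vnet):
            problems.append(f"on-premise {site} overlaps Azure address space {vnet}")

    # Azure carves the gateway subnet out of the virtual network address space.
    if not gateway.subnet_of(vnet):
        problems.append(f"gateway subnet {gateway} is not inside Azure address space {vnet}")

    for prefix in vm_subnets:
        subnet = normalise(prefix)
        if not subnet.subnet_of(vnet):
            problems.append(f"subnet {subnet} is not inside Azure address space {vnet}")
        elif subnet.overlaps(gateway):
            problems.append(f"subnet {subnet} overlaps gateway subnet {gateway}")
    return problems


if __name__ == "__main__":
    # Plan matching the post: 192.168.1.0/24 on premise, Azure address space left
    # at a 10.x default, plus a dedicated gateway subnet (constructed values).
    report = check_address_plan(["192.168.1.1/24"], "10.0.0.0/16",
                                "10.0.255.0/29", ["10.0.0.0/24"])
    for line in report or ["address plan OK"]:
        print(line)
```

The overlap case is the one that bites people who keep an on-premise 10.x network and also leave the Azure address space at its 10.x default: the wizard does not complain, but traffic for the overlapping range never crosses the tunnel.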

This can take 15 minutes or longer. While waiting for that we will get Sophos UTM ready. Log in to your Sophos UTM web control panel, go to Site-to-Site VPN -> IPsec, click Policies and clone the AES-128 policy. I called mine Azure, then changed the policy to look like the following (it must look like the screenshot below or you will not be able to connect correctly).

[Screenshot: createAzurePolicy]

To carry on you need to wait for Azure to finish configuring the gateway, because you need its IP and key. Once it is created, click on the Remote Gateway tab in Sophos UTM and create a new one.

[Screenshot: createGW2] [Screenshot: createRemoteGw2]

Take the “Gateway IP Address” shown by Azure and enter it in a new network definition. Then click Manage Keys and copy the “shared key” into the Key and Repeat key fields.

[Screenshot: createRemoteGw]

Next you need to create an Azure remote network, so click the +.

[Screenshot: createRemoteGw3]

Then click Save, move to the Connections tab and create a new connection.

[Screenshot: createRemoteGw4]

Once everything is configured, make sure you enable the connection.

[Screenshot: createRemoteGw5]

Now, with any luck, you should be connected. It may take a minute for it to decide to connect.

[Screenshot: checkWorks]

Now create a virtual machine on Azure and connect it to your virtual network. Once it is created and connected you should be able to ping an IP on your local network (make sure the firewall allows ping on both the Azure server and the local servers so you can ping both ways).

To be able to use dynamic IPs I found a great blog, which I will link here:

http://www.vnext.be/2013/12/01/windows-azure-s2s-vpn-with-dynamic-public-ip/

It contains the following script.

I created a task inside Windows and made it run the script every 5 minutes.
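The job that scheduled task has to do is small: find out the current public IP, compare it with the VPNGatewayAddress Azure holds for the local network site, and only push a new network configuration when it has actually moved. The Python below is an added example written for this post; it is not the script from the linked blog and not Azure or Sophos code. It assumes the NetworkConfiguration XML layout that the classic portal exports (the trimmed sample export and the site name "HomeOffice" are constructed), and it deliberately stops at producing the new XML: in the real task the XML comes from the classic Azure PowerShell cmdlet Get-AzureVNetConfig, the observed IP from a lookup service such as the one mentioned above, and a changed result goes back with Set-AzureVNetConfig.

```python
"""Keep a classic Azure local network site's VPNGatewayAddress in step with a
dynamic on-premise public IP (added example; not the script from the post's
linked blog). Assumes the NetworkConfiguration XML layout exported by the classic
portal; the sample export and the site name "HomeOffice" are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration"
ET.register_namespace("", NS)  # serialise with the default namespace, not an ns0: prefix

# Constructed sample export, trimmed to the elements this script touches.
SAMPLE_CONFIG = f"""<NetworkConfiguration xmlns="{NS}">
  <VirtualNetworkConfiguration>
    <LocalNetworkSites>
      <LocalNetworkSite name="HomeOffice">
        <AddressSpace>
          <AddressPrefix>192.168.1.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>203.0.113.10</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>"""

# Ranges an IP lookup service can hand back that can never terminate the tunnel
# (RFC 1918, carrier-grade NAT, loopback, link-local). Pushing one of these into
# Azure would replace a working endpoint with garbage, so the script refuses.
NOT_USABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def validate_public_ip(text):
    """Return the normalised IPv4 address string or raise ValueError."""
    addr = ipaddress.IPv4Address(text.strip())
    if any(addr in net for net in NOT_USABLE):
        raise ValueError(f"{addr} is not a usable public address")
    return str(addr)


def is_usable_public_ip(text):
    try:
        validate_public_ip(text)
        return True
    except ValueError:  # also covers malformed input (AddressValueError)
        return False


def _gateway_element(root, site_name):
    for site in root.iter(f"{{{NS}}}LocalNetworkSite"):
        if site.get("name") == site_name:
            el = site.find(f"{{{NS}}}VPNGatewayAddress")
            if el is None:
                raise KeyError(f"site {site_name!r} has no VPNGatewayAddress")
            return el
    raise KeyError(f"local network site {site_name!r} not found")


def current_gateway_address(config_xml, site_name):
    return (_gateway_element(ET.fromstring(config_xml), site_name).text or "").strip()


def update_gateway_address(config_xml, site_name, observed_ip):
    """Return (changed, config_xml).

    When the stored address already matches, the original text is returned
    unchanged so the caller can skip the upload; the gateway re-establishes the
    tunnel after a local network site change, so only upload when the IP moved."""
    new_ip = validate_public_ip(observed_ip)
    root = ET.fromstring(config_xml)
    el = _gateway_element(root, site_name)
    if (el.text or "").strip() == new_ip:
        return False, config_xml
    el.text = new_ip
    return True, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # In the scheduled task: XML from Get-AzureVNetConfig, observed IP from a
    # lookup service, and a changed result pushed back with Set-AzureVNetConfig.
    changed, new_config = update_gateway_address(SAMPLE_CONFIG, "HomeOffice", "198.51.100.7")
    print("upload needed" if changed else "no change")
    if changed:
        print(new_config)
```

Two details matter for a task that runs every 5 minutes: the comparison step keeps the tunnel from being reconfigured on every run, and the refusal to accept private or carrier-grade NAT addresses stops a flaky lookup from replacing a valid endpoint (if the lookup service really does return a 100.64.0.0/10 address, the ISP is doing CGNAT and a site-to-site tunnel on that line needs a different plan anyway).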

Hope this helps some people.