Sophos UTM Site-to-Site VPN Azure
I decided that i wanted to mess around with a Site-to-Site connection to Azure so i could play around with a remote office setup (Having a Domain controller on Azure linked to my domain) In this post i will be explaining all the steps to make this happen.
First step is to create a Virtual Network on Azure, to do this Login to your Azure control panel and Click New -> Network Services -> Virtual Network -> Custom Create
This will bring up the Creation Wizard which you will need to enter a name for your virtual network and a location.
Once done that move on to the next step which you will need to select Configure a site-to-site VPN. If you already have a local network created select “Specifiy a new local network” I left the DNS settings till after everything is created but feel free to add your on premise DNS servers here then move on to next step.
Now you need to create a new local network (your on premise network) myn is 192.168.1.1/24 so i created that and then you need to set your on premise external IP address. You can fetch this if you dont know it by going to http://www.whatsmyip.net (I will be showing you all later how to change the IP if you have a dynamic IP like i do).
Next you need to create a address space for your Azure virtual network. I left myn as default, you need to click add gateway subnet because azure creates two gateways for redundancy.
Once you click finish the wizard will create your virtual network. Next click on your virtual network once its created. We now need to create a static routing gateway (This is important as Sophos UTM doesnt at the time of writing this support Dynamic Routing Site-to-Site with azure.
This can take 15 minutes or longer while waiting for that we will configure Sophos UTM ready. So login to your Sophos UTM web control panel and go to Site-to-Site VPN -> IPSec and then click Policies then clone the AES-128 Policy. I called my one Azure, then changed the policy to look like the following. (Must look like below or you wont be able to connect correctly)
To carry on you need to wait for Azure to finish configuring the gateway because you need the IP and Key. Once created click on Remote Gateway tab in Sophos UTM and create a new one.
With the “Gateway IP Address” you need to enter that in a new network definition. Then you need to click Manage Keys and copy the “shared key” in to the Key and Repeat key section
Next you need to create an azure remote network so click the +
Then click Save and move to the Connections tab and create a new connection
Once everything is configured make sure you enable the connection
Now with any luck you should be all connected. It may take a minute for it to decide to connect
Now create a Virtual machine on Azure and connect it to your virtual network. Once all created and connected you should now be able to ping an ip on your local network (Make sure firewall allow ping on both the Azure server and local servers to be able to ping both ways.
To be able to use dynamic ip’s i found a great blog which ill link here
http://www.vnext.be/2013/12/01/windows-azure-s2s-vpn-with-dynamic-public-ip/
Which contains the following script
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 |
#Perform Prerequisite Setup Steps First #Download latest Windows Azure PowerShell Module: Import-Module "C:\Program Files (x86)\Microsoft SDKs\Windows Azure\PowerShell\Azure\Azure.psd1" #Execute: Get-AzurePublishSettingsFile; Save .publishsettings file locally #Get-AzurePublishSettingsFile #Variables $Path = "C:\Scripts" $DynDNS = "syno.vnext.be" $AzureSubscriptionName = "Windows Azure MSDN - Visual Studio Ultimate" $AzurePublishSettingsFile = "$Path\Windows Azure MSDN - Visual Studio Ultimate-11-19-2013-credentials.publishsettings" #Execute: Import-AzurePublishSettingsFile; reference local .publishsettings file Import-AzurePublishSettingsFile -PublishSettingsFile $AzurePublishSettingsFile Set-AzureSubscription -SubscriptionName $AzureSubscriptionName Select-AzureSubscription -SubscriptionName $AzureSubscriptionName #Get IP based on the Domain Name [string]$IP = ([System.Net.DNS]::GetHostAddresses($DynDNS)).IPAddressToString #Get AzureVnetConfiguration Get-AzureVnetConfig -ExportToFile "$Path\AzurevNetConfigCurrent.xml" | Out-Null [XML]$xml = Get-Content "$Path\AzurevNetConfigCurrent.xml" [string]$AzureIP = $xml.NetworkConfiguration.VirtualNetworkConfiguration.LocalNetworkSites.LocalNetworkSite.VPNGatewayAddress #Check if the IPs are still the same if($IP -ne $AzureIP) { #IP Changed, we need to update Write-host "IP Update In Progress..." #Update the configuration file $xml.NetworkConfiguration.VirtualNetworkConfiguration.LocalNetworkSites.LocalNetworkSite.VPNGatewayAddress = $IP $xml.Save("$Path\AzurevNetConfigNew.xml") #Upload the configuration file to Azure $Ret = Set-AzureVNetConfig -ConfigurationPath "$Path\AzurevNetConfigNew.xml" if($Ret.OperationStatus -eq "Succeeded") { Write-host "IP Updated Successfully" } else { Write-host "IP Update Failed" } # Dial-in to Azure gateway (optional and only if this script is running on the RRAS server) #Connect-VpnS2SInterface -Name xxx.xxx.xxx.xxx } else { #IP didn't change, nothing to do Write-host "IP Already Up To Date" } |
I created a task inside windows and make it run the script every 5 minutes.
Hope this guys helps some people