Sophos UTM Site-to-Site VPN Azure

Just another Home Network


I decided that I wanted to experiment with a Site-to-Site connection to Azure so I could play around with a remote office setup (having a domain controller on Azure joined to my domain). In this post I will explain all the steps to make this happen.

The first step is to create a Virtual Network on Azure. To do this, log in to your Azure control panel and click New -> Network Services -> Virtual Network -> Custom Create.


This brings up the creation wizard, where you need to enter a name for your virtual network and a location.


Once that is done, move on to the next step, where you need to select Configure a site-to-site VPN. If you already have a local network created, select “Specify a new local network”. I left the DNS settings until after everything was created, but feel free to add your on-premises DNS servers here, then move on to the next step.



Now you need to create a new local network (your on-premises network). Mine is so I created that, and then you need to set your on-premises external IP address. If you don't know it, you can find it by going to (I will show you later how to change the IP if you have a dynamic IP like I do).



Next you need to create an address space for your Azure virtual network. I left mine as the default. You need to click Add gateway subnet, because Azure creates two gateways for redundancy.



Once you click Finish, the wizard will create your virtual network. Once it is created, click on it. We now need to create a static routing gateway (this is important, as at the time of writing Sophos UTM does not support dynamic routing site-to-site with Azure).


This can take 15 minutes or longer; while waiting for that we will get Sophos UTM ready. Log in to your Sophos UTM web control panel and go to Site-to-Site VPN -> IPsec, then click Policies and clone the AES-128 policy. I called mine Azure, then changed the policy to look like the following. (It must look like the following or you won't be able to connect correctly.)



To carry on you need to wait for Azure to finish configuring the gateway, because you need its IP and key. Once it is created, click on the Remote Gateway tab in Sophos UTM and create a new one.


Enter the “Gateway IP Address” in a new network definition. Then click Manage Keys and copy the “shared key” into the Key and Repeat Key fields.


Next you need to create an Azure remote network, so click the +.


Then click Save, move to the Connections tab and create a new connection.


Once everything is configured, make sure you enable the connection.


Now with any luck you should be connected. It may take a minute for it to decide to connect.


Now create a virtual machine on Azure and connect it to your virtual network. Once it is created and connected you should be able to ping an IP on your local network (make sure the firewall allows ping on both the Azure server and the local servers so you can ping both ways).

To be able to use dynamic IPs I found a great blog, which I'll link here

which contains the following script

I created a scheduled task in Windows that runs the script every 5 minutes.
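For readers who want to see what such a refresh task can look like, here is an added PowerShell example. It is not the script from the blog linked above (which is not reproduced on this page) and not Sophos or Azure code; it uses the current Az.Network module rather than the classic Azure cmdlets of the time, and the resource group, gateway name, location and on-premises address prefix are placeholders you must replace with your own values.

```powershell
# Added example: keep the Azure "local network" gateway IP in sync with a
# dynamic on-premises public IP. Assumes the Az.Network module is installed
# and the session is already authenticated (Connect-AzAccount), ideally with
# a service principal limited to this resource group.

$ResourceGroup = 'rg-homelab'          # placeholder: resource group of the local network gateway
$GatewayName   = 'lng-home'            # placeholder: the local network created in the wizard
$Location      = 'westeurope'          # placeholder: region of the virtual network
$OnPremPrefix  = @('192.168.10.0/24')  # placeholder: your on-premises address space

# Ask a public "what is my IP" service; ipify returns the bare address as text.
$CurrentIp = (Invoke-RestMethod -Uri 'https://api.ipify.org' -TimeoutSec 15).Trim()
if ($CurrentIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
    throw "Unexpected response when looking up the public IP: '$CurrentIp'"
}

# Compare against what Azure currently has, so nothing is rewritten when the
# IP has not moved (each run of a 5-minute task stays a read-only call).
$Lng = Get-AzLocalNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
if ($Lng.GatewayIpAddress -eq $CurrentIp) {
    Write-Output "$(Get-Date -Format o) no change ($CurrentIp)"
    return
}

Write-Output "$(Get-Date -Format o) IP changed $($Lng.GatewayIpAddress) -> $CurrentIp, updating gateway"

# Re-running New-AzLocalNetworkGateway with the same name replaces the
# gateway's properties; this is the documented way to change its IP.
New-AzLocalNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup `
    -Location $Location -GatewayIpAddress $CurrentIp -AddressPrefix $OnPremPrefix -Force | Out-Null
```

Run it from the scheduled task under a dedicated account, and give the Azure identity it signs in with only the network permissions on that one resource group; the task then has nothing to leak beyond the ability to update this gateway. Note that the tunnel will still drop for a minute or two when the address changes, since the UTM end has to re-establish the connection from the new IP.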

Hope this guide helps some people.

