Create a Site-to-Site VPN between ProfitBricks and Azure with Sophos UTM

REQUIRED TO PROCEED:

• A working installation of SOPHOS UTM on ProfitBricks. A sample configuration can be found in our DevOps site: Install and Configure Sophos UTM.
• An active Azure subscription to deploy a new VNET and VPN Gateway.

INSTRUCTIONS:

1. Below is a snapshot of the ProfitBricks environment. It is comprised of a SOPHOS UTM Firewall/VPN virtual machine and a freshly installed Window Server 2012 R2 which will be used for testing connectivity once the tunnel is established.

   

2. Make a note of your ProfitBricks server IP addresses. My environment is configured as follows:

   • FW_SOPHOS Public IP: 162.254.26.249
   • FW_SOPHOS Internal IP: 192.168.0.5
   • MGMT_SRV Internal IP: 192.168.0.10
.

3. Sign in to the Azure portal and let’s create an Azure Local Network. This term is a reference to the “on-premises” side and will be used to create the routing rules to the ProfitBricks IPv4 address space.

4. In the lower left corner of the Azure management portal, click the “+ NEW” button --> Network Services --> Virtual Network --> Add Local Network

   

5. The ADD A LOCAL NETWORK wizard will pop-up. Enter a name for your local network in Azure and the Internet facing IP of the SOPHOS server. Click the Next arrow.

   

6. The next step is to enter the address space for the ProfitBricks internal network. In this example, this is a 192.168.0.1/24 address space as shown below:

   

7. This will create the “Local Network” in Azure. You can see the newly created network under Networks --> Local Networks

   

8. The next step is to create a Virtual Network to be used within the Azure infrastructure. This VNET will combine the local network created in the previous steps.

   NOTE: A VNET could also include DNS server entries. However; this step will be skipped for the purposes of this tutorial as testing will be done purely via IP addresses.

9. In the lower left corner of the Azure management portal, click the “+ NEW” button --> Network Services --> Virtual Network --> Custom Create

   

10. The CREATE A VIRTUAL NETWORK wizard will pop-up. Enter a name for your virtual network and select a location according to your Data Center region. Click the Next arrow.

    

11. Click the “Configure a site-to-site VPN” and select the Local Network created in the previous steps.

    

12. The next step is to enter the address space for the Azure virtual network. In this example, this is a 10.10.0.0/24 address space. Add a Subnet and a Gateway as shown below:

    • Subnet-1 is where VMs created in Azure will live and obtain DHCP addresses (and DNS if configured).
    • Gateway subnet will be used later when a gateway is created.

    

13. This will create the “Virtual Network” in Azure. You can see the newly created network under Networks --> Virtual Networks.

    

14. Click on the “Azure_To_PB_SOPHOS_VNET” virtual network to display the Dashboard. Once the dashboard is displayed, click the CREATE GATEWAY button and select Static Routing.

    

15. At this point, Azure will create the gateway (~10-15 minutes) and setup the static routes so it can find the path to the on-premise (ProfitBricks) network as defined in the “Local Network”.

    

16. Once the Gateway is created, it will show disconnected and display the IP Address of the Gateway device.

    

17. The next step is to configure the Sophos UTM VPN deployed at ProfitBricks. Go to Site-to-Site VPN --> IPsec --> Remote Gateway --> New Remote Gateway

    

18. Click the “+” next to Gateway to add a new Network definition.

    

19. Enter the Azure Gateway IP Address and click Save.

    

20. Go to the Azure management portal under Networks --> Virtual Networks --> Azure_To_PB_SOPHOS_VNET. Click on the Manage Key button to obtain the Shared Key.

    

21. Back in the SOPHOS Add Remote Gateway screen, set the Authentication type to “Preshared key” and enter the Pre-Shared Key.

    

22. The next step is to configure the Remote Network. Click the “+” sign to enter the details for the Azure_To_PB_SOPHOS_VNET Subnet as shown below:

    

23. Click Save to add the Remote Gateway.

    

24. The next step is to create a new IPsec Policy. Go to Site-to-site VPN --> IPsec --> Policies --> New IPsec Policy.

    

25. Configure the IPsec policy as shown below and click Save.

    

26. The next step is to create a new IPsec connection. Go to Site-to-site VPN --> IPsec --> Connections --> New IPsec Connection. Enter the details as shown below:

    

27. Go to the Azure management portal under Networks --> Virtual Networks --> Azure_To_PB_SOPHOS_VNET. Click the Connect button initiate the connection.

28. After a short while (may need to refresh the page), the tunnel will show connected as pictured below:

    

29. At this point, you can deploy a VM in Azure to test connectivity across the tunnel. Make sure to select the “Azure_To_PB_SOPHOS_VNET” under the Region/Affinity Group/Virtual Network.

    

30. As a final note, make sure the server firewalls are configured properly for whatever tests you decide to run (RDP, File Transfer, etc.).