
Create a Site-to-Site VPN between ProfitBricks and Azure with Sophos UTM

REQUIRED TO PROCEED:

  • A working installation of SOPHOS UTM on ProfitBricks. A sample configuration can be found on our DevOps site: Install and Configure Sophos UTM.
  • An active Azure subscription to deploy a new VNET and VPN Gateway.

INSTRUCTIONS:

  1. Below is a snapshot of the ProfitBricks environment. It is comprised of a SOPHOS UTM Firewall/VPN virtual machine and a freshly installed Windows Server 2012 R2 which will be used for testing connectivity once the tunnel is established.

    DCD Screenshot

  2. Make a note of your ProfitBricks server IP addresses. My environment is configured as follows:

    • FW_SOPHOS Public IP: 162.254.26.249
    • FW_SOPHOS Internal IP: 192.168.0.5
    • MGMT_SRV Internal IP: 192.168.0.10
  4. Sign in to the Azure portal and create an Azure Local Network. This term refers to the “on-premises” side and will be used to create the routing rules to the ProfitBricks IPv4 address space.

  5. In the lower left corner of the Azure management portal, click the “+ NEW” button --> Network Services --> Virtual Network --> Add Local Network

    Azure Add Local Network

  6. The ADD A LOCAL NETWORK wizard will pop up. Enter a name for your local network in Azure and the Internet-facing IP of the SOPHOS server. Click the Next arrow.

    Add Local Network - Step 1

  7. The next step is to enter the address space for the ProfitBricks internal network. In this example, this is a 192.168.0.1/24 address space as shown below:

    Add Local Network - Step 2

  8. This will create the “Local Network” in Azure. You can see the newly created network under Networks --> Local Networks

    Azure Local Network Created

  9. The next step is to create a Virtual Network to be used within the Azure infrastructure. This VNET will be linked to the local network created in the previous steps.

    NOTE: A VNET could also include DNS server entries. However, this step will be skipped for the purposes of this tutorial as testing will be done purely via IP addresses.

  10. In the lower left corner of the Azure management portal, click the “+ NEW” button --> Network Services --> Virtual Network --> Custom Create

    Azure Custom Network

  11. The CREATE A VIRTUAL NETWORK wizard will pop up. Enter a name for your virtual network and select a location according to your Data Center region. Click the Next arrow.

    Virtual Network - Step 1

  12. Click the “Configure a site-to-site VPN” and select the Local Network created in the previous steps.

    Virtual Network - Step 2

  13. The next step is to enter the address space for the Azure virtual network. In this example, this is a 10.10.0.0/24 address space. Add a Subnet and a Gateway as shown below:

    • Subnet-1 is where VMs created in Azure will live and obtain DHCP addresses (and DNS if configured).
    • Gateway subnet will be used later when a gateway is created.

    Virtual Network - Step 3
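Steps 2, 7 and 13 between them fix the whole address plan for the tunnel, and a policy-based (static routing) tunnel only works if the two sides' address spaces are disjoint, every Azure subnet sits inside the VNET space, and each peer's public address is actually routable. The following script is an added example for this tutorial, not Sophos or Azure code; it checks those properties offline before anything is clicked through the portals. The public IP and the two address spaces are the ones the tutorial uses; the Subnet-1 and Gateway subnet ranges are assumptions, since the page only shows them in a screenshot.

```python
"""Sanity-check a site-to-site address plan before building the tunnel.

Added example for this tutorial (not Sophos or Azure code).  CIDRs marked
'assumption' are not given on the page and were chosen to fit 10.10.0.0/24.
"""
import ipaddress

# Values as the tutorial enters them (subnet ranges are assumptions)
PLAN = {
    "onprem_public_ip": "162.254.26.249",   # FW_SOPHOS public IP (step 2)
    "onprem_space": "192.168.0.1/24",       # Local Network, typed as in step 7
    "azure_space": "10.10.0.0/24",          # Virtual Network space (step 13)
    "azure_subnets": {
        "Subnet-1": "10.10.0.0/25",         # assumption
        "GatewaySubnet": "10.10.0.128/25",  # assumption
    },
}


def normalize(cidr):
    """Return the network for a CIDR even if host bits are set,
    e.g. 192.168.0.1/24 -> 192.168.0.0/24 (what the portal will store)."""
    return ipaddress.ip_network(cidr, strict=False)


def check_plan(plan):
    """Return a list of (level, message) findings; 'error' means the tunnel
    cannot route traffic as planned, 'warn' means the input will be rewritten."""
    findings = []

    def error(msg):
        findings.append(("error", msg))

    def warn(msg):
        findings.append(("warn", msg))

    # 1. CIDRs with host bits set: the portal silently stores the network
    for label in ("onprem_space", "azure_space"):
        net = normalize(plan[label])
        if str(net) != plan[label]:
            warn(f"{label} {plan[label]} has host bits set; network is {net}")

    onprem = normalize(plan["onprem_space"])
    azure = normalize(plan["azure_space"])

    # 2. The two ends of a policy-based tunnel must not overlap, or traffic
    #    for the remote side is delivered locally and never enters the tunnel
    if onprem.overlaps(azure):
        error(f"on-premises space {onprem} overlaps Azure space {azure}")

    # 3. Every Azure subnet must live inside the VNET space and be disjoint
    subnets = {name: normalize(c) for name, c in plan["azure_subnets"].items()}
    names = list(subnets)
    for name, net in subnets.items():
        if not net.subnet_of(azure):
            error(f"subnet {name} {net} is outside Azure space {azure}")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                error(f"subnets {a} and {b} overlap")
    if not any(n.lower().startswith("gateway") for n in names):
        error("no gateway subnet defined; Azure has nowhere to place the VPN gateway")

    # 4. The IPsec peer must be reachable from the Internet: a private or
    #    otherwise non-routable address here means IKE never completes
    ip = ipaddress.ip_address(plan["onprem_public_ip"])
    if not ip.is_global:
        error(f"gateway address {ip} is not globally routable")

    return findings


def errors(plan):
    """Only the findings that block the tunnel."""
    return [msg for level, msg in check_plan(plan) if level == "error"]


if __name__ == "__main__":
    for level, msg in check_plan(PLAN):
        print(f"[{level}] {msg}")
```

Run against the tutorial's values it reports a single warning, for the 192.168.0.1/24 entry, and no errors; swapping the VNET to 192.168.0.0/24 or entering the SOPHOS internal address 192.168.0.5 as the gateway IP each produces one error.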

  14. This will create the “Virtual Network” in Azure. You can see the newly created network under Networks --> Virtual Networks.

    Azure Virtual Network Created

  15. Click on the “Azure_To_PB_SOPHOS_VNET” virtual network to display the Dashboard. Once the dashboard is displayed, click the CREATE GATEWAY button and select Static Routing.

    Azure VNET Dashboard

  16. At this point, Azure will create the gateway (~10-15 minutes) and set up the static routes so it can find the path to the on-premises (ProfitBricks) network as defined in the “Local Network”.

    Azure VNET Creating Gateway

  17. Once the Gateway is created, it will show disconnected and display the IP Address of the Gateway device.

    Azure VNET Gateway Created

  18. The next step is to configure the Sophos UTM VPN deployed at ProfitBricks. Go to Site-to-Site VPN --> IPsec --> Remote Gateway --> New Remote Gateway

    SOPHOS New Remote Gateway

  19. Click the “+” next to Gateway to add a new Network definition.

    SOPHOS New Gateway Definition

  20. Enter the Azure Gateway IP Address and click Save.

    SOPHOS Add Network Definition

  21. Go to the Azure management portal under Networks --> Virtual Networks --> Azure_To_PB_SOPHOS_VNET. Click on the Manage Key button to obtain the Shared Key.

    Azure Manage Key

  22. Back in the SOPHOS Add Remote Gateway screen, set the Authentication type to “Preshared key” and enter the Pre-Shared Key.

    SOPHOS Preshared Key

  23. The next step is to configure the Remote Network. Click the “+” sign to enter the details for the Azure_To_PB_SOPHOS_VNET Subnet as shown below:

    SOPHOS Edit Network Definition

  24. Click Save to add the Remote Gateway.

    SOPHOS Save New Remote Gateway

  25. The next step is to create a new IPsec Policy. Go to Site-to-site VPN --> IPsec --> Policies --> New IPsec Policy.

    SOPHOS New IPSec Policy

  26. Configure the IPsec policy as shown below and click Save.

    SOPHOS Configure IPSec Policy

  27. The next step is to create a new IPsec connection. Go to Site-to-site VPN --> IPsec --> Connections --> New IPsec Connection. Enter the details as shown below:

    SOPHOS Add IPSec Connection

  28. Go to the Azure management portal under Networks --> Virtual Networks --> Azure_To_PB_SOPHOS_VNET. Click the Connect button to initiate the connection.

  29. After a short while (may need to refresh the page), the tunnel will show connected as pictured below:

    Azure VPN tunnel established

  30. At this point, you can deploy a VM in Azure to test connectivity across the tunnel. Make sure to select the “Azure_To_PB_SOPHOS_VNET” under the Region/Affinity Group/Virtual Network.

    Azure New VM

  31. As a final note, make sure the server firewalls are configured properly for whatever tests you decide to run (RDP, File Transfer, etc.).

 
  • Would Sophos be able to create a VPN which would let me avoid the "Great Firewall" on my visit to China later this year? I am currently using 3 VPN services, depending on the location where I am (Freelancer, Digital Nomad), and I am happiest with IPVanish VPN at the moment, but as much as I can see, China is not tolerating VPNs any longer, and Tor has not been an option for a long time now :S

    Any idea what I might do to make it work?

  • I don't think Sophos was intended to be used as a "vpn proxy service" such as the 3 you mentioned, or at least it's not something I'm familiar with to accomplish what you're looking for.

  • Was worth a try, someone might know what to do... From what I've read, while being in the big cities I should have no problem using any VPN, since they are tolerating those because of foreign companies. We will see. Thank you for the answer though.
