This tutorial shows how to set up a site-to-site VPN between an Azure virtual network and an on-premises data center using the Azure CLI.

VnetName = MyVNet
ResourceGroup = MyRG
Location = Australia East
AddressSpace = 10.11.0.0/16
SubnetName = DefaultSubnet
Subnet = 10.11.0.0/24
GatewaySubnet = 10.11.255.0/27
LocalNetworkGatewayName = RemoteVPNSite
LNG Public IP =
LocalAddrPrefix = 192.168.1.0/24
GatewayName = MyVNetGW
PublicIP = MyVNetGWIP
VPNType = RouteBased
GatewayType = Vpn
ConnectionName = MyVNettoRemoteSite

1. Create a resource group

az group create --name MyRG --location australiaeast

2. Create a virtual network

az network vnet create --name MyVNet --resource-group MyRG --address-prefix 10.11.0.0/16 --location australiaeast --subnet-name Subnet1 --subnet-prefix 10.11.0.0/24

3. Create the gateway subnet

az network vnet subnet create --address-prefix 10.11.255.0/27 --name GatewaySubnet --resource-group MyRG --vnet-name MyVNet

4. Create the local network gateway

az network local-gateway create --gateway-ip-address 110.145.123.123 --name RemoteVPNSite --resource-group MyRG --local-address-prefixes 192.168.1.0/24

5. Request a Public IP address

az network public-ip create --name MyVNetGWIP --resource-group MyRG --allocation-method Dynamic

6. Create the VPN gateway

az network vnet-gateway create --name MyVNetGW --public-ip-address MyVNetGWIP --resource-group MyRG --vnet MyVNet --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait

The list of IPsec/IKE parameters supported by Azure is at https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto. To set a custom policy on the connection (run this after step 7, because the connection must already exist), you can try:

az network vpn-connection ipsec-policy add --connection-name MyVNettoRemoteSite --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA256 --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group None --resource-group MyRG --sa-lifetime 3600 --sa-max-size 102400000

7. Create the VPN connection

az network vpn-connection create --name MyVNettoRemoteSite --resource-group MyRG --vnet-gateway1 MyVNetGW -l australiaeast --shared-key abc123 --local-gateway2 RemoteVPNSite
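An added example, not the tutorial's own script: a small bash wrapper around step 7 and the optional IPsec policy command. It generates a random pre-shared key instead of a guessable one like abc123, reads it from an environment variable rather than having you type it into the command, checks the SA lifetime and size against Azure's documented minimums (300 seconds, 1024 KB) before applying the policy, and only applies the policy once the connection exists. Resource names are the tutorial's; the function names and the VPN_PSK variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the tutorial's own script. Wraps step 7 and the optional
# IPsec policy so that (a) the pre-shared key is random rather than "abc123"
# and is not typed on the command line, and (b) the SA lifetime and size are
# checked against Azure's documented minimums before the policy is applied.
# Resource names are the tutorial's; function names and VPN_PSK are assumptions.
set -eu

RG=MyRG
GW=MyVNetGW
LNG=RemoteVPNSite
CONN=MyVNettoRemoteSite

# 32 random bytes, base64 encoded (44 characters), suitable as an IKE PSK.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Azure accepts an SA lifetime of at least 300 seconds and an SA data size of
# at least 1024 KB; anything lower is rejected when the policy is added.
validate_policy() {
    lifetime=$1
    size_kb=$2
    [ "$lifetime" -ge 300 ] || { echo "SA lifetime $lifetime s is below 300 s" >&2; return 1; }
    [ "$size_kb" -ge 1024 ] || { echo "SA size $size_kb KB is below 1024 KB" >&2; return 1; }
    return 0
}

# Step 7 with the key taken from the VPN_PSK environment variable.
create_connection() {
    : "${VPN_PSK:?export VPN_PSK=\$(gen_psk) first}"
    az network vpn-connection create --name "$CONN" --resource-group "$RG" \
        --vnet-gateway1 "$GW" --local-gateway2 "$LNG" -l australiaeast \
        --shared-key "$VPN_PSK"
}

# The custom policy from the tutorial; it needs the connection to exist already.
apply_policy() {
    validate_policy 3600 102400000
    az network vpn-connection ipsec-policy add --connection-name "$CONN" \
        --resource-group "$RG" --dh-group DHGroup14 --ike-encryption AES256 \
        --ike-integrity SHA256 --ipsec-encryption AES256 --ipsec-integrity SHA256 \
        --pfs-group None --sa-lifetime 3600 --sa-max-size 102400000
}

case "${1:-}" in
    create) create_connection ;;
    policy) apply_policy ;;
esac
```

Run `export VPN_PSK=$(gen_psk)` (and configure the same key on the Sophos side), then `./s2s.sh create` followed by `./s2s.sh policy`.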

I had issues peering with a Sophos XG Firewall on firmware version SFOS 16.05.8 MR-8, but SFOS_17.0.2_MR-2.SF300-116 fixed the issue.

fakrul@Azure:~$ az network vpn-connection show --resource-group MyResourceGroup --name MyVirtualNetworkConnection --output table
ConnectionStatus ConnectionType EgressBytesTransferred IngressBytesTransferred Location Name ProvisioningState ResourceGroup ResourceGuid SharedKey
------------------ ---------------- ------------------------ ------------------------- ------------- -------------------------- ------------------- --------------- ------------------------------------ -----------
Connected IPsec 17247 6340 australiaeast MyVirtualNetworkConnection Succeeded MyResourceGroup 80f504f6-ed42-400c-a69c-1a270a7fefba abc123
fakrul@Azure:~$ az network vpn-connection list --resource-group MyResourceGroup --output table
ConnectionType Location Name ProvisioningState ResourceGroup ResourceGuid RoutingWeight
---------------- ------------- -------------------------- ------------------- --------------- ------------------------------------ ---------------
IPsec australiaeast MyVirtualNetworkConnection Succeeded MyResourceGroup 80f504f6-ed42-400c-a69c-1a270a7fefba
IPsec australiaeast MyVNettoRemoteSite Succeeded MyResourceGroup 698a2b4d-ca71-4834-a576-8cb7ae077b2c 10

Sophos profile: [screenshot of the Sophos IPsec profile; image not included]