This solution is viable as of April of 2017.


In this solution, I'm going to walk you through setting up a site-to-site VPN with Microsoft Azure (in 100 easy steps)

With Microsoft changing Azure on a regular basis, please be aware that some items may no longer work or be available or appear different.


Please note:  This document is based off of the work of many people.  I'd like to thank David Okeyode for his YouTube video on this subject using Sophos XG firewalls.  You can find that here.


Our final solution will look like this:


At the end of our setup, we will be able to RDP into our server at 10.0.0.4 from our local PC at 192.168.1.225.


Please note:  For this example I'll be using a virtual machine at 192.168.1.225 and I will create a Windows Server 2012R2 server at 10.0.0.4.


What we need to do this:

  • Sophos UTM appliance or software installation, version 9.2+
  • Microsoft Azure account (in good standing or pay-as-you-go)
  • Internet connection for our UTM appliance
  • Windows or Linux PC with a virtual host running at 192.168.1.225


  1. Log into Microsoft Azure and open the "new portal"
  2. Click on the "Search resources" box (at the top on the right hand side) and type "virtual networks".  You should see one option show up (see image below); click on it.
  3. You will see the Virtual networks management page show up.  Click on the "+ Add" at the top to add a virtual network.

  4. You will be prompted with the "Create virtual network" setup box (see image below).

  5. For #1 (above), Name, we are going to enter "AzureTestVirtualNetwork", you can name this anything you want, just keep track of it for use later in this example.

  6. For #2 (above), Address space, we are going to edit this to read "10.0.0.0/16"

  7. For #3 (above), Subnet name, we will leave this as "default".  Once again, you can name this anything you want, you just need to keep track of it.

  8. For #4 (above), Subnet address range, we will leave this as "10.0.0.0/24".  This is a subnet of 10.0.0.0/16 and will aid in our example.

  9. For #5 (above), Resource group, we will create a new resource group for this example.  You can make a new one, add this to an existing one or do just about whatever you like here.  It just needs to be accounted for.

  10. When done, our virtual network will look like this (see image below).

  11. Click "Create" to create the virtual network.

  12. If we refresh our Virtual networks page, you will see your new network displayed (see image below).

  13. We will now create a virtual machine within our new virtual network.  Go back to the "Search resources" box and type "virtual machines".  You should see one option show up (see image below) click on it.

  14. Click on the "+ Add" option at the top to create a new virtual machine.  For this example, I'm going to create a Windows Server 2012R2 system.  You can create any type of system you want depending on your needs.  However, for this example, we need a server VM for testing.  You will see many machine types show up to create (see image below).  Click on "Windows Server".

  15. We will see a "pop out", on the right, that will show the options available for the OS (see image below).  Pick "Windows Server 2012 R2 Datacenter".  You will then see another "pop out" on the right with information about it.  Click on the "Create" button at the bottom to start the creation of the VM.

  16. The "Create virtual machine" window will appear (see image below).

  17. For #1 (above), Name, enter something you want to call the VM.  In this example we will use "AzureTestVM-1".

  18. For #2 (above), VM disk type, select HDD.  This server is for testing and does not need anything fast for that.

  19. For #3 (above), User name, enter something that you can remember for the local admin name.  In this example we will use "localadmin".

  20. For #4 and #5 (above), password, enter a password you can remember and fulfills the security requirements.

  21. For #6, Resource group, pick the same group you made when you created the virtual network.  In this example we will use "AzureTestRG".

  22. When done, our 1st page, Basics, will look like this (see image below).

  23. Click "OK" to move to step 2.

  24. For this example I'm picking the cheapest VM I can (see image below).  Once selected, click the "Select" button.
    Note: I am only doing this because it is for testing.  In your environment, you may need to pick something else.


  25. After selecting the size, you will be prompted about the "Settings" for the VM (see image below).

  26. For #1 (above), Storage account, we are going to leave the default.  You can rename this if you like.

  27. For #2 (above), Virtual network, we are going to make sure it is the virtual network we setup in steps 4 through 9, above.

  28. For #3 (above), Subnet, we need to pick our subnet we created within our virtual network.  This should be the subnet default or 10.0.0.0/24.

  29. For #4 (above), Public IP address, we need to change this to NONE.
    Note:  This is a "gotcha" when doing this.  If this is not done right, we will not get our example to work.

  30. For #5 (above), Network security group, we are going to leave the default.  You can rename this if you like.

  31. When done, our Settings will look like this (see image below).

  32. Click "OK" to review your settings and then "OK" again to create the machine.

  33. We now need to create a "Virtual network gateway" for the "Virtual network" we created.  Go back to "Search resources" and type "virtual network gateways" and click on the option you get (see image below).

  34. Click on the "+ Add" at the top to create a new virtual network gateway.

  35. The "Create virtual network gateway" box will appear (see image below).

  36. For #1 (above), Name, we are going to name it "AzureTestVNG".  You can name it anything you like, just keep track of it.

  37. For #2 (above), Gateway type, we are going to leave the default as VPN.

  38. For #3 (above), VPN type, we will need to change this to "Policy-based" (the SKU field offers only one option at this point, Basic).
    Note:  This is a gotcha again.  If this is not setup correctly, our example will not work.

  39. For #4 (above), Virtual network, pick the network we created in the steps above.  This will also auto-populate the gateway subnet address range.  Leave this at default.

  40. For #5 (above), Public IP address, click on the item and select "New" to create a new public IP address.  We named our address "AzureTestVNGAddr".

  41. For #6 (above), Resource group, just as before, add it to the test resource group.

  42. When done, it will look like this (see image below).

  43. Click "Create" to create the gateway.

  44. At this point, we need to wait.  The creation of the gateway, with a public IP address, could take up to 45 minutes.  My experience has shown that it takes about 30 minutes at least.
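Before moving on to the UTM side, it is worth confirming that the address plan built in steps 4 through 44 is internally consistent: the VM subnet and the gateway subnet must both sit inside the virtual network, they must not overlap each other, and the Azure address space must not overlap the local 192.168.1.0/24 network or the tunnel has no unambiguous route. The script below is an added example (not part of the original walkthrough) that encodes those checks with Python's standard ipaddress module; the only assumed value is the gateway subnet range (10.0.1.0/24), since the page does not show what the portal auto-populated. It also explains why the VM lands on 10.0.0.4: Azure reserves the first four and the last address of every subnet.

```python
import ipaddress

# Address plan used in this walkthrough (values from the steps above).
# The gateway subnet range is not shown on the page; 10.0.1.0/24 is an
# ASSUMPTION standing in for whatever the portal auto-populated.
VNET_ADDRESS_SPACE = "10.0.0.0/16"
VM_SUBNET = "10.0.0.0/24"           # subnet "default"
GATEWAY_SUBNET = "10.0.1.0/24"      # ASSUMPTION
ON_PREM_NETWORK = "192.168.1.0/24"
VM_ADDRESS = "10.0.0.4"
CLIENT_ADDRESS = "192.168.1.225"

# Azure reserves the first four and the last address of every subnet, so
# 10.0.0.4 is the first address a VM in 10.0.0.0/24 can receive.
AZURE_RESERVED_LEADING = 4


def check_address_plan(vnet, vm_subnet, gw_subnet, on_prem, vm_ip, client_ip):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vnet_n = ipaddress.ip_network(vnet, strict=True)
    vm_n = ipaddress.ip_network(vm_subnet, strict=True)
    gw_n = ipaddress.ip_network(gw_subnet, strict=True)
    prem_n = ipaddress.ip_network(on_prem, strict=True)
    vm_a = ipaddress.ip_address(vm_ip)
    client_a = ipaddress.ip_address(client_ip)

    # Every subnet must live inside the virtual network's address space.
    for name, net in (("VM subnet", vm_n), ("GatewaySubnet", gw_n)):
        if not net.subnet_of(vnet_n):
            problems.append(f"{name} {net} is not inside the VNet {vnet_n}")

    # Subnets within the VNet may not overlap each other.
    if vm_n.overlaps(gw_n):
        problems.append(f"VM subnet {vm_n} overlaps GatewaySubnet {gw_n}")

    # The on-premises range must not overlap the VNet, otherwise traffic
    # for those addresses cannot be routed unambiguously through the tunnel.
    if vnet_n.overlaps(prem_n):
        problems.append(f"on-prem {prem_n} overlaps VNet {vnet_n}")

    # Hosts must sit in the ranges the tunnel will carry, and the VM must
    # not use an address Azure reserves for itself.
    if vm_a not in vm_n:
        problems.append(f"VM address {vm_a} is outside {vm_n}")
    elif (int(vm_a) - int(vm_n.network_address) < AZURE_RESERVED_LEADING
          or vm_a == vm_n.broadcast_address):
        problems.append(f"VM address {vm_a} is reserved by Azure in {vm_n}")
    if client_a not in prem_n:
        problems.append(f"client {client_a} is outside {prem_n}")
    return problems


if __name__ == "__main__":
    issues = check_address_plan(VNET_ADDRESS_SPACE, VM_SUBNET, GATEWAY_SUBNET,
                                ON_PREM_NETWORK, VM_ADDRESS, CLIENT_ADDRESS)
    print("address plan OK" if not issues else "\n".join(issues))
```

Running it with the values from this walkthrough reports "address plan OK"; changing the local network to 10.0.0.0/24, a common mistake when the home router happens to use the same range as the VNet, produces the overlap complaint before any time is spent waiting on the gateway.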

  45. Open your UTM appliance in a browser window on your PC (or VM in this case).

  46. Verify that you can get on the internet with your PC and that both links (eth0 & eth1) are up (see image below).


  47. Click on the "Site-to-site VPN" menu item on the left.  Then click on "IPsec" VPN (see image below).

  48. We need to create a policy that is compatible with Microsoft Azure.  For this click on the "Policies" menu item.  We are going to copy an existing policy.  Find the policy "AES-256" and click "Clone" (see image below).

  49. You will be prompted with the "Add IPsec policy" window (see image below).

  50. For #1 (above), Name, rename this policy to "AES-128-Azure".  You can name this anything you want, just keep track of it.

  51. For #2 (above), IKE encryption algorithm, change this to "AES 128".

  52. For #3 (above), IKE authentication algorithm, change this to "SHA1".

  53. For #4 (above), IKE SA lifetime, change this to "28800".

  54. For #5 (above), IKE DH group, change this to "Group 2: MODP 1024".

  55. For #6 (above), IPsec encryption algorithm, change this to "AES 128".

  56. For #7 (above), IPsec authentication algorithm, change this to "SHA1".

  57. For #8 (above), IPsec PFS group, leave this at none.
    Note:  This is a gotcha and will not work correctly if changed.

  58. When done it will look like this (see image below).


  59. Click "Save".

  60. Click on the "Remote Gateways" menu option and then the "New Remote Gateway" button.  You will be prompted with the "Add Remote Gateway" window (see image below).

  61. For #1 (above), Name, type "AzureTestVPN".  You can name this anything you like, just keep track of it.

  62. For #2 (above), Gateway, click on the + icon and create a new "host" (or end point) with the external IP address of the "Virtual network gateway" we created in steps 35 to 43.  You will need to get this address from Azure.

    • Open your resource groups and click on the group we created in prior steps (see image below).


    • Locate the external IP address we created in prior steps and click on it (see image below).

    • Locate the IP address and copy it/write it down (see image below).


  63. Name the Host "AzureIPAddr" and enter the address from the prior step into the "IPv4 Address" box.  It should look like this (see image below).



  64. For #3 (above), Authentication type, keep the default of "Preshared key".

  65. For #4 & #5 (above), Key, enter a pass phrase you can remember (we will need this later).

  66. For #6 (above), Remote Networks, click on the + icon and create a new network with the details from the network we created in steps 4 through 10.

  67. When done, it will look like this.


  68. Click "Save" to save the gateway.

  69. Click on the "Connections" menu item and then on "New IPsec connection".  You will be prompted with the "Add IPsec connection" window (see image below).

  70. For #1 (above), Name, enter "AzureTestVPNConn".  You can name this anything you like.

  71. For #2 (above), Remote Gateway, pick the remote gateway we made in steps 60 through 68.

  72. For #3 (above), Local Interface, pick the external adapter on your UTM appliance that is connected to the internet.

  73. For #4 (above), Policy, pick the policy that we created in steps 48 through 59.

  74. For #5 (above), Local Networks, click on the folder and pick the "Internal (Network)" option from the menu on the left.

  75. When done, it should look like this.

  76. Click "Save" to add the IPsec connection.

  77. If you click back on the "Site-to-Site VPN" menu option on your UTM, you will see that the connection HAS NOT been established yet (see image below; IP addresses blurred for security reasons).

  78. Go back to your browser and back to the Microsoft Azure portal.  You should still be on your resource group (from when we found the external IP address).  If not, open the resource groups and pick your group.

  79. Go back to "Search resources" and type "local network gateways" and click on the option you get (see image below).
  80. Click on the "+ Add" button to create a local network gateway.
  81. The "Create local network gateway" box will appear (see image below).
  82. For #1 (above), Name, type "AzureTestLNG".  You can use any name you like, just keep track of it.
  83. For #2 (above), IP address, you will need to use the external IP address you setup on your UTM appliance.
  84. For #3 (above), Address space, type in "192.168.1.0/24" as this is the address space on our local network.
  85. For #4 (above), Resource group, add this to the resource group we have been using for this example.  You can add it to any group you like or create a new one, just keep track of it.
  86. When done, it should look like this (see image below; IP address blurred out for security reasons).
  87. Click create to add the local network gateway.
  88. Go back to your resource group (from when we found the external IP address).  If not, open the resource groups and pick your group.

  89. Locate your virtual network gateway and click on it (see image below).




  90. Once in the virtual network gateway, on the left, you will see the options that can be setup for the gateway.  Click on "Connections" (see image below).

  91. Click on the "+ Add" option to create a new connection.  You will be prompted with an "Add connection" window (see image below; Site-to-site has been selected already for clarity).

  92. For #1 (above), Name, type "AzureTestConnection".  You can name this anything you like, just keep track of it.

  93. For #2 (above), Connection type, pick "Site-to-Site (IPsec)" from the list.  The option for a "Local network gateway" will appear.

  94. For #3 (above), Local network gateway, pick the local network gateway we created in steps 79 through 87.
    Note:  This is a gotcha, if not configured correctly, our example will not work.

  95. For #4 (above), Shared key (PSK), enter the same key as you entered in step 65.

  96. When done, it will look like this (see image below; PSK blurred out for security reasons).

  97. Click "OK" to create the connection.
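Most of the "gotchas" called out above (Policy-based VPN type in step 38, PFS none in step 57, the local network gateway in step 94, the matching PSK in steps 65 and 95) come down to the two sides of the tunnel agreeing with each other. The script below is an added example, not part of the original walkthrough, that writes both sides down as plain dictionaries and checks them against each other before you start waiting on the status pages. The public IP addresses are constructed TEST-NET placeholders because the page blurs them, the pre-shared key is a constructed value, and the table of parameters an Azure policy-based (Basic SKU) gateway accepts over IKEv1 is taken from Azure's VPN device documentation as of this writing and should be treated as an assumption to re-check against current docs.

```python
import hmac
import ipaddress

# --- UTM side: policy from steps 50-57, remote gateway from steps 61-68,
# connection from steps 70-76. Public IPs and the PSK are constructed placeholders.
UTM_SIDE = {
    "policy": {
        "ike_encryption": "AES128",
        "ike_authentication": "SHA1",
        "ike_sa_lifetime": 28800,
        "ike_dh_group": 2,
        "ipsec_encryption": "AES128",
        "ipsec_authentication": "SHA1",
        "ipsec_pfs_group": None,
    },
    "local_gateway_ip": "203.0.113.10",       # constructed: UTM external address
    "remote_gateway_ip": "198.51.100.20",     # constructed: host "AzureIPAddr"
    "remote_networks": ["10.0.0.0/16"],       # step 66: the VNet address space
    "local_networks": ["192.168.1.0/24"],     # step 74: Internal (Network)
    "psk": "example-shared-secret",           # constructed
}

# --- Azure side: VNG from steps 36-43, LNG from steps 82-87, connection 92-95.
AZURE_SIDE = {
    "vpn_type": "PolicyBased",
    "gateway_public_ip": "198.51.100.20",     # constructed: AzureTestVNGAddr
    "vnet_address_space": ["10.0.0.0/16"],
    "local_network_gateway": {
        "ip": "203.0.113.10",                 # step 83: UTM external address
        "address_space": ["192.168.1.0/24"],  # step 84
    },
    "psk": "example-shared-secret",           # constructed, must equal the UTM key
}

# IKEv1 parameters an Azure policy-based (Basic SKU) gateway negotiates.
# ASSUMPTION: from Azure's VPN device documentation at time of writing.
AZURE_POLICY_BASED_CAPS = {
    "ike_encryption": {"AES256", "AES128", "3DES"},
    "ike_authentication": {"SHA1"},
    "ike_sa_lifetime": {28800},
    "ike_dh_group": {2},
    "ipsec_encryption": {"AES256", "AES128", "3DES"},
    "ipsec_authentication": {"SHA1"},
    "ipsec_pfs_group": {None},
}


def check_policy(policy, caps):
    """Return the UTM policy parameters the Azure gateway would reject."""
    return [f"{k}={policy.get(k)!r} not in {sorted(map(str, caps[k]))}"
            for k in caps if policy.get(k) not in caps[k]]


def _networks(prefixes):
    return {ipaddress.ip_network(p, strict=True) for p in prefixes}


def check_peers(utm, azure):
    """Return mismatches between what each side believes about the other."""
    problems = []
    if azure["vpn_type"] != "PolicyBased":
        problems.append("Azure gateway must be Policy-based (step 38)")
    if utm["remote_gateway_ip"] != azure["gateway_public_ip"]:
        problems.append("UTM remote gateway host != Azure VNG public IP (step 62)")
    if azure["local_network_gateway"]["ip"] != utm["local_gateway_ip"]:
        problems.append("Azure LNG IP address != UTM external IP (step 83)")
    if _networks(utm["remote_networks"]) != _networks(azure["vnet_address_space"]):
        problems.append("UTM remote networks != Azure VNet address space (step 66)")
    if _networks(utm["local_networks"]) != _networks(
            azure["local_network_gateway"]["address_space"]):
        problems.append("UTM local networks != Azure LNG address space (step 84)")
    # Constant-time comparison is a habit worth keeping even in a config checker.
    if not hmac.compare_digest(utm["psk"].encode(), azure["psk"].encode()):
        problems.append("pre-shared keys differ (steps 65 and 95)")
    return problems


def weak_parameter_warnings(policy):
    """Non-fatal notes on the strength of what a policy-based gateway allows."""
    warnings = []
    if "SHA1" in (policy["ike_authentication"], policy["ipsec_authentication"]):
        warnings.append("SHA1 integrity")
    if policy["ike_dh_group"] == 2:
        warnings.append("DH group 2 (1024-bit MODP)")
    if policy["ipsec_pfs_group"] is None:
        warnings.append("no PFS: a compromised IKE key exposes earlier IPsec traffic")
    return warnings


if __name__ == "__main__":
    for line in check_policy(UTM_SIDE["policy"], AZURE_POLICY_BASED_CAPS) + \
            check_peers(UTM_SIDE, AZURE_SIDE):
        print("PROBLEM:", line)
    for line in weak_parameter_warnings(UTM_SIDE["policy"]):
        print("WARNING:", line)
```

With the walkthrough's values the checker reports no problems and three warnings. The warnings are not mistakes in the setup; SHA1, DH group 2 and no PFS are simply the only choices a policy-based gateway offers, which is why step 57 insists on leaving PFS at none. If those properties matter for your environment, the remedy is a route-based gateway with IKEv2 rather than a different UTM policy, since stronger settings on the UTM side alone will just make the negotiation fail.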

  98. When done, you can check your connection under Connections (see image below); however, this does not always show the immediate result.

  99. You can also check the status on your UTM appliance (see image below).

  100. Now we will test our connection with RDP (see image below).  We are prompted for a login... this is a sign we have connectivity.  We need to use the login we created for our VM in steps 16 through 32.

  101. After logging in, we have a desktop (see image below).


We did it!!


If you notice any errors in this document, please leave a comment or send me a message.