Configure site-to-site VPN with local FortiGate to Azure VM

Configure the local FortiGate:

To configure the interfaces:

  • In FortiOS on the local FortiGate, go to Network > Interfaces.
  • Edit port5. Set the role to WAN and set an IP/Network Mask of 192.168.5.1/255.255.255.0. This is for the interface connected to the Internet.
  • Edit port4. Set the role to LAN and set an IP/Network Mask of 172.16.200.1/255.255.255.0. This is for the interface connected to the local subnet.

To configure a static route to connect to the Internet:

  • Go to Network > Static Routes.
  • Click Create New.
  • Set the Destination to 0.0.0.0/0.0.0.0.
  • For the Interface, select port5.
  • Set the Gateway Address to 192.168.9.254.

To configure IPsec VPN:

  • Go to VPN > IPsec Wizard.
  • Click Create New.
  • Enter the desired VPN name. In the example, this is "to_cloud".
  • For Template Type, select Site to Site.
  • For the Remote Device Type, select FortiGate.
  • For NAT Configuration, select This site is behind NAT. For non-dial-up situations where your local FortiGate has a public external IP address, you must choose No NAT between sites.
  • Click Next.
  • Configure Authentication:
  • For Remote Device, select IP Address.
  • Enter an IP address of 40.115.111.31, which is the Azure FortiGate's port1 public IP address.
  • For Outgoing Interface, select port5.
  • Set the Authentication Method to Pre-shared Key.
  • Enter a pre-shared key of 123456.
  • Click Next.
  • Configure Policy & Routing:
  • For Local Interface, select port4.
  • FortiOS automatically populates Local Subnets with 172.16.200.0/24.
  • Set the Remote Subnets to 10.58.1.0/24, which is the Azure FortiGate's port2 subnet.
  • For Internet Access, select None.
  • Click Create.

Configuring the Azure FortiGate:

To configure the interface:

  • In FortiOS on the Azure FortiGate, go to Network > Interfaces.
  • Edit port2. Set the role to LAN and set an IP/Network Mask of 10.58.1.4/255.255.255.0. This is for the interface connected to the Azure local subnet.

To configure IPsec VPN:

  • Go to VPN > IPsec Wizard.
  • Configure VPN Setup:
  • Enter the desired VPN name. In the example, this is "to_local".
  • For Template Type, select Site to Site.
  • For the Remote Device Type, select FortiGate.
  • For NAT Configuration, select This site is behind NAT. For non-dial-up situations where your local FortiGate has a public external IP address, you must choose No NAT between sites.
  • Click Next.
  • Configure Authentication:
  • For Incoming Interface, select port1.
  • Set the Authentication Method to Pre-shared Key.
  • Enter a pre-shared key of 123456.
  • Click Next.
  • Configure Policy & Routing:
  • For Local Interface, select port2.
  • FortiOS automatically populates Local Subnets with 10.58.1.0/24.
  • Set the Remote Subnets to 172.16.200.0/24, which is the local FortiGate's port4 subnet.
  • For Internet Access, select None.
  • Click Create.

To bring up the VPN tunnel on the local FortiGate:
The tunnel stays down until you initiate the connection from the local FortiGate.

  • In FortiOS on the local FortiGate, go to Monitor > IPsec Monitor.
  • Click the to_cloud tunnel.
  • Click Bring Up to bring up the VPN tunnel.
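Before bringing the tunnel up it is worth checking the two wizard configurations against each other. The following Python script is an added example, not FortiGate code or part of this guide: it transcribes the values above into two dictionaries (the Azure FortiGate's port1 address and default gateway are not given in this section, so they are left as None) and checks that the phase 2 selectors mirror each other, that local and remote selectors do not overlap, that the static-route gateway lies on the WAN subnet, that the remote gateway is a public address, and that the pre-shared key matches and is strong. Run against the values in this section it reports the 192.168.9.254 gateway as outside port5's 192.168.5.0/24 subnet and the 123456 key as weak.

```python
import ipaddress
import re

# Tunnel parameters transcribed from the wizard steps above (constructed, not a FortiGate export).
LOCAL_FGT = {
    "name": "to_cloud",
    "wan_ip": "192.168.5.1/24",      # port5
    "default_gw": "192.168.9.254",   # static route gateway on port5
    "local_subnets": ["172.16.200.0/24"],
    "remote_subnets": ["10.58.1.0/24"],
    "remote_gw": "40.115.111.31",    # Azure FortiGate port1 public IP
    "psk": "123456",
}
AZURE_FGT = {
    "name": "to_local",
    "wan_ip": None,                  # port1 address is not given in this section
    "default_gw": None,
    "local_subnets": ["10.58.1.0/24"],
    "remote_subnets": ["172.16.200.0/24"],
    "remote_gw": None,               # the Azure side waits for the local site to initiate
    "psk": "123456",
}


def _nets(cidrs):
    """Parse CIDR strings into a sorted list of networks (strict: host bits must be zero)."""
    return sorted(ipaddress.ip_network(c, strict=True) for c in cidrs)


def check_psk(psk, min_len=20):
    """Findings about pre-shared key strength: length and character-class mix."""
    findings = []
    if len(psk) < min_len:
        findings.append(f"PSK shorter than {min_len} characters")
    classes = sum(bool(re.search(p, psk))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("PSK uses fewer than three character classes")
    return findings


def check_peer_pair(a, b):
    """Return a list of human-readable findings; an empty list means the pair is consistent."""
    findings = []
    # 1. Phase 2 selectors must mirror each other, or quick mode negotiation fails.
    for x, y in ((a, b), (b, a)):
        if _nets(x["remote_subnets"]) != _nets(y["local_subnets"]):
            findings.append(f"{x['name']}: remote subnets do not mirror {y['name']} local subnets")
    # 2. A side's local and remote selectors must not overlap, or routing becomes ambiguous.
    for side in (a, b):
        for loc in _nets(side["local_subnets"]):
            for rem in _nets(side["remote_subnets"]):
                if loc.overlaps(rem):
                    findings.append(f"{side['name']}: local {loc} overlaps remote {rem}")
    # 3. The default-route gateway must sit on the WAN interface's subnet to be reachable.
    for side in (a, b):
        if side["wan_ip"] and side["default_gw"]:
            wan = ipaddress.ip_interface(side["wan_ip"])
            if ipaddress.ip_address(side["default_gw"]) not in wan.network:
                findings.append(f"{side['name']}: gateway {side['default_gw']} "
                                f"is outside WAN subnet {wan.network}")
    # 4. The remote gateway, when set, must be a routable public address.
    for side in (a, b):
        if side["remote_gw"] and not ipaddress.ip_address(side["remote_gw"]).is_global:
            findings.append(f"{side['name']}: remote gateway {side['remote_gw']} is not public")
    # 5. Keys must match on both ends and be strong enough to resist offline guessing.
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ between peers")
    findings.extend(f"{a['name']}: {f}" for f in check_psk(a["psk"]))
    return findings


if __name__ == "__main__":
    for line in check_peer_pair(LOCAL_FGT, AZURE_FGT) or ["no findings"]:
        print(line)
```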


Connecting a local FortiGate to an AWS VPC VPN

To create a VPG:

A VPG is the VPN concentrator on the Amazon side of the site-to-site VPN connection. You create a VPG and attach it to the VPC from which you want to create the site-to-site VPN connection.
  • In the AWS management console, go to Virtual Private Gateways, then click Create Virtual Private Gateway.
  • In the Name tag field, enter the desired gateway name.
  • For static route configuration, the ASN is not important, as the ASN is for BGP routing. By default, the VPG is created with the default ASN, 64512. You cannot change the ASN once the VPG has been created.
  • After creating the VPG, select it from the list of VPGs, and click Actions > Attach to VPC.
  • On the Attach to VPC page, select the ID for the desired VPC from the VPC dropdown list.

To create a customer gateway:

  • Go to Customer Gateways, then click Create Customer Gateway.
  • In the Name field, enter the desired gateway name.
  • For Routing, select Static.
  • In the IP Address field, enter the on-premises FortiGate's external address.

AWS site-to-site VPN connections support the following features:

  • Internet Key Exchange version 2 (IKEv2)
  • NAT traversal
  • Four-byte ASN (in addition to two-byte ASN)
  • Reusable IP addresses for customer gateways
  • Additional encryption options including AES 256-bit encryption, SHA-2 hashing, and additional Diffie-Hellman groups
  • Configurable tunnel options
  • Custom private ASN for the Amazon side of a BGP session

This example describes creating an IPsec site-to-site VPN.

To create a site-to-site VPN connection on AWS:

  • Go to VPN Connections, then click Create VPN Connection.
  • In the Name tag field, enter the desired VPN connection name.
  • From the Virtual Private Gateway dropdown list, select the VPG ID for the VPG created earlier.
  • For Routing Options, select Static.
  • In the IP Prefixes field, enter the CIDR of the networks behind your on-premises FortiGate.
  • Leave the tunnel options blank. You will obtain this information from a configuration file download.

To configure the on-premises FortiGate:

  • After creating the VPN, select it in the VPN list, then click Download Configuration. This document contains information needed to configure the FortiGate correctly.
  • You can configure the FortiGate using this downloaded configuration file. If the tunnel does not come up automatically, run diagnose vpn tunnel up examplephase2 (substituting the name of your phase 2).
  • Check in the FortiOS GUI in VPN > IPsec Tunnels that the tunnel is up.
  • In the AWS management console, check that the tunnel is up.
  • After the tunnel is up, you must edit a custom route table and security group rules to achieve connectivity between a resource behind the FortiGate and a resource on AWS.
  • On AWS, there are two tunnels for each created VPN. This example only shows connecting to one tunnel, but you can create the second tunnel in FortiOS as well. The second tunnel is for redundancy. If one tunnel goes down, the FortiGate can reach AWS resources using the other tunnel.

Configuring site-to-site VPN between GCP and FortiGate

  • On the remote site 1 FortiGate, go to VPN > IPsec Tunnels, then click Create New.
  • On the VPN Setup tab, configure the following:
  • For Template type, select Site to Site.
  • For NAT configuration, select No NAT between sites.
  • Click Next.
  • On the Authentication tab, configure the following:
  • In the Remote IP address field, enter the destination FortiGate public IP address. This is the spoke1 public IP address.
  • Configure a signature or pre-shared key to secure the tunnel.
  • Click Next.
  • On the Policy & Routing tab, configure the local and remote subnets. Note that here, the local subnet refers to the remote site subnet, and the remote subnet refers to the NCC external and internal VPC subnets. Click Next.
  • Review the configuration, then click Create.
  • Create a similar connection from the Region 1 spoke FortiGate to the remote site 1 FortiGate. When creating this connection, on the Policy & Routing tab, ensure that you add port1 and port2 as local interfaces when creating the tunnel interface.



Meraki Cloud Managed Services:
Azure, AWS, GCP Security Gateway

Configuring Meraki To Azure Site-To-Site-VPN Tunnels

Create Azure Virtual network
1. Sign in to the Azure portal.
2. In Search resources, service, and docs (G+/), type virtual network.
3. Select Virtual Network from the Services results.
4. On the Virtual Network page, select Create.
5. Once you select Create, the Create virtual network page opens.
6. On the Basics tab, configure Project details and Instance details VNet settings.
When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. Some values are auto-filled; you can replace them with your own values:

>> Subscription: Select Pay-As-You-Go.
>> Resource group: Select the existing (Create new) Resource group AZ-DR01.
>> Name: Type AZ-DR01-VNet1.
>> Region:

7. Click Next: IP Address.
8. On the IP Addresses tab, configure the values.
IPv4 address space: Type 10.15.0.0/16.
9. Click +Add subnet.
>> Subnet name: type FrontEnd.
>> Subnet address range: 10.15.1.0/24.
>> Services: Keep the default settings (0 selected)
10. Click Add.
11. Click Next: Security.
12. On the Security tab, at this time, leave the default values:
>> BastionHost: Disable.
>> DDoS Protection Standard: Disable.
>> Firewall: Disable.

13. Click Next: Tags.
14. On the Tags tab, leave the default values.
15. Click Next: Review + create.
16. After the settings have been validated, select Create.
17. Make sure the new VNet deployment completes without issues, then click Go to resource.


Create Azure VPN Gateway:
1. In Search resources, service, and docs (G+/), type virtual network gateway.
2. Select Virtual network gateway from the Services results.
3. On the Basics tab, configure Project details and Instance details and Public IP address for Virtual network gateway settings.
>> Subscription: Select Pay-As-You-Go.
>> Name: Type AZ-DR01-VNet1-GW1.
>> Region: Select Canada Central.
>> Gateway type: Select VPN.
>> VPN type: Select Route-Based.
>> SKU: Select VpnGw1 (Bandwidth: 650 Mbps).
>> Virtual network: Select AZ-DR01-VNet1.
>> Gateway subnet address range: Type 10.15.255.0/27
>> Public IP address: Leave Create new selected.
>> Public IP address name: AZ-DR01-VNet1-GW1-Public-IP
>> Assignment: VPN gateway supports only Dynamic.
>> Enable Active-Active mode: Select Disabled.
>> Configure BGP ASN: Select Disabled.
4. Click Next: Tags.
5. On the Tags tab, leave the default values.
6. Click Next: Review + create.
7. After the settings have been validated, select Create.
8. Make sure the new Virtual network gateway deployment completes without issues, then click Go to resource.


Create Azure Local Network Gateway:
1. In Search resources, service, and docs (G+/), type local network gateway.
2. Select Local network gateway from the Services results.
3. Click Create local network gateway.
4. On the Create local network gateway page, specify the values for your local network gateway.
>> Name: Type OFFICECalgary.
>> IP address: Type OFFICE-Calgary WAN IP address (208.230.42.114).
>> Address Space: add 192.168.0.0/22 and 172.16.200.0/24 and 172.16.250.0/24.
>> Configure BGP settings: Use only when configuring BGP. Otherwise, don't select this.
>> Subscription: Select Pay-As-You-Go.
>> Resource Group: Select AZ-DR01.
>> Location: Select Canada Central.
5. Click Create.

Create VPN connection:
1. On the Azure Services page, click the newly created Virtual network gateway.
2. On the Virtual network gateway page, select Connections.
3. On the Connections page, click +Add.
4. On the Add connection page, configure the values for your connection.
>> Name: Type AZ-DR01-VNet1toOFFICECalgary
>> Connection type: Select Site-to-site (IPsec).
>> Virtual network gateway: The value is fixed because you are connecting from this gateway.
>> Local network gateway: Click Choose a local network gateway and select the local network gateway that you want to use.
>> Click the OFFICECalgary local network gateway.
>> Shared Key: Type Azure
>> IKE Protocol: Select IKEv2
>> Resource Group: Select AZ-DR01

5. Click OK.


Settings at Meraki site:


1. Sign in to the Cisco Meraki portal.
2. Select Security & SD-WAN, click Site-to-site VPN.
3. On the Site-to-site VPN field, select Hub.
4. On the VPN settings field, select the local networks that you want to connect to Azure and then select VPN on.
5. On the Organization-wide settings page, click add a peer in the Non-Meraki VPN peers.
6. On the Non-Meraki VPN peers, configure details settings.
>> Name: Type ToAzure
>> IKE Version: Select IKEv2
>> IPsec Policies: Click Default and then change Default to Azure
>> Click Update.
>> Public IP: Type Azure Virtual Network Gateway Public IP address (53.139.26.221)
>> Private subnets: Type 10.15.0.0/16
>> Preshared secret: Type Azure.
>> Availability: select All Networks.


7. Click Save Changes.
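The Azure and Meraki values entered above have to agree with each other: the gateway subnet must sit inside the VNet, the local network gateway address spaces must not overlap the VNet and should match the Meraki networks with VPN on, the Meraki peer's private subnets must fall inside the VNet, and the IKE version and secret must match on both sides. The following Python pre-flight check is an added example (not from Azure, Meraki or this guide); it assumes the Meraki networks selected in step 4 are exactly the three ranges given to the local network gateway, and with the values above it reports only that the shared key "Azure" is short.

```python
import ipaddress

# Address plan transcribed from the Azure and Meraki steps above (constructed, not a portal export).
AZURE = {
    "vnet": "10.15.0.0/16",
    "subnets": {"FrontEnd": "10.15.1.0/24", "GatewaySubnet": "10.15.255.0/27"},
    "local_network_gateway": ["192.168.0.0/22", "172.16.200.0/24", "172.16.250.0/24"],
    "ike_version": "IKEv2",
    "psk": "Azure",
}
MERAKI = {
    "private_subnets": ["10.15.0.0/16"],  # what the ToAzure peer entry routes into the tunnel
    # Assumed: the local networks selected with "VPN on" are exactly the LNG address spaces.
    "local_networks": ["192.168.0.0/22", "172.16.200.0/24", "172.16.250.0/24"],
    "ike_version": "IKEv2",
    "psk": "Azure",
}


def _nets(cidrs):
    """Parse CIDR strings into a sorted list of networks (strict: host bits must be zero)."""
    return sorted(ipaddress.ip_network(c, strict=True) for c in cidrs)


def check_azure_plan(az, mx):
    """Return findings for the VNet / gateway subnet / local network gateway / Meraki peer plan."""
    findings = []
    vnet = ipaddress.ip_network(az["vnet"], strict=True)
    subs = {n: ipaddress.ip_network(c, strict=True) for n, c in az["subnets"].items()}
    # 1. Every VNet subnet, including GatewaySubnet, must be carved out of the VNet space.
    for name, net in subs.items():
        if not net.subnet_of(vnet):
            findings.append(f"{name} {net} is not inside VNet {vnet}")
    # 2. VNet subnets must not overlap one another.
    names = list(subs)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            if subs[n1].overlaps(subs[n2]):
                findings.append(f"{n1} {subs[n1]} overlaps {n2} {subs[n2]}")
    # 3. The gateway subnet must be named GatewaySubnet; Azure recommends /27 or larger.
    gw = subs.get("GatewaySubnet")
    if gw is None:
        findings.append("no subnet named GatewaySubnet")
    elif gw.prefixlen > 27:
        findings.append(f"GatewaySubnet {gw} is smaller than the recommended /27")
    # 4. Local network gateway address spaces must not overlap the VNet or each other,
    #    otherwise traffic for those ranges cannot be routed unambiguously.
    lng = _nets(az["local_network_gateway"])
    for i, n1 in enumerate(lng):
        if n1.overlaps(vnet):
            findings.append(f"local network gateway space {n1} overlaps VNet {vnet}")
        for n2 in lng[i + 1:]:
            if n1.overlaps(n2):
                findings.append(f"local network gateway spaces {n1} and {n2} overlap")
    # 5. The LNG address space must match the Meraki networks that have VPN enabled.
    if lng != _nets(mx["local_networks"]):
        findings.append("local network gateway address space does not match Meraki VPN-enabled networks")
    # 6. Each private subnet on the Meraki peer entry must lie inside the VNet.
    for net in _nets(mx["private_subnets"]):
        if not net.subnet_of(vnet):
            findings.append(f"Meraki private subnet {net} is not inside VNet {vnet}")
    # 7. IKE version and pre-shared secret must agree; the secret should be long.
    if az["ike_version"] != mx["ike_version"]:
        findings.append("IKE versions differ")
    if az["psk"] != mx["psk"]:
        findings.append("pre-shared keys differ")
    elif len(az["psk"]) < 20:
        findings.append("pre-shared key shorter than 20 characters")
    return findings


if __name__ == "__main__":
    for line in check_azure_plan(AZURE, MERAKI) or ["no findings"]:
        print(line)
```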


Verify the VPN connection:

In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection.

1. In the Azure portal menu, select All resources or search for and select All resources from any page.
2. Select the virtual network gateway.
3. On the blade for the virtual network gateway, click Connections. You can see the status of each connection.
In the Meraki portal, you can view the VPN status of a Meraki appliance by navigating to the Non-Meraki peer.

1. Sign in to the Meraki portal.
2. Select Security & SD-WAN, click VPN Status.
3. Click Non-Meraki peer.
4. Make sure the Status light shows green.




CONFIGURING MERAKI TO AWS SITE-TO-SITE-VPN TUNNELS

Create a VPC:

1. After logging into AWS, go to the 'Services' area (top bar) and select the 'VPC' service. This will bring you to a status page about the networking configured for your AWS environment. Select 'Your VPCs' on the left-hand side.
2. Select the 'Create VPC' button. This will allow you to create a Virtual Private Cloud where accessible resources on AWS will live. Enter a name and a CIDR block.
3. You'll be taken back to the 'Your VPCs' page where there will be a new element based on what you just created.

Allocate a subnet:
1. On the left-hand side of the VPC Service screen there is a menu bar. Under the 'Virtual Private Cloud' header there is an option for 'Subnets'. Select the 'Subnets' option.
2. On the configuration screen select the 'Create subnet' button.
3. On the following 'Create subnet' screen, provide a descriptive name, select the VPC we just made, and provide a subset of the total space allocated for the VPC.
4. You'll be brought back to the Subnets configuration screen when this is complete.

Configure the VPN connection on AWS's side:
1. On the left-hand bar within the VPC service screen there is a heading entitled VPN Connection. Within this area select the 'Customer Gateways' option.
2. Assign the Customer Gateway a name, keep the Routing as Dynamic and in IP address slot place the IP address of your Meraki device. Select 'Create Customer Gateway' when ready.
3. To find your Meraki device's IP address, open the Meraki dashboard and select 'Security appliance' -> 'Appliance Status'. The public IP of the Meraki device is shown on that page.
4. On the left-hand bar within the Customer Gateways service screen there is a heading entitled VPN Connections. Within this area select the 'Virtual Private Gateway' option.
5. Select the button entitled 'Create Virtual Private Gateway'.
6. In the configuration screen choose a name and leave the ASN as 'Amazon default ASN' (unless you have a specific BGP configuration). Select the 'Create Virtual Private Gateway' button. When complete you should be moved back to the Virtual Private Gateway configuration screen with a new element listed.
7. Select the checkbox next to the new element and find the 'Action' button at the top. Click it and select 'Attach to VPC'.
8. You'll be brought to a new screen. Select the VPC you created. Then select the 'Yes, Attach' button. You'll be taken back to the Virtual Private Gateway configuration screen.
9. On the left-hand bar within the Virtual Private Gateway service screen there is a heading entitled VPN Connection. Within this area select the 'VPN Connections' option.
10. Select the button entitled 'Create VPN Connection'.
11. In the Create VPN Connection window, select a Name, the Virtual Private Gateway we just created from the list, and the ID of the Customer Gateway we configured earlier, and specify 'static' as the routing option. For Static IP Prefixes, enter the internal subnet used by your Meraki device. Leave the rest blank and when finished select the 'Create VPN Connection' button. You can find this subnet on the Meraki Dashboard under 'Security Appliance' -> 'Addresses & VLANs' in the 'Routing' section.
12. Once this is created it will be in a 'pending' state for a while as Amazon allocates it. After a few minutes it should switch to an 'available' state. Once it reaches that state, select the checkbox next to the newly created resource and select the 'Download Configuration' button. Save this file for the next step.
13. On the left-hand bar within the VPN Connections service screen there is a heading entitled 'Virtual Private Cloud'. Within this area select the 'Route Tables' option. Select the checkbox next to the route table associated with the VPC you've created.
14. On the lower pane a configuration menu will appear. Select the 'Route Propagation' tab and select the 'Edit' button. Then check the 'Propagate' checkbox next to the Virtual Private Gateway listed.


Configure the VPN connection on Meraki's side:
1. In your Meraki Dashboard, navigate to the site-to-site VPN options under Security appliance -> Site-to-site VPN.
2. Under Type, select Hub (Mesh).
3. Under the VPN settings sub-header, find the networks that you'd like to enable site-to-site routing for and select 'yes' under the 'Use VPN' column.
4. Leave NAT traversal as automatic.
5. Leave OSPF advertisements disabled.
6. Under the Organization-wide settings sub-header, find 'Non-Meraki VPN peers'. Select the 'Add a peer' link.
7. Fill out the new peer information based on the downloaded file:
First, give the connection a descriptive name.
Then, using the information from the downloaded file, find the 'Outside IP Address' of the 'Virtual Private Gateway'. Place this value in the Public IP field.
For private subnets, put the subnet address you allocated back in step 2.
Under IPsec policies, click 'default'. This opens a new configuration menu. At the top, select 'AWS' from the 'Choose a Preset' dropdown. Hit Update when this is complete.
Find the Pre-Shared Key row within the downloaded file and copy the pre-shared key into the Meraki configuration area.

8. Save your changes.
Note: when making a request to a host on the other side of the site-to-site VPN, it can take a few attempts for the request to complete while the tunnel is initialized. The more traffic is sent across the tunnel, the less likely this lag is to occur, as the tunnel stays up. This often leads people to write quick ping scripts that send a ping every couple of seconds to keep the tunnel up.


Configuring Meraki To GCP Site-To-Site VPN

Meraki Dashboard Configuration:
1 Add license(s) to the Meraki dashboard:
To complete the vMX Meraki dashboard configuration, a vMX license must be available for use in your organization.

If your organization has already reached its vMX license limit, you will be unable to create new vMX networks until a vMX network is deleted or additional vMX licensing added.

If you do not have access to a vMX license or require additional vMX licenses, please reach out to your Meraki reseller or sales representative.

2 Create a 'Security Appliance' Network Type.

3 Assign vMX type to network
Once you have created the 'Security appliance' network and added the appropriate license you will be able to deploy a new vMX to your network by clicking on the 'Add vMX' button.
4 Generate the authentication token
After you add the new vMX to your network, navigate to Security Appliance > Appliance status and select 'Generate authentication token' to generate the token for the GCP vMX Authentication Token field.
5 Copy the newly generated token and save it.
The newly generated token will be used in the "New Cisco Meraki vMX deployment" configuration section when creating a new instance.


Google Cloud Setup:
You must have the following before you begin:
  • Google Cloud VPC network.


Deploying the vMX:

1 Access the Cisco Meraki vMX offer in the GCP marketplace, or search for "Meraki" in the GCP marketplace to find the vMX solution.
2 Click Launch on the vMX offer landing page.
3 Enter a Deployment Name for the instance.
4 Choose the desired Zone.
5 Select the c2-standard-4 vMX instance size. This is the only instance size currently offered for vMX on GCP.
6 Paste the vMX Authentication token you copied from the Meraki dashboard in the steps earlier to the vMX Authentication Token field.
7 The Boot Disk options can remain as-is.
8 Under the Network section select the desired Network, Subnetwork and External IP for this instance. The External IP field can be left as Ephemeral (if you would like to let GCP assign a public IP to the vMX itself) or set to None (if you would like to have a private IP on the vMX and have it egress through an upstream device like a firewall or Google Cloud NAT instance). You do not need to add more network interfaces to the VM as it is a single interface appliance.
9 Click Deploy.

Additional VPC Configuration:
The virtual MX appliance will allow for site-to-site VPN connectivity using Auto VPN between GCP and other remote MXs. In order to have proper bidirectional communication between remote subnets that are terminating into GCP via the vMX and hosts within GCP, the VPC routing table must be updated for the remote Auto VPN-connected subnets.

1 Navigate to VPC Networks > Routes from the GCP console and select Create Route.
2 Specify a Name and Description for the route.
3 Select the Network that your vMX is deployed in.
4 In the Destination IP range, add the routes available via Auto VPN.
5 Select the Specify an instance option for the next hop and select the vMX instance as the Next hop instance.


Firmware Version:
In order for the vMX to function on GCP, it must be running MX firmware 16.8 or later.

Token Validity:
1 Navigate to Compute Engine > VM Instances, click on the vMX in question and click on Stop to turn it off.
2 Click Edit.
3 Scroll down to the Custom Metadata section and update the value in the token field.
4 Click Save and then click Start to power the vMX back up.


Confirming Cloud Reachability:
By default, HTTP traffic inbound to the vMX is disabled for security purposes. You can enable inbound HTTP traffic to the vMX (for accessing the local status page) by performing the following:

1 Navigate to Compute Engine > VM Instances, click on the vMX in question and click Edit (you do not need to turn off the instance for this change).
2 Scroll down to the Firewalls section and select the box next to Allow HTTP traffic.
3 Click Save.
4 On the VM instance details page copy the External IP that was assigned to the instance.
5 On the local status page you can find the health status of the vMX and whether it is successfully able to connect to the Meraki cloud or not.


No "Add vMX" Button:
When navigating to Security & SD-WAN > Appliance Status, if there is no "Add vMX" button, please ensure the following two conditions are met:

1 You have available vMX licenses in your license pool.
2 You have created a 'Security appliance' network type.


Key Concepts:
1 Concentrator Mode:
All MXs can be configured in either NAT or VPN concentrator mode. There are important considerations for both modes.

2 One-Armed Concentrator:
In this mode, the MX is configured with a single Ethernet connection to the upstream network. All traffic will be sent and received on this interface. This is the only supported configuration for MX appliances serving as VPN termination points into Google Cloud.
3 NAT Mode Concentrator:
In this mode the MX is configured with a single Ethernet connection to the upstream network and one Ethernet connection to the downstream network. VPN traffic is received and sent on the WAN interfaces connecting the MX to the upstream network and the decrypted, unencapsulated traffic is sent and received on the LAN interface that connects the MX to the downstream network.

VPN Topology:
1 Split Tunnel:
In this configuration, branches will only send traffic across the VPN if it is destined for a specific subnet that is being advertised by another MX in the same Dashboard organization. The remaining traffic will be checked against other available routes, such as static LAN routes and third-party VPN routes, and if not matched will be NATed and sent out the branch MX unencrypted.
2 Full Tunnel:
In full tunnel mode all traffic that the branch or remote office does not have another route to is sent to a VPN hub.




Sophos Managed Services, Cloud VPN to Azure, AWS, GCP & OCI

Sophos XG Firewall v18 to Azure VPN Gateway IPSEC Connection

1. Create Azure Local Network Gateway:

a. Go to the Azure Portal: https://portal.azure.com and sign in with your credentials.
b. Click on "Create a resource".
c. In the search box, type "Local Network Gateway".
d. Select "Local Network Gateway" and click on "Create".
e. In the "Create local network gateway" blade, configure the following and then click on "Create":

> Name: You can give this any preferred name.

> Endpoint: IP address

> IP address: Specify the public IP address of your Sophos XG firewall.

> Address space: Specify the address ranges for the network that your On-Prem local network represents.

> Subscription: Verify that the correct subscription is selected for the deployment.

> Resource Group: Select the resource group that you want to use. You can either create a new resource group or select an existing one.


2. Create a Gateway Subnet:

a. In the Azure Portal: https://portal.azure.com, click on 'More Services'.
b. In the search box, type 'Virtual Networks' and select the 'Virtual Networks' option.
c. Click on the virtual network for which you want to create a virtual network gateway.
d. In the 'Virtual networks' blade, under 'Settings' click on 'Subnets'.
e. In the 'Subnets' blade, click on '+ Gateway subnet" to add a new Gateway subnet.
f. In the 'Add Subnet' blade, configure the CIDR range of the new Gateway subnet and click 'Save'.

3. Create the VPN Gateway:

1. In the Azure Portal: https://portal.azure.com, click on 'Create a resource'.
2. In the search box, type 'Virtual network gateway'.
3. Select 'Virtual network gateway' and click on 'Create'.
4. In the 'Create virtual network gateway' blade, configure the following:

i. Subscription: Verify that the correct subscription is selected for the deployment.
ii. Instance details:
> Name: This will be the name of the gateway object you are creating.
> Region: Select the same location as your virtual network (Otherwise the virtual network will not be displayed on the list).
> Gateway type: VPN
> VPN type: Route-based (this is a MUST to be able to use IKEv2).
> SKU: Select the gateway SKU from the dropdown. For more information about gateway SKUs, see Gateway SKUs.
> Generation: Generation 1
> Virtual network: Choose the virtual network to which you want to add this gateway.
iii. Public IP address:
> Public IP address: Create New
> Public IP address Name: Enter a Name for the public IP address resource.
> Leave other settings as default.
> Click on 'Review + Create'
> Click on 'Create'
> Creating a gateway can take up to 45 minutes!

5. After the VPN gateway creation has completed successfully, obtain its public IP address (this will be needed when configuring the Sophos XG connection in step 6).

i. In the Azure Portal, click on 'More services' and search for 'Virtual network gateways'. Then click on 'Virtual network gateways'.
ii. Click on the VPN Gateway that you just created.
iii. In the 'VPN Gateway' blade, in the 'Overview' section, make a note of the public IP address of the gateway.
iv. This will be used in step 6.


4 Create the VPN connection (Azure):

a. In the Azure Portal: https://portal.azure.com, click on 'More services' and search for 'Virtual network gateways'. Then click on 'Virtual network gateways'.
b. Select the VPN gateway that you created earlier.
c. In the 'VPN Gateway' blade, in the 'Settings' section, click on 'Connections', then click on '+ Add'.
d. In the 'Add connection' blade, configure the following:

i. Name: Sophos_Xg_OnPrem_To_Azure (Input your preferred name)
ii. Connection type: Site-to-site (IPSec)
iii. Virtual network gateway: The value is fixed because you are connecting from this gateway
iv. Local network gateway:
> Click 'Choose a local network gateway'
> In the 'Choose a local network gateway' blade, select the local network gateway that you created earlier.
v. Shared key (PSK): Input a complex shared key. The value here must match the value that we will use on our on-premises Sophos XG firewall.
vi. IKE Protocol: IKEv2
vii. The remaining values for Subscription, Resource Group, and Location are fixed.
viii. Click OK to create your connection. You'll see Creating Connection flash on the screen.


5 Download and extract needed information from the configuration file (Azure):

a. In the Azure Portal: https://portal.azure.com, click on 'More services' and search for 'Virtual network gateways'. Then click on 'Virtual network gateways'.
b. Select the VPN gateway that you created earlier.
c. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections", then select the connection that you created earlier.
d. Click on the "Download configuration" button. This configuration file contains the needed information to configure the VPN connection on the XG Firewall.

e. In the 'Download configuration' blade, select the following:
i. Device vendor: Generic Samples
ii. Device family: Device Parameters
iii. Firmware version: 1.0
iv. Click on 'Download configuration'.

f. Open the downloaded file and make a note of the following:
i. Scroll down to the "Tunnel interface (VTI) configuration" section.
ii. Make a note of the interface tunnel IP address and subnet mask
iii. Also, make a note of the MSS value.
iv. Both values will be needed for the configuration of the "xfrm tunnel interface" on the Sophos XG.


6 Create the VPN connection (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG firewall.
b. Under "Configure", click on "VPN" -> "IPSEC Connections" -> "Add".
c. Configure the following settings:

i. General Settings:

> Name: Input any preferred name.
> Connection type: Tunnel interface
> IP version: Dual
> Gateway type: Initiate
> Activate on save: Selected
> Description: Add a description for the connection.

ii. Encryption:
> Policy: Microsoft Azure
> Authentication Type: Pre-shared key
> Pre-shared key: Enter the same pre-shared key that you entered when creating the VPN connection on Azure.
> Repeat pre-shared key: Confirm the above pre-shared key.

iii. Gateway settings:

> Listening interface: Select the WAN interface of the Sophos XG Firewall.
> Gateway address: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
> Local ID: IP Address
> Remote ID: IP Address
> Local ID: Enter the public IP of the OnPrem Sophos XG firewall.
> Remote ID: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
> There is no option to configure the "Local Subnet" and "Remote Subnet". They will both be set to "0.0.0.0/0".
iv. Advanced:
> Leave default settings.

v. Click "Save".

vi. Click "OK" when prompted about the "Pre-shared key".

vii. The connection should now be active. Click on the "red" button under Connection to enable the connection.


7 Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG Firewall.
b. Under "Protect", click on "Rules and policies" -> "Add firewall rule" -> "New firewall rule".
c. In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:
i. Rule status: None
ii. Rule name: azure_to_onprem
iii. Action: Accept
iv. Rule position: Top
v. Rule group: None
vi. Log firewall traffic: Selected
vii. Source
> Source zones: LAN and VPN
> Source networks and devices: Any
> During scheduled time: Leave default setting

viii. Destination & services
> Destination zones: LAN and VPN
> Destination networks: Any
> Services: Any

ix. Leave other settings as default.
> You can configure the security checks of the XG for the traffic if you want to.

x. Click on "Save".


8 Configure the xfrm tunnel interface (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG Firewall.
b. Under "Configure", click on "Network" -> under "Interfaces", click on the xfrm interface.
c. In the "Network" configuration window, configure the following:
i. IPv4/netmask: Enter the IP address and select the subnet mask that you made a note of in Step 5 (6).
ii. Expand "Advanced settings".
> Select "Override MSS" and enter the MSS value that you made a note of in Step 5 (6).
iii. Click on "Save".
iv. In the "Update interface" prompt, click "Update interface".


9 Configure static routing to the Azure network (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG Firewall.
b. Under "Configure", click on "Routing" -> under "Static Routing", click on "Add".
c. In the "Add unicast route" window, configure the following:
i. Destination IP/Netmask: Enter the network IP and subnet mask of your Azure virtual network.
ii. Gateway: Either leave this empty, or enter the second IP address in the network that you made a note of in Step 5 (6).
iii. Interface: Select the XG's xfrm tunnel interface.
iv. Distance: Leave default setting.
v. Click on "Save".


10 Verify the VPN connection:

a. Do a connectivity test from an on-premise instance to an Azure VM.
b. Do a connectivity test from an Azure VM to an on-premise instance.
c. In the Azure Portal: https://portal.azure.com, go to "Virtual network gateways" and select the virtual network that you connected to.
d. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections".
e. In the "VPN Gateway - Connections" blade, ensure that the status of the connection is "Connected".
f. Click on the connection and ensure that you're seeing data flow.
i. A value of 0B does not mean that the connection is not working; it only means that no data flow has been detected on the Azure side.

Sophos XG Firewall v18 to AWS VPN Gateway IPSEC Connection

1 Create AWS Customer Gateway:

a. Go to the AWS Portal: https://aws.amazon.com/console/ and sign in with your credentials.
b. Under 'Services', click on 'VPC'.
c. Filter by your VPC for ease of navigation.
d. On the left navigation pane, scroll down to VIRTUAL PRIVATE NETWORK (VPN).
> Click on 'Customer Gateways'.
e. In the "Create customer gateway" blade, configure the following:
i. Name: Specify any descriptive name.
ii. Routing: Specify the routing mode to be used. In our scenario, select Static.
iii. IP Address: Specify the public IP address of your Sophos XG firewall.
iv. Certificate ARN (optional): In our scenario, no Certificate is selected.
v. Device (optional): In our scenario, no Device is selected.

f. Click on Create Customer Gateway.

2 Create a Virtual Private Gateway (Attaching the VGW with your VPC):

a. Select the virtual network for which you want to create a virtual network gateway.
b. In the left navigation pane, scroll down to VIRTUAL PRIVATE NETWORK (VPN).
c. Click on 'Virtual Private Gateways'.
d. In the "Create Virtual Private Gateway" blade, configure the following:
i. Name tag: Specify a descriptive name.
ii. ASN: Select the applicable option. In our scenario, select Amazon default ASN.

e. Click on Create Virtual Private Gateway.
f. Attach Virtual Private Gateway (VGW) to the VPC.
i. Select the newly created VGW.
ii. Click on Actions and select Attach to VPC.


3 Create the Site-to-Site VPN connection (AWS):

a. In the left navigation pane, scroll down to Site-to-Site VPN Connections.
b. Click on 'Create VPN Connection'.
c. In the "Create VPN Connection" blade, configure the following:
i. Name Tag
ii. Target Gateway Type
iii. Virtual Private Gateway
iv. Customer Gateway
v. Customer Gateway ID
vi. Routing Options
vii. Static IP Prefixes
viii. Local IPv4 Network = XG LAN resources
ix. Remote IPv4 Network = AWS side resources

d. Click on 'Create VPN Connection' to create the AWS VPN.



4 Download and extract needed information from the configuration file (AWS):

a. Select the newly created VPN connection and click on Download Configuration.
b. In the "Download configuration" blade, select the following:
i. Vendor: Generic
ii. Platform: Generic
iii. Software: Vendor Agnostic
iv. Click on "Download".



5 Create a route in the route table associated with your VPC:

a. In the left navigation pane:
i. Filter by VPC: Select your VPC.

b. Navigate to VIRTUAL PRIVATE CLOUD > Route Tables.
c. Select the associated Route Table.
d. In the bottom navigation:
i. Select the Routes tab.
ii. Click on Edit routes.

e. Click on Add route and configure the following:
i. Destination: Private IP address range behind XG firewall. Typically, the remote private IP address is the LAN interface network on the on-prem Sophos XG firewall.
ii. Target: Select the Virtual gateway created in Step 2.
iii. Click on Save routes.


6 Create the VPN Policy (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG firewall.
b. Create a new IPsec policy in Sophos XG matching the parameters specified in the configuration file downloaded in Step 4.
c. Navigate to CONFIGURE > VPN.
d. Click on the "..." to expand the menu, and select IPsec policies.
e. In the IPSec policies blade, configure the following:
i. Name: Specify a descriptive name
ii. Key exchange: Select IKEv1
iii. Authentication mode: Select Main mode

f. Scroll down to configure the parameters for Phase 1. These should match the downloaded configuration obtained in Step 4(2).
g. In our scenario, configure the following Phase 1 parameters on Sophos XG:
i. Key life: 28800
ii. DH group (key group): 2[DH1024]
iii. Encryption: AES128
iv. Authentication: SHA1

h. Scroll down to configure the parameters for Phase 2. These should match the downloaded configuration obtained in Step 4(2).
i. In our scenario, configure the following Phase 2 parameters on Sophos XG:
i. Key life: 3600
ii. DH group (key group): Same as Phase 1
iii. Encryption: AES128
iv. Authentication: SHA1

j. Scroll down to configure the parameters for Dead Peer Detection.
i. Select the "Enable Dead Peer Detection" checkbox.
ii. Click Save.


7 Create the VPN Connection (Sophos XG Firewall):

a. Under "Configure", click on "VPN" -> "IPSEC Connections" -> "Add".
b. Configure the following settings:
c. General Settings
i. Name: Input any preferred name
ii. Connection Type: Tunnel interface
iii. IP Version: Dual
iv. Gateway Type: Initiate the Connection
v. Activate on Save: Selected
vi. Description: Add a description for the connection

d. Encryption
i. Policy: Select the policy created in Step 6
ii. Authentication Type: Preshared Key
iii. Preshared Key: Enter the preshared key as available from the downloaded configuration obtained in Step 4(2).
iv. Repeat Preshared Key: Confirm the above preshared key

e. Gateway Settings
i. Listening Interface: Select the WAN interface of the Sophos XG firewall
ii. Gateway Address: Input the public IP of the AWS VPN gateway. The public IP of the AWS Virtual Private Gateway is available from the downloaded configuration obtained in Step 4(2).
iii. Local ID: IP Address
iv. Remote ID: IP Address
v. Local ID: Enter the public IP of the OnPrem Sophos XG firewall
vi. Remote ID: Input the public IP of the AWS VPN gateway. The public IP of the AWS Virtual Private Gateway is available from the downloaded configuration obtained in Step 4(2).
vii. There is no option to configure the "Local Subnet" and "Remote Subnet". They will both be set to "0.0.0.0/0".

f. Advanced
i. Leave default settings

g. Click "Save".
h. Click "OK" when prompted about the "Preshared key".
i. The connection should now be active and in a connected state.


8 Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG firewall.
b. Under "Protect", click on "Rules and Policies" -> "Add Firewall Rule" -> "New Firewall Rule".
c. In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:
i. Rule status: ON
ii. Rule Name: XGS_to_AWS
iii. Action: Accept
iv. Rule Position: Top
v. Rule group: Automatic or select your VPN group
vi. Log firewall traffic: Selected

d. Source and destination
i. Source Zones: LAN
ii. Source Networks and Devices: IP or Network of the device(s) that will be reaching AWS
iii. Destination Zones: VPN
iv. Destination Networks: IP or Network of the device(s) in AWS
v. During Scheduled Time: Leave the default setting

e. Leave other settings as default.
i. You can configure the security checks of the XG for the traffic if you want to.

f. Click on "Save".
g. Create a second firewall rule for traffic initiated from the AWS side:

i. Rule status: ON
ii. Rule Name: AWS_TO_XGS
iii. Action: Accept
iv. Rule Position: Top
v. Rule group: Automatic or select your VPN group
vi. Log firewall traffic: Selected

h. Source
i. Source Zones: VPN
ii. Source Networks and Devices: IP or Network of the device(s) that will be reaching XGS
iii. Destination Zones: LAN
iv. Destination Networks: IP or Network of the device(s) behind the XGS
v. During Scheduled Time: Leave the default setting

i. Leave other settings as default.
i. You can configure the security checks of the XG for the traffic if you want to.

j. Click on "Save".

9 Configure the xfrm tunnel interface (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG firewall.
b. Under "Configure", click on "Network" -> under "Interfaces", click on the xfrm interface.
c. In the "Network" configuration window, configure the following:
i. IPv4/netmask: Enter the IP address. The IP address can be found under Inside IP Addresses >Customer Gateway, as obtained from the configuration file downloaded in Step 4(2).

d. Expand "Advanced Settings"
i. Select "Override MSS" and enter the MSS value as obtained from the configuration file downloaded in Step 4(2).

e. Click on "Save".
f. In the "Update interface" prompt, click "Update interface".
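As an added example (not part of this guide, and not Sophos or AWS tooling), the Python script below pulls the values that Steps 6, 7 and 9 ask for out of the downloaded AWS configuration file and maps them onto the Sophos XG fields. The embedded file is a constructed sample patterned after the vendor-agnostic "Generic" format; its field labels and layout are assumptions, so check them against your real download before relying on the parser.

```python
import ipaddress
import re

# Constructed sample, patterned after the vendor-agnostic ("Generic") file that
# AWS offers for download in Step 4. The real file's wording and layout may
# differ; the labels below are assumptions and every value is made up.
SAMPLE_CONFIG = """\
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : EXAMPLE_PSK_REPLACE_ME
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Diffie-Hellman           : Group 2
#2: IPSec Configuration
  - Lifetime                 : 3600 seconds
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Virtual Private Gateway : 198.51.100.20
Inside IP Addresses
  - Customer Gateway        : 169.254.10.2/30
  - Virtual Private Gateway : 169.254.10.1/30
Adjust the MSS to 1379 bytes
"""

def _field(section_text, label):
    # Return the value after "  - <label> : " inside one section of the file.
    m = re.search(rf"^\s*-\s*{re.escape(label)}\s*:\s*(.+?)\s*$", section_text, re.M)
    if not m:
        raise ValueError(f"missing field: {label}")
    return m.group(1)

def extract_xg_settings(config_text):
    """Map the AWS file onto the Sophos XG fields used in Steps 6, 7 and 9."""
    sections = re.split(r"^#\d+:", config_text, flags=re.M)
    ike, ipsec, tunnel = sections[1], sections[2], sections[3]
    outside, inside = tunnel.split("Inside IP Addresses", 1)
    cgw_inside = ipaddress.ip_interface(_field(inside, "Customer Gateway"))
    mss = re.search(r"MSS to (\d+) bytes", config_text)
    return {
        # Step 6: IPsec policy (Phase 1 / Phase 2)
        "phase1_key_life": int(_field(ike, "Lifetime").split()[0]),
        "phase1_dh_group": int(_field(ike, "Diffie-Hellman").split()[-1]),
        "phase1_encryption": _field(ike, "Encryption Algorithm"),
        "phase2_key_life": int(_field(ipsec, "Lifetime").split()[0]),
        # Step 7: VPN connection (Gateway Address is the VGW outside IP)
        "preshared_key": _field(ike, "Pre-Shared Key"),
        "gateway_address": _field(outside, "Virtual Private Gateway"),
        # Step 9: xfrm interface (Inside IP Addresses > Customer Gateway, plus MSS)
        "xfrm_ipv4_netmask": f"{cgw_inside.ip}/{cgw_inside.network.netmask}",
        "override_mss": int(mss.group(1)) if mss else None,
    }
```

The same four values (gateway address, pre-shared key, xfrm address and MSS) are what the Azure procedure in Steps 6, 8 and 9 above asks you to copy from your notes.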



10 Configure static routing to the AWS network (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG firewall.
b. Under "Configure", click on "Routing" -> under "Static Routing", click on "Add".
c. In the "Add unicast route" window, configure the following:
i. Destination IP/Netmask: Enter the network IP and subnet mask of your AWS virtual network
ii. Gateway: To be left empty
iii. Interface: Select the XG's xfrm tunnel interface
iv. Distance: Leave default setting
v. Click on "Save"


11 Verify the VPN connection:

a. In the AWS Portal: https://console.aws.amazon.com/, go to "Virtual Private Network (VPN)" and select Site-to-Site VPN Connections.
b. In the "VPN Connection" blade, ensure that the status of the Tunnel is "UP".
c. Check that the EC2 security groups allow RDP.
d. Download the Remote Desktop file for your EC2 instance from AWS.
e. Perform a connectivity test from an on-premise instance to an AWS VM.

Copyright © October 8, 2025 All Rights Reserved by Vast Edge Inc.