This tutorial shows how to set up a site-to-site VPN between Azure and an on-premises data center using the Azure CLI.
Parameters used in this tutorial:
VnetName = MyVNet
ResourceGroup = MyRG
Location = Australia East
AddressSpace = 10.11.0.0/16
SubnetName = DefaultSubnet
Subnet = 10.11.0.0/24
GatewaySubnet = 10.11.255.0/27
LocalNetworkGatewayName = RemoteVPNSite
LNG Public IP =
LocalAddrPrefix = 192.168.1.0/24
GatewayName = MyVNetGW
PublicIP = MyVNetGWIP
VPNType = RouteBased
GatewayType = Vpn
ConnectionName = MyVNettoRemoteSite
1. Create a resource group
az group create --name MyRG --location australiaeast
2. Create a virtual network
az network vnet create --name MyVNet --resource-group MyRG --address-prefix 10.11.0.0/16 --location australiaeast --subnet-name Subnet1 --subnet-prefix 10.11.0.0/24
3. Create the gateway subnet
az network vnet subnet create --address-prefix 10.11.255.0/27 --name GatewaySubnet --resource-group MyRG --vnet-name MyVNet
4. Create the local network gateway
az network local-gateway create --gateway-ip-address 110.145.123.123 --name RemoteVPNSite --resource-group MyRG --local-address-prefixes 192.168.1.0/24
5. Request a Public IP address
az network public-ip create --name MyVNetGWIP --resource-group MyRG --allocation-method Dynamic
6. Create the VPN gateway
az network vnet-gateway create --name MyVNetGW --public-ip-address MyVNetGWIP --resource-group MyRG --vnet MyVNet --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait
The list of IPsec/IKE policies supported by Azure is at https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto. To pin the connection to a specific policy (this command needs the connection from step 7 to exist first), you can run:
az network vpn-connection ipsec-policy add --connection-name MyVNettoRemoteSite --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA256 --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group None --resource-group MyRG --sa-lifetime 3600 --sa-max-size 102400000
7. Create the VPN connection
az network vpn-connection create --name MyVNettoRemoteSite --resource-group MyRG --vnet-gateway1 MyVNetGW -l australiaeast --shared-key abc123 --local-gateway2 RemoteVPNSite
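Step 6 above uses --no-wait, so running step 7 immediately fails while the gateway is still provisioning, and the IPsec/IKE policy can only be attached to a connection that already exists. The following helper script (an added example, not part of the original post) polls the gateway, creates the connection, attaches the policy from the post, then reports the tunnel state; it assumes `az login` has been done and that the pre-shared key is supplied in the $VPN_PSK environment variable instead of on the command line.

```sh
#!/bin/sh
# Added example, not part of the original post. Step 6 uses --no-wait, so an
# immediate step 7 fails while the gateway is still provisioning (this can take
# 45 minutes or more), and the IPsec/IKE policy can only be attached to an
# existing connection. These helpers enforce that order. Assumes `az login` is
# done and the pre-shared key is in $VPN_PSK (assumed variable name).
RG=MyRG; GW=MyVNetGW; LNG=RemoteVPNSite; CONN=MyVNettoRemoteSite; LOC=australiaeast

# Print the gateway's provisioningState (Updating, Succeeded, Failed, ...).
gateway_state() {
    az network vnet-gateway show --resource-group "$RG" --name "$GW" \
        --query provisioningState --output tsv
}

# Poll until the gateway reports Succeeded. $1 = max attempts, $2 = seconds
# between attempts. Returns 1 if provisioning failed, 2 on timeout.
wait_for_gateway() {
    tries=0
    while [ "$tries" -lt "$1" ]; do
        case "$(gateway_state)" in
            Succeeded) return 0 ;;
            Failed)    echo "gateway $GW failed to provision" >&2; return 1 ;;
        esac
        tries=$((tries + 1)); sleep "$2"
    done
    echo "timed out waiting for $GW" >&2; return 2
}

# Step 7, then the policy from the post, in the order Azure requires.
create_connection() {
    az network vpn-connection create --name "$CONN" --resource-group "$RG" \
        --vnet-gateway1 "$GW" --local-gateway2 "$LNG" -l "$LOC" \
        --shared-key "$VPN_PSK" --output none
    az network vpn-connection ipsec-policy add --connection-name "$CONN" \
        --resource-group "$RG" --dh-group DHGroup14 --ike-encryption AES256 \
        --ike-integrity SHA256 --ipsec-encryption AES256 --ipsec-integrity SHA256 \
        --pfs-group None --sa-lifetime 3600 --sa-max-size 102400000 --output none
}

# Print the tunnel's connectionStatus (Connected, NotConnected, Connecting, Unknown).
connection_status() {
    az network vpn-connection show --resource-group "$RG" --name "$CONN" \
        --query connectionStatus --output tsv
}
# Run end to end only when RUN_S2S=1, so the file can also be sourced for its functions.
if [ "${RUN_S2S:-0}" = 1 ]; then
    : "${VPN_PSK:?set VPN_PSK to the pre-shared key}"
    wait_for_gateway 90 30 && create_connection && connection_status
fi
```

Run it with `RUN_S2S=1 VPN_PSK='...' sh s2s.sh` after step 6; the 90 x 30 s polling budget covers the usual gateway provisioning time.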
I have an issue peering with Sophos XG Firewall with firmware version SFOS 16.05.8 MR-8, but SFOS_17.0.2_MR-2.SF300-116 fixes the issue.
fakrul@Azure:~$ az network vpn-connection show --resource-group MyResourceGroup --name MyVirtualNetworkConnection --output table
ConnectionStatus    ConnectionType    EgressBytesTransferred    IngressBytesTransferred    Location       Name                        ProvisioningState    ResourceGroup    ResourceGuid                          SharedKey
------------------  ----------------  ------------------------  -------------------------  -------------  --------------------------  -------------------  ---------------  ------------------------------------  -----------
Connected           IPsec             17247                     6340                       australiaeast  MyVirtualNetworkConnection  Succeeded            MyResourceGroup  80f504f6-ed42-400c-a69c-1a270a7fefba  abc123

fakrul@Azure:~$ az network vpn-connection list --resource-group MyResourceGroup --output table
ConnectionType    Location       Name                        ProvisioningState    ResourceGroup    ResourceGuid                          RoutingWeight
----------------  -------------  --------------------------  -------------------  ---------------  ------------------------------------  ---------------
IPsec             australiaeast  MyVirtualNetworkConnection  Succeeded            MyResourceGroup  80f504f6-ed42-400c-a69c-1a270a7fefba
IPsec             australiaeast  MyVNettoRemoteSite          Succeeded            MyResourceGroup  698a2b4d-ca71-4834-a576-8cb7ae077b2c  10
Sophos Profile: