Sophos XG Azure Site-to-Site to Point-to-Site routing issue

Prob the case but the Point to site VPN is setup to use the default gateway on the VPN right?

Can you post your Firewall rules on Azure pls?

Anyreason why your not using SSL VPN? Sorry are you using XG Azure appliance?? Or out the box Azure VPN's?

Ta

JK

Hi John

hanks for your reply.. The P2S VPN by default is "force tunneled". Take a look at the config below when dialed in:

Route print shows:

 Firewall rules as follows:

SSL VPN is simply not secure enough for the client.

Darren

Dont know about not sucure but its the clients decisions i find. lol!

So do you use XG Azure Appliance then? Or standard Azure VPN? Either way do you have the used Subnets setup at each point as each point in the link will need to know the subnets you want routed.  So the Site to Site has to have the subnets used in the Site to Point and vice versa?? Have you got those in??

Sorry just trying to get my head round your setup, I can def advise Azure XG appliance as i know from experience Azure VPNs are a pain.

JK

Ours is not to reason why :-)

It's a dedicated box Caswell CAR3000 with 6x 1Gbe built in.

Darren

OK, can you send your XG VPN config do you think?

You only have 1 route table there but can i assume it matches at each point then right??

Thanks

JK

sorry think ive missed something?? Are you going from XG on prem to Azure XG to end user point vpn??

Here you go: Hope this is what you're after

Really appreciate you taking the time to look at this.. :-)

Hi John..

Sorry my bad explanation.. It's on-prem XG t Azure Virtual Network Gateway then back out to the P2S client..

Darren

OK so your remote networks on XG add the point to site subnets too then on Azure S2S you need to then add the additional subnet to its local networks so the vpn there connects.  Then you need to do the same on the other side. point to site add the xg subnets on the azure end if you get what i mean..

As long as both sides on the Azure part has the subnet of both vpns it should work. sorry if im being vague, if you can wait till i get through my morning emails ill draw it on ur diag.

To add you will change the XG firewall rules to match.

JK

OK so your remote networks on XG add the point to site subnets too then on Azure S2S you need to then add the additional subnet to its local networks so the vpn there connects.  Then you need to do the same on the other side. point to site add the xg subnets on the azure end if you get what i mean..

As long as both sides on the Azure part has the subnet of both vpns it should work. sorry if im being vague, if you can wait till i get through my morning emails ill draw it on ur diag.

To add you will change the XG firewall rules to match.

JK

Splendid.. Really appreciate that.. I have tried adding the VPN pool address range ito the remote subnet of the IPSEC VPN and it refuses to accept it but I my be doing that incorrectly.. Drawing it into the diagram would be great thanks..

TIA

Darren

TBH never set BGP up so cant add to that, but the way i mentioned is the manual method to set that up without needing BGP.

When you added the extra Remote subnet on XG did you also add that into the S2S vpn setup on Azure as it has to match or the VPN wont connect.

Azure VPNs are very fiddly anyway, you would do yourself a favor if you could setup an Azure XG Appliance.....  Would def simplfy things....

Hi John..

Where would I add that in Azure? On the Virtual Network Gateway?

Darren

Did you add the remote networks of the P2S VPN in the XG firewall rules too?? If your using BGP it could just be firewall rules??

JK

So on the S2S VPN XG has its local subnet in local networks in the VPN settings, then you add the remote networks which will be the Azure VNAT subnet + the P2S VPN Subnet.  Then on Azure VPN settings you add the extra subnet in as its local networks.  Then on the P2S side you add on Azure VPN settings the Local VNET subnet + the XG local subnet, in as its local networks in the vpn settings there and then the P2S endpoint subnet as the remote network.

As i said Azure VPNs are very fiddly, so some sort of VPN appliance would be a lot easier if you are able to provision one that is.

JK

Dont know how much a basic XG Azure appliance will set you back for but it will prob be a lot simpler to get setup, maintain and be reliable.  Dont get me wrong once you get the Azure VPN settings right for the S2S & P2S youll be fine but im biased as im an XG partner! lol

If you havent solved it by time i get done with what im doing ill refresh myself of the correct Azure terminology and send over some diags.

Just looking again at azure vpn, forgot to ask what VPN type are you using Policy routing or route based?? Forgot about those types, i know now with v17.1 and ikev2 its not such a problem but still will cause grief, thats how often i set these up. first few times were enough to give me nightmares.  Im refreshing myself with Azure VPN as its always changing and doing the diag.

Hi John.. Apologies for my lack of response... I've re-set this up again and the result is the same.. I've tried adding the remote VPN network into the IPSEC remote networks and the XG doesn't like it at all.. 

Any ideas where else this needs to be set for the XG to acknowledge this subnet?