
Does anyone have experience with a site-to-site IPsec VPN between XG 17.x and Azure?

We are now migrating from an SG to an XG, and I need to know if I can maintain the IKEv1 (policy-based) IPsec VPN on the XG as well. Otherwise I need to change the Azure and XG configuration to route-based (IKEv2). The IKEv2 configuration seems to be the only supported configuration, but we have many troubles with such a configuration.

Thanks Marco



  • Only the Basic VPN gateway will work like this; the new ones don't. This is why everyone is screaming for Sophos to bring IKEv2 to the UTM.

    Azure support for policy-based VPN

    Currently, Azure supports both modes of VPN gateways: route-based VPN gateways and policy-based VPN gateways. They are built on different internal platforms, which result in different specifications:

    |                      | PolicyBased VPN Gateway | RouteBased VPN Gateway                                       |
    |----------------------|-------------------------|--------------------------------------------------------------|
    | Azure Gateway SKU    | Basic                   | Basic, Standard, HighPerformance, VpnGw1, VpnGw2, VpnGw3     |
    | IKE version          | IKEv1                   | IKEv2                                                        |
    | Max. S2S connections | 1                       | Basic/Standard: 10; HighPerformance: 30                      |
  • I am still not sure about this.

    The Microsoft KBA even writes:

    With the custom IPsec/IKE policy, you can now configure Azure route-based VPN gateways to use prefix-based traffic selectors with option "PolicyBasedTrafficSelectors", to connect to on-premises policy-based VPN devices. This capability allows you to connect from an Azure virtual network and VPN gateway to multiple on-premises policy-based VPN/firewall devices, removing the single connection limit from the current Azure policy-based VPN gateways.

    https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

     

    So basically you can connect 10/30 VPNs to one Azure VPN Gateway, if you use route-based on the Azure side.

  • Cheers for the info. Will have to look at this, as our Cloud software provider said this wasn't supported and all the documentation back then pointed to this. Looking at the KB above, this must be done as it was written 30/11/18.

    So I wonder if MS updated this. 

  • Basically there should not be any difference.

    You can easily connect a policy-based device to a route-based device (no matter what devices are involved).

    So basically this should have been possible a long time ago.

    Our KBA builds on the same mechanics and, as far as I know,  wrote this KBA. I guess, if he reads this topic, he can give us more insight.

    But I am pretty sure this is possible.

    Interesting part about this.

    http://web.archive.org/web/20171110000509/https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

    If you check this revision of this KBA, the same is clearly stated in 2017. 

  • Maybe David or yourself can check out our support ticket and comment on that, as we were told the Multi SA KB needed to be rewritten.

    Happy to supply the support case, and we can take this off this channel to talk about it and get your feedback and the feedback of David, who wrote it.

    I am only basing "the whole KB is wrong" on what Sophos support said and also on going through our channel manager. If it is wrong then it needs to be corrected so others don't go through our pain.

    Send me a PM and I will send you the case number to have a look at.

    PS: sorry to the OP for hijacking his question.

    Thanks

  • Reading the MS KB:

    They state your on-premises policy-based VPN device must support IKEv2, so that rules out a lot of devices like the UTM.

    With the custom IPsec/IKE policy, you can now configure Azure route-based VPN gateways to use prefix-based traffic selectors with option "PolicyBasedTrafficSelectors", to connect to on-premises policy-based VPN devices. This capability allows you to connect from an Azure virtual network and VPN gateway to multiple on-premises policy-based VPN/firewall devices, removing the single connection limit from the current Azure policy-based VPN gateways.

     Important

    1. To enable this connectivity, your on-premises policy-based VPN devices must support IKEv2 to connect to the Azure route-based VPN gateways. Check your VPN device specifications.
    2. The on-premises networks connecting through policy-based VPN devices with this mechanism can only connect to the Azure virtual network; they cannot transit to other on-premises networks or virtual networks via the same Azure VPN gateway.
    3. The configuration option is part of the custom IPsec/IKE connection policy. If you enable the policy-based traffic selector option, you must specify the complete policy (IPsec/IKE encryption and integrity algorithms, key strengths, and SA lifetimes).
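As an added example that is not part of the thread or of the Microsoft article quoted above, the following Azure PowerShell (Az module) script shows what the "PolicyBasedTrafficSelectors" option looks like in practice: a route-based gateway, a complete custom IPsec/IKE policy (requirement 3 above says you cannot leave any parameter to the defaults once the option is on), and a site-to-site connection to an on-premises policy-based device. The resource group, gateway, location, addresses, prefixes, algorithm choices and the pre-shared key are all placeholders I chose for illustration; they are not values from the thread, and the IKE/IPsec proposal must be set identically on the on-premises side.

```powershell
# Added example; not code from the thread or from Microsoft's article.
# Every name, address and the shared key below is a placeholder to replace.
$rg        = 'rg-vpn-example'        # assumed resource group
$location  = 'westeurope'            # assumed region
$gwName    = 'vng-hub-routebased'    # assumed existing route-based gateway (VpnGw1 or higher)
$lngName   = 'lng-branch-policybased'
$connName  = 'conn-branch-policybased'
$sharedKey = 'REPLACE-WITH-PRESHARED-KEY'   # placeholder; use a long random PSK

# 1. Local network gateway: public IP of the on-premises device and the private
#    prefixes behind it. With policy-based traffic selectors these prefixes, paired
#    with the VNet prefix, become the IPsec SAs (one SA per prefix pair), so they
#    must match the local/remote subnets configured on the on-premises device exactly.
$lng = New-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $rg -Location $location `
        -GatewayIpAddress '203.0.113.10' `
        -AddressPrefix @('192.168.10.0/24', '192.168.20.0/24')

$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg

# 2. Complete custom IPsec/IKE policy. Requirement 3 in the quoted text: when the
#    policy-based traffic selector option is enabled, encryption, integrity, DH/PFS
#    groups and SA lifetimes must all be given explicitly. Values here are an
#    assumed proposal; pick ones both sides support and keep them identical.
$ipsecPolicy = New-AzIpsecPolicy `
    -IkeEncryption   AES256 -IkeIntegrity   SHA256 -DhGroup  DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# 3. Site-to-site connection on the route-based gateway, with prefix-based
#    (policy-based) traffic selectors instead of the default any/any selector.
$conn = New-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg `
        -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
        -ConnectionType IPsec -SharedKey $sharedKey `
        -IpsecPolicies $ipsecPolicy -UsePolicyBasedTrafficSelectors $true

# 4. Read back what Azure actually stored before troubleshooting the on-premises side:
#    a connection that shows UsePolicyBasedTrafficSelectors = False or an empty
#    IpsecPolicies list will negotiate any/any selectors and fail against a
#    policy-based peer.
$applied = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
$applied.UsePolicyBasedTrafficSelectors     # expect True
$applied.IpsecPolicies | Format-List        # expect the full proposal from step 2
$applied.ConnectionStatus                   # Connected once the peer brings up the tunnel
```

For an existing connection the same two settings are applied with Set-AzVirtualNetworkGatewayConnection (-IpsecPolicies and -UsePolicyBasedTrafficSelectors $true on the connection object). Note that this only addresses requirement 3; requirement 1 still stands, so the on-premises device has to speak IKEv2 for this to work at all, which is the point made in the post above.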
  • Hi  

    Thank you for taking the time to share this.

    Would it be possible to also PM me with your support case number so that I can follow up?

    Regards,