This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Anyone has experience on VPN IPsec ( site to site ) beetwen XG 17.x and Azure ?

Now are in a migration from an SG to XG and i need to know if i can maintain ikev1 ( policy based ) ipsec vpn also in XG . Otherwise i need to change azure and XG configuration for a route policy base ( ike v2 ). The ikev2 configuration seem the only supported configuration, but we have many trouble in a such configuration.

Thanks Marco

This thread was automatically locked due to age.

Parents

0 bz351 over 6 years ago

If you are running Azure VPN Gateway you need to run its IKEV2 route based. The only azure gateway that supports policy base ikev1 is the dev/basic VPN gateway if you are using this for production its very slow and the throughput of gateway is very poor.

We have just done the same as you gone from SG to XG Azure side from basic gateway to vpngw1 that is route based.

The problem we were having was with all the networks added for the ipsec tunnel for some reason this doesn't work. The recommendation for azure was to set this to ANY and they were planing to redo the Mutli SA KB due to this.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to bz351

As far as i know, the way how Azure VPN gateway works, should not be affect the XG at all.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

So basically you can connect a Policy based or Route Based Product to Azure.

It should work to select a Route Based VPN Gateway in Azure and connect a (Policy based) XG to it.

That is the reason for using IKEv2 - The Azure site requires IKEv2 in Route based mode.

The KBA uses the same technique (Route based Azure vs Policy Based XG).

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#multi-site-and-vnet-to-vnet-connectivity

But i can be wrong. This should be covered by the Microsoft Support.
Cancel
Vote Up 0 Vote Down

Cancel

0 bz351 over 6 years ago in reply to LuCar Toni

Only the Basic VPN gateway will work like this the new ones don't. This is why everyone is screaming for Sophos to bring Ikev2 to the UTM.

Azure support for policy-based VPN

Currently, Azure supports both modes of VPN gateways: route-based VPN gateways and policy-based VPN gateways. They are built on different internal platforms, which result in different specifications:

	PolicyBased VPN Gateway	RouteBased VPN Gateway
Azure Gateway SKU	Basic	Basic, Standard, HighPerformance, VpnGw1, VpnGw2, VpnGw3
IKE version	IKEv1	IKEv2
Max. S2S connections	1	Basic/Standard: 10 HighPerformance: 30

0 LuCar Toni over 6 years ago in reply to bz351

I am still not sure about this.

The Microsoft KBA even writes:

With the custom IPsec/IKE policy, you can now configure Azure route-based VPN gateways to use prefix-based traffic selectors with option "PolicyBasedTrafficSelectors", to connect to on-premises policy-based VPN devices. This capability allows you to connect from an Azure virtual network and VPN gateway to multiple on-premises policy-based VPN/firewall devices, removing the single connection limit from the current Azure policy-based VPN gateways.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

So basically you can connect 10/30 VPNs to one Azure VPN Gateway, if you use Routebased on the Azure site.
Cancel
Vote Up 0 Vote Down

Cancel
0 bz351 over 6 years ago in reply to LuCar Toni

Cheers for the info. Will have to look at this as our Cloud software provider said this wasn't supported and all the documentation back then pointed to this. Looking at the KB above this must be done as it was written 30/11/18

So I wonder if MS updated this.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to bz351

Basically it should not be any difference.

You can easily connect a Policy based device to a Route based device. (no matter what device are involved).

So basically this should be possible a long time ago.

Our KBA builds the same mechanics and as far as i know, DavidOkeyode wrote this KBA. I guess, if he reads this topic, he can give us more insight.

But i am pretty sure, this is possible.

Interesting part about this.

http://web.archive.org/web/20171110000509/https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

If you check this revision of this KBA, the same is clearly stated in 2017.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 LuCar Toni over 6 years ago in reply to bz351

Basically it should not be any difference.

You can easily connect a Policy based device to a Route based device. (no matter what device are involved).

So basically this should be possible a long time ago.

Our KBA builds the same mechanics and as far as i know, DavidOkeyode wrote this KBA. I guess, if he reads this topic, he can give us more insight.

But i am pretty sure, this is possible.

Interesting part about this.

http://web.archive.org/web/20171110000509/https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

If you check this revision of this KBA, the same is clearly stated in 2017.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 bz351 over 6 years ago in reply to LuCar Toni

Maybe David or yourself can check out our support ticket and make comment on that. As we were told the Multi SA KB needed to be re written.

happy to supply the support case and we can take this of this channel to talk about and get your feed back and David who wrote it feed back.

I am only basing the whole KB is wrong from what Sophos support said and also going through our channel manager. If it is wrong then needs to be corrected so other don't go through our pain.

Send me a PM and I will send you the case number to have a look at.

PS sorry to the OP for hijacking his question.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to bz351

FloSupport Can you take this query?
Cancel
Vote Up 0 Vote Down

Cancel
0 bz351 over 6 years ago in reply to LuCar Toni
Reading the MS KB

They state your on premises policy based VPN device must support IKEv2 so that rules out a lot of devices like the UTM.

With the custom IPsec/IKE policy, you can now configure Azure route-based VPN gateways to use prefix-based traffic selectors with option "PolicyBasedTrafficSelectors", to connect to on-premises policy-based VPN devices. This capability allows you to connect from an Azure virtual network and VPN gateway to multiple on-premises policy-based VPN/firewall devices, removing the single connection limit from the current Azure policy-based VPN gateways.

Important

To enable this connectivity, your on-premises policy-based VPN devices must support IKEv2 to connect to the Azure route-based VPN gateways. Check your VPN device specifications.

The on-premises networks connecting through policy-based VPN devices with this mechanism can only connect to the Azure virtual network; they cannot transit to other on-premises networks or virtual networks via the same Azure VPN gateway.

The configuration option is part of the custom IPsec/IKE connection policy. If you enable the policy-based traffic selector option, you must specify the complete policy (IPsec/IKE encryption and integrity algorithms, key strengths, and SA lifetimes).
Cancel
Vote Up 0 Vote Down

Cancel
0 FloSupport over 6 years ago in reply to bz351

Hi bz351

Thank you for taking the time to share this.

Would it be possible to also PM me with your support case number so that I can follow up?

Regards,
Cancel
Vote Up 0 Vote Down

Cancel