Does anyone have experience with a site-to-site IPsec VPN between XG 17.x and Azure?

We are now migrating from an SG to an XG and I need to know whether I can keep the IKEv1 (policy-based) IPsec VPN on the XG as well. Otherwise I need to change the Azure and XG configuration to route-based (IKEv2). The IKEv2 configuration seems to be the only supported configuration, but we have had a lot of trouble with such a configuration.

Thanks, Marco

  • If you are running Azure VPN Gateway you need to run it IKEv2 route-based. The only Azure gateway that supports policy-based IKEv1 is the dev/Basic VPN gateway; if you are using this for production it's very slow and the throughput of the gateway is very poor.

    We have just done the same as you: gone from SG to XG, and on the Azure side from the Basic gateway to VpnGw1, which is route-based.

    The problem we were having was with all the networks added for the IPsec tunnel; for some reason this doesn't work. The recommendation from Azure was to set this to ANY, and they were planning to redo the Multi SA KB due to this.

  • As far as I know, the way the Azure VPN gateway works should not affect the XG at all.

    https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

    So basically you can connect a policy-based or route-based product to Azure.

    It should work to select a route-based VPN Gateway in Azure and connect a (policy-based) XG to it.

    That is the reason for using IKEv2: the Azure side requires IKEv2 in route-based mode.

    The KBA uses the same technique (route-based Azure vs. policy-based XG).

    https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#multi-site-and-vnet-to-vnet-connectivity

    But I can be wrong. This should be covered by Microsoft Support.

  • Only the Basic VPN gateway will work like this; the new ones don't. This is why everyone is screaming for Sophos to bring IKEv2 to the UTM.

    Azure support for policy-based VPN

    Currently, Azure supports both modes of VPN gateways: route-based VPN gateways and policy-based VPN gateways. They are built on different internal platforms, which results in different specifications:

                              PolicyBased VPN Gateway   RouteBased VPN Gateway
    Azure Gateway SKU         Basic                     Basic, Standard, HighPerformance, VpnGw1, VpnGw2, VpnGw3
    IKE version               IKEv1                     IKEv2
    Max. S2S connections      1                         Basic/Standard: 10; HighPerformance: 30
  • I am still not sure about this.

    The Microsoft KBA even writes:

    With the custom IPsec/IKE policy, you can now configure Azure route-based VPN gateways to use prefix-based traffic selectors with option "PolicyBasedTrafficSelectors", to connect to on-premises policy-based VPN devices. This capability allows you to connect from an Azure virtual network and VPN gateway to multiple on-premises policy-based VPN/firewall devices, removing the single connection limit from the current Azure policy-based VPN gateways.

    https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

    So basically you can connect 10/30 VPNs to one Azure VPN Gateway, if you use route-based on the Azure side.
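
As an added illustration of the mechanism quoted above (this is not code from the thread, nor from the Sophos or Microsoft KBAs), the Az PowerShell steps that switch an existing route-based Azure connection to prefix-based traffic selectors so a policy-based XG can terminate it; the resource group and connection names are assumed placeholders, and the proposal values are one Azure-accepted set that the XG side must then mirror exactly.

```powershell
# Added example: enable policy-based traffic selectors on an existing
# route-based Azure VPN Gateway connection (Az module). Names below are
# placeholders; replace them with your own resource names.
$rg       = 'rg-vpn-example'     # assumed resource group name
$connName = 'cn-azure-to-xg'     # assumed S2S connection name

# 1. A custom IPsec/IKE policy is mandatory when UsePolicyBasedTrafficSelectors
#    is enabled. This is one Azure-accepted proposal set; the XG IPsec profile
#    must offer exactly the same IKE and ESP algorithms, DH/PFS group and
#    lifetimes, otherwise phase 1 or phase 2 negotiation fails.
$ipsecPolicy = New-AzIpsecPolicy `
    -IkeEncryption       AES256 `
    -IkeIntegrity        SHA256 `
    -DhGroup             DHGroup14 `
    -IpsecEncryption     AES256 `
    -IpsecIntegrity      SHA256 `
    -PfsGroup            PFS2048 `
    -SALifeTimeSeconds   27000 `
    -SADataSizeKilobytes 102400000

# 2. Attach the policy and switch the connection to prefix-based (policy-style)
#    traffic selectors. The gateway itself stays route-based IKEv2, which is
#    what lets a VpnGw SKU terminate more than one S2S peer.
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayConnection `
    -VirtualNetworkGatewayConnection $conn `
    -IpsecPolicies $ipsecPolicy `
    -UsePolicyBasedTrafficSelectors $true

# 3. Re-read the connection and verify the change took effect before
#    touching the XG side.
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
if (-not $conn.UsePolicyBasedTrafficSelectors) {
    throw "PolicyBasedTrafficSelectors is still disabled on $connName"
}
$conn.IpsecPolicies | Format-List
```

With this option Azure builds the selector pairs from the VNet address space and the local network gateway prefixes, so those prefixes must correspond to the local and remote subnets configured in the XG's IPsec connection.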

  • Cheers for the info. Will have to look at this, as our cloud software provider said this wasn't supported and all the documentation back then pointed to this. Looking at the KB above, this must be done as it was written 30/11/18.

    So I wonder if MS updated this. 

  • Basically there should not be any difference.

    You can easily connect a policy-based device to a route-based device (no matter what devices are involved).

    So basically this should have been possible a long time ago.

    Our KBA builds on the same mechanics and, as far as I know,  wrote this KBA. I guess, if he reads this topic, he can give us more insight.

    But I am pretty sure this is possible.

    Interesting part about this.

    http://web.archive.org/web/20171110000509/https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

    If you check this revision of this KBA, the same is clearly stated in 2017. 

  • Maybe David or yourself can check out our support ticket and comment on that, as we were told the Multi SA KB needed to be rewritten.

    Happy to supply the support case and we can take this off this channel to talk about it and get your feedback, and feedback from David who wrote it.

    I am only basing the claim that the whole KB is wrong on what Sophos support said and also on going through our channel manager. If it is wrong then it needs to be corrected so others don't go through our pain.

    Send me a PM and I will send you the case number to have a look at.

    PS: sorry to the OP for hijacking his question.

    Thanks 
