Firewall to Azure Site to Site VPN

To update this post: Many changes have been made to Azure VPN Gateway since, here are the latest updates:

1. IKEv1 is no longer Supported. You need a firewall that supports IKEv2

Settings as recommended:

Key Negotiation Tries: 5

Re-key connection: On

Compression: Off

SHA2 with 96-bit trunctation: Off

Authentication: Main Mode

Phase 1: Key Life 28800, Re-key Margin 60, Randomize Re-key Margin by 100

- DH Groups: 2, 14, 21

- Encryption: AES256, Authentication SHA2 256;

- Encryption: AES256, Authentication SHA2 512;

Phase 2: PFS (None), Key Life 27000

- Encryption: AES256, Authentication SHA2 512;

- Encryption: AES256, Authentication SHA2 256;

Dead Peer Detection: On

- Check peer after every 30 Sec

- Wait for response up to 120 Sec

- When peer is unreachable, Re-initiate Connection

Azure Virtual Network Gateway

Gateway type: VPN

VPN type: Route-Based

Sophos SG UTM

no longer supported

Sophos SFOS XG (this is preinstalled into the firmware)

Peplink device

IPFire

https://blogs.technet.microsoft.com/canitpro/2017/06/28/step-by-step-configuring-a-site-to-site-vpn-gateway-between-azure-and-on-premise/

Jul 15, 2016

For anyone trying to connect their IPFire firewall (http://www.ipfire.org/)to Azure VPN Gateway, here is the required setting visualized https://azure.microsoft.com/en-us/blog/connecting-to-a-windows-azure-virtual-network-via-a-linux-based-software-vpn-device/

Bonus: Bonus: Connecting Sophos UTM to Azure VPN Gateway requires this IPsec Policy to be configured on the UTM (credit: http://techbast.com/2015/02/step-by-step-site-to-site-vpn-microsoft-azure-and-sophos-utm-configuration.html)

Featured Posts
Recent Posts
Archive
Search By Tags
Follow Us
  • Facebook Basic Square
  • Twitter Basic Square
  • Google+ Basic Square

 © 2020 by IT Re-engineering Pte Ltd | Privacy Policy   Terms of Use