
Firewall to Azure Site to Site VPN

Update to this post: many changes have been made to Azure VPN Gateway since it was written; here are the latest updates:

1. IKEv1 is no longer supported. You need a firewall that supports IKEv2.

Settings as recommended:

Key Negotiation Tries: 5

Re-key connection: On

Compression: Off

SHA2 with 96-bit truncation: Off

Authentication: Main Mode

Phase 1: Key Life 28800, Re-key Margin 60, Randomize Re-key Margin by 100

- DH Groups: 2, 14, 21

- Encryption: AES256, Authentication SHA2 256;

- Encryption: AES256, Authentication SHA2 512;

Phase 2: PFS (None), Key Life 27000

- Encryption: AES256, Authentication SHA2 512;

- Encryption: AES256, Authentication SHA2 256;

Dead Peer Detection: On

- Check peer after every 30 Sec

- Wait for response up to 120 Sec

- When peer is unreachable, Re-initiate Connection

Azure Virtual Network Gateway

Gateway type: VPN

VPN type: Route-Based
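The settings above translated into a strongSwan ipsec.conf connection, as an added example that is not part of the original post (IPFire's IPsec is built on strongSwan, so the firewall labels map almost one to one onto its options). The public IPs, subnets and pre-shared key are placeholders, and the re-key margin is assumed to be in seconds.

```ini
# /etc/ipsec.conf (strongSwan, legacy ipsec.conf syntax) - added example, not from the post
conn azure-s2s
    # Azure route-based gateways negotiate IKEv2; matches "IKEv1 is no longer supported"
    keyexchange=ikev2
    authby=psk
    aggressive=no                 # Authentication: Main Mode (only meaningful for IKEv1)
    left=203.0.113.10             # placeholder: firewall public IP
    leftsubnet=192.168.10.0/24    # placeholder: on-premises LAN
    right=198.51.100.20           # placeholder: Azure VPN gateway public IP
    rightsubnet=10.10.0.0/16      # placeholder: Azure VNet address space
    # Phase 1: AES256 with SHA2-256 or SHA2-512; DH groups 2 (modp1024), 14 (modp2048), 21 (ecp521).
    # Group 2 is a 1024-bit group and weak by current standards; it is listed only because the post lists it.
    ike=aes256-sha256-modp2048-ecp521-modp1024,aes256-sha512-modp2048-ecp521-modp1024!
    ikelifetime=28800s            # Phase 1 Key Life 28800
    margintime=60s                # Re-key Margin 60 (assumed to be seconds)
    rekeyfuzz=100%                # Randomize Re-key Margin by 100 (percent)
    # Phase 2: same ciphers; no DH group in the ESP proposal means PFS none
    esp=aes256-sha512,aes256-sha256!
    lifetime=27000s               # Phase 2 Key Life 27000
    rekey=yes                     # Re-key connection: On
    keyingtries=5                 # Key Negotiation Tries: 5
    compress=no                   # Compression: Off
    sha256_96=no                  # SHA2 with 96-bit truncation: Off (keep the standard 128-bit HMAC truncation)
    # Dead Peer Detection: probe every 30 s and restart the tunnel when the peer stops answering.
    # dpdtimeout is honoured for IKEv1 only; with IKEv2 strongSwan uses its retransmission timeout instead.
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    auto=start

# /etc/ipsec.secrets
203.0.113.10 198.51.100.20 : PSK "placeholder-replace-with-the-shared-key-set-on-the-Azure-connection"
```

The `!` suffix makes the proposal lists strict, so the firewall offers and accepts only the Phase 1 and Phase 2 combinations listed above.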

- Sophos SG UTM: no longer supported

- Sophos SFOS XG: this is preinstalled in the firmware

- Peplink device



Jul 15, 2016

For anyone trying to connect their IPFire firewall to Azure VPN Gateway, here are the required settings visualized:

Bonus: connecting Sophos UTM to Azure VPN Gateway requires this IPsec policy to be configured on the UTM (credit:
